by Kevin Mills
The Federal Trade Commission (“FTC”) has recently proposed to modify the rules for the Children’s Online Privacy Protection Act (“COPPA”). If these modifications are implemented, it would be the first time COPPA rules were revised since 1999, a time when there was no Facebook or “an app for that” – even MySpace wasn’t founded until 2003.
Today, there are countless ad networks, third party tracking cookies, and information brokers that harvest personal data across the web and on smartphones – none of these existed when the COPPA rules were last issued. Although COPPA was designed to protect children’s online experiences, currently, certain loopholes in COPPA allow companies to gather children’s personal information. A 2010 Wall Street Journal report found that some popular children’s websites installed more data-gathering technology on computers than websites aimed at adults.
The FTC wants to revise COPPA rules so that they apply to third party ad networks and app and plug-in developers, and to expand the definition of “personal information.” Specifically, the revisions aim to cover plug-ins and ad networks that know or have reason to know that they are collecting personal information through child-directed websites or online services. The revisions could affect popular website features such as Facebook’s “Like” button, as well as new social networks for playing games on smartphones.
First, the proposed revised rules would require sites with content designed to appeal to both young children and others (including parents) to be able to “age-screen all visitors in order to provide COPPA’s protections only to users under age 13.” These sites would not be allowed to collect any personal information without first obtaining parental consent. Currently, many websites secure consent by sending an email to an address provided by the child.
Second, the proposed revised rules would create co-responsibility between companies that furnish apps or plug-ins and those that operate the platforms where the apps or plug-ins run. The FTC states that “an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered ‘operator’ under the Rule.” The revised rules would not only hold third parties responsible for any unlawful data collection, but would also make the host website responsible for those infractions.
Third, the proposed revised rules would expand the definition of “personal information” to include “‘persistent identifiers’ that recognize a user over a period of time which are used for purposes other than ‘support for internal operations.’” This revision is aimed at “tracking cookies” that are capable of delivering advertising within a single site and also of tracking people across sites to deliver targeted information. In other words, the revised rules would restrict or prohibit advertising to children based on their previous online behavior.
Fourth, the proposed revised rules would prohibit smartphone apps from collecting geolocation data (defined as “a home or other physical address including street name and name of a city or town”), which they often collect along with phone numbers.
Another important change, especially for many mobile apps, is that personal information now includes “a home or other physical address including street name and name of a city or town.” Smartphone apps often collect such geolocation data along with phone numbers, a collection practice that will now be prohibited by the proposed rules.
It is also important to take a look at what is not covered in the new rules; these rules would apply to information that is being collected for the purposes of advertising or marketing — not information necessary to maintain a network or offer a service.
The revised rules are not aimed at sites that don’t allow children. This is true even though children do in fact use such sites. Facebook, for example, requires users to state their date of birth and does not allow users under thirteen to use the site. Of course, it is possible to lie about one’s age (Consumer Reports estimates that 5.6 million of Facebook’s users are under thirteen). And it’s worth noting that any site that requires a user to sign in via Facebook is certifying that that person claims to be thirteen or older based on Facebook’s terms of service.
Of course, when considering new rules, one must consider their effectiveness. Privacy advocates are concerned that the FTC lacks the resources to vigorously enforce the law. And given the FTC’s history of lax enforcement of COPPA, that is a valid concern.
Kevin Mills is an owner of the law firm of Kaye & Mills, where his practice focuses on advising clients on transactions across a full range of issues in entertainment, media, technology, Internet and general business. His practice encompasses copyright; trademark; trade dress; trade secret; brand protection; content creation, protection and distribution; and general corporate, organizational and business matters.