by Kevin Mills
Privacy continues to evolve into one of the most important legal issues of this decade. While we as Americans are wary of the government collecting our private information, we are comparatively complacent regarding private information collected by private businesses. It’s a dangerous conundrum. After all, the government is created for our benefit and is ultimately accountable to us, whereas private business has no such inherent accountability and is dedicated to its own self-interest.
The Federal Trade Commission (“FTC”) plays an important role in protecting the privacy of persons using the internet. The FTC has recently adopted changes to its Children’s Online Privacy Protection Act (“COPPA”) to strengthen privacy protections for children and give parents greater control over the personal information that websites and online services may collect from children under thirteen. The information in this article, largely taken from the FTC itself, explains these changes.
Congress passed COPPA in 1998. It requires that operators of websites or online services that are either directed to children under thirteen or have actual knowledge that they are collecting personal information from children under thirteen give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children. It also prohibits these operators from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary for them to participate. COPPA contains a “safe harbor” provision that allows industry groups or others to seek FTC approval of self-regulatory guidelines.
In 2010, the FTC initiated a review to ensure that COPPA keeps up with evolving technology and changes in the way children use and access the internet, including the increased use of mobile devices and social networking.
The final amendments:
- modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
- offer companies a streamlined, voluntary, and transparent approval process for new ways of getting parental consent;
- close a loophole that allowed child-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
- extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
- extend COPPA to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
- strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
- require that covered website operators adopt reasonable procedures for data retention and deletion; and
- strengthen the FTC’s oversight of self-regulatory safe harbor programs.
The Final Rule includes these modified definitions:
- The definition of an “operator” has been updated to make clear that COPPA covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors. This definition does not extend liability to platforms, such as Google Play or the App Store, when such platforms merely offer the public access to child-directed apps.
- The definition of a “website or online service directed to children” is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service. In addition, in contrast to sites and services whose primary target audience is children, and who must presume all users are children, sites and services that target children only as a secondary audience or to a lesser degree may differentiate among users, and will be required to provide notice and obtain parental consent only for those users who identify themselves as being younger than thirteen.
- The definition of “personal information” now also includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice.
- The definition of “personal information requiring parental notice and consent before collection” now includes “persistent identifiers” that can be used to recognize users over time and across different websites or online services. However, no parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service’s internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. Without parental consent, such information may never be used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.
- The definition of “collection of personal information” has been changed so that operators may allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete all or virtually all of the children’s personal information before it is made public.
The amended Final Rule revises the parental notice provisions to help ensure that operators’ privacy policies, and the direct notices they must give parents before collecting children’s personal information, are concise and timely.
Parental Consent Mechanisms
The Final Rule changes add several new methods that operators can use to obtain verifiable parental consent: electronic scans of signed parental consent forms; video-conferencing; use of government-issued identification; and alternative payment systems, such as debit cards and electronic payment systems, provided they meet certain criteria.
The amendments retain email plus as an acceptable consent method for operators that collect personal information only for internal use. Under this method, operators that collect children’s personal information for internal use only may obtain verifiable parental consent with an email from the parent, as long as the operator confirms consent by sending a delayed email confirmation to the parent, or by calling or sending a letter to the parent.
To encourage the development of new consent methods, the FTC establishes a voluntary 120-day notice and comment process so parties can seek approval of a particular consent method. Operators participating in an FTC-approved safe-harbor program may use any consent method approved by the program.
Confidentiality and Security Requirements
COPPA requires operators to take reasonable steps to make sure that children’s personal information is released only to service providers and third parties that are capable of maintaining the confidentiality, security, and integrity of such information, and who assure that they will do so. COPPA also requires operators to retain children’s personal information for only as long as is reasonably necessary, and to protect against unauthorized access or use while the information is being disposed of.
The FTC seeks to strengthen its oversight of the approved self-regulatory “safe harbor programs” by requiring them to audit their members and report annually to the FTC the aggregated results of those audits.
These changes will go into effect on July 1, 2013.
Kevin Mills is an owner of the law firm of Kaye & Mills where his practice focuses on advising clients with transactions across a full range of issues in entertainment, media, technology, Internet and general business. His practice encompasses copyright; trademark; trade dress; trade secret; brand protection; content creation, protection and distribution; and general corporate, organizational and business matters.