On August 1, 2012, the Federal Trade Commission (FTC) issued a supplemental notice of proposed rulemaking (Supplemental NPR)1 in which it proposed additional modifications to the Children's Online Privacy Protection Rule (COPPA Rule), which implements the Children's Online Privacy Protection Act (COPPA).
COPPA generally requires that all operators of commercial websites or online services that are directed to or knowingly collect personal information from children under 13 years of age disclose their information-collection practices and obtain verifiable parental consent before collecting personal information from children. The proposed modifications augment the FTC's notice of proposed rulemaking issued on September 15, 2011,2 and address certain comments received by the FTC to date regarding the original NPR, as well as the FTC's experience in administering and enforcing the COPPA Rule. As explained below, the proposed modifications would further expand the scope of entities that the FTC deems to be covered by COPPA, but they also would ease consent requirements somewhat with respect to covered websites and online services that appeal to mixed-age audiences.
Companies that may be affected by the proposed amendments have until September 10, 2012, to submit comments to the FTC.
Proposed Amendments
The FTC's proposed amendments would modify four key definitions in the COPPA Rule: "operator," "website or online service directed to children," "support for internal operations," and "personal information."
Modifications to "Operator" and "Website or Online Service Directed to Children" to Address Third-Party Collection of Personal Information
In the Supplemental NPR, the FTC noted that public comments and its law enforcement experience highlighted the need for the FTC to allocate and clarify responsibilities under COPPA when independent entities or third parties such as advertising networks, social media services, or other providers of downloadable software kits (referred to in the Supplemental NPR as "plug-ins") collect information from users through child-directed websites and online services. A child-directed site or online service would determine the child-directed nature of the content, but third-party advertising networks and providers of plug-ins collect information that would be considered personal information under the COPPA Rule.
The FTC noted changes in technology that have made it easy and commonplace for child-directed sites and services to integrate social networking and other personal-information-collection features into the content offered to their users without maintaining ownership, control, or access to the personal information that is collected. Given these advancements in technology, the FTC proposes changes to the definitions of "operator" and "website or online service directed to children" that would hold both (i) the child-directed website or online service and (ii) the information-collecting website or online service responsible as covered "co-operators" under the COPPA Rule.
First, the modified COPPA Rule would redefine the term "operator." COPPA applies to child-directed websites and online services that directly collect or maintain information about users, "or on whose behalf such information is collected or maintained."3 The modified COPPA Rule would make clear that operators of websites that do not themselves collect personal information that triggers the notice and consent requirements of COPPA still would be subject to those requirements if third parties such as advertising networks or downloadable plug-ins collect such information. In the FTC's view, such third parties are collecting the information "on behalf of" the child-directed website or online service. Specifically, the FTC proposes revising its definition of "operator" to add a proviso stating:
Personal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.4
The FTC reasoned that a child-directed site or service is in the position to provide the required notice and obtain the required parental consent, and can control which plug-ins, software downloads, or advertising networks it integrates into its site or service.
Second, the modified COPPA Rule would make clear that any third-party operator that collects personal information through child-directed websites and services also is subject to COPPA's requirements if it knows or has reason to know that it is collecting such information through a child-directed website or online service. The FTC would effectuate this by including in the definition of "website or online service directed to children" any operator that "knows or has reason to know" it is collecting personal information through any website or online service otherwise covered by COPPA.5 In proposing this modification, the FTC expressed a desire to cover advertising networks, plug-ins, and other third-party websites and online services that collect personal information through child-directed properties.
The FTC clarified that in using the phrase "reason to know" as part of this proposed modification, it is not imposing a duty on third-party operators to monitor or investigate whether their services are incorporated into child-directed properties; these entities, however, would not be free to ignore credible information brought to their attention indicating that such is the case. Critically, while the examples given by the FTC center around advertising networks and plug-ins, the operator of any third-party website or online service that collects personal information through another website or online service would be subject to this "knows or has reason to know" standard.
The FTC stated its belief that the proposed modification to "website or online service directed to children," along with its proposed modifications to the definition of "operator," would hold a child-directed property to be a "co-operator" equally responsible under the COPPA Rule for personal information collected by a plug-in, advertising network, or other third-party website or online service, which would help ensure that operators in both positions cooperate to fulfill their obligations under COPPA to notify parents and obtain parental consent.6
Modifications to "Website or Online Service Directed to Children" to Address Websites and Online Services Directed to Children and Families
The FTC also proposes to modify the COPPA Rule's definition of "website or online service directed to children" to treat websites differently depending on the extent to which they are directed to children. Currently, all websites and online services directed to children are subject to COPPA's requirements, even if only a portion of the site or service is so directed, and even if the site or service attracts a substantial number of persons over the age of 13 as users. Under the proposed revisions, websites and online services that knowingly target or have content likely to draw children under 13 as their primary audience still must treat all users as children (that is, provide notice to parents and obtain consent before collecting personal information from any user).7 Websites and online services with child-oriented content appealing to a mixed audience, where children under 13 are likely to be an over-represented group, would not be deemed directed to children if they use an age screen prior to collecting personal information from any users. When users identify themselves as under 13 in the age screen, the site or service would be deemed to have actual knowledge that such users are under 13. As a result, it would need to obtain appropriate parental consent before collecting any personal information from them, and also would need to comply with all other aspects of the COPPA Rule.8 Parental consent would not be required from users who identify themselves as 13 years of age or older.
Definition of "Personal Information"
The FTC also seeks to clarify two aspects of the definition of "personal information," the collection of which subjects the operator to COPPA's requirements: screen or user names and persistent identifiers.
I. Screen or User Names
In the original NPR, the FTC had proposed to define as personal information "a screen or user name where such screen or user name is used for functions other than or in addition to support for the internal operations of the website or online service." This was intended to address scenarios in which a screen or user name could be used by a child as a single credential to access multiple online properties, thereby permitting him or her to be directly contacted online regardless of whether the screen or user name contained an email address.
Citing comments promoting the benefits of using screen names as alternatives to email addresses and other personal information, including the benefits of using single sign-in identifiers across sites and services, the FTC now proposes to modify the definition of "personal information" to include screen names or user names only where they function in the same manner as "online contact information" (i.e., where they permit direct contact with a person online).9
II. Persistent Identifiers and Support for Internal Operations
In the original NPR, the FTC proposed changes to the definition of "personal information" to include, among other things, persistent identifiers "used for functions other than or in addition to support for the internal operations of the website or online service." The FTC also proposed to include in the definition of personal information "identifiers that link the activities of a child across different websites or online services."10
In response to various concerns of commenters, the FTC proposes modifications to the definition of "personal information" to (i) address concerns about the confusion caused by having two different portions of the "personal information" definition dealing with persistent identifiers and (ii) provide more specificity to the types of activities that would be considered "support for internal operations."
First, with respect to persistent identifiers, the FTC proposes that they be included as "personal information" where they "can be used to recognize a user over time, or across different websites or online services."11 These would include, but would not be limited to, customer numbers held in cookies, IP addresses, processor or device serial numbers, and unique device identifiers. Critically, unlike the FTC's original modified definition, persistent identifiers would have to be able to recognize a user over time or across different websites or online services in order to be considered "personal information."
Second, the FTC proposes adding a definition for the "support for internal operations" exclusion to include "those activities necessary to: (a) maintain or analyze the functioning of the website or online service; (b) perform network communications; (c) authenticate users of, or personalize the content on, the website or online service; (d) serve contextual advertising on the website or online service; (e) protect the security or integrity of the user, website, or online service; or (f) fulfill a request of a child as permitted by [limited circumstances under the COPPA Rule]; so long as the information collected for the activities listed in (a)-(f) is not used or disclosed to contact a specific individual or for any other purpose."12 The FTC emphasized that to fall within the "support for internal operations" exclusion, the information may not be used or disclosed to contact a specific individual, including through the use of behaviorally targeted advertising, or for any other purpose not elucidated in the proposed "support for internal operations" definition.13
Implications of Proposed Amendments
The FTC's proposed amendments reflect its continued expansion of the scope of the COPPA Rule, while at the same time recognizing some of the compliance challenges faced by covered operators, as well as the need for more clarity regarding the FTC's expectations under the original proposed modifications to the COPPA Rule.
The amendments requiring operators of websites and online services directed to children to know whether advertising networks, the operators of integrated social media services or other plug-ins, or other integrated third-party services collect personal information would impose new burdens on the operators of those child-directed sites and services. Similarly, the operators of websites and online services that collect personal information through third-party websites and online services would need to assess what they know about the websites and online services into which they are integrated in order to determine whether they may have notice and consent requirements.
Otherwise, the changes generally appear helpful to operators of websites and other online services. The amendments to permit websites and online services with child-directed content to age-screen may allow those website and service operators to engage in greater collection and use of personal information from their users who are 13 years of age or older. The clarifications regarding "screen and user names" address concerns that many website and online service operators had after seeing those data elements identified as "personal information" in the original NPR. Similarly, the modifications to the definition of "support for internal operations" add some much-needed clarification.
Operators of commercial websites and online services, particularly child-directed websites or online services that contain integrated third-party services that may collect personal information, as well as websites or online services that collect personal information through integration with third-party services or that collect persistent identifiers in connection with behavioral advertising, may wish to review their existing practices and consider submitting comments.
More generally, all companies that interact with children on the Internet should be aware of COPPA, the COPPA Rule, and the FTC's enforcement in this area. Since its enactment in 2000, the COPPA Rule has been aggressively enforced by the FTC. Numerous companies have paid multimillion-dollar settlements or penalties due to non-compliance. The FTC's proposed revisions to the COPPA Rule in the original NPR, and now in the Supplemental NPR, reflect the commission's continued focus on consumer privacy, particularly with respect to children.
Our attorneys routinely counsel clients on the subtleties of COPPA and other rapidly changing domestic and international privacy issues. If you have questions in these areas or are interested in submitting comments to the FTC regarding its proposed modifications to the COPPA Rule, please contact Lydia Parnes at lparnes@wsgr.com or (202) 973-8801; Tonia Klausner at tklausner@wsgr.com or (212) 497-7706; Matthew Staples at mstaples@wsgr.com or (206) 883-2583; or any of the many members of our privacy and data security practice.
