On December 19, 2012, the Federal Trade Commission (FTC) issued final amendments to the Children's Online Privacy Protection Rule (COPPA Rule), which implements the Children's Online Privacy Protection Act (COPPA).¹

The COPPA Rule applies to operators of websites and online services² that collect information from children under 13 years of age.³ The rule is triggered where either the website/service is directed to children or the operator has actual knowledge that the website/service is collecting "personal information" from children. The rule requires covered operators to, among other things, provide detailed notice to parents about the information being collected and its uses, and to obtain parents' verifiable consent prior to collecting, using, or disclosing personal information from children.

The FTC's final amendments to the rule, effective July 1, 2013, represent the culmination of the FTC's review of the rule that it commenced in 2010.⁴ They follow the FTC's issuance of proposed amendments in September 2011 (the NPR)⁵ and certain clarifications and additional proposed amendments published in August 2012 (the Supplemental NPR),⁶ as well as multiple rounds of stakeholder comments. In previous WSGR Alerts, we discussed the most significant amendments proposed in the NPR⁷ and the Supplemental NPR.⁸ In its final amendments, the FTC retained many of its proposed updates to the rule without change, but it clarified a number of others. In some cases, the FTC responded to comments by abandoning its proposed modifications.

This WSGR Alert briefly summarizes the FTC's final amendments to the rule that we believe will be of the greatest significance to our clients. We plan to hold a webinar in January in which our attorneys will provide additional insight on the amendments and their implications for our clients and other interested parties.

Final Amendments

I. Strict liability for operators of child-directed websites and online services for third-party collection of personal information

By modifying the definition of "operator," an operator of a website or online service directed to children, or that has actual knowledge that particular users are children,⁹ will be strictly liable for the third-party collection of personal information from its website or online service (e.g., ad networks or providers of software "plug-ins").¹⁰

Under these revisions, the first-party operator will be responsible for providing parents with notice and obtaining verifiable parental consent for the third-party collection of personal information.

II. Ad networks, providers of software plug-ins, and other third parties deemed "operators" if they have actual knowledge that they directly collect personal information from users of a child-directed website or online service

Replacing an earlier, more aggressive proposal,¹¹ the FTC provided that third-party operators of websites or online services (including, for example, ad networks, operators of software plug-ins, and social media services) will be covered "co-operators" if they have actual knowledge of collecting personal information from users of a website or online service that is directed to children.¹² In that case, the third-party operator will be responsible for complying with COPPA, including by providing notice to parents and obtaining verifiable parental consent prior to collecting such information.¹³

The FTC stated that "actual knowledge" most likely would be obtained when (i) a child-directed first-party operator directly communicates the child-directed nature of its content to the third-party operator, or (ii) a representative of the third-party operator recognizes the child-directed nature of the content on the first-party operator's website or online service, but that other facts might also suffice to establish actual knowledge on a case-by-case basis.¹⁴

III. Persistent identifiers that can be used to recognize a user over time and across different websites or online services are newly covered as "personal information," with exceptions to the requirement to obtain verifiable parental consent where they are collected only for the purpose of providing support for internal operations

The amended rule amends the definition of "personal information" to include "a persistent identifier that can be used to recognize a user over time and across different websites or online services."¹⁵ Such persistent identifiers could include, but are not necessarily limited to, customer numbers held in cookies, IP addresses, and unique device identifiers.

The amended rule also includes, however, an exception to the requirement to obtain verifiable parental consent in situations in which an operator collects a persistent identifier for the sole purpose of providing support for its internal operations.¹⁶ The new definition of "support for internal operations of [a] website or online service" includes those activities necessary to (i) maintain or analyze the functioning of the website or online service; (ii) perform network communications; (iii) authenticate users of, or personalize the content on, the website or online service; (iv) serve contextual advertising on the website or online service or cap the frequency of advertising; (v) protect the security or integrity of the user, website, or online service; (vi) ensure legal or regulatory compliance; or (vii) fulfill a request of a child as permitted by two exceptions to COPPA's verifiable parental consent requirements.¹⁷

The FTC clarified specifically that "support for internal operations" does not include the collection of persistent identifiers used to track children over time and across sites or services, or to amass a profile on an individual child user based on the collection of identifiers over time and across different websites in order to make decisions or draw insights about the child.¹⁸

The rule also provides for a new method for industry members to request that the FTC formally approve new activities to be added to the "support for internal operations of the website or online service" definition.¹⁹

IV. Additional types of personal information

In addition, the amended rule includes other new types of data as "personal information" that cannot be collected from a child without parental notice and consent. These include (i) photographs, videos, and audio files that contain a child's image or voice;²⁰ (ii) screen or user names that function as "online contact information" (i.e., where they are substantially similar to an email address and permit direct contact with a person online);²¹ and geolocation information sufficient to identify street name and name of a city or town.²²

V. Revisions to definition of "website or online service directed to children"

Under the COPPA Rule, whether a website or online service, or a portion thereof, is directed to children is a totality of the circumstances test in which the FTC considers various factors such as the website's or online service's subject matter, visual or audio content, age of models, language or other characteristics, advertising, evidence regarding audience composition and intended audience, and whether a site uses animated characters and/or child-oriented activities and incentives.²³

The amendments to the COPPA Rule add musical content, the presence of child celebrities, and celebrities who appeal to children to the factors that it will consider.²⁴

The final amendments also permit a website or service that is directed to children, but that does not target children as its primary audience, to use an age screen to identify users under 13, and obtain verifiable parental consent only for data collection from those users.²⁵

VI. Streamlined notices to parents

The final amendments simplify the notices that must be provided on the operator's website and online service, as well as the direct notice to the parent.

For online notices, the final amendments eliminate the COPPA Rule's current lengthy recitation of an operator's information collection, use, and disclosure practices in favor of a simple statement of (i) what information the operator collects from children, including whether the website or online service enables a child to make personal information publicly available; (ii) how the operator uses such information; and (iii) the operator's disclosure practices for such information.²⁶

As for direct notices, the final amendments provide for "just in time" notices that are intended to be more useful to parents. The final amendments specify, in each instance in which direct notice is required, the precise information that operators must convey to parents regarding the items of personal information the operator already has obtained from the child; the purpose of the notification; action that the parent must or may take; and what use, if any, the operator will make of the personal information collected. They also specify that each direct notice must contain a link to the operator's online notice of information practices.²⁷

VI. Additional methods for obtaining verifiable parental consent

The COPPA Rule specifies that to obtain verifiable parental consent, operators must do so by "mak[ing] reasonable efforts to obtain verifiable parental consent, taking into consideration available technology," and that "[a]ny method to obtain verifiable parental consent must be reasonably calculated in light of available technology to ensure that the person providing consent is the child's parent."²⁸

The rule sets forth a non-exclusive list of methods that meet this standard, such as requiring a parent to use a credit card in connection with a transaction, or providing consent forms to be signed by the parent and returned by postal mail or facsimile. In its final amendments, the FTC added several new methods to this non-exhaustive list, including electronic scans of signed parental consent forms; videoconferencing; use of electronic or online payment systems (with appropriate direct notice to the parent), including notification of each discrete monetary transaction to the primary account holder; and use of government-issued identification (such as a driver's license or a segment of the parent's Social Security number), checked against a database, provided that the parent's ID is deleted promptly after verification is complete.²⁹

Additionally, while the FTC declined to add digital or electronic signatures to its non-exhaustive list of parental consent mechanisms, it noted that its amended COPPA Rule would not prohibit an operator's acceptance of a digitally signed consent form where the signature provides other indicia of reliability that the signor is an adult, such as an icon, certificate, or seal of authenticity that accompanies the certificate.³⁰

The FTC's amendments also add two new means of obtaining FTC approval for other proposed methods of obtaining verifiable parental consent. First, applicants will be able to present the FTC with a detailed description of the proposed consent mechanism, along with an analysis of how the mechanism meets applicable requirements. The FTC would publish the application for public comment and rule on the request within 120 days.³¹ Second, the amendments provide that operators participating in an FTC-approved COPPA safe harbor program may use any parental consent mechanism that the safe harbor program deems to meet the rule's parental consent standards.³²

Further, despite having proposed in the NPR to eliminate the "email-plus" consent mechanism, the FTC retained it in its final amendments.³³ The email-plus consent method permits operators collecting personal information only for their internal use to obtain verifiable parental consent via email, provided that the email is coupled with an additional step (such as a follow-up telephone call or letter, or a delayed follow-up email message).³⁴

VII. Strengthening of confidentiality and security requirements

The COPPA Rule presently obligates operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.³⁵ The amended COPPA Rule requires operators to take reasonable measures to release children's personal information only to service providers and third parties that are capable of maintaining the confidentiality, security, and integrity of such information, and that provide assurances that they will maintain the information in such a manner.³⁶

The amended COPPA Rule also adds new data-retention and deletion provisions under which operators must (i) retain children's personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected; and (ii) take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.³⁷

VIII. Increased oversight of safe harbor programs

COPPA contains a "safe harbor" for participants in FTC-approved COPPA self-regulatory programs.³⁸ The COPPA Rule provides that operators complying fully with an approved safe harbor program will be deemed to be in compliance with COPPA for purposes of enforcement, and participation in an approved program may afford companies some protection against FTC enforcement.³⁹

The amendments to the COPPA Rule strengthen its safe harbor provisions by: (i) requiring safe harbor program applicants to submit comprehensive information about their capability to run an effective safe harbor program; (b) establishing more rigorous baseline oversight by FTC-approved safe harbor programs of their members (including annual comprehensive reviews of members' information practices); and (c) requiring FTC-approved safe harbor programs to submit periodic reports to the FTC.⁴⁰

Implications of the Final Amendments

The FTC has aggressively enforced the COPPA Rule since its enactment in 2000. Numerous companies have paid multimillion-dollar penalties as a result of non-compliance. The FTC's changes to the COPPA Rule are significant and reflect the FTC's continued focus on consumer privacy, particularly with regard to children. Companies that collect personal information from children will need to evaluate and, where appropriate, revise their practices to conform to the modifications to the COPPA Rule. Further, the revised COPPA Rule will now impose compliance obligations on many operators of websites and online services that were previously unaffected by the rule.

Our attorneys routinely counsel clients on the subtleties of COPPA and other rapidly changing domestic and international privacy issues. As mentioned in the introduction to this alert, we will be offering a webinar in January in which we will provide additional information on the FTC's updates to the COPPA Rule. If you would like to receive an invitation to this webinar, please contact us at PrivacyAlerts@wsgr.com.

Additionally, if you have questions relating to children's privacy, please contact Lydia Parnes at lparnes@wsgr.com or (202) 973-8801; Matthew Staples at mstaples@wsgr.com or (206) 883-2583; Tracy Shapiro at tshapiro@wsgr.com or (415) 947-2042; or any of the many members of our privacy and data security practice.

¹ Federal Trade Commission, 16 C.F.R. Part 312: Children's Online Privacy Protection Rule: Final Rule Amendments and Statement of Basis and Purpose (Dec. 19, 2012), available at http://ftc.gov/os/2012/12/121219copparulefrn.pdf (Final Rule and SBP).

² The FTC has taken the position that the COPPA Rule applies to mobile apps.

³ References to "children" in this WSGR Alert are to children under 13 years of age.

⁴ The FTC was not scheduled to review the COPPA Rule again until 2017 but, citing the rapid pace of technological change, including an explosion in children's use of mobile devices and the proliferation of online social networking and interactive gaming, the FTC initiated its review of the rule on an accelerated schedule.

⁵ Federal Trade Commission, 16 C.F.R. Part 312: Children's Online Privacy Protection Rule: Proposed Rule; Request for Comment (Sept. 14, 2011), available at http://www.ftc.gov/os/2011/09/110915coppa.pdf.

⁶ Federal Trade Commission, 16 C.F.R. Part 312: Children's Online Privacy Protection Rule: Supplemental Notice of Proposed Rulemaking; Request for Comment (Aug. 6, 2012), available at http://www.ftc.gov/os/2012/08/120801copparule.pdf.

⁷ Our WSGR Alert regarding the NPR is available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/pdfsearch/wsgralert-childrens-online-privacy-protection.htm.

⁸ Our WSGR Alert regarding the Supplemental NPR is available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-COPPA-additional-revisions.htm.

⁹ The FTC's discussion of this matter in the Final Rule and SBP is framed in terms of child-directed content providers integrating plug-ins or other online services into their sites. The FTC clarified, however, that the same strict liability standard would apply to a general audience content provider that allows a third-party service to collect personal information from a specific user when the provider has actual knowledge that the user is a child. See Final Rule and SBP at *20 n. 59.

¹⁰ Final Rule and SBP at *15-24. The FTC clarified that personal information will be deemed to be collected on behalf of an operator where it benefits by allowing another person to collect personal information directly from users of such operator's website or online service. This limits the scope of the provision to operators that design or control the child-directed content, and would exclude platforms that merely provide access to a third party's child-directed websites or online services. Final Rule and SBP at *24.

¹¹ The FTC initially had proposed holding responsible as a co-operator any website or online service that "knows or has reason to know" that it is collecting personal information through a host website or online service that is directed to children. Supplemental NPR, 77 Fed. Reg. at 46,645.

¹² Final Rule and SBP at *24-27.

¹³ The FTC included an exception to this requirement in the narrow circumstance in which an operator collects a persistent identifier, and no other personal information, from a user who affirmatively interacts with the operator and whose previous registration with that operator indicates that such user is not a child. Such exception applies only where the user affirmatively interacts with the operator's online service (e.g., by clicking on a plug-in), and does not apply if the online service otherwise passively collects personal information from the user while he or she is on another site or service. See Final Rule and SBP, at *92.

¹⁴ Final Rule and SBP at *27.

¹⁵ Final Rule and SBP at *31-39.

¹⁶ Final Rule and SBP at *37.

¹⁷ Final Rule and SBP at *37-38.

¹⁸ Final Rule and SBP at *39.

¹⁹ Final Rule and SBP at *38.

²⁰ Final Rule and SBP at *40-43.

²¹ Final Rule and SBP at *28-30. The FTC clarified that this definition does not reach, among other things, single log-in identifiers that permit children to transition between devices or access related properties across multiple platforms.

²² Final Rule and SBP at *43-46.

²³ See NPR, 76 Fed. Reg. at 59,814; 16 CFR § 312.2.

²⁴ Final Rule and SBP at *52.

²⁵ Final Rule and SBP at *56-60.

²⁶ Final Rule and SBP at *52-53.

²⁷ Final Rule and SBP at *54-56.

²⁸ 16 CFR § 312.5(b)(1).

²⁹ The FTC also eliminated the use of a digital certificate using public key technology, and email accompanied by a PIN or password obtained through another FTC-approved verification method, from the COPPA Rule's non-exhaustive list of methods by which verifiable parental consent may be obtained. See 16 CFR § 312.5(b)(1); Final Rule and SBP at *160-61.

³⁰ Final Rule and SBP at *70-71.

³¹ Final Rule and SBP at *81-85.

³² Final Rule and SBP at *85-86.

³³ Final Rule and SBP at *76-81.

³⁴ 16 CFR § 312.5(b)(2).

³⁵ 16 CFR § 312.8.

³⁶ Final Rule and SBP at *95-96.

³⁷ Final Rule and SBP at *96-99.

³⁸ 15 U.S.C. § 6503.

³⁹ The COPPA Rule provides that when considering whether to initiate an investigation or to bring an enforcement action for violations of the COPPA, and in considering appropriate remedies, the FTC will take into account whether an operator has been subject to an approved safe harbor program and has taken remedial action pursuant to such program's guidelines. See 16 CFR § 312.10(b)(4).

⁴⁰ Final Rule and SBP at *99-103.