Steven Roosa is a Partner in our New York office

Under the new FAQ's issued by the FTC, http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions, in particular the new FAQ D11, the FTC has stated that a 3rd party (e.g. ad exchange, social network, widget supplier, databroker, ad buyer, re-targeter, 3rd-party hosted solution, real time bidding platform, etc.) can be put on "actual notice" that a website or mobile app is directed to children by being alerted to that fact by the public. "Actual notice" in such a case may consist of screenshots together with URLS and app titles, or potentially other information. According to the FTC, this may constitute "actual notice" to the 3rd Party even if the the website or app developer previously represented to the 3rd party (by accepting the 3rd party's terms of use) that the website or app is not directed to kids under 13.

What does this mean for 3rd Parties?

1. Mode of Notice. 3rd parties should create a single point of communication, email address, or web form, that is available and obvious to the public, for receiving COPPA-related communications from the public.

2. Process. If a member of the public or a public interest group attempts to put a 3rd party on "actual notice" of collecting information from kids under 13, via screenshots together with URLs or other information, the 3rd Party needs a reliable process in place to make sure that it promptly determines whether personal information is being collected from kids. In this regard, FAQ D11 is a trap for the unwary. Failure to make a determination regarding "actual notice," after receiving the foregoing information, could result in substantial COPPA penalties: 16,000 per instance of collected information or per child.

3. Documentation. The 3rd party needs a record keeping process in place to make sure that steps 1 and 2 are fully documented.

The New FAQs:

D.9. I operate a child-directed app that allows kids to make paintings. I don't collect the paintings — they rest on the device — but the app includes buttons for popular email and social media providers that kids can click on within the app. The buttons open the email program or social network, populate it with the painting, and allow the child to share it along with a message. I don't collect or share any other personal information through the app. Do I have to seek verifiable parental consent?

Yes. The COPPA rule defines "collection" to include requesting, prompting, or encouraging a child to submit personal information online, and enabling a child to make personal information publicly available in identifiable form. In addition, under the COPPA Rule, "disclosure" includes making a child's personal information publicly available in identifiable form through an email service or other means, such as a social network. You must get verifiable parental consent before enabling children to share personal information in this manner, even through third parties on your app. This is true unless an exception applies. (See Section I, Exceptions to Prior Parental Consent). However, in the situation you describe — where a child can email a painting and a message or post content on his or her social networking page through your app — no exception applies.

D.10. I operate an advertising network service. Under what circumstances will I be held to have "actual knowledge" that I have collected personal information directly from users of another Web site or online service directed to children?

The circumstances under which you will be deemed to have acquired "actual knowledge" that you have collected personal information directly from users of a child-directed site or service will depend a lot on the particular facts of your situation. In the 2012 Statement of Basis and Purpose, the Commission set forth two cases where it believes that the actual knowledge standard will likely be met:

  1. where a child-directed content provider (which is strictly liable for any collection) directly communicates the child-directed nature of its content to you, the ad network; or
  2. where a representative of your ad network recognizes the child-directed nature of the content.

Under the first scenario, any direct communications that the child-directed provider has with you that indicate the child-directed nature of its content would give rise to actual knowledge. In addition, if a formal industry standard or convention is developed through which a site or service could signal its child-directed status to you, that would give rise to actual knowledge. Under the second scenario, whether a particular individual can obtain actual knowledge on behalf of your business depends on the facts. Prominently disclosing on your site or service methods by which individuals can contact your business with COPPA information – such as: 1) contact information for designated individuals, 2) a specific phone number, and/or 3) an online form or email address – will reduce the likelihood that you would be deemed to have gained actual knowledge through other employees. (See also FAQ D.12 below).

D.11. I operate an ad network. I receive a list of Web sites from a parents' organization, advocacy group or someone else, which says that the Web sites are child-directed. Does this give me actual knowledge of the child-directed nature of these sites?

It's unlikely the receipt of a list of purportedly child-directed Web sites alone would constitute actual knowledge. You would have no duty to investigate. It's possible, however, that you will receive screenshots or other forms of concrete information that do give you actual knowledge that the Web site is directed at children. If you receive information and are uncertain whether the site is child-directed, you may ordinarily rely on a specific affirmative representation from the Web site operator that its content is not child-directed. For this purpose, a Web site operator would not be deemed to have provided a specific affirmative representation if it merely accepts a standard provision in your Terms of Service stating that, by incorporating your code, the first party agrees that it is not child directed.

D.12. I operate an ad network and am considering participating in a system in which first-party sites could signal their child-directed status to me, such as by explicit signaling from the embedding webpage to ad networks. I understand that I would have "actual knowledge" if I collect information from users on a first-party site that has signaled its child-directed status. Are there any benefits to me if I participate in such a system?

Such a system could provide more certainty for you. If the system requires the first-party site to affirmatively certify whether it is "child-directed" or "not child-directed," and the site signals that it is "not child-directed," you may ordinarily rely on such a representation. Such reliance is advisable, however, only if first parties affirmatively signal that their sites or services are "not child-directed." You could not set that option for them as the default.

Remember, though, that you may still be faced with screenshots or other concrete information that gives you actual knowledge of the child-directed nature of the Web site despite a contradictory representation by the site. If, however, such information is inconclusive, you may ordinarily continue to rely on a specific affirmative representation made through a system that meets the criteria above.

K.2. I operate an ad network. I discover three months after the effective date of the Rule that I have been collecting personal information via a child-directed website. What are my obligations regarding personal information I collected after the Rule's effective date, but before I discovered that the information was collected via a child-directed site?

Unless an exception applies, you must provide notice and obtain verifiable parental consent if you: (1) continue to collect new personal information via the website, (2) re-collect personal information you collected before, or (3) use or disclose personal information you know to have come from the child-directed site. With respect to (3), you have to obtain verifiable parental consent before using or disclosing previously-collected data only if you have actual knowledge that you collected it from a child-directed site. In contrast, if, for example, you had converted the data about websites visited into interest categories (e.g., sports enthusiast) and no longer have any indication about where the data originally came from, you can continue to use those interest categories without providing notice or obtaining verifiable parental consent. In addition, if you had collected a persistent identifier from a user on the child-directed website, but have not associated that identifier with the website, you can continue to use the identifier without providing notice or obtaining verifiable parental consent.

With respect to the previously-collected personal information you know came from users of a child-directed site, you must comply with parents' requests under 16 C.F.R. § 312.6, including requests to delete any personal information collected from the child, even if you will not be using or disclosing it. Furthermore, as a best practice you should delete personal information you know to have come from the child-directed site.