Steven Roosa is a Partner in our New York office
Under the new FAQs issued by the FTC, http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions, in particular the new FAQ D11, the FTC has stated that a 3rd party (e.g. ad exchange, social network, widget supplier, databroker, ad buyer, re-targeter, 3rd-party hosted solution, real time bidding platform, etc.) can be put on "actual notice" that a website or mobile app is directed to children by being alerted to that fact by the public. "Actual notice" in such a case may consist of screenshots together with URLs and app titles, or potentially other information. According to the FTC, this may constitute "actual notice" to the 3rd party even if the website or app developer previously represented to the 3rd party (by accepting the 3rd party's terms of use) that the website or app is not directed to kids under 13.
What does this mean for 3rd Parties?
1. Mode of Notice. 3rd parties should create a single point of communication, email address, or web form, that is available and obvious to the public, for receiving COPPA-related communications from the public.
2. Process. If a member of the public or a public interest group attempts to put a 3rd party on "actual notice" of collecting information from kids under 13, via screenshots together with URLs or other information, the 3rd party needs a reliable process in place to make sure that it promptly determines whether personal information is being collected from kids. In this regard, FAQ D11 is a trap for the unwary. Failure to make a determination regarding "actual notice," after receiving the foregoing information, could result in substantial COPPA penalties: $16,000 per instance of collected information or per child.
3. Documentation. The 3rd party needs a record keeping process in place to make sure that steps 1 and 2 are fully documented.
The New FAQs:
D.9. I operate a child-directed app that allows kids to make paintings. I don't collect the paintings — they rest on the device — but the app includes buttons for popular email and social media providers that kids can click on within the app. The buttons open the email program or social network, populate it with the painting, and allow the child to share it along with a message. I don't collect or share any other personal information through the app. Do I have to seek verifiable parental consent?
Yes. The COPPA rule defines "collection" to include requesting, prompting, or encouraging a child to submit personal information online, and enabling a child to make personal information publicly available in identifiable form. In addition, under the COPPA Rule, "disclosure" includes making a child's personal information publicly available in identifiable form through an email service or other means, such as a social network. You must get verifiable parental consent before enabling children to share personal information in this manner, even through third parties on your app. This is true unless an exception applies. (See Section I, Exceptions to Prior Parental Consent). However, in the situation you describe — where a child can email a painting and a message or post content on his or her social networking page through your app — no exception applies.
D.10. I operate an advertising network service. Under what circumstances will I be held to have "actual knowledge" that I have collected personal information directly from users of another Web site or online service directed to children?
The circumstances under which you will be deemed to have acquired "actual knowledge" that you have collected personal information directly from users of a child-directed site or service will depend a lot on the particular facts of your situation. In the 2012 Statement of Basis and Purpose, the Commission set forth two cases where it believes that the actual knowledge standard will likely be met:
- where a child-directed content provider (which is strictly liable for any collection) directly communicates the child-directed nature of its content to you, the ad network; or
- where a representative of your ad network recognizes the child-directed nature of the content.
Under the first scenario, any direct communications that the child-directed provider has with you that indicate the child-directed nature of its content would give rise to actual knowledge. In addition, if a formal industry standard or convention is developed through which a site or service could signal its child-directed status to you, that would give rise to actual knowledge. Under the second scenario, whether a particular individual can obtain actual knowledge on behalf of your business depends on the facts. Prominently disclosing on your site or service methods by which individuals can contact your business with COPPA information – such as: 1) contact information for designated individuals, 2) a specific phone number, and/or 3) an online form or email address – will reduce the likelihood that you would be deemed to have gained actual knowledge through other employees. (See also FAQ D.12 below).
D.11. I operate an ad network. I receive a list of Web sites from a parents' organization, advocacy group or someone else, which says that the Web sites are child-directed. Does this give me actual knowledge of the child-directed nature of these sites?
It's unlikely the receipt of a list of purportedly child-directed Web sites alone would constitute actual knowledge. You would have no duty to investigate. It's possible, however, that you will receive screenshots or other forms of concrete information that do give you actual knowledge that the Web site is directed at children. If you receive information and are uncertain whether the site is child-directed, you may ordinarily rely on a specific affirmative representation from the Web site operator that its content is not child-directed. For this purpose, a Web site operator would not be deemed to have provided a specific affirmative representation if it merely accepts a standard provision in your Terms of Service stating that, by incorporating your code, the first party agrees that it is not child directed.
D.12. I operate an ad network and am considering participating in a system in which first-party sites could signal their child-directed status to me, such as by explicit signaling from the embedding webpage to ad networks. I understand that I would have "actual knowledge" if I collect information from users on a first-party site that has signaled its child-directed status. Are there any benefits to me if I participate in such a system?
Such a system could provide more certainty for you. If the system requires the first-party site to affirmatively certify whether it is "child-directed" or "not child-directed," and the site signals that it is "not child-directed," you may ordinarily rely on such a representation. Such reliance is advisable, however, only if first parties affirmatively signal that their sites or services are "not child-directed." You could not set that option for them as the default.
Remember, though, that you may still be faced with screenshots or other concrete information that gives you actual knowledge of the child-directed nature of the Web site despite a contradictory representation by the site. If, however, such information is inconclusive, you may ordinarily continue to rely on a specific affirmative representation made through a system that meets the criteria above.
K.2. I operate an ad network. I discover three months after the effective date of the Rule that I have been collecting personal information via a child-directed website. What are my obligations regarding personal information I collected after the Rule's effective date, but before I discovered that the information was collected via a child-directed site?
Unless an exception applies, you must provide notice and obtain verifiable parental consent if you: (1) continue to collect new personal information via the website, (2) re-collect personal information you collected before, or (3) use or disclose personal information you know to have come from the child-directed site. With respect to (3), you have to obtain verifiable parental consent before using or disclosing previously-collected data only if you have actual knowledge that you collected it from a child-directed site. In contrast, if, for example, you had converted the data about websites visited into interest categories (e.g., sports enthusiast) and no longer have any indication about where the data originally came from, you can continue to use those interest categories without providing notice or obtaining verifiable parental consent. In addition, if you had collected a persistent identifier from a user on the child-directed website, but have not associated that identifier with the website, you can continue to use the identifier without providing notice or obtaining verifiable parental consent.
With respect to the previously-collected personal information you know came from users of a child-directed site, you must comply with parents' requests under 16 C.F.R. § 312.6, including requests to delete any personal information collected from the child, even if you will not be using or disclosing it. Furthermore, as a best practice you should delete personal information you know to have come from the child-directed site.