The Federal Trade Commission wants to bolster the law that
prohibits the disclosure of children's personal information
online. The Children's Online Privacy Protection Act (COPPA) is
designed to ensure that children under the age of 13 do not
disclose any personal information about themselves without their
parent's permission. The COPPA rules were adopted in 2000.
Because of the many technological changes and the increase in use
of the Internet by young children since 2000, the FTC decided last
year to review the Rule to see if it needed to be amended.
As part of this process, the Commission requested comments from
the public and received nearly 200 comments from industry representatives,
advocacy groups, academics, technologists, and individual members
of the public in late 2011. The FTC proposed several amendments
that are designed to strengthen the Rules and clarify their
application to the Internet of 2012.
Some of the key proposed amendments include:
The definition of "personal information" is expanded
to include geolocation information and certain types of
"persistent identifiers" used for functions other than
the website's internal operations, such as tracking cookies
used for behavioral advertising. The Commission also proposed
revising the definition of "collection" so website
operators covered by the Rules may allow children to participate in
interactive communities without parental consent so long as the
operators take reasonable measures to delete virtually all
children's personal information.
The FTC also added several new methods of obtaining verifiable
parental consent, including the use of electronic scans of parental
consent forms and video-conferencing. The FTC also approved a
method where, if the parent's identification is deleted
immediately after verification, the website operator can check the
parent's government-issued ID card against a database. All of
these methods are in addition to the methods currently included in
Another FTC amendment would delete one current method of
parental consent, known as "email plus" which is
available to operators who collect personal information only for
internal use. Right now this method allows operators to obtain
consent through an email to the parent, coupled with one other
step, such as sending a subsequent email confirmation to the parent
after receiving initial consent.
The Commission also suggests adding a requirement that if
operators disclose any child's personal information to a
service provider or third party, those entities must have a
reasonable procedure in place to protect the information. Operators
also must retain the information only for as long as reasonably
necessary and must delete it by taking measures to protect against
access to the data during its disposal.
Finally, the FTC recommends strengthening its self-regulatory
"safe harbor" programs by requiring these groups to audit
their members at least once each year and report the result of
those audits to the Commission.
It is difficult to predict when the FTC will adopt these
amendments. But Commission staffers have mulled the public comments
since November 2011, so it's likely the amendments may be
presented to the Commissioners in the fairly near future.
The Sweepstakes Law Blog will let you know as soon as the FTC
releases the rule changes.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline’s "List of Considerations" before signing.