The Federal Trade Commission proposed changes to the Children's Online Privacy Protection Act rules on August 1, 2012, that would significantly expand the parties subject to COPPA and potentially impose new procedures on those online products and services that may interact with or collect data about children. Reflecting a general trend, the FTC also proposed changing the COPPA rules' definition of "personal information" to include persistent identifiers, which would narrow the information available for behavioral advertising and other activities. These proposals reflect the increased focus regulators have placed on children and the online marketplace, and are of note to a wide range of parties – whether potentially interacting directly with children or simply providing generic tools or services to those who do.
The FTC's recent proposed COPPA rule changes follow the agency's September 2011 proposed rule changes. The agency received over 350 comments in response to that proposal, and reviewed them as well as its recent enforcement experience in coming up with its more recent proposal. In the FTC's own words, the recent proposed changes "diverge" from those of the September 2011 proposal and are intended to strengthen the COPPA rules' "protections for the online collection, use or disclosure of children's personal information." The FTC proposes to do so by modifying the rules' definitions of "operator," "website or online service directed to children," "personal information" and "support for internal operations."
The COPPA rules' current definition of "operator" refers only to those who collect personal information on a website or service's behalf. Under this definition, there is a view that only those who collect personal information are responsible for complying with COPPA. This has led to the corollary view that the current COPPA rules do not apply directly to those websites that may incorporate plug-ins or other features controlled by third parties where just the plug-ins collect personal information of users, even if the website may be directed at children.
The recent proposed change would clarify that COPPA's requirements apply both to the website itself and the third party collecting data. It would do so by adding a proviso to the definition of operator stating that personal information is collected on behalf of an operator if collected "in the interest of, as a representative of, or for the benefit of, the operator." The FTC's reasoning is that information is collected on behalf of a website if it obtains advertising or other benefits from a third party plug-in service, even if the website itself does not have access to the data collected.
The FTC would further broaden COPPA's reach through the proposed change to the definition of "website or online service directed to children." The FTC appears to acknowledge that the current definition and practices around it have gaps. A particularly difficult area is websites that are child-friendly, though directed at a mixed audience. As a matter of prosecutorial discretion, the FTC so far has declined to charge operators of those sites as being directed at children. Under current practices, this allows operators of those sites to collect information from its users so long as the operator does not ask users their age. The proposed change would no longer allow that practice. Specifically, the proposed change would create three categories of websites or online services that may be directed at children. The first two, which must treat all users as children and comply with COPPA, are those sites and services that (i) "knowingly target" children under 13 as their primary audience or (ii) are "likely to attract" children under 13 as their primary audience based on the overall site or service content. The third category is mixed audience sites and services, which are those that are "likely to attract an audience that includes a disproportionately large percentage of children under age 13 as compared to the percentage of such children in the general population." For the third category of sites, the FTC proposes that those sites and services not be treated as directed at children on the whole, if collecting any personal information regarding a user, the user is first age-screened. At that point, users who self-identify under 13 must be treated as children for COPPA purposes and parental consent obtained. All other users may be treated as 13 or older. The FTC recognizes that children may lie about their age, and is structuring the safe harbor to allow a website or service to collect personal information about a child who may misrepresent their age. The FTC also recognized that the rule's strict liability standard was not appropriate for services like advertising networks, which may not purposely direct their services based on website content. The proposed rule would add a further clarification to the definition of "website or online service directed to children" to include an ad network or plug-in service only if it knows or "has reason to know" that it is collecting personal information through one of the above three categories of websites.
Finally, the proposed COPPA rule change would modify the definition of "personal information" to include screen or user names that rise to the level of online contact information and "persistent identifiers," such as IP addresses or cookies, that "recognize a user over time, or across different websites or online services," except where the identifier provides "support for the internal operations of the website or online services." The rule also offers a new definition for "support of internal operations," providing a list of examples, such as authenticating users, serving contextual advertising on the website or service and protecting user security. The FTC went out of its way to note, though, that the exception is not intended to allow information collected to be used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising.
The FTC's proposed COPPA rule changes, if adopted, likely would impose new COPPA notice, consent, and other responsibilities to a wider range of website and online services than before. Operators and providers of websites and online services that may attract children should review their existing data policies and practices in light of these proposals. The FTC is accepting comments to these proposed changes until September 10, 2012. After evaluating the comments received, the FTC will determine whether to issue specific COPPA rule amendments. For more information regarding the FTC's August 1 supplemental notice of proposed rulemaking and request for comment and its potential impact on your operations, contact one of the lawyers listed below or your regular Ropes & Gray contact.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.