Yesterday, two FTC officials urged companies, websites and
parties (including third-parties) involved in the online and mobile
ecosystem to reassess and carefully evaluate their data collection,
use and sharing practices in light of the FTC's recent broad
expansion of its online privacy rule for children. [
Click to view our December 19, 2012 blog post]. The FTC
made clear that they would pursue entities that ignored their
obligations. During a webinar hosted by the International
Association of Privacy Professionals, FTC senior attorneys Mamie
Kresses and Phyllis Marcus described the COPPA Rule changes saying
that companies need to examine their data collection practices in
light of technological advances, and that this was the whole
purpose of the new Rule. Since the issuance of the new Rule,
there have been a lot of questions from businesses. While
many of these questions remain unanswered, what is clear is that
companies that never had to think about COPPA before, will now have
To help address some of the uncertainty, the regulators said the
FTC is planning to release a guide for businesses about the new
Rule and said they would not be issuing a static guide, signaling
their input may vary over time leading up to July 1st the effective
date of the new Rule. For instance, FTC Chief Technologist
Steve Bellovin recently proposed that industry should create a
standard--perhaps through the URL - that would allow websites to
explicitly signal their COPPA-covered status to third-parties in a
position to track children with plug-ins, widgets, or other
third-party content or services.
While much uncertainty remains, what is certain is that companies
should be evaluating their data collection practices - in light of
the new COPPA Rule changes - now. A company should identify
the spectrum of third-parties implicated by their websites and
mobile apps in order to determine: (1) which "persistent
identifiers" qualify as personal information subject to the
new Rule, (2) those instances where parental consent can be readily
obtained, and (3) those situations where parental consent is not
desired and the third-party tag or server call will need to either
be removed or replaced with one that is compliant, and (4) those
third-party arrangements which require intensive oversight and
The questions that BYOD policies seek to answer are these: (1) Who owns your device? (2) Who owns the information on your device? (3) What happens if that information (or the device itself) gets lost or stolen?
Orrick Cybersecurity & Data Privacy lawyers Emily Tabatabai and Shea Leitch co-authored an article for the International Association of Privacy Professionals' Privacy Tracker on the continued expansion...
He advises on handling internal data breach investigations; supervising forensic examinations and coordinating with law enforcement in investigations of criminal attacks; and regulatory investigations and enforcement actions by the FTC and HHS/OCR.
Privacy advocates in both the United States and Europe are urging regulators to take a hard look at the privacy ramifications of internet-connected toys, which are often conventional toys augmented by companion mobile applications.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).