United States: FTC Updates To Online Privacy Acts, COPPA And VPPA

Ilardi: The Children's Online Privacy Protection Act ("COPPA") was enacted to place parents in control over what information is collected, used and disclosed from young children online. COPPA applies to operators of commercial websites and online services directed to children under the age of thirteen that collect, use, or disclose personal information from children, and to operators of general audience websites or online services with actual knowledge that they are collecting, using or disclosing personal information from children under thirteen. COPPA prohibits website operators from knowingly collecting information from children under the age of thirteen unless the operator obtains parental consent and allows parents to review their children's information and to restrict its further use. 

In order to ensure compliance with COPPA, website operators must: (i) post a clear and comprehensive privacy policy on their website describing their information practices for children's personal information; (ii) provide direct notice to parents and obtain verifiable parental consent (with limited exceptions) before collecting personal information from children; (iii) give parents the choice of consenting to the operator's collection and internal use of a child's information, but prohibiting the operator from disclosing that information to third parties; (iv) provide parents access to their child's personal information to review and/or have the information deleted; (v) give parents the opportunity to prevent further use or online collection of a child's personal information; and (vi) maintain the confidentiality, security and integrity of information they collect from children.

The Video Privacy Protection Act (the "VPPA") was passed in reaction to the disclosure of Supreme Court nominee Robert Bork's video rental records in a newspaper. The VPPA is not often invoked, but stands as one of the strongest protections of consumer privacy against a specific form of data collection. Generally, it prevents disclosure of personally identifiable rental records of "prerecorded video cassette tapes or similar audio visual material." The VPPA has several important provisions, including: (i) a general ban on the disclosure of personally identifiable rental information unless the consumer consents specifically and in writing; (ii) prohibiting the disclosure of personally identifiable rental information to police officers unless there is a valid warrant or court order; (iii) exclusion of evidence acquired in violation of the VPPA; (iv) civil remedies, including possible punitive damages and attorneys' fees, not less than $2,500; and (v) a requirement that video stores destroy rental records no longer than one year after an account is terminated. It's also worth noting that many states have enacted laws providing greater protections than the federal VPPA. Video rentals in Connecticut and Maryland, for example, are considered confidential and cannot be sold. California, Delaware, Iowa, Louisiana, New York and Rhode Island have also enacted video privacy laws. Michigan's video privacy law goes beyond the VPPA and protects records of book purchases, rentals and borrowing as well.

Editor: The Federal Trade Commission (FTC) recently enacted updates to both Acts. What is the substance of these updates?

Ilardi: On December 19, 2012, The FTC announced the adoption of its long-awaited amendments to COPPA. The updates are primarily aimed at mobile privacy, but are intended to reflect the FTC's commitment to "helping to create a safer, more secure online experience for children" in the face of rapid technological change. The amended rule will be effective July 1, 2013. Some of the key changes to COPPA include:

(i) Modifying the definition of "personal information" to include "geolocation information sufficient to identify street name and name of a city or town" and photographs, videos or audio files "where such file contains a child's image or voice."

(ii) Revising the "persistent identifier" element in the definition of personal information to cover identifiers that "can be used to recognize a user over time and across different websites or online services," specifically including Internet Protocol ("IP") addresses.

(iii) Expanding and clarifying the accepted methods for obtaining verifiable parental consent to respond to evolving technology. For example, a signed parental consent form may now be returned to the website operator by "electronic scan" and consent may be provided to "trained personnel via video-conference."

(iv) Adding an exception to the requirement to provide notice and obtain verifiable parental consent where an operator "collects a persistent identifier and no other personal information and such identifier is used for the sole purpose of providing support for the internal operations of the website or online service."

(v) Imposing a new requirement that personal information collected from children be retained only "as long as is reasonably necessary to fulfill the purpose for which the information was collected" and deleted "using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion."

(vi) Prohibiting applications and websites directed at children from using third parties to collect children's personal information through plug-ins unless parental notice is given and consent is obtained, and in some cases, such third parties will be responsible for complying with COPPA.

On January 10, 2013, President Obama signed into law amendments to the VPPA that facilitate social media sharing of video viewing preferences when users consent to disclosure of information via the Internet. The amendments provide that a consumer's written consent can now be obtained through electronic means using the Internet, provided that the consent is in a "form separate and distinct from any form setting forth other legal or financial obligations of the consumer." The amendments also permit the consumer to choose between giving consent to disclosure either: (1) in advance for a set period of time, up to two years or until consent is withdrawn, or (2) each time disclosure is sought (like under the old statute). Finally, the service provider must give the consumer "in a clear and conspicuous manner" the opportunity to withdraw consent either on a case-by-case basis or from ongoing disclosures, at the consumer's election.

Editor: What is the business impact on companies like Netflix and Facebook of the VPPA update that eases restrictions on sharing a user's online video renting/viewing history?

Ilardi: The business impact of the VPPA revisions is significant. Netflix, which was a strong advocate for the amendments of the VPPA, is now planning to launch a Netflix Facebook App this year, an initiative that would have been next to impossible under the old VPPA.  Prior to the recent amendment, the VPPA required "video tape service providers" to obtain the informed, written consent of consumers at the time disclosure of their personal information was sought. As such, providers like Netflix were largely unable to secure the type of ongoing customer consent necessary to provide certain social media features - such as Facebook integration - that are available to users outside the United States. The changes to the VPPA make obtaining the requisite customer consent much easier, by allowing consumers to grant consent via electronic means on the Internet for up to two years. In turn, service providers must obtain the consent on a separate form (distinct from other forms used to disclose legal or financial obligations), and must provide customers the opportunity to withdraw consent on a case-by-case basis or to withdraw consent from ongoing disclosures. The ability to obtain advance consent from customers offers increased flexibility for "video tape service providers" and is expected to lead to tighter integration between such video providers and social networks, such as Facebook and Twitter.

Editor: Please discuss the COPPA update that expands the definition of "personal information." Does this expanded definition apply only to COPPA, or might it be applied more generally?

Ilardi: The expansion of the definition of "personal information" is arguably the most important change to the rule. The FTC made these changes in order to address various forms of new data that the FTC considers now personally identifiable. For example, under the revised rule, "personal information" now includes (i) screen or user names in cases where these identifiers function as "online contact information" as defined in the rule; (ii) photographs and video or audio files containing a child's image or voice; and (iii) geolocation information. In addition, the FTC broadened the meaning of the term "persistent identifier" as it applies to personal information. Under the previous rule, a persistent identifier (e.g., a website cookie, IP address or a device serial number) must be linked to other information relating to a child or parent before it is classified as "personal information." Under the revised rule, a persistent identifier standing alone is considered "personal information" in instances where it can be used to recognize a user over time and across different websites or online services, except where the identifier is used solely to support the internal operations of the website or online service. In addition, a mobile device's unique identifier, or other identifier that can link a child's activities across different websites or online services, falls within the "personal information" definition under the revised Rule. This new broadened definition of "personal information" only applies to COPPA, but given the ever-changing landscape of privacy law in the U.S., it wouldn't be surprising to see amendments to other laws and new legislation addressing similar issues in different contexts.

Editor: Are there any safe harbor protections available? If so, under what circumstances?

Ilardi: An industry group may avoid compliance with COPPA if the group generates self-regulatory guidelines approved by the FTC. An industry group can request approval for such guidelines by providing the FTC with the proposed guidelines and an accompanying commentary showing compliance of the guidelines with COPPA. Such proposed guidelines must contain requirements that are substantially similar to COPPA, a mechanism for evaluation of the operators' compliance with the guidelines, and incentives for compliance. Suggested mechanisms to determine compliance include periodic and random reviews of operators' practices, periodic industry or independent reviews of practices of all subject operators, and comprehensive information practices reviews as a condition of membership in self-regulatory programs.

Editor: Going forward, what are the key components of effective online privacy policies?

Ilardi: An effective online privacy policy should disclose all of the ways in which a website collects personally identifiable and non-personally identifiable information and how that information is used. For example, does the website use cookies to collect information about its users? Does the website work with third parties to collect information about its users or provide personal information to third parties? Does the website use Twitter or Facebook application programming interface ("API") to link to users Facebook and/or Twitter accounts? If so, all of those practices should be disclosed in the privacy policy. The privacy policy should also inform users about how they can access and manage the data they have provided to the website and provide users with contact information for any questions or concerns they might have about the privacy policy and the use of their data. Finally, and most importantly, companies should comply with their privacy policy at all times and consistently review and update it in light of evolving law and policy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Events from this Firm
3 Dec 2018, Other, Los Angeles, United States

National Contract Management Association’s Government Contract Management Symposium

20 Feb 2019, Seminar, Orange, United States

The annual seminar addressing changes and developments in state and federal wage and hour laws is a unique one-day program and hundreds of California employers, personnel managers, controllers, attorneys, payroll managers, and supervisors attend each year.

21 Feb 2019, Seminar, Orange, United States

The seminar is designed to provide a guide to Human Resource Officials, Personnel Specialists, Consultants, Supervisors and other management officials through the ever-increasing maze of state and federal employment discrimination laws.

Similar Articles
Relevancy Powered by MondaqAI
Sheppard Mullin Richter & Hampton
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Sheppard Mullin Richter & Hampton
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions