Changes for the COPPA, Copacabana...

On December 19, the Federal Trade Commission adopted and unveiled final amendments to the Children’s Online Privacy Protection Rule in order to strengthen kids’ privacy protections and give parents greater control over the personal information that websites and online services may collect from children under 13. The COPPA Rule was mandated when Congress passed the Children’s Online Privacy Protection Act of 1998. The amendments to the Final Rule will go into effect on July 1, 2013.

The law:

  • requires that operators of websites or online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13 give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children, and
  • prohibits those websites and online services from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary for them to participate.

The FTC’s rule contains a "safe harbor" provision that allows industry groups or others to seek FTC approval of self-regulatory guidelines. The updated rule seeks to strengthen oversight of the approved self-regulatory "safe harbor programs" by requiring them to audit their members and report annually to the FTC the aggregated results of those audits.

The final amendments:

  • modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
  • recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
  • strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
  • offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
  • close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
  • extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
  • extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
  • require that covered website operators adopt reasonable procedures for data retention and deletion; and
  • strengthen the FTC’s oversight of self-regulatory safe harbor programs.

The FTC also modified some key definitions:

  • The definition of an operator has been updated to make clear that the Rule covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors. This definition does not extend liability to platforms, such as Google Play or the App Store, when such platforms merely offer the public access to child-directed apps.
  • The definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service. In addition, in contrast to sites and services whose primary target audience is children, and who must presume all users are children, sites and services that target children only as a secondary audience or to a lesser degree may differentiate among users, and will be required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13.
  • The definition of personal information now also includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice.
  • The definition of personal information requiring parental notice and consent before collection now includes “persistent identifiers” that can be used to recognize users over time and across different websites or online services. However, no parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service’s internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. Without parental consent, such information may never be used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose. The final amended Rule also adds a process allowing industry to seek formal approval to add permitted activities to the definition of support for internal operations.
  • The definition of collection of personal information has been changed so that operators may allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.

The updated definitions of personal information and operators that are only “directed to children” have spurred the most controversy. While the privacy advocacy community [including the Benton Foundation (see statement below)] welcomes the changes to personal information, this step has been warily viewed by industry for it’s potential to affect privacy procedures with respect to teens and adults. The definition of personal information now includes “persistent identifiers” which are used both internally (to improve site services) and externally (sent to 3rd parties and for behavioral advertising across sites). While the sites can still collect persistent identifiers, the use of these identifiers is curtailed by the notice and consent rule if sites want to send the information to 3rd parties or behavioral targerters. While most of the privacy community is strongly supportive of the new rules, there is also concern of the potential loophole created by the changes which allow operators of sites whose primary focus is not children. Because these sites do not have to provide notice or seek consent, the concern is that many child focused sites will simply expand their content to become “family focused” so that the burden of notice and consent only exists if they are certain that a user is 13 or under.

In a blog post, the FTC noted the new definitions the commission adopted for "operator," "website or online service directed to children," "personal information," and "support for internal operations." The FTC also highlights that in the notice that operators must send directly to parents before collecting personal info from their kids, the new rule puts key information up front. The rule also streamlines what operators have to put in their online privacy policies about their information practices. The rule allows for new ways for operators to get parental consent including electronic scans of signed parental consent forms, videoconferencing, use of government-issued ID, and alternative payment systems (assuming they meet the same stringent criteria as credit cards). Operators must take reasonable steps to make sure that before releasing information to service providers and third parties, those companies are capable of maintaining the confidentiality, security, and integrity of the information — and that they give assurances they’ll follow through. The rule also requires that operators retain kids’ personal information for only as long as is reasonably necessary and that when they dispose of it, they’ll take reasonable measures to protect against unauthorized access.

Federal officials say the mobile apps space in particular has been a Wild West, where hundreds of apps aimed at children collected personal information and shared it with ad networks without informing parents, according to a study released last week by the FTC.

However, in a departure from rule changes proposed in August, the FTC explicitly exempted app stores like those run by Apple and Google from responsibility for privacy violations by the games and other software that are sold there. Software such as Facebook's "Like" button and ads placed by advertising networks will only have to meet child online privacy regulations if companies have "actual knowledge" that they're collecting information through a website or app that targets kids. Erin Egan, Facebook’s chief privacy officer, said: “We are pleased the Commission clarified the limited circumstances under which providers of social plugins would be subject to Coppa when those plugins are displayed on other websites.”

Even at the FTC, adoption of the new rule was not unanimous. FTC Commissioner J. Thomas Rosch abstained. Fellow Commissioner Maureen Ohlhausen voted no and issued a dissenting statement on the ground that she believes a core provision of the amendments exceeds the scope of the authority granted by Congress in COPPA. She stated that, regardless of policy justifications, she cannot support extending COPPA’s statutory definition of “operator” to impose obligations on websites or online services that do not collect personal information from children or have access to or control of such information collected by a third-party.

The COPPA release event highlighted the strong congressional support for the COPPA updates from both Republicans and Democrats. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) attended, saying the update was long overdue. "The new rule puts all online companies on notice," said Chairman Rockefeller "that they are required to comply with the law. Under the new Rule, when a children’s website or application allows third-parties to collect information from children, those websites and apps will be liable under COPPA. Furthermore, those third-parties will also be held liable if they know they are collecting information on websites or apps directed toward children." Chairman Rockefeller made clear that while the FTC rules were strong he felt the Senate would have more work to do to develop even stronger protections for consumers. He followed up his statement on COPPA with references to his own "Do Not Track" bill and to the need to review policies around violent video games. Chairman Rockefeller was joined by Senator Mark Pryor (D-AR) and the two chairs of the House Bi-Partisan Privacy Caucus -- Reps. Ed Markey (D-MA) and Joe Barton (R-TX). Rep. Barton supported and praised the FTC changes and even stated that further Congressional action on the issue was necessary." The Members of Congress all mentioned the strong work of the public interest community, highlighting the work of Angela Campbell of Georgetown Law Center’s Institute for Public Representation (Benton’s lawyers on the COPPA proceeding), Jeff Chester of the Center for Digital Democracy, Kathryn Montgomery of American University and even invited a public interest representative, Common Sense Media, to speak.

"With the carefully considered changes to the COPPA rule," said Rep Henry Waxman (D-CA), the ranking member of the House Commerce Committee, "the FTC is ensuring that COPPA continues to meet its goal of keeping parents in control of their children’s information, including their location, their photographic images, and records of their online habits and activities. Congress was well aware that technology can change quickly and gave the FTC enough flexibility and discretion to make sure the law could evolve with technology. In the 14 years since COPPA was enacted, how children interact with online services has changed dramatically as these services have become accessible from almost anywhere on ever smaller mobile devices. The techniques used to collect information about all of us have also changed, becoming both more prolific and opaque."

The advertising industry lobbied hard to make sure updates to COPPA didn't chill advertising and innovation in children’s websites and apps. FTC Chairman Jon Leibowitz addressed advertisers directly, reassuring the industry that the rules would not kill advertising. “Let’s be clear about one thing: under this rule, advertisers and even ad networks can continue to advertise, even on sites directed to children,” Leibowitz said. “Business models that depend on advertising will continue to thrive. The only limit we place is on behavioral advertising, and in this regard our rule is simple: until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising purposes. Period.” At first blush, advertisers said the new rules addressed a number of their concerns.

Some smaller application developers were disappointed. Jon Potter, president of the Application Developers Alliance, said that the new regulations could prove so burdensome "that talented and responsible developers will abandon the children's app marketplace." Based on the FTC's estimate that the average app or website would need to spend $9,000 to comply with the rules, the Association for Competitive Technology estimated that the extra expense to educational apps alone could add up to $272 million. "While we appreciate the efforts of Chairman Leibowitz, we are particularly concerned with his expectatiion that the industry will simply find a solution to the new rules. It is akin to jumping off a cliff with the plan to build the parachute on the way down. While that may work for big companies, small companies lack the silk and line to build that parahute before they hit the ground," Morgan Reed, executive director of ACT, said in a statement.

The Information Technology and Innovation Foundation was not pleased with the new rule. ITIF analyst Daniel Castro said, “Due in part to FTC rule making, the Internet has failed to live up to its potential in bringing forth a new era of compelling and educational child-friendly websites. This recent announcement is just another example of how federal child privacy laws harm children more than help them. The new rule changes do not address the real problems with current privacy restrictions which are woven into the open nature of the Internet and the always changing technology environment. The FTC should have focused on rules to better address these issues and not simply restrict legitimate business practices used by companies in the Internet marketplace."

Adonis Hoffman, a communications professor at Georgetown and former general counsel of the American Association of Advertising Agencies, said, "In the tender aftermath of the tragedy at Sandy Hook, the FTC's decision to protect kids from digital harm is poignant. We are now talking about the role of parents in broader terms, and on a day-to-day basis, one of the clear and present dangers faced by kids could be the misuse of their information. Kudos to the FTC for taking a step in the right direction."

The Center for Democracy and Technology announced support for the new rule, but raised concerns that the updated definition of when a website is “directed to children” could expand COPPA's reach to general audience sites and confuse website owners as to whether these new rules apply to them. This uncertainty will likely prompt more sites to take advantage of the Commission’s new age-screening safe harbor, which could lead to many more sites demanding age or identifying information from all users before allowing access. Requiring age verification from every user runs counter to the First Amendment right to access information anonymously and increases the collection of potentially sensitive information generally. The new rule's uncertainty is magnified for third party plug-in operators, who may now be liable for the decisions of publishers to embed their plug-in on sites directed to children.

“We applaud the FTC for its rigorous and comprehensive review of the [Children’s Online Privacy Protection Act] rules and for bringing them up to date with industry changes,” said Kathryn Montgomery, a communications professor at American University and a leading advocate of the updates. “However, the commission will need to engage in ongoing monitoring efforts, as well as strong enforcement actions, if the implementation of these rules is to be effective in the long run.” “We are at a critical moment in the growth of the children’s digital marketplace as social networks, mobile phones and gaming platforms become an increasingly powerful presence in the lives of young people,” she added. “The new rules should help ensure that companies targeting children throughout the rapidly expanding digital media landscape will be required to engage in fair marketing and data collection practices.”

Jeffrey Chester, executive director of the Center for Digital Democracy and a consumer advocate who has been involved in the COPPA debate for years, said the FTC's decision was a step in the right direction but left loopholes for companies to mine kids' data inappropriately. He said he would continue to push for more scrutiny of the role of the Internet giants that distribute kids' apps.

Santa Clara University School of Law Professor Erik Goldman, writing for Forbes, called the new rules “a real mess.” He notes that most websites and apps won’t be affected directly by the rule change. “However, the news is less happy for vendors to kid-oriented websites or apps, including ad networks and app plug-ins, and for kid-oriented websites that haven’t already complied with COPPA.”

Jessica Guynn of the Los Angeles Times was quick to point out that Apple, Facebook, Google and other app purveyors are exempted from the new rules.

Natasha Singer at the New York Times writes that the new rules may allow Facebook to officially open its site to children under 13.

FTC Chairman Leibowitz said the vision is for the commission to be vigorous in privacy protection. That has some worried that the new COPPA rules, by expanding personal information to include device IDs like IP addresses, could be a template to expand privacy regulations to crack down on behaviorally targeted advertising. “This shows a concerted effort to set ground for a greater battle against interest-based advertising,” said Carl Szabo, policy council for NetChoice, a coalition of trade associations, eCommerce businesses, and online consumers.

We’ll do our best to keep you up-to-date on all the debates over online privacy -- and we’ll see you in the Headlines. Happy New Year, dear readers.

Statement of Amina Fazlullah Policy Counsel to the Benton Foundation:

"Today, the Internet is brimming with content directed at children through computers, tablets and smartphones. To safeguard children against the misuse of their personal information, the Benton Foundation strongly supports the Federal Trade Commission's action this week to expand and strengthen the Children's Online Privacy Protection Act (COPPA). Benton was proud to be a part of the public interest community to help create COPPA in 1998 and was pleased to join in the effort to update these important rules. We are proud to see the FTC include COPPA protections for geo-location information, videos and images. With these rules the FTC hands parents strong tools to protect kids online. We look forward to the FTC's implementation and enforcement of the new COPPA rule."

By Amina Fazlullah.
By Kevin Taglang.