FTC's Revised Internet Privacy Rules for Children (COPPA) Published in Federal Register

By J. Bradford Currier, Marc Martin, and David Tallman

Providers of online services, websites, and applications directed at children will need to reexamine their policies regarding the collection of information from children in light of new privacy rules issued by the Federal Trade Commission and recently published in the Federal Register. The rules impose new obligations under the Children’s Online Privacy Protection Act (“COPPA”), which generally requires online services and websites to notify parents and obtain parental consent before collecting, using, or disclosing personal information from children under 13 years of age. The revised regulations were announced late last month and represent the result of more than a year-long examination of COPPA by the FTC that produced hundreds of comments from stakeholders. The COPPA revisions are just the latest step for the FTC regarding children’s privacy, which has been the focus of increased enforcement action and staff reports over recent years.

The new regulations revise the COPPA rules in five key areas:

(1) Definition Changes: The new rules expand the definition of online “operators” subject to COPPA to include child-directed sites or services that use third parties, such as plug-ins or advertising networks, to collect personal information from children. However, the FTC clarified that this change is not intended to extend liability to platforms that merely offer access to child-directed apps (such as online application storefronts). In addition, the definition of “personal information” for which parental consent must be obtained now will include location information, as well as photos, videos, and audio files that contain a child’s image or voice.

(2) Permitted Operations: The new rules permit the collection of a child’s personal information through the use of “persistent identifiers,” which recognize users over time and across different websites, for the sole purpose of supporting the online service’s internal operations (e.g., contextual advertising, frequency capping, legal compliance, site analysis, and network communications). Such information, however, cannot be used to contact a specific user, amass a profile on that person, or for any other purpose. Operators also may allow children to participate in interactive communities without parental consent, so long as they take reasonable measures to delete a child’s personal information before it is made public.

(3) “Age Screens”: The new rules distinguish between online services and websites whose primary target audience is children and those directed to a broader audience. While online services and websites whose primary target audience is children must continue to presume that all of their users are children subject to COPPA, the online services and websites directed to a broader audience may implement procedures to “age screen” users and obtain consent only for users who self-identify as under 13 years of age.

(4) Parental Notice and Consent: The new rules amend the parental notice provisions to require concise and timely notices to parents and access to operators’ privacy policies. Specifically, the notice to parents should clearly explain: (i) the types of personal information to be collected; (ii) that the parent’s consent is required for the collection of such information; and (iii) how to provide consent. The parental notice must also include a hyperlink to the operator’s privacy policy. The revised rules add several new methods for operators to obtain parental consent, including: (i) electronic scans of signed parental consent forms; (ii) videoconferencing; (iii) government-issued identification; and (iv) alternative payment systems (such as credit or debit cards), if they meet certain criteria. The FTC also established a voluntary 120-day notice and comment process so parties can seek approval of particular parental consent methods.

(5) Increased Security Measures: The new rules require websites and services to take reasonable steps to ensure that children’s personal information is released only to service providers and third parties capable of maintaining the confidentiality, security, and integrity of such information. The new rules allow the retention of children’s personal information only for as long as reasonably necessary to provide the service and also require operators to securely dispose of the information.

The revised COPPA regulations have drawn a mixed reaction. Some stakeholders have praised the FTC for striking an appropriate balance between privacy and innovation, while others have suggested that increased compliance costs will lead to a decline in online service and mobile application development. Either way, the new rules reaffirm the importance of COPPA compliance and children’s privacy issues to online services.

The revised COPPA rules will take effect on July 1, 2013.

FTC Releases Mobile App Privacy and Advertising Guide

By J. Bradford Currier, Marc Martin, and Samuel R. Castic

Developers of mobile applications are urged to adopt truthful advertising practices and build in basic privacy principles into their products under guidance recently issued by the Federal Trade Commission. The guidance is aimed at providing mobile app start-ups and independent developers with marketing recommendations designed to ensure compliance with federal consumer protection regulations. The guidance follows recent actions by the Federal Communications Commission, the White House, states, private stakeholders, and the FTC itself to establish mobile privacy codes of conduct and safeguard consumer information. The FTC guidance focuses on two key regulatory compliance areas for mobile app developers: (1) truthful advertising and (2) consumer privacy.

(1)        Truthful Advertising – The guidance recommends that mobile app developers always “[t]ell the truth about what your app can do.” The FTC cautions mobile app developers that anything a developer tells a prospective buyer or user about their app can constitute an advertisement subject to the FTC’s prohibitions on false or misleading claims. As a result, mobile app developers are encouraged to carefully consider the promises made concerning their apps on websites, in app stores, or within the app itself. Specifically, the guidance reminds mobile app developers that any claim that an app can provide health, safety, or performance benefits must be supported by “competent and reliable” scientific evidence. The FTC notes that it has taken enforcement action against mobile app developers for suggesting that their apps could treat medical conditions and recommends app developers review the FTC’s advertising guidelines before making any claims to consumers.

The guidance also advises mobile app developers to disclose key information about their products “clearly and conspicuously.” While the guidance recognizes that FTC regulation does not dictate a specific font or type size for disclosures, mobile app developers are encouraged to develop disclosures that are “big enough and clear enough that users actually notice them and understand what they say.” The FTC warns mobile app developers that it will take action against mobile app developers that attempt to “bury” important terms and conditions in long, dense licensing agreements. 

(2)        Consumer Privacy – The guidance calls upon mobile app developers to build privacy considerations into their products from the start, also known as “privacy by design” development. The FTC suggests that mobile app developers establish default privacy settings which would limit the amount of information the app will collect. The FTC also recommends that app developers provide their users with conspicuous, easy-to-use tools to control how their personal information is collected and shared. The guidance pushes mobile app developers to get users’ express agreement to: (1) any collection or sharing of information that is not readily apparent in the app; (2) any material changes to an app’s privacy policy; or (3) any collection of users’ medical, financial, or precise geolocation information. At all times, mobile app developers should be transparent with consumers about their data collection and sharing practices, especially when the app shares information with other entities. 

The FTC also advocates that mobile app developers install strong personal information security protections in their products. In order to keep sensitive data secure, the guidance suggests that mobile app developers: (1) collect only the data they need; (2) secure the data they keep by taking reasonable precautions against well-known security risks; (3) limit access to a need-to-know basis; and (4) safely dispose of data they no longer need. Mobile app developers are also encouraged to establish similar standards with any independent contractors.

The guidance also pays special attention to the issue of mobile app protection of children’s privacy under the Children’s Online Privacy Protection Act (“COPPA”). The guidance reminds mobile app developers that they must clearly explain their information practices and get parental consent before collecting personal information from children if their apps are “directed to” kids under age 13 and keep such information confidential and secure. The FTC’s recommendations parallel its recently proposed rules designed to clarify the responsibilities under COPPA when third parties (such as advertising networks or downloadable “plug-ins”) collect personal information from users on child-directed websites. Mobile app developers are encouraged to contact the FTC or review the Bureau of Consumer Protection’s business resources when developing their privacy policies.

Comment Deadline on Proposed Children's Online Privacy Rules Extended by FTC

By J. Bradford Currier and Marc Martin

The Federal Trade Commission has extended the deadline for comments on the agency’s proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) released earlier this month. As we reported previously, the proposed rules would modify key definitions contained in COPPA to clarify the parental notice and consent responsibilities of website operators as well as third-party advertisers and “plug-in” developers that collect personal information on children. The proposed rules also aim to establish clear guidelines for the use of so-called “persistent identifiers” and would potentially allow websites which appeal to a general audience to “age screen” users by birth date and provide parental notice and obtain consent only for users who identify themselves as under 13 years of age. 

Comments on the proposed rules will now be accepted until September 24, 2012.

FCC Political File Rule Effective Date Set

By J. Bradford Currier and Marc Martin

Major television stations throughout the country will soon be required to disclose online how much candidates and interest groups pay for political advertisements. The so-called “political file” rules will take effect on August 2, 2012, following approval by the Office of Management and Budget of the online disclosure requirements adopted by the Federal Communications Commission in April 2012. The political file rules will initially apply only to television stations located in the top 50 national markets that are affiliated with the “big four” national broadcast networks. All other stations will need to comply with the political file rules by July 1, 2014. In addition to political advertising pricing and sales data, the FCC’s rules require television stations to provide programming lists, retransmission consent elections, joint sales agreements, FCC investigation notices, and other information in the online file hosted by the FCC.

The political file rules have drawn harsh criticism from certain broadcasters and lawmakers. Under the FCC’s rules, broadcast and cable stations may only charge political candidates the “lowest unit” rate for commercial advertisements. Broadcasters are concerned that making their political advertising rates widely accessible may cause private-sector advertisers to demand the same low price. In May, a group of broadcasters filed suit in federal court, alleging the political file rules violate the free speech protections of the First Amendment and exceed the FCC’s authority. Broadcasters also asked the OMB to reject the information collection requirements imposed by the political file rules as unduly burdensome and duplicative of existing FCC reporting obligations. A coalition of Republican lawmakers joined the broadcasters’ opposition to the new rules by introducing a rider to the recent FCC appropriation bill which would have cut off funds for implementing the political file requirements. Late last month, the lawmakers abandoned the rider, but inserted new language requiring the Government Accountability Office to analyze the economic impact of the rules. Public interest groups have opposed the broadcasters’ challenges, stating that the new disclosure requirements are well within the FCC’s authority and improve transparency-related goals.

FTC Launches Antitrust Investigation Against Google

By Ryan Demotte

Last week Google acknowledged in an SEC filing that the Federal Trade Commission has launched a formal antitrust inquiry into the company’s search and advertising business practices, issuing a subpoena and notice of a civil investigative demand to the company. According to news reports, FTC lawyers have been informally gathering information for several months concerning the way Google orders search results and advertising. By taking this step, the FTC can compel Google to turn over a wide range of internal information concerning its business. Rivals argue that Google engages in anticompetitive conduct by using its dominance in the search market to favor its own services and reduce web traffic to competing services. Google already faces a similar investigation by European regulators.

In a response posted on its official blog, Google provided a preview of what may be its core defense to any antitrust allegations – that competition in the search engine market is “only one click away,” and that users are free to use any of a variety of alternatives to Google. 

Using Google is a choice – and there are lots of other choices available to you for getting information: other general-interest search engines, specialized search engines, direct navigation to websites, mobile applications, social networks, and more.   

According to this line of reasoning, since consumers, i.e. search engine users, can switch to alternative search engines at virtually no cost, Google does not have market power. Critics, on the other hand, point to Google’s high market share – over 66 percent in the U.S. and greater in Europe - as evidence that Google effectively controls traffic to web sites, and thus does have market power in search that can be leveraged anti-competitively in other businesses.

While Google has faced antitrust scrutiny on some of its acquisitions in the past, this investigation is the first to focus on its core business of search and advertising, and thus presents potentially serious legal risk for the company.

FTC Continues to Flex Its Enforcement Muscle With Regard to Social Media Promotional Activity

by Ann M. Begley, Lawrence C. Lanpher and Carolina M. Heavner

The Federal Trade Commission’s (“FTC”) recent action against a company and its owner in connection with the allegedly deceptive promotion of music teaching tools signals FTC’s continued intention to keep social media promotional activity as an enforcement priority. In its third public investigation and second enforcement action since issuing its revised Guides Concerning the Use of Endorsements and Testimonials in Advertising[1] (hereafter, FTC Endorsement/Testimonial Guides) in December 2009, FTC continues to expand advertisers’ responsibility to monitor third party interactive media communications containing endorsements of advertisers’ products.

In finding the advertiser and its owner, an individual, responsible for assuring that endorsers adequately disclose any material connections with the advertiser, FTC states that an advertiser agreement that requires endorsers to comply with FTC guidelines and disclosures is insufficient in the absence of an advertiser monitoring program that ensures clear and prominent disclosure of the relationship with the advertiser.[2]

Thus, in addition to a $250,000 penalty against the company and its owner, FTC has required a far-reaching monitoring program – a potentially expensive and burdensome commitment for the future.

Material Connection
The first public FTC investigation in this area concerned a division of the popular fashion company Ann Taylor Stores Corp., LOFT. The FTC investigation of LOFT was prompted by an exclusive event held by the company in January 2010 where it invited bloggers to preview the store’s 2010 summer collection.[3]FTC focused on LOFT’s provision of gifts to bloggers with the expectation that they would blog about the event. FTC was concerned that bloggers failed to disclose that they received gifts for posting blog content.

While deciding not to take enforcement action in this case due to mitigating factors, in the closing letter issued to the company, FTC noted that “[d]epending on the circumstances, an advertiser’s provision of a gift to a blogger for posting blog content about an event could constitute a material connection that is not reasonably expected by readers of the blog.”[4]

FTC’s statements concerning the need for disclosures of a “material connection” in Ann Taylor Stores are not unlike its statements in section 255.5, example 7, of the FTC Endorsement/Testimonial Guides describing a company that gave a free game system to a video game expert blogger for review. In the example, readers of the blog frequently sought advice from the blogger regarding video game hardware and software. FTC stated that this particular blogging forum created an environment in which readers are unlikely to know that the blogger received a free game in exchange for the review, and that the value of the game could materially affect the credibility they attach to the endorsement. The FTC Endorsement/Testimonial Guides state that under such circumstances, the connection must be fully disclosed.

Clear and Prominent Disclosure
A second investigation (and the first enforcement action) pursuant to the FTC Endorsement/Testimonial Guides held the endorser liable for failure to clearly and prominently disclose the endorser’s material connection to the product developer.[5]

According to FTC, employees of Reverb Communications, Inc. (“Reverb Communications”), a public relations agency, posted public reviews about its clients’ gaming applications in the iTunes Store “using account names that would give the readers of these activities the impression [that] they had been submitted by disinterested consumers.”[6] The reviews endorsed the products by giving them high ratings (four or five stars) and posting positive comments about the gaming applications in iTunes.

FTC found that Reverb Communications had engaged in deceptive advertising by posing as “ordinary consumers,” and failing to disclose both that the reviews were submitted by paid employees working on behalf of the developers of the gaming applications and that the company was often paid a percentage of the applications’ sales. FTC concluded that these facts would have been “material” to consumers when making a decision to purchase a particular gaming application.

In addition to requiring Reverb Communications to “take reasonable steps” to remove any previously posted endorsement that misrepresented the authors as independent reviewers or endorsers, the Reverb Communications Final Order also prohibited the company from making any representation about a product or service “unless they disclose, clearly and prominently, a material connection,” when one exists.[7] FTC elaborated on the meaning of “clear and prominent” for purposes of satisfying the FTC Endorsement/Testimonial Guides requirement to disclose material connections:

Text Communications: (e.g., printed publications or words displayed on the screen of a computer) the required disclosure must be of a type, size and location “sufficiently noticeable” for an “ordinary consumer” to read and comprehend.

Audio Communications: (e.g., radio or streaming audio) the required disclosure must be delivered in a “volume and cadence” sufficient for an “ordinary consumer” to hear and comprehend.

Video Communications: (e.g., television or streaming video) the required disclosures must be consistent with the requirement for textual communications and appear on the screen for a sufficient period of time to allow an “ordinary consumer” to read and comprehend.

Interactive Media Communications: (e.g., internet, online services, software) the required disclosures must be “unavoidable” and presented in a manner consistent with the requirements for textual communications, as well as audio and video, if applicable.

FTC stated that all such disclosures must be presented in an understandable language/syntax and in the same language as the predominant language used in the communication, and with no language that is in conflict with or mitigates the disclosure.[8]

Advertiser Monitoring
In FTC’s most recent enforcement action, it further expands on concepts set forth in the FTC Endorsement/Testimonial Guides by describing expectations related to advertiser monitoring of endorser activities. In Legacy, the advertiser used an online program through which it recruited “Review Ad Affiliates” to promote its musical instrument courses through endorsements in articles, blog posts, and other online material. The endorsements were required to include a hyperlink to the Legacy website in close proximity to the review.[9] Below are examples of some of the endorsements:[10]

“www.bestguitarsoftware.com: Features . . . . (5 Stars out of
5 stars) The undisputed No. 1 training product for someone wanting to learn how to play the guitar.”

“www.reviewmspy.com: Learn and Master Guitar. 4.9/5 Stars, The best home study DVD course for guitar I have ever seen.”

“www.reviewsnest.com: Review Nest, The Independent Reviews Site.”

Affiliates received substantial commissions (20%-45%) on sales of each product resulting from a referral.

Since the release of the revised FTC Endorsement/Testimonial Guides, Legacy has required its Affiliates to sign a contract requiring them to comply with FTC’s guidelines and disclosures. However, FTC concluded that the contract without advertiser monitoring was insufficient. Legacy “failed to implement a reasonable monitoring program to ensure that the [Affiliates] clearly and prominently disclos[ed] their relationship to Legacy.”[11]

FTC stated in the Legacy Complaint that many Affiliates either failed to provide any disclosure of a Legacy relationship, or provided disclosures through inconspicuous hyperlinks located at the bottom of the Affiliates’ websites. As a result of these findings, FTC stated that the Affiliates’ reviews were false and misleading, that the failure to disclose the financial relationship was a deceptive practice, and that these acts and practices constituted unfair or deceptive acts or trade practices in violation of Section 5(a) of the FTC Act. Legacy and its owner, Lester Gabriel Smith, have agreed to an administrative settlement which includes a proposed consent order. Following public comment, FTC will make a final determination as to the proposed order.

The Legacy 20-year proposed consent order contains several familiar requirements, including a civil penalty ($250,000) and employee notification requirements. In addition, it adopts the detailed description of “clearly and prominently” found in Reverb Communications, signifying an FTC standard for this term. However, this case is of particular interest in that it sets forth an advertiser monitoring program that contains elements that also may become standard. 

In Legacy, the company and its owner have agreed to establish a time-intensive monitoring program that includes the following elements:

  • Monthly monitoring and review of the activities of its top 50 revenue-generating Affiliates to ensure that the Affiliates do not misrepresent the status of their relationship with Legacy, and that the Affiliates’ material connection to Legacy is adequately disclosed. The monitoring activity must occur in a “manner reasonably calculated not to disclose the source of the monitoring [] at the time it is being conducted.”

  • Similar monthly monitoring and review activities in connection with Legacy’s remaining Affiliates, using a random sampling approach that includes at least 50 Affiliates.

  • Procedures to terminate and stop payment to any Affiliate where Legacy determines that the Affiliate either misrepresented its status (e.g., an independent user or ordinary consumer), or failed to clearly and prominently disclose the material connection between the Affiliate and Legacy.

  • Creation and maintenance of reports sufficient to show the results of its monitoring.

According to the FTC press release, Legacy must submit these reports to FTC on a monthly basis, with such submissions to last for 20 years.

Legacy Fall-Out/Considerations
Needless to say, the monitoring program with monthly reports to FTC for the next 20 years may present a significant compliance burden for Legacy. This likely comes after a period of informal litigation where the company was required to respond to FTC data requests, followed by a need to negotiate the proposed consent order. The company had the opportunity to reject the proposed order and to take its chances in litigation with the FTC. However, no one can predict with certainty how such litigation might turn out, other than that it would be very expensive. Obviously, Legacy decided against this route.         

Nonetheless, with FTC taking seemingly ever-more-aggressive positions, companies should carefully consider whether settlement is the best course of action. A well-prepared company might prevail in cases where the company chooses to litigate. Thus, in addition to the development and implementation of a sound compliance program, a company should always consider its litigation posture depending on the facts.

Legacy, along with Ann Taylor Stores and Reverb Communications, demonstrates FTC’s ongoing intent to enforce the FTC Endorsement/Testimonial Guides in the social media space. Controlling the message in these new consumer-generated media venues clearly raises logistical complications not encountered in the traditional advertising forums, but FTC will expect companies across all industries to take active steps to maintain control where there is a material connection.

It is not enough for an advertiser to obtain compliance pledges from its endorsers. Rather, the advertiser bears responsibility according to FTC to make sure the commitments are carried out. Thus, endorser agreements, advertiser monitoring, endorser education, and procedures to halt deceptive representations when they are discovered should all be considered as the advertiser develops a compliance program.

Please contact us if you have any questions or would like assistance in developing or reviewing a compliance program.

[1] 16 C.F.R. Part 255; http://ftc.gov/os/2009/10/091005revisedendorsementguides.pdf.

[2] See In the Matter of Legacy Learning Systems Inc., FTC File No. 1023055 (hereafter Legacy), March 15, 2011. Available at http://ftc.gov/os/caselist/1023055/110315llsagree.pdf.

[3] See Closing Letter Issued to AnnTaylor [sic] Stores Corp., FTC File No. 102-3147 (hereafter Ann Taylor Stores), April 2010. Available at http://www.ftc.gov/os/closings/100420anntaylorclosingletter.pdf.

[4] Id.

[5] See In the Matter of Reverb Communications, Inc., FTC Docket No. C-4310 (hereafter Reverb Communications), November 22, 2010. Available at http://www.ftc.gov/os/caselist/0923199/index.shtm.

[6] See Reverb Communications FTC Complaint.

[7] See Reverb Communications Final Order (emphasis added).

[8] Id.

[9] See Legacy FTC Complaint, Para. 6.

[10] Id. at Para. 7.

[11] See Legacy FTC Complaint, Para. 9.

Ann M. Begley, +1.202.778.9365, ann.begley@klgates.com
Lawrence C. Lanpher, +1.202.778.9011, lawrence.lanpher@klgates.com
Carolina M. Heavner, +1.202.778.9175, carolina.heavner@klgates.com