By J. Bradford Currier, Marc Martin, and Lauren Pryor
Websites, social media platforms, software “plug in” developers, and online advertisements aimed at children may face new restrictions under proposed rules recently released by the Federal Trade Commission. The proposed rules would modify key definitions contained in the Children’s Online Privacy Protection Act (“COPPA”), which requires websites or online services directed at children under the age of 13 to seek and obtain parental consent before collecting or using a child’s personal information. With the new definitions, the FTC aims to clarify the responsibilities under COPPA when third parties (such as advertising networks or downloadable “plug-ins”) collect personal information from users on child-directed websites. The proposed rules represent another example of the FTC’s recent efforts to expand its enforcement on a variety of privacy-related issues related to children. Comments on the proposed rules will be accepted until September 10, 2012.
The proposed rules modify the scope of the FTC’s COPPA Notice of Proposed Rulemaking released in September 2011. As we reported previously, the earlier proposals would have expanded the definition of personal information to include so-called “persistent identifiers,” which represent unique user identification information obtained through “cookies” or other methods for purposes other than to support the website/service’s internal operations. The initial proposals would also have extended COPPA protections to photographs, videos, or audio files that include a child’s image or voice. The prior proposals further stated that the FTC would consider a wider range of factors, including whether a website included child celebrities and music content, when determining whether a website or online service was directed to children. Stakeholders submitted hundreds of comments in response to the 2011 proposals, leading the FTC to release this new round of proposed rule changes.
The new proposed rules modify the obligations under COPPA in three key areas:
(1) Website Operators
Previous FTC guidance suggested that the responsibility for providing notice to parents and obtaining consent for the collection of personal information from children rested with the entity actually collecting the information. As a result, a child-directed website/service operator could permit others to collect personal information from child visitors without taking responsibility for seeking and obtaining parental consent. The proposed rules would now hold responsible both the child-directed website/service operator andany third-parties collecting information on such operator’s behalf for the parental consent requirements. Specifically, the FTC stated that “an operator of a child-directed site or service that chooses to integrate into its site or service other services that collect personal information from its visitors should be considered a covered operator under [COPPA].” The FTC noted that the website/service operator is often in the best position to give notice and obtain consent from parents and can control which third-party plug-ins, software downloads, or advertising networks are integrated into its site.
(2) Website/Service Directed to Children
The COPPA rules only apply to websites/services “directed to children.” The new rules would clarify that that a third-party plug-in, software download, or advertising network is covered under COPPA when the third-party provider “knows or has reason to know” that it is collecting personal information through a child-directed website or online service. The new rules would not require third-party providers to monitor or investigate whether their services are incorporated into child-directed websites/services, but providers may not ignore information brought to their attention indicating that incorporation has occurred.
The proposed rules also attempt to address the fact that some websites/services that contain child-oriented content may also be of interest to adults. Under current FTC rules, these sites must treat all visitors as under 13 years of age. In response, some commenters suggested that the FTC adopt a system that would permit websites/services directed to a broad audience to implement procedures to differentiate among users and require notice and consent only for users who self-identify as under age 13 years of age. The FTC agreed. The new rules allow general audience websites/services to “age screen” all users (i.e. by supplying a birth date) and provide notice and obtain consent only for users who identify themselves as under 13 years of age. The FTC recognized that child users may lie about their age, but thought the age screening process “strike[s] the correct balance” between privacy and access. However, child-directed websites/services that knowingly target children under 13 as their “primary audience” or whose overall content is likely to attract children under 13 must continue to treat all users as children under COPPA.
(3) Persistent Identifiers and Website/Service Support
The new rules clarify how child-directed websites/services can use persistent identifiers. The FTC first reiterated its 2011 proposal that persistent identifiers should be included in the definition of personal information. The FTC then stated that website/service operators may still use persistent identifiers without obtaining consent for activities such as performing site maintenance and analysis; performing network communications; authenticating users; maintaining user preferences; serving contextual advertisements; and protecting against fraud and theft. The exemption would not apply when the information collected through persistent identifiers is used to contact a user directly, including through the use of behaviorally-targeted advertising, or for any other purpose.