The Children's Online Privacy Protection Act (COPPA) applies to the online collection of personal information from children under 13 and requires, among other things, that web site operators obtain parental consent before collecting such information. Last year, the FTC announced that it was reviewing its COPPA Rule to see if it required updating to reflect changes in how children are using technology. On September 15, the FTC made public its proposed changes. These changes, if adopted by the FTC, will profoundly affect companies that engage with children online and through mobile devices.
Changes to Key Definitions
The FTC proposes updating the definition of "personal information" to include geolocation information and certain types of persistent identifiers such as tracking cookies used for behavioral advertising. In addition, the FTC proposes modifying the definition of "collection" so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take "reasonable measures to delete all or virtually all children's personal information from a child's postings before they are made public."
Parental Notice
COPPA requires that parents be notified of an operator's information practices in two ways: on the operator's website or online service (the "online notice," which typically takes the form of a privacy policy), and in a notice delivered directly to a parent whose child seeks to register on the site or service (the "direct notice"). The FTC proposes changes to both kinds of notice: (1) for online notice, the FTC is proposing new requirements about placement and content; and (2) for direct notice, the FTC wants to require operators to provide more detail about the personal information already collected from the child, the purpose of the notification, the action that the parent can take, and how the information will be used.
Parental Consent Mechanisms
The FTC also proposes adding new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent's ID is deleted promptly after verification is done. These supplement the nonexclusive list of verifiable parental consent methods already set forth in the Rule.
The FTC proposes eliminating the less-reliable method of parental consent, known as "e-mail plus," which is available to operators that collect personal information only for internal use. This method currently allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.
Confidentiality and Security Requirements
The FTC proposes strengthening the Rule's current confidentiality and security requirements. Specifically, the Commission proposes adding a requirement that operators ensure that any service providers or third-parties to whom they disclose a child's personal information have in place reasonable procedures to protect it, that operators retain the information for only as long as is reasonably necessary, and that they properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.
Safe Harbor
The FTC proposes to strengthen its oversight of self-regulatory "safe harbor programs" by requiring them to audit their members at least annually and report periodically to the Commission the results of those audits.
This report is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This report does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations. For further information, feel free to contact us or other members of the firm. We welcome your comments and suggestions regarding this publication.
Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.