The Federal Trade Commission (“FTC”) has released a new set of proposed amendments in its ongoing
review of its Children’s Online Privacy Protection Act (“COPPA”) regulations. These amendments would
alter key definitions in the COPPA regulations, modifying the FTC’s original proposal from September
2011. If finalized, the FTC’s proposals to date will significantly change who and what COPPA covers and
when COPPA applies. Comments are due by September 10, 2012.
WHO is responsible for COPPA compliance: The FTC has clarified its proposals for how COPPA
compliance responsibility would be assigned in situations when third parties collect data through websites or online services (“sites” or “services”) operated by other entities. There are two sides to this equation:
- First, the FTC intends to add a proviso that will make sites and services responsible, in many
cases, for executing COPPA requirements for third parties on their online properties. Examples of
third parties are ad networks and social plug-ins. Sites and services would be “operators” if a third
party collects “personal information” in the interest of, as a representative of, or for the benefit of
the site or service where the data is collected. This broad proviso would encompass, for example,
any data collection that benefits a site or service by supplying ad revenue, content, or functionality. - At the same time, the FTC would limit which third-party data collectors would be directly
responsible for COPPA compliance. By statute, COPPA applies to operators of sites or services
that are directed to children or have actual knowledge that they are collecting personal information
from children. Recognizing that third parties face challenges in controlling or monitoring how their
services are deployed, the FTC would provide that third-party operators would be “directed to
children” only if they know, or have reason to know, that they are collecting “personal information”
through another site or service that is directed to children.
WHEN a site or service is “directed to children:”
- In addition to addressing third-party data collectors, the FTC would redefine when first-party sites
and services are “directed to children.” Currently, numerous factors determine whether a site or
service is “targeted to” children. While these factors would be retained, the new “directed to
children” definition would include sites and services that either “knowingly target” or are “likely to
attract” children as a primary audience. - The FTC also proposes a new approach for sites and services with mixed audiences of children
along with teenagers or adults. Any site with a “disproportionately large” percentage of children in
its audience would now be “directed to children,” but would have more flexibility in complying with
the law. Such mixed-audience sites could either fulfill COPPA requirements for all users, or could
age-screen all users and then fulfill COPPA requirements only for children. Coupled with the
FTC’s proposed new definition of “personal information,” this provision could significantly expand
the reach of COPPA.
WHAT “personal information” COPPA covers:
- The FTC is attempting to clarify when “persistent identifiers” count as “personal information.”
Currently, persistent identifiers are “personal information” only when combined with certain other
types of data. Under the FTC’s new proposal, “personal information” would include persistent
identifiers that can be used to recognize users over time or across different sites or services,
unless such identifiers are used only to support internal operations. The FTC would define a list of
acceptable “support” activities; using identifiers for any purpose that is not listed would trigger
COPPA. - Last year, the FTC proposed to add any “screen or user names” to the list of “personal
information” under COPPA. The FTC now states that screen or user names should be “personal
information” only when they function as online contact information. - The FTC has not retreated from its 2011 proposals to expand “personal information” to include, for
example, audio and video files, photographs, certain geolocation information, and other “online
contact information” such as VOIP and video chat identifiers. Taken together, these proposals
would apply COPPA, for the first time, to many data elements that sites and services previously
collected in order to avoid requesting more identifiable details from children.
Venable attorneys routinely counsel clients on COPPA requirements and we will continue to monitor all
developments and proposed changes to this Rule. If you have any questions please contact Julia Kernochan Tama, Emilio Cividanes, or Stu Ingis.