FTC Modifies COPPA Rule Proposal

4 min

The Federal Trade Commission (“FTC”) has released a new set of proposed amendments in its ongoing
review of its Children’s Online Privacy Protection Act (“COPPA”) regulations. These amendments would
alter key definitions in the COPPA regulations, modifying the FTC’s original proposal from September
2011. If finalized, the FTC’s proposals to date will significantly change who and what COPPA covers and
when COPPA applies. Comments are due by September 10, 2012.

WHO is responsible for COPPA compliance: The FTC has clarified its proposals for how COPPA
compliance responsibility would be assigned in situations when third parties collect data through websites or online services (“sites” or “services”) operated by other entities. There are two sides to this equation:

  • First, the FTC intends to add a proviso that will make sites and services responsible, in many
    cases, for executing COPPA requirements for third parties on their online properties. Examples of
    third parties are ad networks and social plug-ins. Sites and services would be “operators” if a third
    party collects “personal information” in the interest of, as a representative of, or for the benefit of
    the site or service where the data is collected. This broad proviso would encompass, for example,
    any data collection that benefits a site or service by supplying ad revenue, content, or functionality.
  • At the same time, the FTC would limit which third-party data collectors would be directly
    responsible for COPPA compliance. By statute, COPPA applies to operators of sites or services
    that are directed to children or have actual knowledge that they are collecting personal information
    from children. Recognizing that third parties face challenges in controlling or monitoring how their
    services are deployed, the FTC would provide that third-party operators would be “directed to
    children” only if they know, or have reason to know, that they are collecting “personal information”
    through another site or service that is directed to children.

WHEN a site or service is “directed to children:”

  • In addition to addressing third-party data collectors, the FTC would redefine when first-party sites
    and services are “directed to children.” Currently, numerous factors determine whether a site or
    service is “targeted to” children. While these factors would be retained, the new “directed to
    children” definition would include sites and services that either “knowingly target” or are “likely to
    attract” children as a primary audience.
  • The FTC also proposes a new approach for sites and services with mixed audiences of children
    along with teenagers or adults. Any site with a “disproportionately large” percentage of children in
    its audience would now be “directed to children,” but would have more flexibility in complying with
    the law. Such mixed-audience sites could either fulfill COPPA requirements for all users, or could
    age-screen all users and then fulfill COPPA requirements only for children. Coupled with the
    FTC’s proposed new definition of “personal information,” this provision could significantly expand
    the reach of COPPA.

WHAT “personal information” COPPA covers:

  • The FTC is attempting to clarify when “persistent identifiers” count as “personal information.”
    Currently, persistent identifiers are “personal information” only when combined with certain other
    types of data. Under the FTC’s new proposal, “personal information” would include persistent
    identifiers that can be used to recognize users over time or across different sites or services,
    unless such identifiers are used only to support internal operations. The FTC would define a list of
    acceptable “support” activities; using identifiers for any purpose that is not listed would trigger
  • Last year, the FTC proposed to add any “screen or user names” to the list of “personal
    information” under COPPA. The FTC now states that screen or user names should be “personal
    information” only when they function as online contact information.
  • The FTC has not retreated from its 2011 proposals to expand “personal information” to include, for
    example, audio and video files, photographs, certain geolocation information, and other “online
    contact information” such as VOIP and video chat identifiers. Taken together, these proposals
    would apply COPPA, for the first time, to many data elements that sites and services previously
    collected in order to avoid requesting more identifiable details from children.

Venable attorneys routinely counsel clients on COPPA requirements and we will continue to monitor all
developments and proposed changes to this Rule. If you have any questions please contact Julia Kernochan Tama, Emilio Cividanes, or Stu Ingis.