Two and a half years after initiating a review of the Children’s Online Privacy Protection Rule (the “Rule”), the Federal Trade Commission (FTC) announced on December 19, 2012 that the Rule will be amended to clarify perceived ambiguities and to strengthen the Rule’s protections for children who engage in online activities in light of significant technological changes in the online industry since the Rule went into effect more than 12 years ago (the “Amended Rule”).
The Amended Rule includes significant modifications, which are outlined below:
- The definition of “Personal information” – In a nod to new technologies and the prevalence of social networking, “personal information” has been expanded to include geolocation information and persistent identifiers that can be used to recognize a user over time and across different websites or online services, as well as some usernames, photographs, videos and audio files. While this revision seems to nullify the ability to avoid falling under COPPA by keeping users anonymous by assigning them a unique number, persistent identifiers are only covered by the Rule’s definition of Personal Information if they can be used to track users across websites, and the FTC notes that parental notice and consent are not required when an operator collects a persistent identifier (like an IP address) solely to support the website’s or online service’s internal operations (e.g., contextual advertising, frequency capping, legal compliance, site analysis, and network communications). Acknowledging the likelihood of future technical innovation, the FTC has included in the Amended Rule a process whereby industry members may request the FTC to approve additional activities to be included within the definition of “support for internal operations.”
- The definition of “Operator” – The Amended Rule clarifies that a child-directed site or service that integrates outside services (such as plug-ins or advertising networks) which themselves collect personal information from the site’s or service’s visitors qualifies as an “operator” of those services. Thus, website operators are now responsible for not only their own compliance with the Amended Rule, but compliance by third parties who collect personal information on their websites using third party services.
- The definition of “Website or online service directed to children” – The Amended Rule now explicitly provides that a “website or online service directed to children” also covers, for example, a plug-in or ad network when it has actual knowledge that it is collecting personal information directly from a user of a child directed website or online service.” However, exceptions from certain of the Rule’s requirements apply if certain conditions are not met. Additionally, the new Rule codifies, an allowance previously only articulated by the FTC in its FAQ – that is, the ability to differentiate child users from other users of a teen or general audience site by asking the user his age.
- Parental Notice: The Amended Rule revises notice requirements so that privacy policies and direct notices to parents are concise (i.e., by removing extraneous information) and timely (i.e., through a “just-in-time” message).
- Consent Mechanisms: The Amended Rule allows for several new methods by which operators can obtain parental consent, including electronic scans of signed parental consent forms, video-conferencing, use of government-issued identification and alternative payment systems (i.e., debit cards and electronic payment systems). It also allows operators to petition the FTC or a safe harbor program to approve additional methods. The amended Rule also slightly narrows the commonly used “multiple use” exception by adding a requirement that the contact information collected cannot be combined with any other information collected from the child. Finally, the FTC removed the little used public key encryption exception.
- Confidentiality and Security Requirements: The Amended Rule provides that operators only release information subject to the Rule to service providers and other third parties who are capable of, and provide assurances to, adequately safeguarding and securing data related to children.
- Safe Harbor Audits: The Amended Rule requires that safe harbor programs (i.e., approved self-regulatory programs) audit their members annually and report the aggregated audit results to the FTC annually.
- Data Retention and Deletion: The Amended Rule now requires an operator of a website or online service to limit its retention of personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator is also required to delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.
Companies who have web sites or online services that are targeted to children under 13 years of age or that knowingly collect PI from them should review their current data practices to ensure their compliance with the Amended Rule, which is scheduled to go into effect on July 1, 2013.