On September 15, 2011, the Federal Trade Commission published for comments its proposed amendment to the current COPPA Rule, which is codified as 16 CFR Part 312. This proposed amendment is based on the information and comments collected during several public round tables and other consultations with the public and stakeholders in 2010. The text of the Proposed Amendment can be found at http://www.ftc.gov/os/2011/09/110915coppa.pdf. Written comments must be received on or before November 28, 2011.
The Commission proposes modifications to the Rule in the following areas:
- Definitions;
- Parental notice and consent mechanisms;
- Confidentiality and security;
- Self-regulatory safe harbor programs.
What Will Not Change
While the proposed amendment would make some significant changes in some areas, a number of issues that had raised questions will not be affected. For example:
- The definition of “child” will not change. The Rule will continue to protect children under 13, and not minors or other teens.
- The amendment does not propose a clarification of what constitutes “actual knowledge” that a site is collecting information of children. This is unfortunate, since this question is the source of many problems for companies.
Several Revised Definitions
The proposed amendment would modify and clarify a number of definitions of crucial terms. Some of these clarifications will likely be welcomed by the service providers. Other changes significantly expand the scope of the defined terms, to take into account the changes and advances in technology and online practices. For example, the proposed amendment addresses the now ubiquitous use of behavioral targeting and location information. Several definitions are affected.
Definition of “Personal Information”
The proposed amendment would expand the definition of “personal information.” The new definition would include a customer identification number held in a cookie, an IP address, a processor or device number, or a unique device identifier that is used for functions other than internal operations of the website. Among other things, this addition would cover tracking cookies used for behavioral advertising.
The proposed amendment would also add geolocation information as well as photographs, videos and audio files that contain a child’s image or voice to the definition of personal information protected under COPPA.
Definition of “Collection”
The new definition of “collection” would clarify that the Rule covers the online collection of personal information both when an operator requires the personal information and when the operator merely prompts or encourages a child to provide such information.
The revised definition would permit a website operator to allow children to participate in interactive communities without parental consent, provided that the operator take reasonable measures to delete “all or virtually all” children’s personal information before it is made public, and to delete it from its records.
Definition of “Release of Personal Information”
The amendment would define the term “release” of personal information separately from the definition of “disclosure.” A “release” would be the sharing selling, renting, or transfer of personal information to a third party.
Definition of “Online Contact Information”
The definition of “Online Contact Information” would be expanded to include instant message user identifier, VoIP identifier, and video chat user identifier.
Parents’ Notice and Consent Requirements
The amendment would provide much needed improvements to the rules that pertain to giving notice to parents and custodians and obtaining their consent.
Methods to be Used to Provide Parental Notice
COPPA requires that the parents be notified both on the operator’s website and in a notice delivered directly to the parent whose child seeks to register on the site or service. The proposed amendment would streamline the parental notice requirement. Key information would be presented to parents succinctly in a “just-in-time” notice, in addition to being presented in a privacy policy.
There are also proposed changes to the content of the notice. For example, all operators of a website would have to provide contact information including name, physical and email address, and telephone numbers. In addition, the amendment would streamline the content requirements for the notice.
Parental Consent Mechanisms
The proposed amendment would add new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database.
Concurrently, the proposed amendment would eliminate the “email – plus” method of parental consent which allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.
Confidentiality and Security Requirements
The amendment would strengthen the existing confidentiality and security requirements and would introduce new data retention and disposal requirements.
Data Retention and Deletion
The amendment would introduce a data retention and deletion requirement, which would require the data to be retained only for as long as is necessary to fulfill the purposes for which it was collected. In addition, the proposed amendment would require the operator of a website or service to delete the child’s personal information by taking reasonable measures to protect against unauthorized access to, or use of the information in connection with its disposal.
Service Providers
The amendment proposes adding a requirement that operators ensure that service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it.
This requirement is consistent with similar requirements that are in place in most – if not all – laws, regulations, rulings, and standards that address the protection of personal information. In all cases, the data custodian who gives access to personal information to a third party is responsible for ensuring that the third party protects the data with privacy, confidentiality, and security measures at least as stringent as those that the data custodian is required to use.
Safe Harbor
Finally, the amendment would strengthen the COPPA Safe Harbor Programs. It would modify the criteria for approval of self-regulatory guidelines and introduce new reporting and record keeping requirements. The amendment would require the Safe Harbor Programs to audit their members at least annually and report periodically to the Commission the results of these audits.
Comments Invited
The FTC has invited comments to the proposed amendment. These comments must be received by November 28, 2011.
Conclusion
The proposed amendment to the COPPA rule provides numerous significant additions and clarifications to the existing Rule. It takes into account changes in practices and technologies to adapt to the new forms of using online services. It also takes into account some of the obstacles encountered and questions asked by online services – and their advisors – when trying to implement some of the provisions of COPPA. While the amendment would improve and simplify the procedures to be used to notify parents and obtain their consent, it remains to be seen whether companies will be able to provide elegant and reliable methods for signing up children with their parents’ consent.