Child Privacy Rules with Broad Implications: Opportunity to Comment until November 28
This week, the Federal Trade Commission (FTC or Commission) received a warm welcome from the House Subcommittee on Commerce, Manufacturing and Trade for its plan to tighten regulation of children's online privacy. The House hearing adds to growing momentum for the FTC's proposed amendments to the Children's Online Privacy Protection (COPPA) Rule.
Broadcasters whose websites, online advertising, social media ventures or mobile applications might appeal to children have a clear interest in helping to shape the FTC's COPPA rulemaking. Moreover, any broadcaster that operates online should be concerned about the broader implications of this proceeding. Businesses have an opportunity to comment until November 28.
Tighter Regulation of Children's Privacy
COPPA generally requires online operators to obtain "verifiable parental consent" for the collection of personally identifiable information (PII) from children aged 12 years or younger. Regulations are triggered when a business directs an online offering to children or obtains actual knowledge that it has collected PII from children. In the past decade, the FTC has actively enforced COPPA, obtaining million dollar settlement payments.
The FTC ratchets up these restrictions on children's PII in its proposed rulemaking, calling for:
- Expansion of the operative definition of PII, to include "persistent identifiers" such as IP addresses, cookie identification numbers and device serial numbers, meaning that COPPA could apply where adults and children use the computers to which these identifiers refer.
- Expansion of the definition of PII to include children's photos and videos, meaning that online operators might need to obtain parents' consent before allowing children to submit such media to social networking or community sites.
- Greater specification of notices that operators must provide to parents.
- Elimination of the popular "email plus" method to seek parents' consent via email.
- New data security requirements.
- New affirmative requirements on data deletion.
The FTC's drive on children's privacy does not occur in a vacuum. Indeed, the COPPA rulemaking echoes the privacy "wish list" of the FTC staff in its December 2010 Preliminary Report concerning online consumer privacy (a follow-up report is expected by the end of the year). It is troubling because components of the framework for children's privacy are susceptible to becoming privacy benchmarks generally, due to the FTC's considerable informal influence over acceptable practices.
For example, broadcasters should be concerned that IP addresses and cookie identifiers-presently considered anonymous data-would become "individually identifying" under the new COPPA rule. These identifiers are fundamental to online advertising, which underwrites many free and affordable online services. The Commission is targeting these identifiers although it admits it is "not aware of any operator directing online advertising to children." Should industry accede to the idea that these strings of numbers "personally identify" children, it will be difficult to argue that they do not also "personally identify" adults. In other words, the COPPA rulemaking could help lay a stronger foundation for the FTC to regulate online advertising generally. Indeed, the FTC staff has told Congress that it is addressing the children's rule in the context of its views towards privacy more broadly.
The FTC also steers dangerously close to eroding critical protections in the Communications Decency Act (CDA) against intermediary liability. For 15 years, the CDA has protected online businesses from liability when they create a public platform for others to post their own content and third party content causes injury. The Internet has flourished under this protection. Yet in the proposed COPPA rules, the agency seeks to hold businesses responsible when they "enable" a child to make his or her personal information publicly available online-for example, on a social networking site or the child's personal website. Regulation that seeks to require businesses to cull their users' content should be closely scrutinized, both in light of the CDA's legal requirements and its success as a proven policy.