Implications Of COPPA Changes - Beyond Kids' Sites
The Federal Trade Commission's proposed changes to the Children's Online Privacy Protection rule (COPPA) have implications for all businesses, whether they direct their websites to children or not. The FTC has extended the comment deadline to Dec. 23.
Thus, companies have time to communicate to the agency that the proposed children's privacy rules must be clarified in order to prevent unintentional damage to standard online business models and general online liability protections. Websites, online advertising, social networking ventures and mobile applications potentially could be affected.
COPPA generally requires companies to obtain "verifiable parental consent" before collecting personal information from children under 13 years old (children's PII). This requirement is triggered when the company either directs a website, mobile application or other online offering to children or has actual knowledge that it has collected personal information from children online.
COPPA is a highly regulated area that is actively enforced by the FTC-sometimes to the tune of multimillion-dollar settlements. In our experience, many companies are careful to avoid appealing to children online or collecting their personal information in order to reduce regulatory risk.
The FTC ratchets up COPPA restrictions in its September proposed rulemaking, calling for:
- Expansion of the operative definition of PII, to include "persistent identifiers" such as IP addresses, cookie identification numbers and device serial numbers, meaning that COPPA potentially could apply to any computer or device linked with these identifiers, despite the fact that adults use these devices too.
- Expansion of the definition of PII to include children's photos and videos, meaning that online operators might need to obtain parents' consent before allowing children to submit such media to social networking or community sites.
- Greater specification of notices that operators must provide to parents.
- Elimination of the popular "email plus" method to seek parents' consent via email.
- New data security requirements.
- New affirmative requirements on data deletion.
Implications for Online Business - Beyond Children's Privacy
Businesses that operate online should consider commenting on the proposed COPPA rules-even if they do not collect personal information from children.
The FTC's drive on children's privacy does not occur in a vacuum. Indeed, the COPPA rulemaking echoes the privacy "wish list" of the FTC staff in its December 2010 Preliminary Report concerning general online consumer privacy (a follow-up report is expected by the end of the year). Similarities are troubling because components of the framework for children's privacy are susceptible to becoming privacy benchmarks generally, due to the FTC's considerable informal influence over acceptable practices.
For example, businesses should be concerned that IP addresses and cookie identifiers-presently considered unregulated, anonymous data-would become "individually identifying" subject to the new COPPA rule. These identifiers are fundamental to online advertising, which underwrites the free and affordable online services offered by companies.
The commission is targeting these identifiers although it admits it is "not aware of any operator directing online advertising to children." Should industry accede to the idea that these strings of numbers "personally identify" children, it will be difficult to argue that they do not also "personally identify" adults.
In other words, the COPPA rulemaking could provide collateral support for the FTC to regulate online advertising generally. Indeed, the FTC staff has told Congress that it is addressing the children's rule in the context of its views towards privacy more broadly.
The FTC also steers dangerously close to eroding critical protections in the Communications Decency Act (CDA) against intermediary liability. For 15 years, the CDA has protected online businesses from liability when they create a public platform for others to post their own content and third-party content causes injury. The Internet has flourished under this protection.
Yet in the proposed COPPA rules, the agency seeks to hold businesses responsible when they "enable" a child to make his or her personal information publicly available online-for example, on a social networking site or the child's personal website. Regulation that seeks to require businesses to cull their users' content should be closely scrutinized, both in light of the CDA's legal requirements and its success as a proven policy.