FTC Proposes Revisions to COPPA Rule
On September 15, 2011 the FTC issued proposed revisions to the Children’s Online Privacy Protection Rule (the “COPPA Rule”), which imposes requirements on web sites that are directed at and/or collect personal information from children younger than 13 years old. According to the FTC, the revisions are to “ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve.” The proposed amendments would modify the Rule in five areas: definitions, parental notice, parental consent mechanisms, confidentiality and security of children’s personal information, and safe harbor programs. Each of these may have a significant impact on a company’s current online practices. In this post we summarize the proposed revisions.
Definitions
The FTC proposes to modify particular definitions to update the Rule’s coverage and to streamline the Rule’s language. The COPPA Rule requires websites and online services to obtain parental consent before collecting personal information from children. The FTC proposes to change the definition of “personal information” to include geolocation information, photos and videos containing a child’s image, audio files containing a child’s voice, and certain types of persistent identifiers used for functions other than, or in addition to, support for the internal operations of a website or online service. In addition, the FTC proposes to modify and streamline the definition of “collects or collection.” First, the FTC aims to clarify that the definition includes all means of passive online tracking, irrespective of the technology used. Additionally, the current definition of “collects or collection” includes enabling children to publicly post personal information (e.g., on social networking sites or on blogs), “except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator’s records.” Instead of a “100% deletion standard,” the FTC is proposing a “reasonable measures” standard. This means that websites and online services will not be deemed to be “collecting” children’s personal information if they employ technologies “reasonably designed to capture all or virtually all personal information inputted by children.” This change is intended to lower the hurdle to websites’ development and to encourage the development of systems “to detect and delete all or virtually all personal information that may be submitted by children prior to its public posting.”
Parental Notice
COPPA requires that websites and online services notify parents of their online information practices in two ways: on the website or online service (usually in a privacy policy), and in a “direct notice” delivered to a parent whose child seeks to register on the site or service. The FTC proposes to revise the notice requirements to reinforce COPPA’s goal of providing complete and clear information in the direct notice, and to rely less heavily on the online notice or privacy policy as a means of providing parents with information about operators’ information practices.
Parental Consent
Central to COPPA is the requirement that websites and online services must obtain parental consent before collecting, using, or disclosing children’s personal information. The FTC proposes to add several new methods to obtain parental consent to the Rule’s current list, including “electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done.” The FTC also proposes to remove the “e-mail plus” method of parental consent because it “has inhibited the development of more reliable methods of obtaining verifiable parental consent.”
Confidentiality and Security Requirements
To strengthen the Rule’s confidentiality and security requirements, the FTC proposes to require websites and online services ensure that any service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect the information. Additionally, the FTC proposes to add a new data retention and deletion provision. The new provision requires websites and online services to retain children’s personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The new provision also requires websites and online services to delete children’s personal information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.
Safe Harbors
The COPPA statute established a “safe harbor” for participants in Commission-approved COPPA self-regulatory programs. The Rule provides that websites and online services fully complying with an approved safe harbor program will be “deemed to be in compliance” with the Rule. The FTC proposes to strengthen its oversight of self-regulatory safe harbor programs by mandating that, at a minimum, safe harbor programs conduct annual reviews of each of their members’ information practices and periodically report the results to the FTC.
Although the proposed amendments expand and clarify the Rule in several ways, the breadth of COPPA’s coverage remains unclear. For example, the FTC has indicated it will continue to consider whether short message services and multimedia messaging services are covered by COPPA.
The FTC is seeking comments on the proposed revisions, which are due on or before November 28, 2011.