The US Federal Trade Commission (FTC) has issued new rules under the Children’s Online Privacy Protection Act (COPPA) that strengthen existing restrictions on the online collection and use of personal information about children under the age of 13.1The new regulations will have a significant impact on the operation of websites, applications, plug-ins, and other online services and may make it more difficult to provide online content directed toward children. But they also afford content providers additional flexibility in complying with existing obligations, including COPPA’s parental consent requirement. The new regulations go into effect on July 1, 2013.
The new rules make four fundamental changes to the prior regulations:
- Providers of websites and other online services will be considered “operators”—and therefore subject to COPPA if their website or service is directed to children—even if they have no actual knowledge that a third-party provider operating on their website or service (such as an application, plug-in, or advertising network) collects personal information from users of the site or service.
- Providers subject to COPPA will have several additional ways to obtain “verifiable parental consent” for the collection, use, and disclosure of children’s personal information.
- The definition of “personal information” will encompass a wider range of information, including persistent identifiers.
- Websites and other online services that are “directed to children” but that do not target children as their primary audience will be permitted to age-screen their users and apply COPPA’s protections only to those users who self-identify as under age 13.
In addition, the FTC adopted several other rule changes that will affect online content providers.2
Four Key Changes to the Existing Regulations
First, the FTC expanded the reach of COPPA to many websites that incorporate third-party applications, plug-ins, or advertising networks. COPPA generally prohibits an “operator” of a website “directed to children” from collecting a child’s “personal information” without parental notice and consent.3 An “operator” is an entity that collects personal information through a commercial website or that allows another entity to collect such information on its behalf.4 Under the new regulations, an entity will be an “operator” when it merely “benefits” from allowing a third party to collect personal information through the entity’s website, even without an agency relationship.5 The FTC found that websites generally benefit from incorporating third-party applications or plug-ins because those services “enhance the functionality or content” of the host website.6
The new regulations establish a “strict liability standard for child-directed sites and services.”7 That is, even if a website provider has no knowledge that a third-party application or plug-in that runs on the site is collecting personal information from children, that host website provider may be regulated as an “operator” of a website directed to children.8
Second, the FTC’s new rules expand the definition of “verifiable parental consent.”9 COPPA generally requires that an “operator” of an online service “directed to children,” or an “operator” that has actual knowledge that it collects personal information from children, obtain “verifiable parental consent” for the collection, use, or disclosure of a child’s personal information.10 The revised regulations add the following new methods for obtaining “verifiable parental consent”:
- electronically scanned versions of signed parental consent forms;
- video conferencing;
- government-issued identification; and
- debit cards and online payment systems used “in connection with a monetary transaction where … the operator provides notification of each discrete monetary transaction to the primary account holder.”11
The FTC also confirmed that an operator may obtain verifiable parental consent in other ways that are not specifically listed. For example, digital signatures or platform-based methods may be permissible in some cases.12 The new rules also establish a voluntary advisory process for FTC review and approval of additional parental consent mechanisms.13
Third, the new regulations clarify and broaden the definition of “personal information.”14 For example, personal information now expressly includes:
- photographs, videos or audio files containing a child’s image or voice, even if the files do not contain any other identifying data;15
- “persistent identifiers that can be used to recognize a user over time and across different websites or online services,” if the identifier is used for purposes beyond “support for the internal operations of the website or online service”;16
- street-name-level geolocation information, even without a specific address number;17 and
- screen names or user names that “function[ ] in the same manner as online contact information” and enable direct contact with a person online, such as an email address, voice over Internet protocol identifier, instant messaging user identifier, or video chat user identifier.18
Fourth, the new regulations allow websites that are “directed to children,” but that do not target children as their primary audience, to differentiate among their users and not treat all users as children.19 Such websites (i) may not collect personal information from any user before performing an age screen, and
(ii) may not collect, use or disclose personal information from users who self-identify as under age 13 without complying with the rules’ notice and parental consent provisions.20
Additional Changes to Existing Regulations
In addition to the changes detailed above, the new FTC regulations made many other adjustments to existing rules, including:
- The new rules expressly require an operator to take “reasonable steps” to ensure that it releases personal information only to service providers and third parties capable of maintaining the information securely. Operators must “inquire about entities’ data security capabilities and, either by contract or otherwise, receive assurances from such entities about how they will treat the personal information they receive.”21
- The FTC broadened the types of online services that will fall under COPPA. For example, when considering whether a commercial online service is one “directed to children,” the FTC now will consider in its existing “totality of the circumstances” approach a service’s musical content, as well as the presence of child celebrities or celebrities who appeal to children.22 Additionally, the new regulations consider a third-party online service as one “directed to children” if the service’s administrators have actual knowledge that the service collects personal information from users on a host site that is “directed to children.”23
- The FTC will not consider a site to have “collected personal information” if the site takes “reasonable measures” (such as “sophisticated automated filtering technologies”) to delete all or virtually all personal information from a child’s posting before it is made public, and also deletes the information from its own records.24
- The new regulations permit a website to retain personal information collected from a child for only as long as reasonably necessary to fulfill the purpose for which that information was collected. They also require an operator to delete unnecessary information using reasonable measures to protect against unauthorized access.25
- The FTC also made rule changes to streamline COPPA’s direct notice requirements and clarify the precise information that operators must provide to parents regarding their collection, use, and transfer of personal information.26
1 The FTC’s Federal Register notice and amended rules are available at http://www.ftc.gov/os/2012/12/121219copparulefrn.pdf (FTC Notice). The pre-amendment COPPA regulations can be found at 16 C.F.R. Part 312, and the statute is codified at 15 U.S.C. § 6501 et seq.
2 The process leading to the new rules began in April 2010 with a request for public comment, see 75 Fed. Reg. 17089 (Apr. 5, 2010). The FTC issued a notice of proposed rulemaking in September 2011, see 76 Fed. Reg. 59804 (Sept. 27, 2011), and a supplemental notice in August 2012, see 77 Fed. Reg. 46643 (Aug. 6, 2012).
315 U.S.C. § 6502(a); 16 C.F.R. § 312.3.
415 U.S.C. § 6501(2); 16 C.F.R. § 312.2.
5See FTC Notice at 15-24. The FTC implemented that change by adding the following language to the definitions section of its rules, particularly clause (b):
Personal information is collected or maintained on behalf of an operator when: (a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such website or online service.
FTC Notice at 154, Amended Rule § 312.2. Importantly, the FTC clarified that its new rules are not intended to encompass platforms that merely offer access to another party’s child-directed content, such as the Apple iTunes App Store or Google Play. See FTC Notice at 24.
6See FTC Notice at 22. Commissioner Maureen K. Ohlhausen dissented from this proposed change, arguing that it is inconsistent with the statutory definition of “operator” and thus “exceeds the scope of the authority granted us by Congress in COPPA”:
The proposed amendments construe the term “on whose behalf such information is collected and maintained” to reach child-directed websites or services that merely derive from a third-party plug-in some kind of benefit, which may well be unrelated to the collection and use of children’s information (e.g., content, functionality, or advertising revenue). I find that this proviso—which would extend COPPA obligations to entities that do not collect personal information from children or have access to or control of such information collected by a third-party—does not comport with the plain meaning of the statutory definition of an operator in COPPA, which covers only entities “on whose behalf such information is collected and maintained.”
Dissenting Statement of Commissioner Maureen K. Ohlhausen, at 2, http://ftc.gov/os/2012/12/121219copparulestatement.pdf.
7See FTC Notice at 20.
8See FTC Notice at 17-24. On the other hand, the rules also clarify that third-party providers of applications, plug-ins, and advertising networks are themselves subject to COPPA obligations only when those providers have “actual knowledge” that they are collecting personal information directly from users of a child-directed website or online service. See id. at 25-27.
9See FTC Notice at 60-86; id. at 160-61, Amended Rule § 312.5(b).
10 15 U.S.C. § 6502(b)(1)(A); 16 C.F.R. §§ 312.3(b), 312.5(a). Several exceptions to this requirement are detailed in § 312.5(c) of the amended regulations. See FTC Notice at 161-62.
11See FTC Notice at 60-69; id. at 160-61, Amended Rule § 312.5(b).
12See FTC Notice at 69-76. Importantly, the FTC encouraged the development of “common consent mechanisms” that could provide notice and obtain parental consent for multiple operators simultaneously. Id. at 72-75.
13See FTC Notice at 81-85. Under the new rule, the Commission will seek public comment on applications for approval of additional consent mechanisms and either approve or deny the applicant’s request in writing within 120 days. Id. at 84; id. at 166, Amended Rule § 312.12.
14See FTC Notice at 28-47; id. at 154-55, Amended Rule § 312.2.
15See FTC Notice at 40-43.
16See FTC Notice at 31-40. A “persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier.” Id. at 154, Amended Rule § 312.2. The new rules define “support for the internal operations of the website” to include many activities, including those necessary to “serve contextual advertising on the website … or cap the frequency of advertising” or to “maintain or analyze the functioning of the website.” Id. at 155, Amended Rule § 312.2.
17See FTC Notice at 43-47.
18 FTC Notice at 28-31; id. at 13-15 (discussing the meaning of “online contact information”). This broadens the existing rule, which defines “personal information” to include “a screen name that reveals an individual’s email address.” 16 C.F.R. 312.2(c).
19See FTC Notice at 47-54. The scope of this category is not entirely clear. The FTC noted: “The Commission intends the word ‘primary’ to have its common meaning, i.e., something that stands first in rank, importance or value. This must be determined by the totality of the circumstances and not through a precise audience threshold cut-off.” Id. at 53 n.162.
20See FTC Notice at 53; id. at 156, Amended Rule § 312.2 (definition of “website or online service directed to children”).
21See FTC Notice at 92-96; id. at 163, Amended Rule § 312.8.
22See FTC Notice at 52.
23See FTC Notice at 25-27; id. at 156, Amended Rule § 312.2 (definition of “website or online service directed to children,” subsection (b)).
24See FTC Notice at 8-12; id. at 152, Amended Rule § 312.2 (definition of “collects or collection,” subsection (b)).
25See FTC Notice at 96-99; id. at 164, Amended Rule § 312.10.
26See FTC Notice at 54-60; id. at 157-60, Amended Rule § 312.4.