What the Newly Revised COPPA Rule Means to Marketers
March 20, 2013
John Feldman, partner at Reed Smith, moderated a panel discussion with participants Wayne Keeley, vice president and director of the Children’s Advertising Review Unit (CARU) at the Council of Better Business Bureaus, and Kandi Parsons, staff attorney of the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC), on revisions to the Children’s Online Privacy Protection Rule and how they will affect privacy enforcement and self-regulation. The most significant changes involved definitions, online and direct notices, and parental consent mechanisms.
The Children’s Online Privacy Protection Act (COPPA) is a federal statute that imposes notice and consent requirements on the operators of websites or online services that are directed toward children under the age of 13, as well as operators of general audience sites who have actual knowledge that they are collecting or storing personal information from children under the age of 13. The Children’s Online Privacy Protection Rule (the “Rule”) is the regulation by which the FTC enforces COPPA. The amended FTC Rule, scheduled to go into effect on July 1, 2013, is targeted to address the explosive growth of online data collection, behavioral marketing, and the ubiquitous use of tablets, smart phones and other mobile devices by children.
The Rule dramatically increases the liability for operators of websites and Internet applications that are directed to children or that knowingly collect personal information of children. For the first time, these operators will be required to provide notice and parental consent for the collection activities of independent third parties like social network plug-ins and behind-the-scenes advertising networks. The Rule also amends the definition of personal information to include persistent identifiers (e.g., cookies, user IDs, IP addresses, processor or device serial numbers, or unique device identifiers), geolocation information (that identifies street name and name of a city or town), screen/user names (where they function in the same manner as online contact information), and photographs, videos, or audio files containing a child’s image or voice. Other amendments to the Rule are as follows:
- Streamline and clarify the direct notice requirements to ensure that key information is presented to parents in a succinct ‘‘just-in-time’’ notice.
- Expand the non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent.
- Create new exceptions to the Rule’s notice and consent requirements.
- Strengthen data security protections.
- Require reasonable data retention and deletion procedures.
- Strengthen the Commission’s oversight of self-regulatory Safe Harbor programs.
- Institute voluntary pre-approval mechanisms for new consent methods and for activities that support the internal operations of a web site or online service.
John Feldman, partner at Reed Smith: What are the differences between the CARU guidelines and the COPPA Rule? Should the space between the two be closing?
Wayne Keeley, vice president and director of CARU at the Council of Better Business Bureaus: There has always been a gap between the COPPA Rule and our guidelines. Our self-regulatory guidelines have been in effect for the past 30 years, even before COPPA was implemented, and there is carryover from our guidelines into the COPPA Rule. I think the new modifications of COPPA are an indication that the gap has closed a bit.
Reed Smith: With regards to the closure of that gap, if a CARU decision were to say that an advertiser’s website isn’t in compliance with COPPA, what does that communicate to the public? And to what degree is CARU enforcing COPPA?
CARU: Self-regulation has worked, both on the National Advertising Division level and on the CARU level. Our enforcement comes from our guidelines, which are consistent with COPPA. Under the Safe Harbor program, we’re mandated by the FTC to enforce compliance with COPPA. We don’t tell people they’re in violation of COPPA; we tell them that they may not be in compliance. At that point, it’s up to them. Our Safe Harbor program was first approved by the FTC in 2001, so it has been around for a long time, and we believe both the participants and the FTC have been satisfied. I think any additional oversight isn’t that big of a change for CARU, since we’ve periodically reviewed our Safe Harbors.
Reed Smith: In regards to the use of social media, when would it be appropriate to rely on a Facebook Connect plug-in to register for a website?
Kandi Parsons, staff attorney of the Division of Privacy and Identity Protection at the FTC: The FTC has said that you can be “a child-directed website where part of your audience is intended to be towards children but part of your audience may also be toward people 13 and over.” Therefore, instead of treating everyone like a child, you can use an age screener to funnel children under 13 into a COPPA-compliant area and funnel people 13 and over into another area. However, that age screener should be neutral so that you aren’t encouraging children to lie. The current Facebook Connect model doesn’t offer a neutral age-screen.
Reed Smith: Suppose that a website operator who provides streaming video content for children allows a third-party ad network to drop cookies on the operator’s site to track the video viewing history of the children. The cookies only collect IP address, age of user, and video viewing history. The viewing history is used only to suggest other similar videos on the operator’s site. How would this situation be analyzed?
FTC: In this scenario, you’re using and collecting “personal information.” The IP address and the cookie are persistent identifiers under the revised rule. If you’re collecting no other personal information under the Rule, you might fall under the support for internal operations exception. The recommending of similar videos could fall under personalization and possibly contextual advertising. You would want to make sure that the third party isn’t tracking the user across websites, though.
Reed Smith: What evidence will the FTC want to see in an operator’s file to enable it to effectively argue against prosecution in this new strict liability environment?
FTC: Let’s take the scenario you used before, where a child-directed site decides to use a service provider to recommend other content. The FTC would look into whether the operator asked the third party the right questions, like how it works and how they plan to track users across sites. The FTC expects operators to be aware of what they’re putting on their sites and to check to make sure that the third party they’re using is being genuine. Third-party plug-ins can certainly enhance your cyber service, but it’s important for operators to understand what’s going on behind the scenes, which is where contracts, asking questions, and checklists can come in handy.
Reed Smith: Does the language of strict liability seem a bit scarier than it actually is?
FTC: You’re strictly liable, but we have prosecutorial discretion and we only have so many resources available. We expect operators to do their due diligence by looking behind the marketing, but if someone tricks them by changing their service, we take that into consideration.
Reed Smith: Another important change has to do with notice. The new provisions require the posting of a prominent link wherever personal information is collected from a child. Now that the FTC has broadened out the definition of personal information so that collection of a personal identifier might occur on almost every page of a site or service, is FTC expecting that there will be a need for a link on every page?
FTC: Keep in mind that collection of persistent identifier and no other personal information, or your internal operations, is exempt from the notice and consent requirements. If you’re just using an IP address to deliver the service, you’re not going to need it on every page. The second piece is that this isn’t much different than what a lot of sites are already doing; most sites already link to their privacy practices on all their pages. The FTC just wanted to make this a requirement where personal information is collected from children.
Reed Smith: The FTC’s revision to the definition of personal information notably refocuses on how it approaches persistent identifiers. Under the existing rule, the persistent identifier would be “personal information” if such identifier were associated with personally identifiable information. Under the revised rule, the FTC essentially skips a step and just assumes that it is associated with personally identifiable information. Can you elaborate on that change and the implications that it might have on a greater number of enforcement activities?
FTC: In my view, the FTC didn’t skip a step by saying that it needed to be connected to personally identifiable information, but rather looked at what was out there that allowed for the online contacting of children. The way persistent identifiers operate in 2013 is that you can contact individuals through persistent identifiers, targeted advertising, and unique device identifiers (which allows for pushing messages to mobile devices).
Question and Answer
Q. What evidence did the FTC have that necessitated the Rule changes as opposed to working it out through CARU and self-regulation?
FTC: Not every child-directed site or service operates under a Safe Harbor; many operate on their own. The FTC felt technology and the ways children could be contacted online had changed dramatically since the first Rule was enacted in 1999, so we updated it to reflect how the ecosystem works now. The Safe Harbors will integrate those changes into their programs, and the FTC will enforce against those entities that aren’t Safe Harbors.
Q. This is the first time the FTC has been able to say that behavior advertising is unlawful. Is this a bellwether towards a desire to make behavior advertising unlawful?
FTC: In my opinion, the answer is no. The FTC puts out best practice recommendations (e.g., “Do Not Track” option) so that consumers can make choices about how they’re tracked and targeted, and may, in some cases, even choose to receive interest-based advertising. However, children are a unique sub-set of our consumers because they don’t even understand what an advertisement means, which makes them highly susceptible to advertising. For this reason, the FTC has said that it isn’t appropriate to contact children online without parental consent.
“What the Newly Revised COPPA Rule Means to Marketers.” John Feldman, Partner at Reed Smith; Wayne Keeley, Vice President and Director of the Children’s Advertising Review Unit (CARU) at the Council of Better Business Bureaus; Kandi Parsons, Staff Attorney of the Division of Privacy and Identity Protection at the Federal Trade Commission. ANA Advertising Law and Public Policy Conference, 03/20/13.
You must be logged in to submit a comment.