Children's Online Privacy Protection Act ("COPPA"): Proposed Updates and How They Could Impact Your Business

The Children’s Online Privacy Protection Act of 2000 was passed in response to a 1998 Federal Trade Commission (FTC) report that highlighted the growing concern for children’s privacy on the internet. In particular, the FTC was concerned about the collection of data from children via websites, message boards and other online venues. The final COPPA rules stipulated what must be included in a privacy policy, when and how to seek consent from a parent to collect a child’s personal information, and the responsibilities that a website operator has to protect children’s privacy and safety online.

In September 2011, the FTC concluded a lengthy review of the current applicability and efficacy of COPPA as part of a continuing initiative to review existing regulations and update them to keep pace with technological advancements. While the FTC concluded that the existing COPPA rule is mostly adequate as written, they did propose a number of changes and additions in order to continue to protect the privacy of children.

If enacted, the FTC’s proposed COPPA rule changes could have a significant impact on the way marketers obtain verifiable consent from the parents of the under-13 audience.

This article provides an overview of the existing COPPA regulations as well as the proposed changes and their potential impact on future integrated marketing campaigns.

APPLICATION OF THE RULE

EXISTING RULE

The existing COPPA regulations apply to websites and other online services that are either specifically directed to children under the age of 13 or where the site operator has “actual knowledge” that they are collecting information from children under age 13. In general, the Rule requires that a website operator get parental consent prior to collecting, using, or disclosing personal information from children under the age of 13.

A website or online service could be considered to be “directed” to children under 13 based on a number of factors including: subject matter, visual or audio content, use of animated characters, age of the models used or other criteria that could be appealing to children.

The term “actual knowledge” is intentionally vague and could mean different things depending upon context. However, the underlying criterion is that data exists that could be used to identify someone’s age regardless of how that data is being (or will be) used. Thus, any site or service that collects data on age, birthday, grade level or similar information could be subjected to COPPA regulations, including sites that are intended for children over 13.

PROPOSED RULE CHANGES

During its review the FTC discussed potential changes to the cutoff age of 13, providing more detail around the terms “website” and “online service” as well as what constitutes “actual knowledge” but concluded that no changes were needed to the existing definitions.

However, the FTC is proposing slight modifications to the definition of a site that is directed towards children. In particular, they would like to add music (current pop music for instance) and the use of child celebrities to the list of items that might indicate that a site is directed towards children. Thus, a celebrity news site featuring the latest gossip about young pop stars might be directed to children under the law even if it isn’t clearly targeted to children.

COLLECTION OF INFORMATION

EXISTING RULE

The current COPPA rules state that “collection” broadly covers any gathering of information from a child including requesting submission of information online, enabling children to make private information public on a forum, message board or other mechanism or the passive tracking of a child through the use of a cookie.

On the other hand, the current Rule exempts operators from COPPA if they delete all PII submitted/posted by children before it is made public and also delete it from their records (i.e., if an operator realizes a child under 13 has submitted information without parental consent, the operator can delete it and, assuming it was not made public, will not run afoul of COPPA).

PROPOSED RULE CHANGES

The FTC would like to slightly broaden the definition of collecting information from requesting (or requiring) a child to submit information to use the site to “encouraging” them to submit personal information on the site. In addition, they would like to broaden the definition of a passive tracking mechanism by specifically removing “cookie” as an example and changing it to any tool that accomplishes the same objective.

Conversely, the FTC is proposing a more lenient standard for the exemption from COPPA for website operators. The proposed update would state that operators have not collected personal information from children if they “employ technologies reasonably designed to capture (i.e., identify and delete) all or virtually all personal information inputted by children”. The FTC is attempting to establish a reasonable exemption standard for websites that are not directed to children but want to proactively block the submission of children’s information. In essence, if you employ a reasonable system to identify and filter out information submitted by children then you will be exempt from COPPA (presumably even if some data leaks through to your data storage system or is posted on your website).

POTENTIAL IMPACT:

Operators will greatly reduce their risk of COPPA violations if they implement a system to identify and remove children’s information at the time of data collection. This could lead to some innovative methods of screening information and simplify the retention of data, as operators will not have to worry about combing their databases to identify and remove data. If adopted, this proposal could mandate retooling existing websites’ data collection methods; however, the FTC will likely provide a lengthy grace period for implementing updates.

PERSONAL INFORMATION

EXISTING RULE

As stated above, the existing COPPA rules apply to any online operator that collects, uses or discloses personal information from children under the age of 13. Personal information has been defined as a first and last name, a physical address, telephone number, email address (or a screen name that discloses an email address), social security number or any other persistent identifier (such as a cookie) that would allow direct contact with a child as well as any other information that the website collects on the child or parent that could be connected to the personal information.

Currently the Rule also contains a standalone definition of “online contact information” as an email address or similar identifier that permits direct contact with a person online (this could include a social media or message board alias).

PROPOSED RULE CHANGES

The proposed Rule would remove the specific reference of “email address” from the list of personal information and replace it with the term “online contact information.” However, the FTC also proposes that the definition of online contact information be modified to include “an email address or any other substantially similar identifier that permits direct contact with a person online including, but not limited to, an instant messaging user identifier, a voice over internet protocol identifier or a video chat user identifier.”

In addition, the FTC would like to add more clarity to the treatment of screen names. As noted above, under the current Rule, screen names are only considered personal information if they reveal an email address. The FTC acknowledges that screen names are often used across multiple sites and venues, which increases the possibility that they could be used to uniquely identify an individual. However, the proposal limits the inclusion of screen names as personal information to circumstances when other personal information is collected and connected to that screen name. In other words, if a website operator allows a child to set up a screen name solely for the purpose of supporting the functioning of the site, it will not be considered personal information unless other personal information is collected in addition to it.

The FTC also took a closer look at the use of persistent identifiers such as cookies, IP addresses and unique device identifiers, and concluded that they would not be considered personal information if they were used solely to support the function of the website or online service. However, if these persistent identifiers are used to track the activities of a child across the internet or to deliver behavioral targeting ads to them, then they are considered personal information.

Finally, the FTC is also proposing that the definition of personal information include all photos, videos and audio files containing children’s images or voices as well as geo-location data sufficient to identify street name and name of city or town.

POTENTIAL IMPACT:

This could significantly increase the amount of information that is subject to the parental consent requirement and effectively eliminate targeted advertising to children without parental consent. Most information gathered or maintained by a child-oriented service would be subject to the parental consent under a broad interpretation of the proposed changes. Under such circumstances, it would often be easier for the service operator to default to mandatory parental consent for all data collection, including general tracking information, than to attempt to squeeze their practices into the narrow exemption for operations that are “necessary for the support for the internal operations of a site or service.”

Mobile-based content sharing services could be significantly impacted by the new definition of personal information if they save or display any sort of geo-location information. Children with mobile phones are heavy users of social media and content sharing, and services such as Foursquare could be directly impacted by an expanded definition.

PARENTAL CONSENT AND NOTICE

EXISTING RULE

Sites and services that are subject to COPPA are required to obtain parental consent before collecting or storing personal information from children under 13, regardless of the intended use of the information. Parents must be notified of the operator’s data collection and handling practices, have access to their child’s information and be provided the option of having the information deleted if they so desire.

Currently one of the most common ways for obtaining verifiable parental consent has been the “email-plus” method. Under this approach, a child provides their parent’s email address, an email is sent to the parent’s account asking for their consent to have their children’s data collected and the steps for providing their consent. If the parent takes the steps indicated, consent is given. In addition, the current Rule requires that the website operator provide the parent with direct notice of the type of information collected, why it was collected and what the operator intends to do with it. However, it has become common practice that the direct notice is typically provided via a link to the website operator’s online privacy policy.

While convenient and cheap for operators, the email-plus method is generally seen as a lackluster way of obtaining parental consent because it can easily be fooled by a child intent on impersonating their parent(s). Children often know email account passwords and other personal information that could allow them to complete the email-plus verification method without ever involving their parents.

PROPOSED RULE CHANGES

The FTC proposes changes to both the consent mechanism as well as the notice requirements. In particular, the text of the law would be updated to include scanned forms, video conferencing and government-issued ID checks in the non-exclusive list of “acceptable” methods of verifying parental consent.

There would also be an explicit elimination of the “email-plus” method as an acceptable verification method. The FTC believes there has been too much reliance on the “email-plus” method and that this has impeded innovation on alternative methods. To combat this, the FTC proposes creating a voluntary approval process that would allow operators to submit a proposal for a new consent mechanism to gain pre-approval of that mechanism by the FTC. In addition, they would also grant all safe-harbor program operators the authority to define acceptable verification methods for their participants.

Finally, the FTC seeks to simplify and clarify mandatory privacy notices to parents by requiring a simple short notice in the direct communication detailing the information collected from children and whether the information will be made publicly available, how the information will be used and the operator’s information disclosure practices. While it will still be necessary to provide a link to the online privacy policy, it will no longer be sufficient to limit the notice to just the link.

POTENTIAL IMPACT:

Banning the “email-plus” method could impact the majority of websites that collect information from children and finding a viable, widely acceptable alternative may prove time consuming for operators. Given that the email-plus method was initially intended to be a temporary solution by the FTC, it seems likely that it will in fact be banned in any COPPA revisions. Thus, it would be prudent for operators to start devising alternative methods as soon as possible in order to have a viable proposal ready for submission for approval to the FTC.

Most marketing agencies (Catalysis included) can anecdotally verify that there is indeed an over-reliance on the email-plus method and that its low cost of implementation has precluded the development of other consent mechanisms. Alternatives to email-plus must focus on personal information that children may know but cannot fully control, such as corporate email accounts (i.e., not a Hotmail, Yahoo, Gmail or other general email service) or credit card information (i.e., debit then credit a nominal amount so that something appears on the statement).

SECURITY

EXISTING RULE

COPPA currently requires operators to establish and maintain security measures that protect the personal information collected from children. However, it doesn’t specifically address the security policies and procedures of third parties that are handling the data.

PROPOSED RULE CHANGES

Under the proposed Rule, operators would be required to take reasonable measures to ensure the adequacy and compliance of the data handling practices of third parties to which they divulge children’s personal information. In addition, COPPA would be updated to include a mandate to retain children’s personal information only as long as is reasonably necessary and delete it in a way that prevents unauthorized access or exposure.

POTENTIAL IMPACT:

Given that these proposals are in line with generally accepted privacy principles, it seems likely that they will both be adopted. Operators will thus be required to assume the onerous task of verifying the information practices of their third-party affiliates and conducting routine data deletion. This will surely increase the time required during the planning phase of any project that involves third parties and the personal information of children.

Working with third parties introduces an additional cost element to any project due to increased time spent on coordination and communication. If this proposed update is adopted, project managers should automatically plan for several additional hours of “due diligence” work any time a third party is involved with the transmission or storage of children’s data. Involving a privacy officer or legal representative early in the process could help to keep costs down and ensure that obligations are met from all parties.

SAFE-HARBOR PROGRAMS

EXISTING RULE

The original COPPA rules included a Safe-Harbor provision that would allow a group of operators to self-regulate under an FTC-approved program. By participating in a Safe-Harbor program, operators were “deemed to be in compliance” with COPPA for purposes of enforcement.

PROPOSED RULE CHANGES

The FTC would like to strengthen the approval process for self-regulated Safe-Harbor programs and would require that applicants provide information on their ability to run the proposed program, establish stringent oversight requirements of their members and require those self-regulatory programs to submit periodic reports to the FTC.

POTENTIAL IMPACT:

Individual operators that participate in a self-regulatory program may be required to provide more frequent or extensive reports to the program’s administrators, and those administrators will face greater scrutiny and oversight of their programs.

NEXT STEPS

The FTC released its proposed Rule changes in September 2011 and presented them to the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade on October 5, 2011. They are seeking the public’s comments on their proposed revisions to COPPA by November 28, 2011.

ABOUT CATALYSIS

For nearly 20 years, Catalysis has specialized in the digital integration of award-winning marketing campaigns that drive connected, measurable results. Our clients include Microsoft, Moss Adams, Banner Mattress, Thunder Valley Casino, BabyLegs, and WineBid.

For more information, contact info@catalysis.com or visit our website at www.catalysis.com.

The information contained in this publication is general and is for informational purposes only. Catalysis makes no warranties, express or implied, in this material.