FTC Proposes Additional Revisions to the Children's Online Privacy Protection Rule | Practical Law

FTC Proposes Additional Revisions to the Children's Online Privacy Protection Rule | Practical Law

On August 1, 2012, the FTC issued additional proposed revisions to the Children's Online Privacy Protection Rule. The proposed revisions modify the definitions of various terms in an effort to clarify the scope of the Rule and to strengthen its protections for the online collection, use and disclosure of children's personal information.

FTC Proposes Additional Revisions to the Children's Online Privacy Protection Rule

Practical Law Legal Update 9-520-7086 (Approx. 4 pages)

FTC Proposes Additional Revisions to the Children's Online Privacy Protection Rule

by PLC Intellectual Property & Technology
Published on 01 Aug 2012USA (National/Federal)
On August 1, 2012, the FTC issued additional proposed revisions to the Children's Online Privacy Protection Rule. The proposed revisions modify the definitions of various terms in an effort to clarify the scope of the Rule and to strengthen its protections for the online collection, use and disclosure of children's personal information.
On August 1, 2012, the FTC issued a press release announcing a supplemental notice of proposed rulemaking for the Children's Online Privacy Protection Rule. The Rule implements the Children's Online Privacy Protection Act of 1998 (COPPA). The proposed revisions are intended to clarify the scope of the COPPA Rule and strengthen its protections for the online collection, use or disclosure of children's personal information. These proposed revisions are in response to the FTC's enforcement experience and review of public comments to a September 2011 Notice of Proposed Rulemaking.
Specifically, the FTC proposes modifying the definition of the following terms contained in the COPPA Rule:
The FTC is accepting public comments on the proposed changes through September 10, 2012.

Personal Information

In its September 2011 Notice, the FTC proposed modifying the COPPA Rule's definition of personal information to include persistent identifiers and screen or user names other than where they are used to support internal operations.
The additional proposed revisions would clarify that a persistent identifier is considered personal information where it can be used to recognize a user over time or across different sites or services. The FTC also proposes to modify the definition of "support for internal operations" to explicitly state that certain activities will not be considered to be collecting "personal information" as long as the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose. These activities may include:
  • Site maintenance and analysis.
  • Performing network communications.
  • Use of persistent identifiers for authenticating users.
  • Maintaining user preferences.
  • Serving contextual advertisements.
  • Protecting against fraud and theft.
The proposed modifications to the personal information definition would also specify that screen and user names are included in the definition of personal information only when they rise to the level of online contact information.

Website or Online Service Directed to Children

The FTC has proposed additional modifications to the definition of "website or online service directed to children." Specifically, the proposed changes would:
  • Clarify that a website or online service that "knows or has reason to know that it collects personal information from children through a child-directed website or online service" is itself directed to children.
  • Permit a website or online service that is designed for both children and adults to comply with COPPA without having to treat all of users as children. It would also clarify that child-directed sites or services that knowingly target children as their primary audience or feature overall content likely to attract children as their primary audience must treat all users as children.
The intent of the first change is to make clear that third-party information-collecting sites or services that appear as part of child-directed sites and services may be liable under the COPPA Rule. This may include advertising networks, social networking features or downloadable software kits ("plug-ins"). The FTC notes that these sites or services often collect personal information directly from users. Unlike child-directed sites, these entities would not be strictly liable for the collection of personal information from children, but would be liable if they know or have reason to know that their services are directed toward children.
The intent of the second proposed change is to allow sites that attract both children and adults to screen users by asking their age and providing privacy protections only to those who say they are underage. The current COPPA Rule requires sites to assume that all visitors are underage and this assumption would still apply to sites whose primary audience is children.

Operator

The FTC has proposed adding a proviso to the definition of "operator" that is intended to clarify that an operator of a child-directed site or service that integrates third-party services that collect personal information from its visitors should itself be considered a covered "operator" under the COPPA Rule.
The proposed proviso specifies that personal information is collected or maintained on behalf of an operator when it is collected in the interest of, as a representative of or for the benefit of the operator.
The effect of this change and the changes to the definition of "website or online service directed to children" would be to hold both child-directed sites or services and related information-collecting sites or services responsible under the COPPA Rule as co-operators.

Practical Implications

Both website operators and third-party information collecting sites and services should consider the impact of the FTC's proposed changes and consider commenting on the proposed changes if appropriate.
Website operators should consider that under the proposed changes to the operator definition they may be liable for the actions of third parties providing services on their site. Responsibility for third-party activities would therefore need to be considered when integrating third-party sites or services, negotiating the terms of integration and reviewing relevant third parties' practices, in particular when and after the proposed rules become effective.
Under the proposed changes to the definition of "website or online service directed toward children," third-party information collectors may need to consider whether any sites on which their services are featured are in fact directed toward children.