The Federal Trade Commission (“FTC”) has released a new set of proposed amendments in its ongoing review of its Children’s Online Privacy Protection Act (“COPPA”) regulations. These amendments would alter key definitions in the COPPA regulations, modifying the FTC’s original proposal from September 2011. If finalized, the FTC’s proposals to date will significantly change who and what COPPA covers and when COPPA applies. Comments are due by September 10, 2012.
WHO is responsible for COPPA compliance: The FTC has clarified its proposals for how COPPA compliance responsibility would be assigned in situations when third parties collect data through websites or online services (“sites” or “services”) operated by other entities. There are two sides to this equation:
• First, the FTC intends to add a proviso that will make sites and services responsible, in many cases, for executing COPPA requirements for third parties on their online properties. Examples of third parties are ad networks and social plug-ins. Sites and services would be “operators” if a third party collects “personal information” in the interest of, as a representative of, or for the benefit of the site or service where the data is collected. This broad proviso would encompass, for example, any data collection that benefits a site or service by supplying ad revenue, content, or functionality.
• At the same time, the FTC would limit which third-party data collectors would be directly responsible for COPPA compliance. By statute, COPPA applies to operators of sites or services that are directed to children or have actual knowledge that they are collecting personal information from children. Recognizing that third parties face challenges in controlling or monitoring how their services are deployed, the FTC would provide that third-party operators would be “directed to children” only if they know, or have reason to know, that they are collecting “personal information” through another site or service that is directed to children.
WHEN a site or service is “directed to children”:
• In addition to addressing third-party data collectors, the FTC would redefine when first-party sites and services are “directed to children.” Currently, numerous factors determine whether a site or service is “targeted to” children. While these factors would be retained, the new “directed to children” definition would include sites and services that either “knowingly target” or are “likely to attract” children as a primary audience.
• The FTC also proposes a new approach for sites and services with mixed audiences of children along with teenagers or adults. Any site with a “disproportionately large” percentage of children in its audience would now be “directed to children,” but would have more flexibility in complying with the law. Such mixed-audience sites could either fulfill COPPA requirements for all users, or could age-screen all users and then fulfill COPPA requirements only for children. Coupled with the FTC’s proposed new definition of “personal information,” this provision could significantly expand the reach of COPPA.
WHAT “personal information” COPPA covers:
• The FTC is attempting to clarify when “persistent identifiers” count as “personal information.” Currently, persistent identifiers are “personal information” only when combined with certain other types of data. Under the FTC’s new proposal, “personal information” would include persistent identifiers that can be used to recognize users over time or across different sites or services, unless such identifiers are used only to support internal operations. The FTC would define a list of acceptable “support” activities; using identifiers for any purpose that is not listed would trigger COPPA.
• Last year, the FTC proposed to add any “screen or user names” to the list of “personal information” under COPPA. The FTC now states that screen or user names should be “personal information” only when they function as online contact information.
• The FTC has not retreated from its 2011 proposals to expand “personal information” to include, for example, audio and video files, photographs, certain geolocation information, and other “online contact information” such as VOIP and video chat identifiers. Taken together, these proposals would apply COPPA, for the first time, to many data elements that sites and services previously collected in order to avoid requesting more identifiable details from children.