The Federal Trade Commission (“FTC”) has released a new set of proposed amendments in its ongoing review of its Children’s Online Privacy Protection Act (“COPPA”) regulations. These amendments would alter key definitions in the COPPA regulations, modifying the FTC’s original proposal from September 2011. If finalized, the FTC’s proposals to date will significantly change who and what COPPA covers and when COPPA applies. Comments are due by September 10, 2012.

WHO is responsible for COPPA compliance: The FTC has clarified its proposals for how COPPA compliance responsibility would be assigned in situations when third parties collect data through websites or online services (“sites” or “services”) operated by other entities. There are two sides to this equation:

• First, the FTC intends to add a proviso that will make sites and services responsible, in many cases, for executing COPPA requirements for third parties on their online properties. Examples of third parties are ad networks and social plug-ins. Sites and services would be “operators” if a third party collects “personal information” in the interest of, as a representative of, or for the benefit of the site or service where the data is collected. This broad proviso would encompass, for example, any data collection that benefits a site or service by supplying ad revenue, content, or functionality.

• At the same time, the FTC would limit which third-party data collectors would be directly responsible for COPPA compliance. By statute, COPPA applies to operators of sites or services that are directed to children or have actual knowledge that they are collecting personal information from children. Recognizing that third parties face challenges in controlling or monitoring how their services are deployed, the FTC would provide that third-party operators would be “directed to children” only if they know, or have reason to know, that they are collecting “personal information” through another site or service that is directed to children.

WHEN a site or service is “directed to children”:

• In addition to addressing third-party data collectors, the FTC would redefine when first-party sites and services are “directed to children.” Currently, numerous factors determine whether a site or service is “targeted to” children. While these factors would be retained, the new “directed to children” definition would include sites and services that either “knowingly target” or are “likely to attract” children as a primary audience.

• The FTC also proposes a new approach for sites and services with mixed audiences of children along with teenagers or adults. Any site with a “disproportionately large” percentage of children in its audience would now be “directed to children,” but would have more flexibility in complying with the law. Such mixed-audience sites could either fulfill COPPA requirements for all users, or could age-screen all users and then fulfill COPPA requirements only for children. Coupled with the FTC’s proposed new definition of “personal information,” this provision could significantly expand the reach of COPPA.

WHAT “personal information” COPPA covers:

• The FTC is attempting to clarify when “persistent identifiers” count as “personal information.” Currently, persistent identifiers are “personal information” only when combined with certain other types of data. Under the FTC’s new proposal, “personal information” would include persistent identifiers that can be used to recognize users over time or across different sites or services, unless such identifiers are used only to support internal operations. The FTC would define a list of acceptable “support” activities; using identifiers for any purpose that is not listed would trigger COPPA.

• Last year, the FTC proposed to add any “screen or user names” to the list of “personal information” under COPPA. The FTC now states that screen or user names should be “personal information” only when they function as online contact information.

• The FTC has not retreated from its 2011 proposals to expand “personal information” to include, for example, audio and video files, photographs, certain geolocation information, and other “online contact information” such as VOIP and video chat identifiers. Taken together, these proposals would apply COPPA, for the first time, to many data elements that sites and services previously collected in order to avoid requesting more identifiable details from children.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Julia Kernochan Tama

As a co-chair of Venable’s Privacy and Data Security Group, Julia Tama is a trusted advisor and advocate for large and small companies in a dynamic legal area. Julia helps clients resolve privacy and security compliance challenges and zealously defends companies against government…

As a co-chair of Venable’s Privacy and Data Security Group, Julia Tama is a trusted advisor and advocate for large and small companies in a dynamic legal area. Julia helps clients resolve privacy and security compliance challenges and zealously defends companies against government inquiries and enforcement actions. Her team is at the forefront of legal issues involving innovative technologies, including artificial intelligence (AI), machine learning, and connected vehicles. She takes a tailored, practical approach rooted in a fluent understanding of relevant technologies and each client’s unique business model and goals.

Emilio W. Cividanes

One of the country’s first privacy lawyers, Milo Cividanes focuses his practice on assisting companies to develop and implement regulatory, government relations, and litigation strategies to preserve and expand their use of data in connection with 21st century business models. He has…

One of the country’s first privacy lawyers, Milo Cividanes focuses his practice on assisting companies to develop and implement regulatory, government relations, and litigation strategies to preserve and expand their use of data in connection with 21st century business models. He has repeatedly been acknowledged globally as a leading authority on data protection and as an effective problem solver. Milo co-leads the eCommerce, Privacy, and Cybersecurity Group, which has been recognized as one of the top privacy practices and top advertising practices in the United States.

Stuart P. Ingis

Stu Ingis is chairman of Venable. Stu is a nationally recognized attorney who has earned a reputation among peers and the industry as a thought leader in crisis management, privacy, marketing, advertising, consumer protection, eCommerce, and Internet law. Stu’s leadership in developing cutting-edge…

Stu Ingis is chairman of Venable. Stu is a nationally recognized attorney who has earned a reputation among peers and the industry as a thought leader in crisis management, privacy, marketing, advertising, consumer protection, eCommerce, and Internet law. Stu’s leadership in developing cutting-edge industry self-regulation and coalition building has placed him at the forefront of privacy and data security regulation and public policy. Clients rely on him as a trusted voice, confidant, and advocate before Congress, the Federal Trade Commission, state attorneys general, and other federal and state agencies.