by Julia Jacobson and Heather Egan Sussman
Parents worry not only about what their children are seeing and doing online, but also what personal information others, including businesses, are collecting about their children and what they are doing with the information collected. With or without a child’s knowledge, a website, mobile app or social media platform can collect all kinds of personal information: age, sex, height, weight, locations, friends’ names, favorite toys and purchasing histories. To protect the privacy of children online, the federal government enacted in 1998 the Children’s Online Privacy Protection Act (“COPPA,” 15 U.S.C. §§ 6501-6508). Effective July 1, 2013, new compliance obligations under COPPA will affect nearly all online service providers that collect personal information about children.
COPPA restricts how and what owners and operators of websites, social media plug-ins, mobile applications, advertising networks and other “Online Service Providers” can collect from children under age 13 without parental permission. The Federal Trade Commission (FTC) is responsible for enforcing COPPA and, in April 2000, implemented regulations known as the COPPA Rule (16 C.F.R. Part 312). In recognition of the increased use of mobile devices, social media and other evolving digital technologies, the FTC announced in 2010 its intent to update the COPPA Rule. After two years and several rounds of public comments, the FTC amended the COPPA Rule (available at http://www.ftc.gov/os/2012/12/121219copparulefrn.pdf), and those amendments take effect this July.
To assist online service providers in understanding their new compliance obligations under COPPA, the FTC released “Complying With COPPA: Frequently Asked Questions” (the FAQs are available at http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions). These 93 questions and answers provide helpful guidance to attorneys representing online service providers.
Attorneys and businesses should be aware of the following notable changes to the COPPA Rule:
- The definition of “personal information” is expanded to include: geo-location information that can identify street, city and state; photo, audio and video files that contain a child’s voice or image; screen or user names (if used for user-to-user contact); and persistent identifiers (e.g., a customer information held in a cookie, an IP address, a unique mobile device ID, etc.) that can be used to identify a user over time and across different websites or online services. The FAQs warn Online Service Providers that, if they continue to collect or use these new categories of personal information or associate new information with previously-collected personal information in these categories, the parental consent requirement will be triggered;
- An Online Service Provider may be held liable for collection of personal information by a third party if the third party is acting on behalf of the Online Service Provider or if the collection of personal information otherwise benefits the Online Service Provider;
- An Online Service Provider with “actual knowledge” that it is collecting personal information from users of another website or service directed to children (e.g., a social media plug-in or an ad network) now may be held liable under COPPA;
- The factors for determining whether a website or online service is “directed to children” are clarified in Section D of the FAQs but “directed to children” remains a highly fact-specific inquiry;
- An age-screening safe harbor for websites or online services that do not target children as their primary audience is available;
- The acceptable methods for obtaining verified parental consent are expanded.
Unfortunately, some important issues remain unaddressed by the amended COPPA Rule and FAQs. Most glaringly, the FAQs offer no guidance on how the FTC will consider and weigh the various factors in determining whether an Online Service Provider is directed to children and subject to a strict liability standard for COPPA compliance. Another issue about which the FAQs offer little guidance is how an Online Service Provider seeking to qualify for the “age screen safe harbor” can demonstrate that children under 13 are not its primary target audience. The FAQs indicate only that an operator should carefully analyze the intended, actual and likely audience for its site and/or services and that the FTC will consider “competent and reliable empirical evidence” supporting the analysis.
Although the FTC has indicated that it will delay enforcement of the amended COPPA Rule, ignoring the changes is not advisable. In the past five years, the FTC has investigated numerous violations of COPPA and imposed million-dollar fines on COPPA violators, including a $3M fine against Playdom (a Disney subsidiary) in 2011. To ensure compliance with the amended COPPA Rule and avoid substantial monetary penalties, Online Service Providers need to evaluate now their data collection activities with respect to children, including third-party activities on and through their website or online service as well as their activities on third-party website or online service.
Heather Egan Sussman is a partner at McDermott Will & Emery LLP. Heather co-chairs the Global Privacy & Data Protection Affinity Group and is a recognized leader in her field.
Julia Jacobson is a partner at McDermott Will & Emery LLP. Julia focuses her practice on data privacy and security, advertising and promotions, and licensing.