FTC Proposes, Seeks Comments on, Major Changes to Children's Privacy Rules

Date: Sep 15, 2011

The U.S. Federal Trade Commission ("FTC") released proposed revisions to its rules implementing the Children's Online Privacy Protection Act ("COPPA") on September 15, 2011, and is soliciting public comments on the updated rules. The FTC is proposing some very significant changes in certain definitions, interpretations, requirements, and exclusions, while proposing to maintain certain other key definitions or requirements, like the current age reference (under 13) and the "actual knowledge" standard. Comments are due by November 28, 2011. We review some of the more significant changes below.

Definition of "Personal Information." The FTC proposes to include "persistent identifiers" in the list of "personal information," a proposal sure to generate concern despite an exclusion for instances where these identifiers are used for the internal operations of the website. The FTC also proposes to include geolocation information and a photograph, video or audio file containing a child's image or voice to the definition of "personal information." While the FTC did not at this time propose including date of birth, gender or zip code alone in the list of items that constitute "personal information," it is soliciting comments on this point. Significant revisions to other definitions, such as "website directed to children," "collects or collection," and "online contact information," are also being proposed.

Verifiable Parental Consent. Another significant change proposed by the FTC likely to prove controversial is elimination of the widely-used "e-mail plus" method of parental consent. The Commission says that the availability of e-mail plus has hampered the development of more robust technologies. While it is proposing to accept scanned copies of signed parental consent forms or submittal of drivers license or truncated Social Security Numbers (verified against available databases and securely disposed of after verification), the Commission is not proposing to allow SMS text messaging or alternative payment methods. The FTC is, however, encouraging the development of new parental consent methods by establishing a voluntary 180-day notice and comment process under which parties can seek FTC approval of a particular consent mechanism.

Covered Websites and Online Services. With regard to covered services, the FTC takes the view that COPPA covers any service available over the Internet or that connects to the Internet – essentially all digital media. Specifically, the proposal suggests that mobile applications, Internet-enabled gaming platforms, Voice-over-Internet Protocol services, Internet-enabled location-based services, and retailer premium texting and coupon texting services are subject to COPPA if directed to children or the provider has actual knowledge it is dealing with a child.

Notices. The FTC is also proposing to modify the online and website notice requirements to rely more heavily on direct notices to parents. Some current disclosure statements will be eliminated, but notices must include contact information for all operators and operators must make reasonable efforts to directly notify parents of any material change in the collection, use or disclosure of information to which the parent previously consented.

Confidentiality and Security. Given heightened concern about confidentiality and security of data, the FTC proposes to require websites and online services to delete personal information when it is no longer reasonably necessary, and to do so using reasonable measures to protect against unauthorized access. Operators must also ensure that their service providers and other third parties have in place reasonable procedures to protect personal information.

Safe Harbor. Proposed changes are also being made to the current self-regulatory Safe Harbor program. These revisions would require annual audits of its participants' practices, submittal of periodic reports to the FTC, and a requirement that those seeking Safe Harbor status provide a description of their technical capabilities to run a program.

The proposed rule is available at: http://www.ftc.gov/opa/2011/09/coppa.shtm.

For more information on privacy and data security issues, please contact:    

Sheila Millar (+1 202.434.4143, millar@khlaw.com),
Tracy Marshall (+1 202.434.4234, marshall@khlaw.com