Congress passed the Children's Online Privacy Protection Act (COPPA) (www.coppa.org/comply.htm) more than a decade ago to address the unique privacy risks of children under 13 years of age when they access the Internet. The law places certain requirements upon qualifying websites and providers and gives parents tools for overseeing their children's online interactions. Since its enactment, COPPA has undoubtedly achieved some success in accomplishing its privacy and safety goals while still preserving the dynamic nature of the Internet.
However, the rapid-fire pace of technological change, including an explosion in children's use of mobile devices and participation in social networking sites and interactive video games, has prompted the Federal Trade Commission (FTC) to propose amendments to the law to address the novel online interactions of the new decade. Indeed, as FTC Chairman Jon Leibowitz recently commented about the need for updated regulations: “[K]ids are often tech savvy but judgment poor.”
This article discusses COPPA generally, recent enforcement actions, and the issues surrounding the proposed amendments to the COPPA regulations, including whether COPPA's definition of “personal information” should be expanded to cover geolocation and behavioral advertising data, and what new methods of parental notice should be adopted.
COPPA Generally
COPPA, 15 U.S.C. §6501, and its implementing regulations, 16 C.F.R. Part 312 (COPPA Rule), require operators of websites or online services directed to children under 13, or general audience websites or online services with actual knowledge that they are collecting personal information from children under 13, to obtain “verifiable parental consent” before collecting, using or disclosing such information from children. The COPPA Rule sets out a number of factors for determining whether a website is directed to children beyond mere statistics about the actual and intended ages of the website's visitors, including whether its subject matter is child-oriented, whether the site uses animated characters, or whether Web advertising is directed to children. See, 16 C.F.R. §312.2.
Generally speaking, COPPA requires that a covered website operator:
“Verifiable parental consent” means that the method must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent. When the FTC issued the COPPA Rule, it adopted a sliding scale approach to obtaining verifiable parental consent. Under such an approach, more reliable measures are required for parental consent if an operator intends to disclose a child's information to third parties or the public (e.g., social network or blogging service) than if the operator only uses the information internally. For example, more reliable methods include a printable form signed by the parent, a credit card transaction, a toll-free telephone number staffed by trained personnel, or consent via a parent's e-mail that contains a digital signature or other digital confirmation. On the other hand, under current regulations, if a website intends to use children's personal information for internal purposes only, then it may use any of the aforementioned methods, or the so-called “e-mail plus” mechanism that permits operators to request that the parent provide consent via e-mail, followed by some act of confirmation that it was, in fact, the parent who provided consent (the “plus” factor).
COPPA also contains a safe harbor provision enabling industry groups or others to submit to the FTC for approval self-regulatory guidelines to implement the statute's protections (e.g., The Children's Advertising Review Unit (CARU) safe harbor program).
Enforcement Actions
Under the Act, the FTC and state attorneys general may bring enforcement actions and impose civil penalties for violations of the COPPA Rule. In the last several years, the FTC has seemingly taken a more aggressive stance toward violations involving social media websites. For example, in 2006, social blogging site Xanga.com agreed to pay a $1 million civil penalty over allegations that it collected personal information from 1.7 million young users without first obtaining parental consent. See, United States v. Xanga.com Inc., No. 06-6853 (S.D.N.Y. Settlement Announced Sept. 7, 2006).
Similarly, in 2008, the FTC obtained a consent order and levied a multimillion-dollar civil penalty against a general audience music fan site over the improper collection of personal information from underage children. In 2009, the owner of several youth-oriented apparel brands settled FTC charges that it knowingly collected, without parental consent, personal information from children as part of sweepstakes contests and brand promotion efforts, and allowed young users to post personal stories and photos online.
More recently, the FTC announced that children's growing embrace of mobile Internet technology and the latest social networking sites, without the development of more practical age verification technologies, presented new challenges for COPPA compliance and enforcement. For example, in United States v. Godwin, No. 11-03846 (N.D. Ga. Proposed Consent Decree Nov. 8, 2011), the operator of a youth-oriented social media website agreed to settle FTC charges that he collected personal information from thousands of children without obtaining prior parental consent and also made deceptive claims about information collection practices in the site's privacy policy. The FTC alleged that the privacy policy claimed that the site required users to provide a parent's e-mail address as a requirement for registration, but that the site registered children and permitted them to engage in social networking activities without first obtaining parental consent.
The proposed settlement, among other things, barred future misrepresentations about the collection of children's information, ordered the site to destroy information collected in violation of the COPPA Rule, and, for a period of time, required the operator to retain an online privacy professional or join an FTC-approved safe harbor program to oversee any COPPA-covered website under his control.
Smartphones
Moreover, this past summer, an iPhone app developer settled charges that it improperly collected and disclosed personal information from tens of thousands of children under the age of 13 without their parents' prior consent. See, United States v. W3 Innovations, LLC, No. 11-03958 (N.D. Cal. Consent Decree Aug. 12, 2011, http://bit.ly/A0TQRJ). What makes this settlement notable is that this was the agency's first case involving smartphone applications (apps). The FTC complaint charged that the developer's youth-oriented apps allowed children to post personal information on message boards without first obtaining parental consent. Under the terms of the consent decree, the developer was obligated to pay a $50,000 civil penalty, follow the COPPA Rule in the future and delete all personal information from users collected in violation of the Rule.
This enforcement action reaffirms that the agency remains concerned about the new uses of mobile technologies by children and will take action even before the COPPA Rule is updated. [Editor's Note: In February, the FTC released a staff report titled “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing.” It concluded that: “The mobile app marketplace is growing at a tremendous speed, and many consumer protections, including privacy and privacy disclosures, have not kept pace with this development. … [A]pp stores should provide a more consistent way for developers to display information regarding their app's data collection practices and interactive features.” The report can be found at http://1.usa.gov/xDkJu4.]
Proposed Amendments
Given the changes to the online environment, including the increasing use of mobile technology to access the Internet, the FTC decided to expedite its periodic re-examination of the COPPA Rule. In that regard, the agency announced proposed amendments to the COPPA Rule last fall. Among other changes, the FTC proposes expanding the definition of “personal information,” approving new parental consent methods, and tightening the standards surrounding data security.
Definitions. The COPPA Rule requires covered operators to obtain parental consent before collecting “personal information” from children, which includes traditional identification data such as name, address, telephone number, or “any other identifier that the Commission determines permits the physical or online contacting of a specific individual.” See, 15 U.S.C. §6501(8)(F). Currently, providers are not required to obtain parental consent to collect browser cookie or IP address data.
However, the FTC is seeking to expand the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website's internal operations, such as tracking cookies used for behavioral advertising. Generally speaking, behavioral advertising is the tracking of a consumer's online activities to deliver advertising targeted to that individual consumer's interests. In many cases, the data collected and digital profiles compiled are not personally identifiable in the traditional sense and are “anonymized” by the data collectors; that is, the information does not include the consumer's name, physical address, or similar identifier that could be readily used to identify the consumer in the offline world.
A number of technology companies have filed objections to this proposed amendment. They have argued that such an expansive definition will harm the model of free website content and services funded by targeted online advertising and consequently shrink the range of online services available to children. These companies also contend that the new expansive definition would actually degrade children's privacy by compelling website operators to collect more personally identifiable information from users (e.g., names and e-mail addresses) to comply with the COPPA Rule's consent procedures, instead of merely collecting anonymized browser cookie information from young users.
Parental consent mechanisms. The FTC announced new parental consent methods that reflect the latest technologies, including electronic scans of signed parental consent forms, video conferencing, and use of government-issued identification cards cross-referenced against a database (provided that the identification data is deleted after verification). However, the agency proposes to eliminate the less-reliable consent method known as “e-mail plus,” for information collected for internal use only. In the agency's opinion, e-mail plus has “outlived its usefulness” and all collections of children's information merit stronger, more verifiable parental consent. In this same vein, the FTC declined to add SMS text messaging to the enumerated list of parental consent mechanisms, given that there is no reliable way to verify that the mobile phone number supplied would be that of a parent rather than the child's own number.
To encourage the development of innovative consent methods, the agency also outlined a voluntary 180-day notice and comment process whereby parties could seek approval of a new consent mechanism. Website operators already participating in an approved safe-harbor program could also use a method permitted by that program.
Confidentiality and security requirements. COPPA currently requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children, but it is silent on the data security obligations of third parties. The FTC is seeking to add a requirement that website operators ensure that any service providers or third parties to whom they disclose a child's personal information undertake reasonable data security procedures and retain such information only as long as reasonably necessary. In its public comments, one social network provider suggested that the proposed security requirements were ambiguous and sweep too broadly, particularly in regard to user-generated content, and as such, should be limited to outside providers and third parties with which the website operator has a contractual relationship.