Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
The time has long passed when companies of any size, in any industry can take a lax approach to privacy policies. Between California starting to enforce its online privacy law, and the FTC making changes to federal regulations regarding the online use of information from children, closer scrutiny than ever is being paid to this issue. And that scrutiny comes with hefty fines and legal implications that can ensnare any company with an online presence or mobile application. This article examines the compliance issues raised by California's Online Privacy Protection Act, and the FTC's recent changes to the federal Children's Online Privacy Protection Act, and what companies must do to ensure they are not in violation.
California's COPPA
The California Online Privacy Protection Act of 2003 (COPPA), is now being enforced by the California Attorney General's Office. Violations of COPPA carry a heavy penalty at $2,500 per violation. Especially when pertaining to mobile application downloads, such a hefty fine multiplies quickly. Yet, analysis of company's compliance level, and potential remediation if needed, can be easily achieved while still maintaining cost-consciousness. The key is to understand what is required by COPPA and to review existing policies accordingly, or to immediately implement new policies where necessary.
So, what does California's COPPA require? According to the Act, each commercial website operator that collects personal information about Californians who visit their web pages must post a distinctive and easily found link to the website's privacy policy. This policy must describe: 1) the types of information gathered; 2) the ways information may be shared with other parties; and, 3) the process whereby a user can review and modify his or her personal information. Finally, the policy must also state the effective date and describe any subsequent changes since the effective date.
Does It Apply?
COPPA is far-reaching. Although a California law, it is applicable to anyone who gathers information on people living in California. Presumably, this would be true even if a website owner did not know the person to whom the information applies lives in California. Enforcement by California officials on out-of-state or out-of-country website owners is a challenging issue, but for the potential monetary losses involved (especially given the relatively inexpensive costs of developing a legal privacy policy), it is simply not worth the risk of running a commercial website or having an online commercial application of any kind without a solid privacy policy.
Types of Information Gathered
Under COPPA, companies must maintain privacy policies which describe the categories of information gathered about Californians. Specifically, the categories must include the following types of “personally identifiable information” when collected and maintained by the company: 1) first and last name; 2) home or other physical address, including street name and name of a city or town; 3) e-mail address; 4) telephone number; 5) Social Security number; 6) any other identifier that permits the individual to be contacted in person or online; or 7) the combination of any of the foregoing categories. Ironically, at least some of the foregoing categories may be otherwise publicly available, yet COPPA contains no exemptions from compliance when that is the case. The safest course, then, is to conduct a full review of existing policies and to implement changes where necessary.
Information Sharing with Other Parties
Privacy policies must also specify which of the above categories of information may be shared with third parties, and must describe the categories of third parties with whom the information is shared. Importantly, COPPA does not prohibit or restrict the sharing of information with third parties. Instead, there simply must be disclosure in the privacy policies about the categories of receiving parties and the information shared.
User Modification of Personal Information
COPPA further requires privacy policies to describe the process whereby an individual can review, modify and remove his or her personal information. As with the description of categories above, the key to compliance is ensuring a removal and modification process exists and is disclosed. Equally critical is ensuring that internal company practices follow the described process. In other words, if the policy says the company will remove information upon written request, but in practice nothing is ever removed, then COPPA may have been violated nonetheless. To combat this potential disconnection, it is highly recommended that compliance be centralized and adequate training be given to all personnel responsible for compliance.
Effective Date
The privacy policy must identify the original effective date, subsequent amendment dates and, if amended, a description of the changes made since the original policy was implemented. As a practical matter, this provision requires internal diligence to track revisions as they are made.
Conspicuous Posting
Finally, the privacy policy must be conspicuously posted. This requires a link to the policy on the company's homepage or first page with significant substance. Since the latter option is undefined in COPPA, caution dictates that a link to the policy simply be place on the company's main landing page. COPPA is also explicit in its requirements for hyperlinking to the policy. To be compliant, the hyperlink must at least include the word “privacy,” be written in capital letters equal to or greater in size than the surrounding text, or be written in larger type than the surrounding text, in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. The intent is to ensure an individual's attention is easily drawn to the privacy policy.
FTC's COPPA
Second, the Federal Trade Commission recently announced new rules under the Federal “Children's Online Privacy Protection Act of 1998″ (also, confusingly, known as “COPPA” ' for purposes of this article, the “FTC COPPA”). The general rule under FTC COPPA hasn't changed ' if a company knowingly collects information from children, or children self-report information and they are in fact minors, then FTC COPPA applies. The new rules, however, establish the new compliance categories.
New Provisions
The new FTC compliance categories further complicate an already murky area of law by implementing new subparts of FTC COPPA by rule and, therefore, new potential pitfalls. Presumably, the intent of the new subparts is to further expand the applicability of FTC COPPA to companies that have found ways to sidestep the previous rules. But, the danger for kid-oriented companies and their vendors and suppliers is the risk of heightened enforcement by the FTC for non-compliance. This wouldn't be of great concern if the subparts clearly articulated what is required and of whom ' but they don't. Instead, the new subparts are unclear and, therefore, subject kid-oriented companies to heightened scrutiny without being able to accurately predict how to behave in advance to comply. That said, the subparts are as follows:
Subpart A: Appeal to 12 and Under
This provision of FTC COPPA applies when site/app content appeals to kids 12-and-under. The factors in determining appeal are expanded, but this definition isn't new. It is sufficient for the purposes of this article to understand that child-specific applications have unique requirements, the details of which must be reserved for later discussion.
Subpart B: Actual Knowledge of Another Website
When a service “has actual knowledge that it is collecting personal information directly from users of another website or online service directed to children” this provision applies. The intent is to cover third party vendors who attempt to reach kids. Even assuming the intent is noble, it remains unclear how to determine whether or not the other website's service is “directed to children.
Subpart C
This provision applies to services “directed” to kids even when they are not targeted as the primary audience. The definition, however, is circular since the rules define “directed” to kids as “targeted” to kids, thus obliterating any meaningful difference.
Compliance
The express compliance requirements of FTC COPPA are yet more complicated than COPPA. Where applicable (Subparts A, B and C), website operators must: 1) provide notice to parents; 2) obtain verifiable parental consent prior to collecting using, or disclosing personal information from children; 3) keep information collected from children secure; and 4) prohibits conditioning children's participation in activities on the “collection of more personal information than is reasonably necessary to participate in such activities.” So, the best practical rule is this: If your company collects information identifying users as under 13 years old, or has web content or applications that might appeal to children, further legal review should be mandatory before “going live.”
Conclusion
Whether governed by COPPA or FTC COPPA, or simply seeking to implement best corporate practices, implementing sloppy privacy policies is not worth the potential risks of non-compliance. Copying and pasting another company's policies rather than undertaking a site-specific review is a call for enforcement officials to investigate ' a call than can be and should be avoided.
David J. Shaw is a shareholder with Kirton McConkie in Salt Lake City, where devotes his practice to e-commerce and technology matters. He can be reached at 801-328-3600 or at [email protected].
The time has long passed when companies of any size, in any industry can take a lax approach to privacy policies. Between California starting to enforce its online privacy law, and the FTC making changes to federal regulations regarding the online use of information from children, closer scrutiny than ever is being paid to this issue. And that scrutiny comes with hefty fines and legal implications that can ensnare any company with an online presence or mobile application. This article examines the compliance issues raised by California's Online Privacy Protection Act, and the FTC's recent changes to the federal Children's Online Privacy Protection Act, and what companies must do to ensure they are not in violation.
California's COPPA
The California Online Privacy Protection Act of 2003 (COPPA), is now being enforced by the California Attorney General's Office. Violations of COPPA carry a heavy penalty at $2,500 per violation. Especially when pertaining to mobile application downloads, such a hefty fine multiplies quickly. Yet, analysis of company's compliance level, and potential remediation if needed, can be easily achieved while still maintaining cost-consciousness. The key is to understand what is required by COPPA and to review existing policies accordingly, or to immediately implement new policies where necessary.
So, what does California's COPPA require? According to the Act, each commercial website operator that collects personal information about Californians who visit their web pages must post a distinctive and easily found link to the website's privacy policy. This policy must describe: 1) the types of information gathered; 2) the ways information may be shared with other parties; and, 3) the process whereby a user can review and modify his or her personal information. Finally, the policy must also state the effective date and describe any subsequent changes since the effective date.
Does It Apply?
COPPA is far-reaching. Although a California law, it is applicable to anyone who gathers information on people living in California. Presumably, this would be true even if a website owner did not know the person to whom the information applies lives in California. Enforcement by California officials on out-of-state or out-of-country website owners is a challenging issue, but for the potential monetary losses involved (especially given the relatively inexpensive costs of developing a legal privacy policy), it is simply not worth the risk of running a commercial website or having an online commercial application of any kind without a solid privacy policy.
Types of Information Gathered
Under COPPA, companies must maintain privacy policies which describe the categories of information gathered about Californians. Specifically, the categories must include the following types of “personally identifiable information” when collected and maintained by the company: 1) first and last name; 2) home or other physical address, including street name and name of a city or town; 3) e-mail address; 4) telephone number; 5) Social Security number; 6) any other identifier that permits the individual to be contacted in person or online; or 7) the combination of any of the foregoing categories. Ironically, at least some of the foregoing categories may be otherwise publicly available, yet COPPA contains no exemptions from compliance when that is the case. The safest course, then, is to conduct a full review of existing policies and to implement changes where necessary.
Information Sharing with Other Parties
Privacy policies must also specify which of the above categories of information may be shared with third parties, and must describe the categories of third parties with whom the information is shared. Importantly, COPPA does not prohibit or restrict the sharing of information with third parties. Instead, there simply must be disclosure in the privacy policies about the categories of receiving parties and the information shared.
User Modification of Personal Information
COPPA further requires privacy policies to describe the process whereby an individual can review, modify and remove his or her personal information. As with the description of categories above, the key to compliance is ensuring a removal and modification process exists and is disclosed. Equally critical is ensuring that internal company practices follow the described process. In other words, if the policy says the company will remove information upon written request, but in practice nothing is ever removed, then COPPA may have been violated nonetheless. To combat this potential disconnection, it is highly recommended that compliance be centralized and adequate training be given to all personnel responsible for compliance.
Effective Date
The privacy policy must identify the original effective date, subsequent amendment dates and, if amended, a description of the changes made since the original policy was implemented. As a practical matter, this provision requires internal diligence to track revisions as they are made.
Conspicuous Posting
Finally, the privacy policy must be conspicuously posted. This requires a link to the policy on the company's homepage or first page with significant substance. Since the latter option is undefined in COPPA, caution dictates that a link to the policy simply be place on the company's main landing page. COPPA is also explicit in its requirements for hyperlinking to the policy. To be compliant, the hyperlink must at least include the word “privacy,” be written in capital letters equal to or greater in size than the surrounding text, or be written in larger type than the surrounding text, in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. The intent is to ensure an individual's attention is easily drawn to the privacy policy.
FTC's COPPA
Second, the Federal Trade Commission recently announced new rules under the Federal “Children's Online Privacy Protection Act of 1998″ (also, confusingly, known as “COPPA” ' for purposes of this article, the “FTC COPPA”). The general rule under FTC COPPA hasn't changed ' if a company knowingly collects information from children, or children self-report information and they are in fact minors, then FTC COPPA applies. The new rules, however, establish the new compliance categories.
New Provisions
The new FTC compliance categories further complicate an already murky area of law by implementing new subparts of FTC COPPA by rule and, therefore, new potential pitfalls. Presumably, the intent of the new subparts is to further expand the applicability of FTC COPPA to companies that have found ways to sidestep the previous rules. But, the danger for kid-oriented companies and their vendors and suppliers is the risk of heightened enforcement by the FTC for non-compliance. This wouldn't be of great concern if the subparts clearly articulated what is required and of whom ' but they don't. Instead, the new subparts are unclear and, therefore, subject kid-oriented companies to heightened scrutiny without being able to accurately predict how to behave in advance to comply. That said, the subparts are as follows:
Subpart A: Appeal to 12 and Under
This provision of FTC COPPA applies when site/app content appeals to kids 12-and-under. The factors in determining appeal are expanded, but this definition isn't new. It is sufficient for the purposes of this article to understand that child-specific applications have unique requirements, the details of which must be reserved for later discussion.
Subpart B: Actual Knowledge of Another Website
When a service “has actual knowledge that it is collecting personal information directly from users of another website or online service directed to children” this provision applies. The intent is to cover third party vendors who attempt to reach kids. Even assuming the intent is noble, it remains unclear how to determine whether or not the other website's service is “directed to children.
Subpart C
This provision applies to services “directed” to kids even when they are not targeted as the primary audience. The definition, however, is circular since the rules define “directed” to kids as “targeted” to kids, thus obliterating any meaningful difference.
Compliance
The express compliance requirements of FTC COPPA are yet more complicated than COPPA. Where applicable (Subparts A, B and C), website operators must: 1) provide notice to parents; 2) obtain verifiable parental consent prior to collecting using, or disclosing personal information from children; 3) keep information collected from children secure; and 4) prohibits conditioning children's participation in activities on the “collection of more personal information than is reasonably necessary to participate in such activities.” So, the best practical rule is this: If your company collects information identifying users as under 13 years old, or has web content or applications that might appeal to children, further legal review should be mandatory before “going live.”
Conclusion
Whether governed by COPPA or FTC COPPA, or simply seeking to implement best corporate practices, implementing sloppy privacy policies is not worth the potential risks of non-compliance. Copying and pasting another company's policies rather than undertaking a site-specific review is a call for enforcement officials to investigate ' a call than can be and should be avoided.
David J. Shaw is a shareholder with
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
What Law Firms Need to Know Before Trusting AI Systems with Confidential Information In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.