FTC Updates COPPA

By Catherine Dunn
January 31, 2013

Just a week after the Federal Trade Commission released a harsh report on the state of mobile applications' privacy protections for children (see, “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” http://1.usa.gov/Voh3ZE), the agency on Jan. 17 issued stricter rules under the Children's Online Privacy Protection Act (COPPA) (www.ftc.gov/ogc/coppa1.htm). See, “FTC Strengthens Kids' Privacy, Gives Parents Greater Control over Their Information By Amending Children's Online Privacy Protection Rule,” http://1.usa.gov/10PwBM5.

The revisions update the 1998 law for the era of mobile technology, social media and online data collection – creating new liability for the operators of websites and services that are directed to children under the age of 13.

The definition of “personally identifiable information” (PII) – which triggers parental consent requirements – is now broader, and operators are responsible for how third parties collect user data on their sites. The new rules go into effect July 1, 2013.

“The world of COPPA compliance has just gotten considerably bigger,” says Jim Halpert, a partner at DLA Piper who helped draft the 1998 law.

“The major thing the FTC was concerned about was different forms of tracking children online that didn't involve collecting their names and addresses,” says Halpert.

Rather, the agency focused on the collection of information that can be used in behavioral advertising, or to track children across different websites, Halpert explains. Under the new definition, PII includes photos, videos, geolocation, IP addresses and device identifiers – and it can't be collected without parental consent.

“Behavioral advertising is now out for those sites,” says Halpert. “They can no longer do behavioral advertising without verifiable parental consent.”

Liability for Third Parties

Another significant change makes operators liable for COPPA compliance of third parties on their sites. “A website operator is going to be held strictly liable for any service provider that is plugging into [its] site,” says Reed Smith partner John Feldman, who specializes in advertising regulation and consumer protection law.

e-Commerce counsel should examine their company's relationships with third parties, Feldman says, “because of the strict liability and the responsibility you have for the actions of others.”

He adds: “Your contracts are going to have to be carefully worded, and your due diligence is going to have to be done to understand what is collected.”

The regulations also warn companies against holding onto children's data for longer than is necessary – which Linda Goldstein, a partner at Manatt, Phelps & Phillips, can see becoming an enforcement priority down the line.

“The FTC will undoubtedly take a hard look at their data-retention policies if they're collecting data from kids” under 13, says Goldstein, who chairs the firm's advertising, marketing and media division.

The big picture for companies in this space is that “they need to take a look at what they're collecting,” Goldstein says. “They need to take a much closer look at who they're passing it on to, and they need to take a look at their data-retention policies.”

According to Halpert, the FTC enforces COPPA frequently, and there is some stigma attached to running afoul of those rules. “This is something that should be a compliance priority for companies,” Halpert says.

Apps and Kids' Data

The “Mobile Apps for Kids” report issued by the FTC in December, supra, sends a message to mobile app makers that track children's online movements: We're watching you, too.

The report cited companies for “disappointing” efforts to inform parents about how children's data is collected, following a review of 400 smartphone and tablet apps sold in the Apple and Google Play app stores.

“Indeed, most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to that data,” the report states. “Even more troubling, the results showed that many of the apps shared certain information – such as device ID, geolocation, or phone number – without disclosing that fact to parents.”

The FTC said it's not only urging the mobile app industry to incorporate better privacy protections into their products, but that it is “launching multiple nonpublic investigations to determine whether certain entities in the mobile app marketplace have violated [COPPA]” or the FTC Act's ban on unfair and deceptive trade practices, according to the report.

“The clear message to marketers is you better – quickly – review your apps,” says Goldstein.

The report said that while agency staff allowed “generous parameters” in identifying an app's privacy disclosures, “only 20[%] (81) of the apps reviewed disclosed any information about the app's privacy practices.”

FTC staff members also tested whether app developers, advertising networks and analytics companies collected user-specific information such as geolocation, birth date, phone number or a device identifier – the string of numbers or letters that uniquely identifies a mobile device. The FTC found that “59[%] (235) of the 400 apps transmitted some information from a user's mobile device back to the developer or to a third-party.”

This is the second such mobile app survey conducted by the FTC, which has focused closely on privacy.

More types of apps may fall within COPPA's reach, says Goldstein. And more big-name companies – not just the lesser-known app developers – could start feeling the heat, too. Considering “how many brands are developing their own apps as a major marketing vehicle, the potential exposure to brands now is really significant,” Goldstein says.

Goldstein says this latest report “will help support an argument that stronger rules are required to protect privacy” of children under 13 who are using apps on mobile devices.


Catherine Dunn writes for Corporate Counselor magazine, an ALM affiliate of e-Commerce Law & Strategy.
