On May 15, the Federal Trade Commission (FTC) sent letters to more than 90 businesses, informing them that they could potentially be in violation of the Children's Online Privacy Protection Act (COPPA) when changes to the law go into effect on July 1.
The FTC contacted both domestic and foreign companies making mobile apps that may be directed at children under age 13 about revisions to the privacy rule to 'help ensure you are aware of those changes and your compliance responsibilities.'
The two-page letter, signed by Maneesha Mithal, associate director of the Division of Privacy and Identity Protection, is quick to note that the FTC has 'not yet evaluated your apps or your company's practices.' Instead, the letter serves more as a heads-up about new standards for personal information collected from children.
More 'Personal Information'
Under the old rule, 'personal information' meant things like a child's name, home address, telephone number or social security number. As of July 1, it will also include 'persistent identifiers,' such as cookies, IP addresses and mobile device IDs. In addition, it will include photographs or videos with a child's image, or an audio file that has a child's voice.
The new rule requires all developers of apps that are directed to children under 13, or that knowingly collect personal information from children under 13, 'to post accurate privacy policies, provide notice, and obtain verifiable parental consent before collecting, using, or disclosing any 'personal information' from children,' according to the FTC.
The revised rule, which was finalized by the FTC in December 2012, also covers information collected by third parties, such as advertising networks. See, 'FTC Strengthens Kids' Privacy, Gives Parents Greater Control over Their Information by Amending Children's Online Privacy Protection Rule.'
The penalties for violating the Act can be steep. In February, social networking app Path agreed to pay $800,000 to settle FTC allegations that it wrongly collected personal information from children. See, 'Path Social Networking App Settles FTC Charges It Deceived Consumers and Improperly Collected Personal Information from Users' Mobile Address Books.' And in October, Artist Arena, the operator of fan websites for music stars such as Justin Bieber, shelled out $1 million to settle FTC charges that it improperly collected personal information from children without parental consent. See, 'Fan Website Operator Agrees to Pay FTC $1M for Collecting Children's Personal Information,' The BLT.
Other prior COPPA penalties include $1 million paid by Sony BMG Music Entertainment in 2008 (see, 'Sony BMG Music Settles Charges Its Music Fan Websites Violated the Children's Online Privacy Protection Act'), and $1 million by social networking website Xanga.com in 2006 (see, 'Xanga.com to Pay $1 Million for Violating Children's Online Privacy Protection Rule').
The FTC urged letter recipients 'to review your apps, your policies, and your procedures for compliance.'
The agency also hinted that it will give credit to companies just for making an effort. 'As with all our enforcement activities, the Commission will exercise its prosecutorial discretion in enforcing the COPPA Rule, particularly with respect to small businesses that have attempted to comply with the Rule in good faith in the early months after the Rule becomes effective,' the letter stated.
Impact
Also in anticipation of the revised rule taking effect, and in addition to the letters, the FTC released a highly anticipated guidance document on April 25. See, 'Complying with COPPA: Frequently Asked Questions.'
The document stakes out 92 'Frequently Asked Questions' on the recently amended COPPA, which not only carries a significant compliance burden for operators of websites directed at children under 13, but also has broader implications for enforcement, according to privacy attorneys.
The revised rule is 'not just about children, it's about privacy policy generally,' says John Feldman, a partner at Reed Smith who specializes in advertising regulation and consumer protection law. 'You're seeing a sea change.'
Considering an IP address to be personally identifiable information is a 'policy leap,' Feldman says. 'No court has defined it that way. Congress hasn't defined it that way. The FTC has defined it that way.'
The broader definition is likely to prompt compliance obligations for many companies, according to Manatt, Phelps & Phillips partner Linda Goldstein. 'Because of the expansive definition of personally identifiable information, it's hard to imagine that a kid-directed site wouldn't be collecting some kind of information that would trigger COPPA,' says Goldstein, who chairs the firm's advertising, marketing and media division.
Already, 19 trade groups, including the Direct Marketing Association (DMA), the U.S. Chamber of Commerce, and the National Retail Federation (NRF), have told the FTC they think the July 1 compliance deadline is too soon and have asked for a six-month delay on enforcement. See, 'DMA.org Leads Business Community in Asking FTC for Extension to Implement COPPA Rule Changes,' DMA.org.
Goldstein says brands will want to focus both on the content of their privacy policies and the manner in which those policies are disclosed on their website. The FAQs 'reiterated' the agency's view that privacy policies be clear and concise, and without extraneous or promotional material, according to Goldstein. 'The message from the FTC is: streamline it,' she says.
The rule requires that a link to the privacy policy be displayed prominently and clearly for users. And website operators accustomed to placing such links at the bottom of their home page will probably have to rethink that strategy.
'They've explicitly said in these FAQs: notice and a link at the bottom of the page will not be considered to be prominent,' says Goldstein. 'They've essentially condemned the way most privacy policies are presented on a website.'
Other areas highlighted in the FAQ are likely to prove challenging for companies, too.
Take the collection of geolocation data, which falls under the definition of personally identifiable information. The commission is saying, 'if you collected geolocation data previously, you need to get consent now, for data that you already have,' explains Goldstein, adding: 'That was a bit of a surprise.'
Or FAQ 26, which discusses the requirement that a child-directed website provide a 'complete list' of 'all the operators collecting information' on the site, which could include advertisers, sponsors, and even plug-ins used to display content. Matt Savare, a partner with Lowenstein Sandler, is used to working on advertising deals between website operators, or publishers, and advertising networks, and calls that requirement 'untenable. The advertiser could change on a second-by-second basis,' he says. 'How does one disclose something that changes on a second-by-second basis?'
The larger challenge, though, will be for companies to 'truly understand not only the data flows within this ecosystem, but the various uses, disclosures, and retentions regarding personal information,' Savare says.
And these days, he adds, 'there are dozens, perhaps hundreds, of companies touching that real estate' on any given website.
Jenna Greene writes for Legal Times and Catherine Dunn writes for Corporate Counsel, both ALM affiliates of Internet Law & Strategy.