FTC Warns Companies of Children's Privacy Violations

On May 15, the Federal Trade Commission (FTC) sent letters to more than 90 businesses, informing them that they could potentially be in violation of the Children's Online Privacy Protection Act (COPPA) when changes to the law go into effect on July 1.

The FTC contacted both domestic and foreign companies making mobile apps that may be directed at children under age 13 about revisions to the privacy rule to 'help ensure you are aware of those changes and your compliance responsibilities.'

The two-page letter, signed by Maneesha Mithal, associate director of the Division of Privacy and Identity Protection, is quick to note that the FTC has 'not yet evaluated your apps or your company's practices.' Instead, the letter serves more as a heads-up about new standards for personal information collected from children. (A PDF of the letter is available at http://1.usa.gov/14chOt5.)

More 'Personal Information'

Under the old rule, 'personal information' meant things like a child's name, home address, telephone number or social security number. As of July 1, it will also include 'persistent identifiers,' such as cookies, IP addresses and mobile device IDs. In addition, it will include photographs or videos with a child's image, or an audio file that has a child's voice.
The new rule requires all developers of apps that are directed to children under 13 ' or that knowingly collect personal information from children under 13 ' 'to post accurate privacy policies, provide notice, and obtain verifiable parental consent before collecting, using, or disclosing any 'personal information' from children,' according to the FTC.

The revised rule, which was finalized by the FTC in December 2012, also covers information collected by third parties, such as advertising networks. See, 'FTC Strengthens Kids' Privacy, Gives Parents Greater Control over Their Information by Amending Children's Online Privacy Protection Rule.”

Penalties

The penalties for violating the Act can be steep. In February, social networking app Path agreed to pay $800,000 to settle FTC allegations that it wrongly collected personal information from children. See, 'Path Social Networking App Settles FTC Charges it Deceived Consumers and Improperly Collected Personal Information from Users' Mobile Address Books.' And in October, Artist Arena, the operator of fan websites for music stars such as Justin Bieber, shelled out $1 million to settle FTC charges that it improperly collected personal information from children without parental consent. See, 'Fan Website Operator Agrees to Pay FTC $1M for Collecting Children's Personal Information,' The BLT.

Other prior COPPA penalties include $1 million paid by Sony BMG Music Entertainment in 2008 (see, 'Sony BMG Music Settles Charges Its Music Fan Websites Violated the Children's Online Privacy Protection Act' , and $1 million by social networking website Xanga.com in 2006 (see, 'Xanga.com to Pay $1 Million for Violating Children's Online Privacy Protection Rule.'

The FTC urged letter recipients 'to review your apps, your policies, and your procedures for compliance.'

Impact

Also in anticipation of the revised rule taking effect, and in addition to the letters, the FTC released a highly anticipated guidance document on April 25. See, 'Complying with COPPA: Frequently Asked Questions.”

The document stakes out 92 'Frequently Asked Questions' on the recently amended COPPA ' which not only carries a significant compliance burden for operators of websites directed at children under 13, but also has broader implications for enforcement, according to privacy attorneys.

The revised rule is 'not just about children, it's about privacy policy generally,' says John Feldman, a partner at Reed Smith who specializes in advertising regulation and consumer protection law. 'You're seeing a sea change.'

Considering an IP address to be personally identifiable information is a 'policy leap,' Feldman says. 'No court has defined it that way. Congress hasn't defined it that way. The FTC has defined it that way.'

The broader definition is likely to prompt compliance obligations for many companies, according to Manatt, Phelps & Phillips partner Linda Goldstein. 'Because of the expansive definition of personally identifiable information, it's hard to imagine that a kid-directed site wouldn't be collecting some kind of information that would trigger COPPA,' says Goldstein, who chairs the firm's advertising, marketing and media division.

Already, 19 trade groups ' including the Direct Marketing Association (DMA), the U.S. Chamber of Commerce, and the National Retail Federation (NRF) ' have told the FTC they think the July 1 compliance deadline is too soon and have asked for a six-month delay on enforcement. See, 'DMA Leads Business Community in Asking FTC for Extension to Implement COPPA Rule Changes,' DMA.org.

The rule requires that a link to the privacy policy be displayed prominently and clearly for users. And website operators accustomed to placing such links at the bottom of their home page will probably have to rethink that strategy.

'They've explicitly said in these FAQs: notice and a link at the bottom of the page will not be considered to be prominent,' says Goldstein. 'They've essentially condemned the way most privacy policies are presented on a website.'

The larger challenge, though, will be for companies to 'truly understand not only the data flows within this ecosystem, but the various uses, disclosures, and retentions regarding personal information,' Savare says.
And these days, he adds, 'there are dozens, perhaps hundreds, of companies touching that real estate' on any given website.

Jenna Greene writes for Legal Times and Catherine Dunn writes for Corporate Counsel, both ALM affiliates of e-Commerce Law & Strategy.

On May 15, the Federal Trade Commission (FTC) sent letters to more than 90 businesses, informing them that they could potentially be in violation of the Children's Online Privacy Protection Act (COPPA) when changes to the law go into effect on July 1.

The FTC contacted both domestic and foreign companies making mobile apps that may be directed at children under age 13 about revisions to the privacy rule to 'help ensure you are aware of those changes and your compliance responsibilities.'

The two-page letter, signed by Maneesha Mithal, associate director of the Division of Privacy and Identity Protection, is quick to note that the FTC has 'not yet evaluated your apps or your company's practices.' Instead, the letter serves more as a heads-up about new standards for personal information collected from children. (A PDF of the letter is available at http://1.usa.gov/14chOt5.)

More 'Personal Information'

Under the old rule, 'personal information' meant things like a child's name, home address, telephone number or social security number. As of July 1, it will also include 'persistent identifiers,' such as cookies, IP addresses and mobile device IDs. In addition, it will include photographs or videos with a child's image, or an audio file that has a child's voice.
The new rule requires all developers of apps that are directed to children under 13 ' or that knowingly collect personal information from children under 13 ' 'to post accurate privacy policies, provide notice, and obtain verifiable parental consent before collecting, using, or disclosing any 'personal information' from children,' according to the FTC.

The revised rule, which was finalized by the FTC in December 2012, also covers information collected by third parties, such as advertising networks. See, 'FTC Strengthens Kids' Privacy, Gives Parents Greater Control over Their Information by Amending Children's Online Privacy Protection Rule.”

Penalties

The penalties for violating the Act can be steep. In February, social networking app Path agreed to pay $800,000 to settle FTC allegations that it wrongly collected personal information from children. See, 'Path Social Networking App Settles FTC Charges it Deceived Consumers and Improperly Collected Personal Information from Users' Mobile Address Books.' And in October, Artist Arena, the operator of fan websites for music stars such as Justin Bieber, shelled out $1 million to settle FTC charges that it improperly collected personal information from children without parental consent. See, 'Fan Website Operator Agrees to Pay FTC $1M for Collecting Children's Personal Information,' The BLT.

Other prior COPPA penalties include $1 million paid by Sony BMG Music Entertainment in 2008 (see, 'Sony BMG Music Settles Charges Its Music Fan Websites Violated the Children's Online Privacy Protection Act' , and $1 million by social networking website Xanga.com in 2006 (see, 'Xanga.com to Pay $1 Million for Violating Children's Online Privacy Protection Rule.'

The FTC urged letter recipients 'to review your apps, your policies, and your procedures for compliance.'

Impact

Also in anticipation of the revised rule taking effect, and in addition to the letters, the FTC released a highly anticipated guidance document on April 25. See, 'Complying with COPPA: Frequently Asked Questions.”

The document stakes out 92 'Frequently Asked Questions' on the recently amended COPPA ' which not only carries a significant compliance burden for operators of websites directed at children under 13, but also has broader implications for enforcement, according to privacy attorneys.

The revised rule is 'not just about children, it's about privacy policy generally,' says John Feldman, a partner at Reed Smith who specializes in advertising regulation and consumer protection law. 'You're seeing a sea change.'

Considering an IP address to be personally identifiable information is a 'policy leap,' Feldman says. 'No court has defined it that way. Congress hasn't defined it that way. The FTC has defined it that way.'

The broader definition is likely to prompt compliance obligations for many companies, according to Manatt, Phelps & Phillips partner Linda Goldstein. 'Because of the expansive definition of personally identifiable information, it's hard to imagine that a kid-directed site wouldn't be collecting some kind of information that would trigger COPPA,' says Goldstein, who chairs the firm's advertising, marketing and media division.

Already, 19 trade groups ' including the Direct Marketing Association (DMA), the U.S. Chamber of Commerce, and the National Retail Federation (NRF) ' have told the FTC they think the July 1 compliance deadline is too soon and have asked for a six-month delay on enforcement. See, 'DMA Leads Business Community in Asking FTC for Extension to Implement COPPA Rule Changes,' DMA.org.

The rule requires that a link to the privacy policy be displayed prominently and clearly for users. And website operators accustomed to placing such links at the bottom of their home page will probably have to rethink that strategy.

'They've explicitly said in these FAQs: notice and a link at the bottom of the page will not be considered to be prominent,' says Goldstein. 'They've essentially condemned the way most privacy policies are presented on a website.'

The larger challenge, though, will be for companies to 'truly understand not only the data flows within this ecosystem, but the various uses, disclosures, and retentions regarding personal information,' Savare says.
And these days, he adds, 'there are dozens, perhaps hundreds, of companies touching that real estate' on any given website.

Jenna Greene writes for Legal Times and Catherine Dunn writes for Corporate Counsel, both ALM affiliates of e-Commerce Law & Strategy.