FTC Proposes More COPPA Rule Changes Based on Comments Received to Date

Last week, the FTC proposed additional changes to its rules implementing the Children’s Online Privacy Protection Act (COPPA). These changes come in response to the more than 350 comments the FTC received after publishing a comprehensive set of proposed revisions in September 2011. All of the new proposed changes concern specific definitions in the COPPA regulations, which are critical in determining the regulations scope of application.

The specific changes the FTC is now proposing would amend the definitions of "operator," "personal information," and "Web sites or online services directed to children" and would create a new definition of "support for internal operations of the Website or online service."

Perhaps the most significant change is the proposed new definition of "Web site or other online service directed to children." The current definition includes all sites "targeted to children," with certain limitations. The 2011 proposed revisions would have amended this definition very slightly. Now, however, the FTC proposes a substantially revised definition that adds a knowledge component and otherwise narrows the circumstances in which the FTC will require a website operator or online service to treat all its visitors as if they were children under 13. The new definition has four parts, such that a "Web site or online service directed to children" includes any of the following:

1. A site/service that knowingly targets children under 13 as its primary audience,
2. A site/service that is likely to attract children under 13 as its primary audience, or
3. A site/service that is likely to attract "a disproportionately large percentage of children under age 13" unless such site/service screens all users for age and obtains parental consent before collecting personal information from users who identify themselves as under 13.
4. A site/service that "knows or has reason to know that it is collecting personal information through any Web site or online service" described in any of parts (1) through (3) above.

As the FTC notes, this proposed new definition largely reflects the agency's position to date, as applied in enforcement actions it has taken under the current regulations. The FTC has, in its enforcement guidances and elsewhere, encouraged websites and online services to use age-screening as a means to ensure that parental consent can be sought prior to collecting information from children under age 13. The proposed codification of age screening as a requirement for sites/services with mixed audiences clarifies the FTC's policy and practice in this regard.

The inclusion of a site/service that "knows or has reason to know" that it is collecting personal information through a site or service directed to children would help cabin the responsibility of online services such as advertising networks or downloadable "plug-ins," which often are not logistically capable of controlling or monitoring which sites incorporate their online services. In discussing this proposed change, the FTC clarified that the proposed new definition would not impose on an online service a duty to monitor or investigate whether it is incorporated into a child-directed site, but neither would it allow a service provider to ignore credible information that it is collecting information from children.

The other definitional changes the FTC is newly proposing are:

• Revising the definition of "operator" so that both the provider of an information-collection service (such as a social networking plug-in or advertising network) and the website or online service in which such service is integrated are responsible under COPPA. Under the FTC's current interpretation of the COPPA rules, the information collection service provider is solely responsible for its information collection activities. The FTC is proposing this change on the ground that the main website operator benefits from the information-collection activity and is in the best position to know if its site is directed to children, to control what plug-ins and advertising networks are integrated into its site, and to give notice to and obtain consent from parents.

• Narrowing the definition of "personal information" so that it would include a screen name or user name only if that name is "online contact information" – i.e., an identifier that allows direct online contact with the user. The September 2011 proposal would have treated a screen or user name as "personal information" if it were used for anything other than a site's internal technical operations. That prompted objections from certain commenters on the grounds that screen names are importantly used to permit certain site uses by children, such as transitioning between devices or platforms via a single screen or user name, without unnecessarily collecting personal information. In its new proposal, the FTC acknowledges the benefits of screen and user names in place of individually identifiable information for such uses.

• Clarifying the definition of "persistent identifier" (which is now "personal information" under the rules) to make clear that it does not include identifiers used solely to support internal site operations and to define what qualifies as "support for internal operations."

The FTC is accepting comments on these proposed changes until September 10, 2012.

© Arnold & Porter Kaye Scholer LLP 2012 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.