16 September 2011

COPPA

The US Federal Trade Commission (FTC) is seeking public comment on proposed amendments to the Children’s Online Privacy Protection Rule.

That FTC Rule gives effect to the Children’s Online Privacy Protection Act [COPPA], US federal legislation requiring operators of websites or online services directed to children under 13, or those that have actual knowledge that they are collecting personal information from children under 13, to obtain verifiable consent from parents before collecting, using, or disclosing such information from children.

The Rule implementing COPPA came into effect in 2000. It was reviewed in 2005, with another review last year. The FTC is expected to release final recommendations for broader online privacy regulations later this year.

The proposed amendments - some 122 pages [PDF] - seek to ensure that the Rule "continues to protect children’s privacy ... as online technologies evolve", through modifications in five areas -
• definitions, including the definitions of "personal information" and "collection"
• parental notice
• parental consent mechanisms
• confidentiality and security of children's personal information
• the role of self-regulatory "safe harbor" programs.

The expression of concern regarding parental consent coincides with the EU work on consent, e-marketing and data protection noted earlier this month and discussed in a forthcoming article in Privacy Law Bulletin.

The FTC summarises the major changes as follows.

Definitions

The COPPA Rule requires covered operators to obtain parental consent before collecting personal information from children. The FTC proposes updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising. In addition, the Commission proposes modifying the definition of “collection” so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.

Parental Notice

The proposed amendments also seek to streamline and clarify the direct notice that operators must give parents prior to collecting children’s personal information. The proposed revisions are intended to ensure that key information will be presented to parents in a succinct “just-in-time” notice, and not just in a privacy policy.

Parental Consent Mechanisms

The FTC also proposes adding new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done. These supplement the nonexclusive list of methods already set forth in the Rule.

The FTC proposes eliminating the less-reliable method of parental consent, known as “e-mail plus,” which is available to operators that collect personal information only for internal use. This method currently allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.

To encourage the development of new consent methods, the Commission proposes establishing a voluntary 180-day notice and comment process whereby parties may seek Commission approval of a particular consent mechanism. In addition, the Commission proposes permitting operators participating in a Commission approved safe-harbor program to use a method permitted by that program.

Confidentiality and Security Requirements

To better protect children’s personal information, the Commission proposes strengthening the Rule’s current confidentiality and security requirements. Specifically, the Commission proposes adding a requirement that operators ensure that any service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it, that operators retain the information for only as long as is reasonably necessary, and that they properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.

Safe Harbor

Finally, the FTC proposes to strengthen its oversight of self-regulatory “safe harbor programs” by requiring them to audit their members at least annually and report periodically to the Commission the results of those audits.

Among other areas of interest the amendments indicate that -
The Commission believes that, with respect to the subset of websites and online services directed to children or having actual knowledge of collecting personal information from children, broader Rule coverage of photos is warranted. In addition, the Commission believes that the Rule’s definition of “personal information” should be expanded to include the posting of video and audio files containing a child’s image or voice, which, similarly to photos, may enable the identification and contacting of a child.

Therefore, the Commission proposes to create a new paragraph (i) of the definition of “personal information” that states: A photograph, video, or audio file where such file contains a child’s image or voice;

This proposed change will ensure that parents are given notice and the opportunity to decide whether the posting of images or audio files is an activity in which they wish their children to engage.

The amendments document also states that -
In recent years, geolocation services have become ubiquitous features of the personal electronics market. Numerous commenters raised with the Commission the issue of the potential risks associated with operators’ collection of geolocation information from children.

Some commenters urged the Commission to expressly modify the Rule to include geolocation information, given the current pervasiveness of such technologies and their popularity among children. Others maintained that geolocation information is already covered by existing paragraph (b) of the Rule’s definition of “personal information,” which includes “a home or other physical address including street name and name of a city or town.”

Technologies that collect geolocation information can take a variety of forms and can communicate location with varying levels of precision. Generally speaking, most commonly used location tracking technologies are capable of revealing a person’s location at least down to the level of a street name and the name of a city or town. In the Commission’s view, any geolocation information that provides precise enough information to identify the name of a street and city or town is covered already under existing paragraph (b) of the definition of “personal information.” However, because geolocation information may be presented in a variety of formats (e.g., coordinates or a map), and in some instances may be more precise than street name and name of city or town, the Commission proposes making geolocation information a standalone category within that definition.

Those commenters who opposed the inclusion of geolocation information within COPPA’s definition of “personal information” argued that such information cannot be used to identify a specific individual, but only a device. However, as discussed above, the Commission finds this argument unpersuasive. Physical address, including street name and name of city or town, alone is considered personal information under COPPA. Accordingly, geolocation data that provides information at least equivalent to “physical address” should be covered as personal information.