Post on 18-Aug-2020

COPPA One Year Later

Sheila A. Millar
Partner
Keller and Heckman, LLP
1001 G Street, NW
Suite 500 West
Washington, DC 20001
+1 202.434.4143
millar@khlaw.com
www.khlaw.com

Key Questions on COPPA Compliance

IAPP Practical Privacy Series

November 5, 2014

Reed Freeman
Partner
Morrison & Foerster, LLP
2000 Pennsylvania Ave, NW
Washington, DC 20006
+1 202.887.6948
rfreeman@mofo.com
www.mofo.com

• The Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501-6508) and its implementing rule promulgated by the Federal Trade Commission (16 C.F.R. Part 312)

– Substantial revisions took effect July 1, 2013

• Intended to give parents notice of and control over the online collection of personal information from and about their children

• Generally requires a company to obtain verifiable parental consent before collecting personal information online from a child under 13

– “Online” includes through websites, mobile sites, apps and other online services

What is COPPA?

• Defined very broadly under the amended rule to include

– Name, address, phone number, social security number, or a photo, video or audio file that contains a child’s image or voice

– Online contact information: an email address or similar identifier (IM identifier, video chat user identifier, etc.) that permits direct contact with a person online.

• Also includes geo-location information sufficient to identify street name and city

– Typically collected, for example, through GPS or Wi-Fi

– Does not extend to location determined via IP address

What is Personal Information?

• A screen or user name, if it functions as “online contact information”

– It is “personal information” if it permits users to privately communicate with one another, such as through an in-site messaging service

– It is not “personal information” if it is used, for example:

  • In a leaderboard or other public display

  • To otherwise identify users to each other (such as in a multi-player game)

  • To personalize content

  • In a chat room, where the operator takes reasonable measures to delete all or virtually all personal information before it is made public

  • For the operator to communicate with the user within the service

  • As log-in credentials to provide a user with seamless access to content across multiple properties and/or devices

– Practice Tip: If you let a child create a screen or user name, include a statement advising against the use of a real name, email address or other identifier

• A persistent identifier, such as a customer number held in a cookie, an IP address, a device serial number or UDID that can be used to recognize a user over time and across different sites or services

What Else is Personal Information?

• COPPA’s parental notice and consent obligations are not triggered if a persistent identifier is used solely to support the site’s internal operations, provided that the information is not used or disclosed to contact a user (including through behavioral advertising) or to amass a profile on him or her

• So, for example, you do not have to comply with COPPA’s notice and consent obligations if:

– The identifier is used only within your site or across sites within your family of companies, provided that the affiliate connection is clear to users

– The identifier is used only for first-party analytics, optimization, payment and delivery functions, spam protection, statistical reporting, intellectual property protection and de-bugging

– You serve advertising on your site, but it is not served based on the use of a persistent identifier across different sites

• But you do have to comply if:

– The identifier tracks a user over time and across different sites, and the information collected is used for retargeting, other online behavioral advertising or the creation of a profile on a particular user (such as to draw inferences about that user)

Does your Persistent Identifier Trigger COPPA?

• COPPA applies to sites that collect personal information and are directed to children under 13

• COPPA also applies to general audience sites that have actual knowledge that they collect personal information from children under 13

When Does COPPA Apply?

• The way that you comply depends on whether your site:

– Targets children under 13 as its primary audience;

– Is directed to children (using the factors discussed above) but does not target children under 13 as its primary audience; or

– Is directed to a general audience but requests age

• A site that targets children under 13 as its primary audience

– Subject matter to which individuals 13 and older are unlikely to be drawn

– Dora the Explorer, Club Penguin, Barbie

• A site that is directed to children but does not target children under 13 as its primary audience

– Subject matter that appeals across older demographics but will attract children under 13

– Justin Bieber, Katy Perry, Miley Cyrus, iCarly

How to Comply with COPPA

• If you target children under 13 as your primary audience, treat all users as children under 13. This means that you must either:

– Not collect any personal information or permit any third party (such as Facebook, Twitter or an ad network) to collect personal information, or

– Obtain parental consent for, and otherwise comply with COPPA with respect to, every user

• If the site is directed to children under 13 but does not target them as its primary audience, age screen users and treat only those who submit an age under 13 as subject to COPPA

– The FTC also recommends age-screening for sites directed to teens

• If the site is directed to a general audience and requests age, age screen users and treat those who submit an age under 13 as subject to COPPA

How to Comply, Cont.

• How do we tell if a site or app is child-directed?

• If the developer makes a reasonable judgment about the intended target but a site or app generates significant visits by children, what are the implications?

What’s Child-Directed?

• What are best practices for age-screening?

– General audience sites and age-screens

– Sites “secondarily” targeted to children

– Entry age screens (sweepstakes and contests)

– Sites or apps targeting pre-literate children

Age-Screening

• COPPA establishes a strict liability scheme for all data collection at your site or app

– What level of due diligence is required?

– How do we track the trackers?

– Analytics v. IBA v. plug-ins

Due Diligence and Tracking the Trackers

• What is the scope of support for the internal operations?

• What’s the difference between personalization and creating a profile?

Support for Internal Operations

• What are the rules for managing push notifications? Aren’t they often simply contextual ads?

• Text messaging

Push Notifications, Text Messaging

• Do the new methods of VPC provide real benefits?

• Are they practical?

Verifiable Parental Consent

• What are the advantages and disadvantages of safe harbors?

• What is the potential impact of FOIA requests targeting safe harbor organizations?

Safe Harbors

• FTC and California AG have taken the position that COPPA does not preempt state law. What are the implications?

Preemption

• FTC starts enforcing

– Yelp

– TinyCo

• Role of AGs

Enforcement

• In-app purchases and payment issues

– FTC exercises unfairness authority in cases against Apple, Google

• Kid-directed advertising: subject to the Children’s Advertising Review Unit Guidelines

– CARU also enforces COPPA, even where advertiser is not part of its safe harbor program

Beyond COPPA

Sheila A. Millar
Partner
1001 G Street, NW
Suite 500 West
Washington, DC 20001
+1 202.434.4143
millar@khlaw.com

Thank you!

Reed Freeman
Partner
2000 Pennsylvania Ave, NW
Washington, DC 20009
+1 202.887.6948
rfreeman@mofo.com