The FTC’s Revised COPPA Rules (Stanford Presentation)


Description

This panel discussion explored topics including:

- Expanded definition of “personal information”
- Application of expanded definition of “personal information”
- Strict liability for child-directed websites and services
- Third-party liability and the “actual knowledge” standard
- Third-party social media plug-ins, ad networks, and analytics
- Age screening
- Mechanisms for obtaining parental consent
- Practical impacts of the COPPA rules (e.g., on content, parents, states)
- Privacy policy and parental notice requirements
- Security and retention of children’s personal information

Transcript of The FTC’s Revised COPPA Rules (Stanford Presentation)

Page 1

The FTC’s Revised COPPA Rules: Practical Impacts and Compliance Challenges

10th Annual Stanford E-Commerce Best Practices Conference June 28, 2013

Jennifer Hanley, Family Online Safety Institute

Shai Samet, kidSAFE Seal Program

Jennifer Sanders, formerly Nickelodeon Kids and Family Games Group

Heather Zachary, WilmerHale

Attorney Advertising

Page 2

Overview of Panel Discussion Topics

Expanded definition of “personal information”

Application of expanded definition of “personal information”

Strict liability for child-directed websites and services

Third-party liability and the “actual knowledge” standard

Third-party social media plug-ins, ad networks, and analytics

Age screening

Mechanisms for obtaining parental consent

Practical impacts of the COPPA rules (e.g., on content, parents, states)

Privacy policy and parental notice requirements

Security and retention of children’s personal information

Other issues

© 2014 Wilmer Cutler Pickering Hale and Dorr LLP

Page 3

Expanded Definition of “Personal Information”

Prior to the amendments, “personal information” included: full name, physical address, online contact information, telephone number, Social Security number, and information concerning a child or that child’s parents when combined with another element of personal information

The FTC added four types of information to the definition:

– Geolocation information sufficient to identify the street name and the name of the city/town; the FTC clarified that this information is covered by the existing rule (FAQs A4, F1 to F4)

– Photos, videos, or audio files that contain a child’s image or voice (FAQs E1 to E5)

– Screen or user names that function like “online contact information”

– “Persistent identifiers” that can be used to recognize a user over time and across different sites or services (e.g., cookies, device IDs, IP addresses) (FAQs C6, H2)


Page 4

Application of Personal Information Definition

In some cases, these definitional changes affect information that already has been collected from children, especially when such information is combined with newly-collected information (FAQ A4)

When an operator collects a persistent identifier and no other personal information, there is no notice or consent requirement when the identifier “is used for the sole purpose of providing support for the internal operations of the Web site or online service.” (Rule 312.5(c)(7); FAQs C6, H2, I5)

“Support for the internal operations” includes: maintaining or analyzing the functioning of a site or service; performing network communications; authenticating users or personalizing content on the site or service; serving contextual advertising (but not behavioral advertising); capping the frequency of ads; protecting the security or integrity of the site or service; ensuring legal or regulatory compliance; and fulfilling certain types of requests from a child (FAQs I5 to I8; Rule 312.2)


Page 5

Strict Liability for Child-Directed Websites and Services

A child-directed site or service generally cannot permit a third-party plug-in or ad network to collect personal information without notice and consent (FAQs A5, D6, D8)

Such collection is deemed to be “on behalf of” the operator, even if the third party does not share such information with the child-directed site or service.

The child-directed site or service is strictly liable for the integration of third-party features and must ensure that any collection of personal information complies with COPPA (FAQs D6, D8)

– There is no good-faith exception; operators must investigate whether any third-party plug-in or ad network collects information through the child-directed site or service.

On the other hand, the new rules relax the existing “100% deletion standard” and permit interactive features (such as chats and message-posting features) for children without parental consent if the operator takes “reasonable measures to delete all or virtually all” of children’s personal information before it is made public (Rule 312.2)


Page 6

Third-Party Liability and the “Actual Knowledge” Standard

A general-audience website or service must comply with COPPA when the operator has “actual knowledge” that it has collected personal information from a child (e.g., through a customer service interaction or a post on a monitored message board) (FAQs G4, G5)

A third-party plug-in, ad network, or other service that collects personal information through another site or service must comply with COPPA if it has “actual knowledge” that it is integrated into a child-directed site or service (FAQs A5, D5)

Unlike under the strict-liability standard for child-directed sites, there is no duty for third parties to investigate. Instead, FAQ D5 states that a third party has actual knowledge when:

– The child-directed website or service directly communicates the nature of its content to the third-party provider; or

– A representative of the third party recognizes the child-directed nature of the site


Page 7

Specific Third-Party Features

Social media plug-ins (e.g., Facebook share) — FAQs H2, I10; Rule 312.5(c)(8)

– Generally must obtain parental consent to use these features on child-directed sites and services

– Exception to notice and consent if: (1) the plug-in collects only a persistent identifier; (2) the user interacts with the third party to trigger the collection; and (3) the third party has previously conducted an age-screen of the user, confirming that the user is not a child (FAQs H2, I10)

Ad networks (e.g., Google AdSense) — FAQs D7, I8

– Contextual ads are allowed without parental notice and consent in many circumstances

– IP addresses or other persistent identifiers may be used for capping the frequency of ads, provided they are not linked to other personal information

– Behaviorally targeted or retargeted ads are not allowed without parental notice and consent

Analytics (e.g., Google Analytics) — FAQ I7

– No consent is needed if persistent identifiers are collected and used only for analytics on the child-directed site or service (or for other “support for the internal operations”)

– But such data cannot be linked to other personal information or used by the analytics vendor or the operator for other purposes, such as behavioral ads


Page 8

Age Screening

General-audience sites and services need not age screen users

Child-directed sites and services that target children as their “primary audience” must assume that all users are under 13 and provide appropriate COPPA protections (FAQ D2)

Under the new rules, some sites and services now occupy a middle ground. They are directed to children, but they do not target children as their “primary audience” (FAQs D2 to D4, G2)

– May age screen prior to collecting personal information and either (1) provide COPPA protections to users under age 13, or (2) avoid collecting personal information from such users

– But cannot entirely block children under 13 from using the site or service

Age screening must be done neutrally (FAQ G3)


Page 9

Mechanisms for Obtaining Parental Consent

The rules provide new ways to obtain parental consent: scans of signed consent forms; video conferencing; government ID checked against a database; a debit card or online payment system that provides a notification of each transaction (FAQ H4)

Sites and services can participate in an FTC-approved safe harbor program (FAQ H13)

Consent through an app store account (e.g., an iTunes password) is not sufficient, even if linked to a credit card (FAQ H10)

“Email plus” remains a legitimate means of obtaining parental consent, but only for internal uses of personal information (i.e., no disclosure to third parties or the public is permitted) (FAQs H3, H4, H12; Rule 312.5(b)(2)(vi))

Schools can provide consent under certain circumstances (FAQs M1 to M4)

The list of approved mechanisms is not exhaustive, and parties can seek FTC approval for new methods (FAQs H14, H15)


Page 10

Practical Impacts of the COPPA Rules

Some app developers and commenters have expressed concern that the rules will negatively impact the content and features available to children

Many parents are confused about the purpose and mechanics of COPPA, and about how to protect their children online

– Many organizations are taking steps to educate parents and make them more engaged with respect to children’s online privacy (e.g., resources from FOSI and kidSAFE Seal)

The FTC is not the only government entity actively engaged in protecting children’s privacy

– States have undertaken efforts to enforce COPPA (FAQ B3)

– Some states have attempted to enact legislation or take additional measures to protect minors online and limit advertising to children


Page 11

Privacy Policy and Parental Notice Requirements

The new rules streamline the elements that are required in a COPPA-compliant privacy policy (FAQ C2; Rule 312.4(d))

A privacy policy must be posted on the home or landing screen of a child-directed website or mobile app (FAQs C7, C9; Rule 312.4(d))

– Posting on the app store page is not sufficient or required (but is recommended)

– The privacy policy must also be provided on any forms or features within the site or app that collect/upload personal information from children

– If personal information is collected as soon as an app is downloaded, notice and parental consent are required before the download is complete (e.g., at checkout or on a landing page appearing before the download ends)

The rules require fact-specific direct notices to parents:

– The notices vary depending on the type of activity triggering the notice. A detailed roadmap is provided in FAQ C11 and Rule 312.4(c)(1)-(4)

– The FTC has called for succinct and “just-in-time” notices (FAQs A5, C12)


Page 12

Security and Retention of Personal Information

The new rules strengthen existing security protections and add new obligations concerning data retention and deletion

Operators must take “reasonable steps” to release personal information only to vendors and other third parties that are capable of protecting it, and that provide assurances they will do so. Such steps include:

– Expressly addressing security expectations in contracts with service providers and third parties

– Using reasonable means, such as periodic monitoring, to confirm that any service providers or third parties are maintaining the confidentiality and security of personal information (FAQ K1)

Operators may retain children’s personal information for only so long as is reasonably necessary to fulfill the purpose for which it was collected and must take steps to safely delete personal information (FAQ A1)


Page 13

Other Issues

Consent exceptions for one-time use and multiple contacts with children (e.g., contests, newsletters) — FAQs H2, I1 to I3; Rule 312.5(c)

How to determine whether a site is “directed to children” — FAQs D1, D5; Rule 312.2

Mobile app push notifications — FAQ I9

Safe Harbor Programs — FAQs N1 to N3


Wilmer Cutler Pickering Hale and Dorr LLP is a Delaware limited liability partnership. WilmerHale principal law offices: 60 State Street, Boston, Massachusetts 02109, +1 617 526 6000; 1875 Pennsylvania Avenue, NW, Washington, DC 20006, +1 202 663 6000. Our United Kingdom offices are operated under a separate Delaware limited liability partnership of solicitors and registered foreign lawyers authorized and regulated by the Solicitors Regulation Authority (SRA No. 287488). Our professional rules can be found at www.sra.org.uk/solicitors/code-of-conduct.page. A list of partners and their professional qualifications is available for inspection at our UK offices. In Beijing, we are registered to operate as a Foreign Law Firm Representative Office. This material is for general informational purposes only and does not represent our advice as to any particular set of facts; nor does it represent any undertaking to keep recipients advised of all legal developments. Prior results do not guarantee a similar outcome. © 2014 Wilmer Cutler Pickering Hale and Dorr LLP