The US Federal Trade Commission ("FTC") is proposing new amendments to the Children's Online Privacy Protection Act ("COPPA"), the federal scheme for regulating children's online and mobile privacy. COPPA's underlying intent is to provide reasonable and practical safeguards to foster efforts to protect young children from being contacted online in the absence of parental consent.
The challenge is how to strike a proper balance between protecting children when online, recognizing the practicalities and challenges of operating within an online or mobile environment, and the importance and benefits of the Internet, mobile media and e-commerce to consumers, including children.
The new proposals would ease some burdens for publishers and advertisers, but would still require parents to provide verified consent, and at a higher level than the current standard, before companies can collect certain information from children under 13 years old.
A new proposal on mixed audience sites would give more flexibility to family-friendly site operators that want to treat children and adults on the same site differently. The new rules would impose liability on operators who fail to age screen on sites that do not intend to target children, but nevertheless have a user population that includes children under 13 in an amount that is disproportionately large when compared to the amount of such children in the general population. COPPA protection would apply to children using the site.
The FTC has invited public comments on proposals to remove the widely used e-Mail Plus method of parental verification for collection of personal information for company internal uses, to tighten exceptions to parental consent requirements, and to expand the scope of the definition of personal information to include items such as photos, which will make compliance more burdensome. The FTC also seeks to hold responsible both site operators and third party service operators, such as ad networks, for third party data collection on a site.
Key points, issues and challenges
Who should be responsible for third party data collection via a site or service?
Currently, operators that both collect information and have ownership control and access to a site or service directed at children under 13 years old would be responsible for COPPA compliance (e.g. obtaining parental consents). But the circumstances in which an operator merely hosts children's information collected by a third party are not covered by the proposals.
The FTC proposes to hold both the third party collecting personal information and the site operator allowing such collection by third parties responsible, but with different standards of responsibility.
Should sites and services for both children and adults be able to age screen users and treat only those that self-identify as under 13 as children?
The FTC wants to change the definition of "website or online service directed to children" to permit mixed audience sites (those "with child-oriented content appealing to a mixed audience, where children under 13 are likely to be an over-represented group") to apply the COPPA-mandated protections only to children under 13.
A mixed audience site such as Disney would screen its users and can treat those that self-identify as 13 or over as adults, so long as it prevents the collection, use, or disclosure of personal information from users who identify as under age 13 without first obtaining verifiable parental consent.
The change could impose new requirements on sites that do not age screen, even if children are not the primary audience, if the percentage of users under 13 is greater than that in the general population. This would be a move away from holding general audience sites to an actual knowledge standard of liability.
One resulting issue will likely be how to deal with multiple users of a family computer.
When should parental consent be required to associate persistent identifiers with users?
The FTC intends to change its proposals to treat persistent identifiers used to recognize a user over time or across sites as personal information (e.g., an IP address, mobile device identifier, or other identifier associating a computer with a cookie) by excluding those persistent identifiers used only for certain internal activities (site maintenance and analysis, authentication of users, setting of user preferences, serving contextual advertisements, protecting against fraud, and responding to certain requests of users), so long as the information is not used to contact a specific individual.
When should parental consent be required to associate screen names or user names with children?
The Commission suggests that it will modify its proposal to treat user names and screen names as personal information requiring verified parental consent to collect, but only if that identifier is associated with a functionality that permits the person to be contacted online (e.g., it functions as an instant message or e-mail address). This would give some relief to operators who use user names for internal administrative purposes, to operators of a service accessible by multiple platforms and devices, and to operators of a family of sites or applications.