The letters were sent to US companies and foreign companies that the FTC claims direct their apps to children in the US.  The letters focus on the collection of persistent identifiers and photographs, videos, and audio containing a child’s image or voice.  The FTC did not identify the companies receiving the letters, but made templates of the different versions available on its website, including a letter to:  (1) US companies with apps that collect persistent identifiers; (2) US companies with  aps that collect videos, images, or audio of kids; (3) foreign companies with apps that collect persistent identifiers; and (4) foreign companies with apps that collect videos, images, or audio of kids.

The letters suggest that the FTC could continue to focus attention on kid-directed mobile apps once the revised COPPA Rule takes effect.  In February 2012 and December 2012, the FTC released reports analyzing hundreds of kid-directed mobile apps and concluding that many app developers could be doing more to provide clear and complete notice of their privacy practices.  And earlier this year the FTC entered into a consent decree with mobile app developer Path for alleged COPPA violations.  

Today, the Commission responded to the industry associations’ letter and informed them that it would retain the July 1, 2013 effective date.  The Commission acknowledged that the revised rule “does impose new obligations on child-directed sites and services,” but explained that, “in selecting an effective date of July 1, 2013, the Commission determined that six months would be adequate time for such operators to assess whether third parties collect personal information through their site or service.”    

Although the Commission did not extend the effective date, it did pledge to “exercise prosecutorial discretion in enforcing the Rule, particularly with respect to small business that have attempted to comply with the Rule in good faith in the early months” following July 1.

This requirement is subject to two important exceptions; websites, online services, online applications, and mobile applications would not be required to erase or eliminate content or information upon request (1) when other state or federal law requires that the site or service maintain the content or information, or (2) when the content or information is submitted by a third party other than the minor, or a third party republishes or resubmits content originally posted by the minor. 

Unlike the federal Children’s Online Privacy Protection Act (COPPA), which applies to children under the age of 13, the California bill would apply to any person under 18 years of age.  Under COPPA, parents may request that an operator delete their child’s personal information, but the California bill would give the right to the minor.  In addition, unlike COPPA, the California bill is not limited to “personal information” -- a term which has been the subject of extensive rulemaking proceedings and revisions -- and instead applies to all “content and information” submitted by the minor. 

The California bill also would limit the goods and services that could be marketed to minors.  Websites, online services, online applications, or mobile applications that are directed to minors or that have actual knowledge that a minor is using the site or service would be prohibited from marketing products to minors “if the minor cannot legally purchase the product or participate in the service” in California.  The text of the bill does not define when websites, online services, online applications, or mobile applications will be deemed to be “directed to minors” or discuss how “actual knowledge” would be obtained by a online services directed to a general audience.  Websites, online services, online applications, or mobile applications also would be prohibited from using, disclosing, or compiling personal information for marketing goods that the minor could not legally purchase or from knowingly allowing third parties to use, disclose, or compile information for marketing such goods.  Significantly, the bill does not define what qualifies as “personal information,” leaving an open question of whether such information would include persistent identifiers, which the Federal Trade Commission recently added to the definition of “personal information” in the revised COPPA rule.

For the most part, the FAQs reiterate past guidance and emphasize key provisions of the new COPPA Rule and its Statement of Basis and Purpose.  However, here are 5 key things that the revised COPPA FAQs clarify:

1. Operators are not legally required to obtain parental consent for certain information that was collected before the effective date of the new COPPA Rule and that was not considered “personal information” under the original COPPA Rule.  Specifically, parental consent is not required for the following categories of information that were collected before July 1, 2013:  (1) photos, videos, and audio files containing a child's image or voice; (2) screen or user names that function as online contact information (unless the operator combines them with new information after July 1, 2013); and (3) persistent identifiers (unless the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013).  (FAQ 4)
2. Operators of child-directed sites and online services that do not target children as their primary audience may not block children from participating in the site or service altogether, although the operator may offer different activities to users based on age. (FAQ 38) This would seem to allow an operator to block the child from all interactive features that could enable the sharing of personal information, as long as the child can continue to use portions of the site that do not require or enable the sharing of personal information. 
3. Third-party services that are integrated on child-directed sites will be deemed to have "actual knowledge" if, in the future, a formal industry standard or agreed-upon convention is developed under which sites or services signal their child-directed nature to integrated third parties.  However, the mere collection of a URL from a child-directed site or service is unlikely to constitute actual knowledge.  (FAQ 39)  This guidance builds on a blog post published by the FTC's Chief Technologist, Steve Bellovin.
4. An operator of a child-directed site or service does not need to notify parents or obtain parental consent before collecting pictures from children, as long as it either blurs the child's facial features or prescreens and deletes photos of children before posting them online.  (FAQs 43-45)  (But don't forget to scrub for metadata as well -- photo metadata that contains precise geolocation information may trigger the COPPA Rule.)
5. A third party who is integrated on a child-directed site may rely on the "support for internal operations" exception to support the third-party's own internal operations.  There actually was text in the final COPPA Rule's Statement of Basis and Purpose supporting this point, but the revised COPPA FAQs make this point crystal clear.  (FAQ 77)

In addition, the COPPA FAQs clarify how the COPPA Rule applies in the classroom:

The revised COPPA Rule takes effect on July 1, 2013. Approximately twenty industry organizations have asked the FTC to grant a six-month extension of this deadline so that industry has adequate time to implement unanticipated changes that were adopted in the final COPPA Rule and to incorporate the additional guidance outlined in the revised COPPA FAQs. A coalition of consumer groups, in contrast, have argued that no additional time is needed. Speaking at a seminar hosted by the International Association of Privacy Professionals earlier yesterday, Peder Magee, a senior attorney in the FTC's Division of Privacy and Identity Protection, declined to comment on whether the extension requests were likely to be granted.

As a New York Times article published earlier this week also highlighted, the embrace of educational cloud services also raises interesting and important questions about the privacy and security of student data.  After all, these services by definition involve the movement of student and teacher communications, documents, or other data that used to be stored on-site and managed by school employees to the cloud.  Cloud computing services are operated by third-party vendors, and these vendors have a range of business models and practices with respect to the collection, use and disclosure of data. 

As they work to safeguard student data without inhibiting the benefits of educational technologies, we find that educational institutions increasingly are focusing on regulatory requirements and contractual protections for student data -- and in particular five principles that we describe after the jump.

• FERPA generally prohibits the disclosure by schools of personally identifiable information from a student’s education records, unless the educational institution has obtained signed and dated written consent from a parent or eligible student or one of FERPA’s exceptions applies.  
• COPPA, in contrast, governs operators of websites and online services that are directed to children under the age of 13 and operators of general audience websites or online services that have actual knowledge that a user is under 13.  Notably, the Federal Trade Commission has clarified that if an educational institution contracts with a cloud service provider that uses the students’ data for advertising or marketing purposes, then COPPA is triggered. 
• Some state governments and local school districts have other requirements or policies in place that must be followed.  For example, Maryland regulations restrict third-party access to student records, unless necessary to serve “legitimate and recognized educational ends.”  Md. Code Regs. 13A.08.02.04.

Aside from ensuring regulatory compliance, educational institutions may look to contractual protections to ensure proper stewardship of student data in the cloud.  Indeed, the Department of Education itself has encouraged educational institutions to view FERPA as a floor and not a ceiling. Another public sector actor, the International Association of Chiefs of Police, has issued guidance suggesting that members require by contract that “[t]he cloud provider should not capture, maintain, scan, index, share with third parties, or conduct any other form of data analysis or processing of law enforcement data for such purposes as advertising, product improvement, or other commercial purposes.”  Given their role in safeguarding student data, schools may embrace similar contractual norms. 

While educational institutions should always consult with counsel when evaluating their legal obligations or the terms of a cloud services agreement, we understand that many institutions are taking into account the following principles:   

1. Maintain control of student data.  The exception under FERPA that is relied upon to allow disclosure of data by schools to their cloud service providers―known as the “school official” exception― applies only if the cloud service provider remains under the “direct control of the educational institution” with respect to the use and maintenance of education records.  The concept of “direct control” is not specifically defined in FERPA, but it is interpreted to encompass imposing restrictions via contract on the service provider’s conduct.  In particular, educational institutions may elect to define key terms in their cloud service contracts (such as the definition of an “education record” and what is “personally identifiable information” versus “non-personally identifiable information”), rather than providing the service provider discretion to interpret these terms.  Additionally, direct control anticipates that the educational institution will clearly specify in the contract what the cloud service provider can and cannot do with student data. 
2. Expressly prohibit the mining of student data for advertising and marketing purposes.  Here again, for purposes of FERPA the cloud service provider acts as a “school official” in its receipt of student data.  Just as a school administrator or teacher wouldn’t track a students’ classroom communications, homework, and educational interests for advertising or marketing purposes, schools expect that their cloud service providers will not engage in such activities.  Express contractual terms preventing use of student data for marketing and advertising purposes can help to avoid any confusion or mishaps on this point.  
3. Enter into a comprehensive agreement covering all of the cloud services provided to the educational institution. Cloud service providers may offer different services to educational institutions, businesses, and consumers.  The specific terms and conditions for one service might vary significantly from another service.  This is often the case where a vendor offers some services under a negotiated or contracted arrangement with the institution and others under individual “click thru” terms to students and teachers as they access and use the service.  As a result, schools may reasonably expect either (i) to have a negotiated contract or series of contracts that cover all services provided by the vendor to the school, or (ii) that the “click thru” terms of any services not covered by a negotiated enterprise contract meet applicable regulatory requirements and institution contracting norms. 
4. Consider how providers may use “anonymized” data.  FERPA allows educational institutions to use or disclose de-identified data without consent.  There are debates, however, concerning what it takes to de-identify data.  Researchers repeatedly have discussed how individuals may be reidentified using large sets of “anonymized” data.  Given these ambiguities, educational institutions may decide to prohibit any use of data that the cloud provider obtains in providing the service to the school―whether or not anonymized―other than uses specifically allowed by the contract.  
5. Conduct due diligence into the cloud service provider’s practices with respect to student data.  Educational institutions are under pressure by parents and regulators to ensure that student and institution data is properly safeguarded.  In discussing new technologies with parents and other stakeholders, educational institutions may be asked to answer key questions such as how the cloud service provider will collect, use, and disclose student data; whether teachers, school administrators, and parents are able to review and order deletion of the student’s data; the data security measures that the cloud service provider has implemented; and the cloud service provider’s data retention and deletion policies.  

The FTC alleged that the Path application included an “Add Friends” feature that allowed users to make new connections within the app.  Users were given three options when using the “Add Friends” functionality:  “Find friends from your contacts,” “Find Friends from Facebook,” or “Invite friends to join Path by email or SMS.”  Regardless of which option was chosen, Path automatically collected and stored contact information from the address book on the user’s mobile phone.  The FTC argued that this practice was contrary to representations made in the company’s privacy policy that only certain technical information, such as IP address, browser type, and site activity information, was automatically collected from the user.  Under the settlement, Path agreed to implement a comprehensive privacy program and obtain biennial, independent privacy assessments for the next twenty years. 

The Path settlement is one of several recent efforts to improve mobile app developers’ privacy practices, particularly in the area of children’s privacy.  On the same day that the Path settlement was announced, the FTC released new mobile app privacy guidelines.  These guidelines follow two FTC reports analyzing whether child-directed apps are providing adequate notice about their privacy practices, and the FTC has actively enforced COPPA against mobile app developers.  In addition to the FTC’s efforts, the Department of Commerce and State Attorneys General in California and New Jersey have been focused on mobile privacy issues as well.

• Phyllis Marcus, Senior Staff Attorney, Federal Trade Commission.  Phyllis is one of the primary architects of the FTC’s implementation of COPPA, which was updated significantly in December 2012.  She has been at the FTC in several capacities since 1998, prior to which she was legal director for The Appleseed Foundation.  Phyllis holds a JD from the University of Michigan (1993) and a BA in International Relations from the University of Pennsylvania (1990).
• Angela J. Campbell, Co-Director, Institute for Public Representation and Professor of Law, Georgetown University.  Angela joined the Georgetown faculty in 1988 from the Department of Justice.  She has focused on children’s privacy and related issues in both her legal scholarship and her advocacy.  She is the author, for example, of "Ads2Kids.com: Should Government Regulate Advertising to Children on the World Wide Web?," published in the Gonzaga Law Review, and she recently has represented a coalition of public-interest organizations led by the Center for Digital Democracy in filing complaints alleging COPPA Rule violations against several companies.
• Joseph A. Wender, Legislative Director, Congressman Edward J. Markey (D-Mass).  Joseph takes the lead in handling privacy issues for Congressman Markey, who is a Co-Chair of the Congressional Bi-Partisan Privacy Caucus and co-author of the “Do Not Track Kids Act,” a proposal to strengthen online safeguards for children and teens that has drawn nearly 50 co-sponsors in a tightly divided Congress.

The session will be moderated by Kurt Wimmer, co-chair, Global Privacy and Data Security Practice, Covington & Burling, with assistance from Covington colleagues including Matt DelNero, Lindsey Tonsager and other members of the InsidePrivacy.com team.

The session will be held on January 28, 2013, from 10:00 a.m. to noon at Covington & Burling, 1201 Pennsylvania Avenue, N.W., 11th Floor, Washington, D.C.  There is no charge, but please RSVP to Stephanie Herndon (sherndon@cov.com) by January 18 if you wish to attend.

The Commission retained the “e-mail plus” consent method and supported a number of new parental consent methods, streamlined the notice requirements, and encouraged the use of automatic filtering tools.  Although the Commission pushed forward with its proposal to define “personal information” to include persistent identifiers, it also broadened the definition of support for internal operations.  Below is a summary of the highlights. 

The final rule will become effective July 1, 2013.

Definitions.

• “Operator.” Child-directed sites and services that integrate third-party services (such as ad networks or social plug-ins) will be strictly liable for complying with COPPA, even if they do not themselves collect any personal information. A third-party service provider that collects personal information directly from users of a child-directed site or service will be liable for complying with COPPA only where the third party has actual knowledge that the site is child-directed.
• “Support for internal operations.”
  • The Commission expanded the definition to include, for example, maintaining or analyzing the functioning of the site or service, performing network communications, personalizing content, serving contextual advertising or frequency capping, and legal or regulatory compliance. The Commission suggested that these categories should be interpreted broadly to include activities such as intellectual property protection, payment and delivery functions, spam protection, optimization, statistical reporting, or de-bugging.
  • The term does not, however, cover behaviorally targeted advertising to a specific child. The Commission stated that operators must obtain parental consent for the collection of persistent identifiers where used to track children over time and across sites or services. Operators “also may not use persistent identifiers to amass a profile on an individual child user based on the collection of such identifiers over time and across different websites in order to make decisions or draw insights about that child, whether that information is used at the time of collection or later.” The Commission cautioned that “the term ‘different’ means either sites or services that are unrelated to each other, or sites or services where the affiliate relationship is not clear to the user.”
• “Personal information.” The definition of “personal information” is greatly expanded under the final COPPA Rule: 
  • Persistent identifiers. The final rule includes persistent identifiers in the definition of “personal information” where they “can be used to recognize a user over time and across different websites or online services.”
  • Screen or user names. The definition includes “a screen or user name where it functions in the same manner as online contact information.”
  • Photo, video, and audio files. Photos, videos, and audio files containing children’s images or voices constitute “personal information” for purposes of COPPA.
  • Geolocation information. The definition includes geolocation information that is “sufficient to identify street name and name of a city or town.”
• “Website or online service directed to children.”
  • The multi-factor test that is used to determine whether a site or service is directed to children has been expanded to include musical content, the presence of child celebrities, and celebrities who appeal to children. The FTC emphasized that “no single factor will predominate over another.”
  • The Commission adopted a modified version of its proposal for “mixed audience” sites. Explaining that it “did not intend to expand the reach of the Rule to additional sites and services,” the Commission clarified that it first will apply its traditional multi-factor test to determine whether the site or service (or any portion thereof) is directed to children.
    • Where the site or service is directed to children, but does not target children as its primary audience, the operator may use an age screen and obtain consent for users who self-identify as under 13 years old.
    • Where the site or service is directed to children, but targets children as its primary audience, the operator must presume that all users are children and provide notice and obtain parental consent for every user, even if that user is a teen or an adult.
• “Collects or collection.” Entities that provide interactive forums, such as chat rooms and message boards, can avoid triggering COPPA’s requirements by deleting personal information from children’s posts before they are made public and from their internal records. The Commission adopted its proposal to replace the current “100 %” deletion standard, which requires all personal information to be removed, with a more flexible “reasonable measures” standard. This change encourages entities to use reasonable filtering technologies to delete or prevent the sharing of personal information in user-generated content.

Notice.

• Direct Notice To the Parent. The Commission adopted its proposal to make the direct notice to the parent more robust. The final COPPA Rule lists specific items that must be contained in the direct notice to the parent, depending on the circumstances under which the notice is being sent.
• Website Privacy Notice. The FTC streamlined what information must be included to encourage shorter website privacy notices. In addition, the FTC retained its multiple operator exception, which permits an operator to designate and provide the contact information for a single operator who is responsible for responding to parent inquiries, as long as the names of all operators collecting or maintaining personal information through the site or service are listed.

Parental Consent.

• E-mail Plus. The “e-mail plus” parental consent method has been retained as an acceptable consent method for operators collecting personal information for internal use only.
• New Recognized Methods. The Commission added the following parental consent methods to its non-exhaustive list of pre-approved methods: (1) scan-and-send forms; (2) video conferencing consent; (3) government-issued IDs, such as drivers’ license number or last four digits of the parent’s SSN, which are then checked against an available database; and online payment systems in lieu of credit card information, where the system provides the primary account holder notice of each discrete transaction.
• Other Parental Consent Methods. The Commission also spoke favorably about the following parental consent methods, suggesting that these methods, if properly designed, could meet the statutory standard of being a “reasonable effort (taking into consideration available technology)” to obtain the parent’s consent.
  • Electronic or Digital Signatures. The Commission stated that “the Rule would not prohibit an operator’s acceptance of a digitally signed consent form where the signature provides other indicia of reliability that the signor is an adult.”
  • Common Consent Methods. The Commission acknowledged that common consent methods, such as those offered across a platform, video game console, or a COPPA safe harbor program, can allow multiple operators to efficiently administer notice and consent.
• New Clearance Procedures for Obtaining Approval of New Parental Consent Methods: Companies may now submit detailed descriptions of proposed parental consent methods to the FTC for their approval. The proposals will be published in the Federal Register for public comment. If approved, the company will benefit from a parental consent “safe harbor.”
• New “Support for Internal Operations” Exception: Where an operator collects a persistent identifier for the sole purpose of providing support for its internal operations, the operator will have no notice or consent obligations.

Confidentiality,  Security, and Integrity.

The final COPPA Rule imposes new data security requirements for operators who release children’s personal information to third parties. These operators must inquire about the third party’s security capabilities and, either by contract or otherwise, receive assurances from the third party about how children’s personal information will be protected.

Date Retention Limits.

The FTC added a new requirement that website operators only retain data for as long as reasonably necessary to fulfill the purpose for which it was collected.

Staff found the results of the second report "disappointing," concluding that many apps do not contain privacy disclosures that fully explain how the app collects, uses, and discloses children's data.  Among other things, the report focused on disclosures related to advertising, links to social media, and in-app purchases. 

Announcing the release of the report, Jessica Rich, Associate Director, FTC Division of Financial Practices, expressed concern that a number of the apps disclosed device identifiers to third parties, including ad networks and analytics companies.  She emphasized that the staff made no findings about how these third parties used the device identifiers, but noted that the FTC's proposed revisions to the Children's Online Privacy Protection Act (COPPA) Rule would treat this information as "personal information" for purposes of COPPA, unless the data is used to support internal operations.  (Ms. Rich declined to comment on the timing of the release of a final COPPA Rule; other FTC staff previously have suggested the final Rule might come in the next few weeks or early next year.) 

Ms. Rich also stated that the Commission is investigating whether the apps violate laws such as COPPA or Section 5 of the FTC Act.  At the same time, she emphasized that the issues raised in the second report are widespread and that the report is focused on identifying industry best practices.  She encouraged industry to accelerate self-regulatory efforts to improve mobile app disclosures.  In particular, she applauded recent efforts to develop icons and similar mechanisms to shorten privacy policies for mobile apps. 

On October 2, 2012, the Federal Trade Commission filed a proposed consent decree resolving claims that Artist Arena LLC violated the Children’s Online Privacy Protection Act (COPPA) by collecting and disclosing email addresses, birth dates and other personal information from more than 100,000 children younger than the age of 13 without obtaining proper parental consent.  Artist Arena will pay a civil penalty in the amount of $1,000,000 and comply with monitoring, reporting, and recordkeeping requirements administered by the FTC.

Artist Arena operated websites that served as fan clubs for young musicians, including Justin Bieber, Rihanna, Selena Gomez, and Demi Lovato.  Users could create profiles, communicate with friends, and sign up for musicians’ newsletters through the websites.  The FTC alleged that the websites gathered a host of personal information from children and granted them immediate access to the websites without first providing notice to parents and obtaining parental consent as required by COPPA.  Artist Arena also violated section 5 of the Federal Trade Commission Act by informing parents that the websites would not collect children’s’ personal information until after the adults had given their consent, even though the websites had already procured this information according to FTC officials. 

The FTC’s settlement comes at a time when the agency is deliberating over potential updates to its rule implementing COPPA, as reported in this blog (here, here, here, and here).  According to FTC Commissioner Edith Ramirez, the proposed rules would align requirements under COPPA with enforcement actions such as the one against Artist Arena.  Commissioner Ramirez also stated that the agency would remain vigilant in enforcing COPPA against all companies and not just companies in emerging technologies intended to be captured by the proposed rules.  “Although we are in the midst of updating COPPA to address groundbreaking new technology, we also need to ensure that well-established companies like [Artist Arena] employ familiar online tools in complying with COPPA requirements.  Plainly, more needs to be done to ensure that marketing departments are mindful of COPPA requirements.”

The FTC granted the extension after sixteen industry associations requested that the deadline be pushed back to October 15, 2012.  Among other reasons, the associations cited the complexity of the online and mobile ecosystems, the FTC’s requests for detailed comments, and the need to consider how the latest proposed changes interact with the FTC’s initial proposals. 

Earlier this morning, the FTC proposed additional revisions to the rule implementing the Children’s Online Privacy Protection Act (“COPPA”).  COPPA governs the online collection, use, and disclosure of children’s personal information by (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13.  The FTC initially proposed revisions to the COPPA Rule in September 2011, and based on comments that it received, is proposing additional changes for comment.  Comments to this supplemental proposed rule must be submitted by September 10, 2012.  No final rules were adopted at this time.

The supplemental proposed rule revises the definitions of several key terms, including “operator,” “website or online service directed to children,” “personal information,” and “support for internal operations.” 

• Operator:  The revisions would expand the definition of “operator” to include third parties, such as social plug-ins and ad networks, that know or have reason to know that they collect personal information through child-directed websites and online services.  The FTC previously had rejected a constructive knowledge standard.  The notice suggests that website operators and such third parties would be deemed  “co-operators” that would be jointly responsible for complying with COPPA.  
• Website or Online Service Directed to Children:  The revised definition would allow family friendly websites that are directed to both children and a broader audience to comply with COPPA without treating all users as children, instead providing COPPA protections only to users under the age of 13. 
• Screen and Usernames:  The revisions would clarify that screen or usernames would be covered only where they function as online contact information.   
• Personal Information: The new proposed definition would include persistent identifiers that can be used to identify users over time and across different sites and services.  
• Support for Internal Operations: Activities that are required to manage and operate a site will not be deemed to have collected personal information if they do not use or disclose the information for the purposes of contacting an individual.  

Among other things, the EDPS expressed support for: 

• The implementation of technical tools, such as age-appropriate default privacy settings, to enhance the privacy of children online.     
• Clear notice about the impact a change to a default setting would have on a child's privacy and the potential harm it may cause. In particular, the EDPS suggested that in some circumstances a child might not be permitted to change the default settings, or might change the defaults only with parental consent, stating that the "extent to which a child may change the default privacy settings should also be linked to the age and level of maturity of the child.  It should be explored to what extent, and within which age group, parental consent would be required to validate a change of privacy settings." 
• A requirement that service providers inform children about the level of sensitivity of each piece of information they provide when creating an online profile and about the potential risks or harms they may encounter when such information is disclosed to a defined group of people or to the public. 
• A restriction on industry's ability to create online behavioral advertising segments that target children.
• A legal mandate for industry to deploy an EU-wide reporting tool for content that is harmful to children.

And with respect to age verification, the EDPS stated that volunteered age information may not be reliable, but also recognized that age verification models that are designed to infer a user's age or verify the user's identity may involve a disproportionate amount of data collection and processing and could be unreliable as well. Without taking a firm position on age verification, the EDPS stated that age verification tools must take care to collect and maintain only "necessary data" and indicated that a future opinion will address the proposed Regulation on electronic identification and trust services.

As background, EU law currently does not include specific requirements for children. Instead, data protection authorities have interpreted existing data protection laws to require children's privacy and data protection rights to be respected in a manner appropriate to the child's level of maturity and comprehension.

The proposed EU Data Protection Regulation, however, would include requirements specific to children and harmonize children's privacy laws across the member states. Article 4(18) of the proposed Regulation would define a child as a person under the age of 18 years. Among other things, data controllers would be required to provide information to children in a language that the child can easily understand, provide children with a "right to be forgotten" online, and provide children with certain default, age-appropriate privacy settings. In addition, the proposed Data Protection Regulation would require verifiable parental consent before personal data of children under the age of 13 could be processed in the context of information society services.

The state alleged that children were encouraged to submit their full names, along with a photograph, when they created user profiles, and that the apps disclosed the user's full name and the mobile device's unique device identifier ("UDID") to a third-party data analytics company.  According to the state's complaint, 24x7digital ran afoul of COPPA by failing to provide notice or obtain parental consent before collecting, using, and disclosing the children's personal information online. 

Under the statute, a state attorney general may sue for violations of COPPA on behalf of the residents of the state to (i) enjoin the practice; (ii) enforce compliance with the FTC's COPPA rule; (iii) obtain damage, restitution, or other compensation on behalf of the state's residents; or (iv) obtain such other relief as the court may consider to be appropriate.  However, before filing the action, the attorney general typically must notify the FTC and provide a copy of the complaint. The FTC then has the option of intervening in the case. 

Although this is not the first COPPA action that a state has brought (Texas sued three website operators in 2007), most states have left COPPA enforcement to the FTC. With an increased attention on the privacy practices of mobile apps, however, these kinds of cases may become more common. For its part, the New Jersey AG has stated that it will continue to investigate other mobile applications to determine if they are unlawfully sharing users' personal information. 

During their remarks, Congressmen Markey and Wasserman Shultz each expressed support for the Do Not Track Kids Act of 2011 (H.R. 1895), which we have blogged about here.  The bill would expand privacy protections for minors under the age of 18, including a prohibition on the use of personal information for targeted marketing to minors and a requirement that website operators provide “eraser buttons” to enable the deletion of personal information shared publicly by minors.  Senator Blumenthal also indicated that he was supportive of the legislative proposal, which he described as “common sensical,” although he stated that there likely would be substantial concern among advertisers and other stakeholders about implementation issues.

Senator Blumenthal emphasized the importance of having in place not only rules about when a company can intentionally share data, but also appropriate safeguards to protect personal information from unauthorized access.  He mentioned that he has introduced legislation, the Personal Data Protection and Breach Accountability Act of 2011 (S.1535), which would require companies to implement appropriate data security safeguards.  (We previously have discussed S. 1535 here.)  S. 1535 includes a provision authorizing private rights of action by consumers in the event of a violation, and Senator Blumenthal stated that he believes that private rights of action, not just FTC enforcement, should be a component of privacy and data security legislation.  Chairman Leibowitz noted that he supports providing the FTC civil penalty authority to fine those who fail to safeguard consumer data appropriately.

Researchers and health care professionals that participated in the panel discussions expressed the need for additional research―and funding to support such research―to help policymakers better understand the impact of marketing and media on children.  A third panel focused on the impact of media on body images for young women―a topic that Congresswoman Wasserman Schultz also discussed in her remarks.

In February 2012, the Children's Advertising Review Unit ("CARU") referred the Clearwater Aquarium's website to the FTC for review under COPPA after the Aquarium reportedly did not respond to CARU's inquiry.  CARU claimed that the site featured a “Kidzone” where visitors could sign up for an e-newsletter by entering their first and last names, mailing and email addresses, and cellphone numbers.  CARU was concerned that the Aquarium collected personally identifiable information from children under the age of thirteen without first obtaining parental consent and that the Aquarium's privacy policy -- which stated that it did not collect information from children under 18 without parental consent -- did not accurately reflect its actual privacy practices.

After reviewing the website, the FTC concluded "that the information collection practices that had triggered CARU's inquiry had been remedied."  The FTC declined to take any further action, instead referring the matter back to CARU. 

CARU, a division of the Council of Better Business Bureaus, is a self-regulatory body that monitors websites for compliance with COPPA.  Although CARU's self-regulatory program is completely voluntary, CARU may refer cases to the FTC if companies refuse to respond to inquiry letters.  The FTC reviews CARU's case referrals to determine whether enforcement action is appropriate.  Although the FTC has initiated enforcement actions in response to CARU referrals in the past, the Clearwater Aquarium case is a reminder that the FTC may decide no further action is necessary.  

As we blogged about here, the bill would expand the Children’s Online Privacy Protection Act ("COPPA").  In addition, the bill would introduce new privacy protections for minors under the age of 18, including a prohibition on the use of personal information for targeted marketing to minors and a requirement that operators of websites and online services provide "eraser buttons" that enable the deletion of personal information shared publicly by minors.

We will continue to monitor this legislation as these two senior, bipartisan members of the Committee press for a mark-up of their bill.  

The newly approved safe-harbor program, run by Aristotle International, Inc., is the fifth such program approved by the FTC.  The program sets out requirements for the format and content of participants’ privacy policies, parental notices, and procedures for obtaining verifiable parental consent. Among other provisions, COPPA requires websites and other online services that are directed at children or that have actual knowledge that a user is a child to notify a parent and obtain the parent’s verifiable consent before collecting, using, or disclosing personal information from a child.

Aristotle’s application highlights that program participants will have the option of using Aristotle’s proprietary system for obtaining parental consent.  The system provides several methods for confirming that the person giving consent actually is the child’s parent.  For instance, a parent can provide consent by e-mailing an electronically signed consent form along with a scanned copy of a government identification document, which Aristotle will check against its own databases.  The system also allows for verification using real-time videoconferencing over programs such as Skype.  

The FTC’s proposed revision of the COPPA rule would add videoconferencing and the use of government IDs as recognized consent methods, along with scanned copies of physically signed consent forms.  The FTC also sought comment on whether an electronically signed form could be made sufficiently reliable to serve as an effective consent on its own.  A decision on the FTC’s proposed revision of the rule is expected later this year.