On May 22 the Federal Trade Commission (“FTC”) announced a $6 million settlement with Edmodo, an ed tech provider, for violations of the COPPA Rule and Section 5 of the FTC Act. The FTC described this settlement as the first FTC order that will prohibit an ed tech provider from requiring students to provide more personal data than necessary to participate in online activities. The settlement is consistent with the FTC’s policy statement on ed tech issued last May (see our summary of the policy statement here).Continue Reading FTC Announces COPPA Settlement Against Ed Tech Provider Including Strict Data Minimization and Data Retention Requirements
The Ninth Circuit recently held that the Children’s Online Privacy Protection Act, which gives the Federal Trade Commission authority to regulate the online collection of personal information from children under the age of 13, does not preempt consistent state law, potentially increasing the risk of class action litigation based on alleged COPPA violations. See Jones v. Google LLC, No. 21-16281, — F.4th —- (9th Cir. 2022).
COPPA’s preemption provision states that “No State or local government may impose any liability . . . in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.” 15 U.S.C. § 6502(d). Based on the FTC-focused remedial scheme and the lack of a private right of action, the district court held that COPPA “does not leave room for state laws to impose additional liability” and dismissed state law privacy, consumer protection, and unjust enrichment claims premised on violations of COPPA. Hubbard v. Google LLC, 508 F. Supp. 3d 623, 630 (N.D. Cal. 2020); see also Hubbard v. Google LLC, 546 F. Supp. 3d 986 (N.D. Cal. 2021).
The Ninth Circuit reversed. Focusing on the preemption clause’s use of the word “inconsistent,” it explained that its precedents analyzing similar clauses bar only “contradictory state law requirements, or . . . requirements that stand as obstacles to federal objectives.” It rejected the argument that the use of the word “treatment” in COPPA’s preemption clause indicated an exclusive remedial scheme. As a result, the Ninth Circuit held that state law remedies for violations of state law overlapping with COPPA violations were not preempted in these circumstances.
The Ninth Circuit’s decision aligns with the Third Circuit’s decision in In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 292 (3d Cir. 2016), which also held that COPPA did not preempt consistent state law. Defendants faced with state-law claims overlapping with COPPA violations should continue to assess whether asserted claims may be inconsistent with COPPA or whether plaintiffs have proved all elements of the independent state law claims (and not just a COPPA violation), which could provide grounds to distinguish these decisions. See, e.g., H.K. through Farwell v. Google LLC, 595 F. Supp. 3d 702, 709-11 (C.D. Ill. 2022) (holding that COPPA preempts BIPA claims asserted by plaintiffs under age of 13 because BIPA and COPPA impose different substantive standards).
On May 19, the Federal Trade Commission (“FTC”) adopted, on a unanimous basis, a policy statement reminding educational technology vendors (“ed tech vendors”) of their duty to comply with the substantive privacy protections of the Children’s Online Privacy Protection Act (“COPPA”) and the Commission-issued COPPA Rule. The policy statement reiterates the requirements of the Rule and previous informal guidance from Commission staff, and makes clear that ed tech vendors may not submit children to commercial surveillance and data monetization practices when using technology in the classroom.Continue Reading FTC Unanimously Adopts Policy Statement on Education Technology and COPPA
Judge Freeman of the U.S. District Court for the Northern District of California dismissed a class action against Google and several YouTube channel owners alleging various violations under California state law. Plaintiffs alleged Defendants infringed their children’s privacy and consumer rights by collecting personal information and delivering targeted advertisements while they viewed child-directed YouTube videos. However, the court found that Plaintiffs’ claims were expressly preempted by the federal Children’s Online Privacy Protection Act (“COPPA”), and dismissed the case with leave to amend. Continue Reading California District Court Tosses Kids’ Data Collection Suit, Finds COPPA Preempts State Law
The FTC recently updated Complying with COPPA: Frequently Asked Questions, the set of FAQs meant to provide informal guidance for complying with the Children’s Online Privacy Protection Act and the Commission-issued COPPA Rule. In an accompanying blog post, the FTC staff emphasized that the revisions to the FAQs “don’t raise new policy issues” and that they were implemented primarily to streamline and reorganize the content “to make the document easier to use.” While the new FAQs generally only reinforce concepts from recent key settlements, enforcement policy positions, and separately-issued regulatory guidance, some of the updates also provide helpful additional context around specific issues such as mixed audience sites and services, age gates, and common consent mechanisms. Continue Reading Federal Trade Commission Updates, Streamlines COPPA FAQs
Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment. In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers. This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.
The FTC staff published today a “Six-Step Compliance Plan” for businesses to comply with the Children’s Online Privacy Protection Act (COPPA).
The guidance, which provides a useful framework for businesses, states explicitly that COPPA applies to connected toys and other devices that collect personal information from children over the Internet. The FTC’s 2013 revisions to the COPPA Rule greatly expanded the scope of the COPPA Rule by broadening the definition of “personal information” in two ways. First, the definition now includes persistent identifiers, such as device IDs and IP addresses. Second, the definition now covers audio, video, and image files of children. Internet-connected toys and devices often collect persistent identifiers and voice or video information in order to function. (Importantly, there are a number of other elements that must be met for COPPA to apply, and various exceptions that permit the collection of some types of information.)
The guidance does not, however, break new ground on COPPA’s substantive requirements. For example, the two new parental consent methods that the guidance references — requiring a parent to answer a series of “knowledge-based” challenge questions and using facial recognition technology to compare the parent’s selfie and driver’s license — were approved by the FTC in 2013 and 2015, respectively.
As a result, the guidance misses an opportunity to address, for example, best practices to de-identify voice data or to confirm that other verifiable parental consent methods (such as a parent’s informed purchase of a connected toy) should be sufficient under COPPA.
Under the Children’s Online Privacy Protection Act (COPPA), operators of certain websites, mobile applications, and other online services must provide parents notice and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under the age of 13 online. The FTC has approved a new facial-recognition based method to comply with COPPA, under which parents may consent by submitting a picture of their government-issued ID and a picture of themselves (a “selfie”).
Jest8 Ltd., trading as Riyo, proposed the new “face match to verified photo identification” system to the FTC last July. According to the application, the parent begins by using a mobile phone or computer to take a picture of the parent’s photo identification (such as a driver’s license), which is authenticated by “computer vision technology, algorithms and image forensics” by examining “fonts, holograms, microprint, and other details coded in the document.” The parent then uses the Riyo software to take a picture of him- or herself. To ensure that the parent is physically present (as opposed to a child submitting another picture of the parent), the software detects slight facial movements. Finally, the live image and the image from the ID are compared by facial recognition algorithms and a live agent to validate that the person providing consent is the same person in the photo identification, after which the parent’s information is deleted.
The FTC granted Riyo’s application, analogizing it to the already-approved method of “[v]erifying a parent’s identity by checking a form of government-issued identification against databases of such information.” Indeed, the FTC found that the newly-proposed method was “more rigorous than the existing approved method” due to its inclusion of facial recognition technology to ensure the parent is “interacting with the system at [the] moment [of verification].” Further, the Commission highlighted Riyo’s statements that its software could capture and check the parent’s age from the submitted ID, that the software encrypts sensitive data, and that Riyo and its service providers would “promptly delete” any parental information within five minutes of verification.
To date, the FTC has only approved one other industry-proposed verification mechanism, which relies on asking the parent a series of challenge questions. Approval of Riyo’s facial-recognition approach may provide companies additional flexibility when designing new verifiable parental consent mechanisms because approved methods may be used by any company, not just the specific company who sought approval.
By Ani Gevorkian
The FTC has issued a request for public comment regarding Riyo’s application to recognize a new proposed verifiable parental consent method under the FTC’s Children’s Online Privacy Protection Act Rule. The Rule, which implements the Children’s Online Privacy Protection Act (COPPA), requires certain website operators, mobile applications, and other online services to provide parents notice, and to obtain verifiable parental consent, before collecting, using, or disclosing personal information from children under the age of 13 online. The COPPA Rule includes a non-exhaustive list of approved methods for obtaining parental consent but also allows an interested party to propose voluntarily a new verifiable parent consent method for FTC consideration.
Jest8 Ltd., trading as Riyo, submitted such a proposal for a consent method that involves “validating a parent’s face against an online presentation of verified photo identification.” Riyo said the method is based on a fraud prevention tool currently in use in sensitive and regulated markets globally, and that the method differs from those enumerated in the COPPA Rule because it “uses computer vision technology, algorithms, image forensics, and multi-factor authentication to validate a parent’s identity . . . .” The parent begins by using a mobile phone or computer to take a picture of the parent’s photo identification (such as a driver’s license). The parent then uses the same device to take a picture of him- or herself. The two images are compared to validate that the person providing consent is the same person in the photo identification. (The application suggests all information in the photo identification is cropped out, except for the photo image.) Riyo states that the verification process can be completed within minutes, providing a real-time parental consent process for websites and mobile applications.
The Commission states that it is particularly interested in receiving comments that address whether: the proposed method is already covered by existing methods under the COPPA Rule; the method is reasonably calculated, in light of available technology, to ensure that the person providing the consent is actually the child’s parent; and the benefits of the program outweigh any risks to consumer’ personal information. Comments are due on or before September 3, 2015.
In late December 2014, the FTC staff sent China-based mobile app developer BabyBus a letter warning the company that several of its apps may violate the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule. Staff alleged that the apps are marketed for young children and “use cartoon characters to teach children letters, counting, shapes, music, and matching.” The FTC claimed the company must comply with the COPPA Rule’s notice, verifiable parental consent, and other requirements because some of the apps collect precise geolocation information that is shared with third parties, such as advertising networks or analytics companies. The letter warned that staff will review the apps again and encouraged the developer to take steps to comply with COPPA. Continue Reading FTC Warns Foreign Mobile-App Developer To Comply With COPPA