The Federal Trade Commission (“FTC”) recently reiterated its support for the use of “common consent” mechanisms that permit multiple operators to use a single system for providing notices and obtaining verifiable consent under the Children’s Online Privacy Protection Act (“COPPA”). COPPA generally requires operators of websites or online services that are directed to children under 13 or that have actual knowledge that they are collecting personal information from children under 13 to provide notice and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13.   The FTC’s regulations implementing COPPA (the “COPPA Rule”) do not explicitly address common consent mechanisms, but in the Statement of Basis and Purpose accompanying 2013 revisions to the COPPA Rule, the FTC stated that “nothing forecloses operators from using a common consent mechanism as long as it meets the Rule’s basic notice and consent requirements.”

The FTC’s latest endorsement of common consent mechanisms appeared in a letter explaining why the FTC was denying AgeCheq, Inc.’s application for approval of a common consent method. The COPPA Rule establishes a voluntary process whereby companies may submit a formal application to have new methods of parental consent considered by the FTC. The FTC denied AgeCheq’s application because it “incorporates methods already enumerated” in the COPPA Rule: (1) a financial transaction, and (2) a print-and-send form. The implementation of these approved methods of consent in a common consent mechanism was not enough to merit a separate approval from the FTC. According to the FTC, the COPPA Rule’s new consent approval process was intended to vet new methods of obtaining verifiable parental consent rather than specific implementations of approved methods. While AgeCheq’s application was technically “denied,” the FTC emphasized that AgeCheq and other “[c]ompanies are free to develop common consent mechanisms without applying to the Commission for approval.” In support of common consent mechanisms, the FTC quoted language from the 2013 Statement of Basis and Purpose and pointed out that at least one COPPA Safe Harbor program already relies on a common consent mechanism.

Making good on its warnings that mobile apps will be an enforcement priority under the revised Children’s Online Privacy Protection Act (“COPPA”) Rule, the FTC has announced two settlements with mobile app developers:

  1. TinyCo., the developer of several child-directed mobile apps, will pay $300,000 to settle charges that it violated COPPA by collecting children’s email addresses through its mobile app without sufficient notice and parental consent.
  2. Yelp, the developer of a general-audience mobile app for user-generated reviews of restaurants and other businesses, will pay $450,000 to settle charges that a technical glitch allowed children under 13 to register without parental notice and consent.

While the settlements are getting a lot of attention in the press, the complaints are perhaps most interesting in that they continue the general trend of FTC enforcement actions addressing clear-cut cases of a company collecting children’s personal information (such as e-mail addresses) without providing parents notice or obtaining parental consent.  The FTC’s settlements to date have not included allegations related to online behavioral advertising, social plugins, or similar issues involving the integration of third-party services.

The FTC staff has posted revisions to three Frequently Asked Questions (“FAQs”) related to obtaining verifiable parental consent under its COPPA Rule. For a comparison of the old and new FAQs, click here.

Although the changes (which include a new FAQ H.16) may appear substantial, they mostly reaffirm the FTC’s longstanding position that the agency’s list of approved verifiable parental consent mechanisms is not exhaustive and that companies can implement different methods as long as they meet the statutory standard of amounting to a “reasonable effort (taking into consideration available technology) . . . to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.” 15 U.S.C. § 6501(9).

Specifically, the revisions:

  • Confirm that a credit or debit card need not be charged to obtain parental consent if the collection of the card number is combined with “other safeguards.” In the revised COPPA Rule, the FTC reaffirmed its informal policy of requiring that, under the approved verifiable parental consent method for credit cards, the credit or debit card be charged so that the parent has a record of the transaction through the monthly credit card statement. This policy previously had been embodied in the informal COPPA FAQs. The update to COPPA FAQ H.5 does not change the FTC’s position that the collection of a credit or debit card number alone is insufficient under COPPA unless the credit card is charged.  But it clarifies that the collection of a credit card number in connection with a transaction is not the only way in which credit or debit cards can be used to obtain verifiable parental consent.  While there are a variety of other safeguards that should meet the statutory verifiable parental consent standard, the FTC staff lists as one option “supplement[ing] the request for credit card information with special questions to which only parents would know the answer and find[ing] supplemental ways to contact the parent.”
  • Reiterate that a mobile app developer can rely on an app store to obtain parental consent on its behalf.  The new COPPA FAQ retains the staff’s prior guidance that the entry of a parent’s app store account number or password is not itself sufficient to meet the verifiable parental consent standard, but that a parent’s app store account can be used as a COPPA-compliant parental consent method when coupled with other indicia of reliability and meets COPPA’s other requirements (such as the direct notice requirement).  The revisions make it clearer that, in such circumstances, a third party (i.e., the app store) obtains consent on the mobile app developer’s behalf.
  • Reiterate that third-party platforms, such as app stores, can develop “multiple-operator” parental consent solutions for the applications that run on top of the platform, while clarifying that such offerings do not expose platforms to legal liability under COPPA.  In its revised COPPA Rule, the FTC declined to add “platform” or “multiple-operator” methods to the list of approved parental consent methods, but spoke favorably of these types of common consent mechanisms and concluded that “nothing forecloses operators from using a common consent mechanism so long as it meets the Rule’s basic notice and consent requirements.”  78 Fed. Reg. 3972, 3990 (2013).  The revised COPPA Rule also made clear that “marketplace platforms” do not become subject to COPPA solely by enabling app developers to offer child-directed apps on the platform.  Id. at 3976.  New COPPA FAQ H.16 clarifies that, similarly, third-party platforms will not be exposed to legal liability under COPPA solely for developing and offering “platform” or “multiple-operator” parental consent solutions.

The staff of the Federal Trade Commission (“FTC”) has released updated guidance on how the Children’s Online Privacy Protection Act (“COPPA”) and its implementing regulations apply to schools and educational online services through revisions to the Frequently Asked Questions (“FAQs”) that are published on the FTC website. For a comparison between the old and new school FAQs, please click here. The FAQs constitute informal guidance, but they are useful for understanding how FTC staff interprets COPPA’s application in different contexts. Here is a brief summary:

  • The revised FAQs do not change the circumstances under which schools can provide verifiable parental consent on behalf of parents, that is, when an operator collects personal information from students “for the use and benefit of the school, and for no other commercial purposes.”  Examples of prohibited commercial purposes include online behavioral advertising and “building user profiles for commercial purposes not related to the provision of the online service” to the school.
  • While the prior FAQs noted that, in such circumstances, operators should provide schools with robust notice about their data collection, use, and sharing practices, the revised FAQs suggest that these disclosures should track the direct notice requirements outlined in the COPPA Rule.  In COPPA FAQ M.1, FTC staff explains that “the operator must provide the school with all the required notices.”


The Center for Digital Democracy (“CDD”) recently filed requests for investigation with the Federal Trade Commission (“FTC”) claiming that Marvel Entertainment and Sanrio Digital failed to comply with the Children’s Online Privacy Protection Act’s (“COPPA”) notice and consent requirements. 

  • Marvel.  The Marvel filing alleges that Marvelkids.com is a child-directed website that collects personal information, such as IP addresses, and shares this information with third party ad networks without obtaining verifiable parental consent.  The filing notes that the site’s privacy policy has not been updated since the revisions to the COPPA Rule and claims that it is confusing and contradictory.  CDD also highlights Marvel’s participation in the Children’s Advertising Review Unit (“CARU”) and TRUSTe and requests that the FTC “investigate CARU and TRUSTe to determine whether those self-regulation programs are misleading to the public” and whether they are “doing enough to ensure compliance with their guidelines.”
  • Hello Kitty.  The Sanrio filing is based on the Hello Kitty Carnival mobile app.  CDD alleges that the app collects personal information, such as device identifiers, photographs, and geolocation information, without obtaining verifiable parental consent.  Notably, CDD alleges that the app is child-directed despite Sanrio’s claim that the app does “not knowingly collect Personally Identifiable Information from persons under the age of 13.”   CDD focuses heavily on the third parties that appear to receive information from the Hello Kitty app and suggests that the FTC should also investigate their use of the information to see if any COPPA violations have occurred.  CDD also alleges that the app’s privacy policy is misleading and contradictory and that it fails to list third parties collecting personal information from the site.

We will continue to track these and other developments pertaining to children’s privacy.

The Federal Trade Commission (“FTC”) recently approved a new method of verifiable parental consent — knowledge-based authentication (“KBA”) — as consistent with the requirements of the Children’s Online Privacy Protection Act (“COPPA”).  COPPA generally requires operators of websites or online services that are directed to children under 13 or that have actual knowledge that they are collecting personal information from children under 13 to provide notice and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13.  The FTC’s regulations implementing COPPA (the “COPPA Rule”) outline certain approved methods of verifiable parental consent and establish a voluntary process whereby companies may submit a formal application to have new methods of parental consent considered by the FTC. 

On December 23, the FTC approved the application of Imperium, LLC and determined that KBA, when properly implemented, is an acceptable method of verifiable parental consent under the COPPA Rule.  KBA presents parents with dynamic, multiple choice “challenge” questions that test “out-of-wallet” information — information that is not ascertainable from the contents of an individual’s wallet and that would be difficult for someone other than the individual to know.  In order to qualify as a method of verifiable parental consent, the KBA questions must be sufficiently difficult that a child under 13 could not reasonably know the answers.  The questions are not general knowledge questions but rather questions about the specific person answering the questions.  For example, in its application, Imperium suggested that KBA questions might ask about old addresses or phone numbers. The FTC’s letter approving KBA notes that financial institutions and credit bureaus have used KBA for many years.

Yesterday, the FTC staff released its latest round of updated Frequently Asked Questions (“FAQs”) for its Rule implementing the Children’s Online Privacy Protection Act (“COPPA Rule”).  These new FAQs address the circumstances in which third parties may obtain “actual knowledge” that they are collecting personal information from a child-directed site or service and whether parental consent is needed for child-directed sites and apps that enable user-generated content to be emailed or shared via social media. 

As we previously reported, the FTC enacted sweeping changes to the COPPA Rule in December 2012 that became effective July 1, 2013.  In the last several months, the FTC staff have provided several updates to the informal FAQs. 

“Actual Knowledge” Standard for Third Parties

Third parties such as plugins and ad networks are liable under the new COPPA Rule only if they have actual knowledge that they are collecting personal information from a child under 13 years old or through sites and services that are directed to such children.  Most of the new FAQs try to resolve lingering questions about when a third party has “actual knowledge”:

  1. Third parties can designate specific employees as the points of contact to receive COPPA notices, rather than having actual knowledge imputed to the entire company through any employee.
  2. The third party will not be deemed to have “actual knowledge” — and will have no duty to investigate — if it simply receives a list of URLs of purportedly child-directed websites from which it is collecting personal information. 
  3. If the third party receives “screenshots or other forms of concrete information” about sites on which the third party’s services are integrated, such information could provide actual knowledge:
    • If, based on the screenshots or other concrete information, the third party is “uncertain” whether a site or service is child directed, it ordinarily may rely on representations from the first-party site about whether the site is child-directed.  These representations could be provided in the form of a technological COPPA signal or “flag,” which industry has been working to develop since the idea was proposed by the FTC’s Chief Technologist in a blog post earlier this year. 
    • If, based on the screenshots or other concrete information, it is clear that the site or service is child directed, then any representations made by the first-party site would be overridden and the third party would be deemed to have actual knowledge.


The Federal Trade Commission (“FTC”) recently released an additional question and answer as part of its revised COPPA FAQs, which provide guidance on the FTC staff’s interpretations of the rule implementing the Children’s Online Privacy Protection Act (“COPPA”). As we previously reported, the FTC published substantial revisions to the COPPA FAQs in April in order to account for recent changes to the COPPA rule.

New FAQ #80 addresses whether operators must obtain parental consent before sending push notifications.  According to the new FAQ, the “information you collect from the child’s device used to send push notifications is online contact information – it permits you to contact the user outside the confines of your app – and is therefore personal information under the Rule.”  As a result, the FTC explains that the operator will need to obtain parental consent before collecting information from a child’s device in order to send push notifications, unless an exception to COPPA’s parental consent regime applies.  The multiple-contact exception may excuse the operator from the parental consent requirement if the child has consented to receiving push notifications, the operator provides parents with direct notice of the collection and an opportunity to opt out, and the information used to send the push notifications is not combined with other personal information collected from the child.


The Federal Trade Commission (FTC) has voted unanimously to retain the July 1, 2013 effective date for its revisions to the rule implementing the Children’s Online Privacy Protection Act (COPPA).  As we previously wrote, the FTC adopted significant revisions to the COPPA rule in December 2012 and established a July 1, 2013 effective date.  In recent weeks, nineteen consumer groups signed a letter opposing any delay in the effective date, while approximately twenty industry associations signed a letter arguing in favor of extending the effective date.  In late April, the FTC published updated Frequently Asked Questions on its website to provide additional guidance for complying with the revised COPPA rule.

Today, the Commission responded to the industry associations’ letter and informed them that it would retain the July 1, 2013 effective date.  The Commission acknowledged that the revised rule “does impose new obligations on child-directed sites and services,” but explained that, “in selecting an effective date of July 1, 2013, the Commission determined that six months would be adequate time for such operators to assess whether third parties collect personal information through their site or service.”    

Although the Commission did not extend the effective date, it did pledge to “exercise prosecutorial discretion in enforcing the Rule, particularly with respect to small businesses that have attempted to comply with the Rule in good faith in the early months” following July 1.

The Federal Trade Commission has released its much anticipated revised COPPA FAQs.  Although these FAQs are not legally binding, they provide informal guidance to industry on staff’s interpretations of the COPPA Rule. 

For the most part, the FAQs reiterate past guidance and emphasize key provisions of the new COPPA Rule and its Statement of Basis and Purpose.  However, here are 5 key things that the revised COPPA FAQs clarify:

  1. Operators are not legally required to obtain parental consent for certain information that was collected before the effective date of the new COPPA Rule and that was not considered “personal information” under the original COPPA Rule.  Specifically, parental consent is not required for the following categories of information that were collected before July 1, 2013:  (1) photos, videos, and audio files containing a child’s image or voice; (2) screen or user names that function as online contact information (unless the operator combines them with new information after July 1, 2013); and (3) persistent identifiers (unless the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013).  (FAQ 4)
  2. Operators of child-directed sites and online services that do not target children as their primary audience may not block children from participating in the site or service altogether, although the operator may offer different activities to users based on age. (FAQ 38) This would seem to allow an operator to block the child from all interactive features that could enable the sharing of personal information, as long as the child can continue to use portions of the site that do not require or enable the sharing of personal information. 
  3. Third-party services that are integrated on child-directed sites will be deemed to have “actual knowledge” if, in the future, a formal industry standard or agreed-upon convention is developed under which sites or services signal their child-directed nature to integrated third parties.  However, the mere collection of a URL from a child-directed site or service is unlikely to constitute actual knowledge.  (FAQ 39)  This guidance builds on a blog post published by the FTC’s Chief Technologist, Steve Bellovin.
  4. An operator of a child-directed site or service does not need to notify parents or obtain parental consent before collecting pictures from children, as long as it either blurs the child’s facial features or prescreens and deletes photos of children before posting them online.  (FAQs 43-45)  (But don’t forget to scrub for metadata as well — photo metadata that contains precise geolocation information may trigger the COPPA Rule.)
  5. A third party who is integrated on a child-directed site may rely on the “support for internal operations” exception to support the third-party’s own internal operations.  There actually was text in the final COPPA Rule’s Statement of Basis and Purpose supporting this point, but the revised COPPA FAQs make this point crystal clear.  (FAQ 77)

In addition, the COPPA FAQs clarify how the COPPA Rule applies in the classroom:
