The Federal Trade Commission (“FTC”) recently released an additional question and answer as part of its revised COPPA FAQs, which provide guidance on the FTC staff’s interpretations of the rule implementing the Children’s Online Privacy Protection Act (“COPPA”). As we previously reported, the FTC published substantial revisions to the COPPA FAQs in April in order to account for recent changes to the COPPA rule.
New FAQ #80 addresses whether operators must obtain parental consent before sending push notifications. According to the new FAQ, the “information you collect from the child’s device used to send push notifications is online contact information – it permits you to contact the user outside the confines of your app – and is therefore personal information under the Rule.” As a result, the FTC explains that the operator will need to obtain parental consent before collecting information from a child’s device in order to send push notifications, unless an exception to COPPA’s parental consent regime applies. The multiple-contact exception may excuse the operator from the parental consent requirement if the child has consented to receiving push notifications, the operator provides parents with direct notice of the collection and an opportunity to opt out, and the information used to send the push notifications is not combined with other personal information collected from the child.
New FAQ #80 appears to be inconsistent with prior FTC guidance from the statement of basis and purpose that accompanied the January 2013 revisions to the COPPA rule. There, the FTC stated that operators can use anonymous screen and user names for providing operator-to-user communications without obtaining parental consent. Push notifications are, by definition, operator-to-user communications. Separately, where a persistent identifier such as a device identifier (e.g., UDID) is used to send push notifications, it would be exempt from the need to obtain parental consent because sending push notifications fits within the definition of “support for the internal operations of the Web site or online service,” which includes activities necessary to “Perform network communications” or “Maintain or analyze the functioning of the Web site or online service.” Even where push notifications include advertising, collecting and using the information necessary to send these messages would appear to qualify as “support for internal operations” because the definition of that term includes first party, “contextual advertising.” By contrast, the new FAQ does not differentiate between using screen names, persistent identifiers, or other information to send push notifications and replaces it with a categorical statement that any information used for sending push notifications would necessarily rise to the level of “personal information.”
Last week, FTC Commissioner Maureen Ohlhausen told Law360 that her preference is not to immediately begin enforcing the revised COPPA rule on the July 1 effective date and instead to encourage companies to work diligently to come into compliance by the end of the year. While significant, this is the view of one commissioner and the FTC recently declined to delay the COPPA rule’s July 1 effective date.