Yesterday, the FTC staff released its latest round of updated Frequently Asked Questions (“FAQs”) for its Rule implementing the Children’s Online Privacy Protection Act (“COPPA Rule”). These new FAQs address the circumstances in which third parties may obtain “actual knowledge” that they are collecting personal information from a child-directed site or service and whether parental consent is needed for child-directed sites and apps that enable user-generated content to be emailed or shared via social media.
As we previously reported, the FTC enacted sweeping changes to the COPPA Rule in December 2012 that became effective July 1, 2013. In the last several months, the FTC staff have provided several updates to the informal FAQs.
“Actual Knowledge” Standard for Third Parties
Third parties such as plugins and ad networks are liable under the new COPPA Rule only if they have actual knowledge that they are collecting personal information from a child under 13 years old or through sites and services that are directed to such children. Most of the new FAQs try to resolve lingering questions about when a third party has “actual knowledge”:
- Third parties can designate specific employees as the points of contact to receive COPPA notices, rather than having actual knowledge imputed to the entire company through any employee.
- The third party will not be deemed to have “actual knowledge” — and will have no duty to investigate — if it simply receives a list of URLs of purportedly child-directed websites from which it is collecting personal information.
- If the third party receives “screenshots or other forms of concrete information” about sites on which the third party’s service are integrated, such information could provide actual knowledge:
- If, based on the screenshots or other concrete information, the third party is “uncertain” whether a site or service is child directed, it ordinarily may rely on representations from the first-party site about whether the site is child-directed. These representations could be provided in the form of a technological COPPA signal or “flag,” which industry has been working to develop since the idea was proposed by the FTC’s Chief Technologist in a blog post earlier this year.
- If, based on the screenshots or other concrete information, it is clear that the site or service is child directed, then any representations made by the first-party site would be overridden and the third party would be deemed to have actual knowledge.
Ultimately, this approach requires third parties to make complicated legal determinations about whether the first-party sites or services are directed to children based on incomplete and potentially misleading information. The COPPA Rule contains a 12-factor test for determining whether a site is child directed, and the Commission has emphasized repeatedly that “no single factor will predominate over another.” See e.g., 78 Fed. Reg. 3972, 3984. However, in the circumstances described above the third party generally will not have access to all of the information relevant for these factors, such as information about the intended audience of a first-party website or statistics about a website’s actual audience. And although the screenshots and other evidence may seem “concrete” on their face, they may provide only a small, cherry-picked, and misleading sampling of the overall nature of the site. Because a wrong conclusion could result in COPPA liability for the third party, there is an incentive for third parties to pull their services from child-directed sites and services.
In addition, this approach could discourage participation in the industry’s self-regulatory COPPA signaling solution. Companies may be less willing to invest in such a system if the COPPA signal or flag can be overridden by a few screenshots or other “concrete” evidence.
If a third party discovers that it has been collecting personal information from a child-directed website, it must obtain verifiable parental consent before using or disclosing personal information, unless the information previously was disassociated with the child-directed website. For example, if the third party associated the persistent identifier with an interest category and the persistent identifier is no longer associated with the site from which it was collected, then verifiable parental consent is not required. In such circumstances, the third party must comply with a parent’s request to delete the personal information, although it is not clear whether this will be technologically feasible or workable.
Social Plugins and Email Sharing on Child-Directed Sites and Mobile Apps
New FAQ D.9 addresses the scenario where a child-directed site or mobile app allows children to create user-generated content, such as drawings, locally and then share the content, along with a comment, via email or a social network. The FAQ requires parental consent prior to sharing user-generated content through such features and does not explicitly differentiate between child-directed sites and apps that target children as a primary audience and those that do not. Based on the text of the COPPA Rule, operators who do not target their sites and services to children should be able to age gate and enable sharing for users who identify themselves as 13 or older. In contrast, sites and mobile apps with children as the primary audience must obtain parental consent before enabling the child to share the user-generated content along with a comment.