Yesterday, two Federal Trade Commission (“FTC”) attorneys addressed several key issues raised by the Commission’s revised final rule implementing the Children’s Online Privacy Protection Act (“COPPA”). Speaking at a webinar sponsored by the International Association of Privacy Professionals, Mamie Kresses and Phyllis Marcus, both senior attorneys at the FTC who focus on COPPA issues, discussed when a third-party service obtains “actual knowledge” that it is integrated on a website or service directed to children, whether the final rule’s “primary audience” distinction in the definition of child-directed sites expands the scope of COPPA-covered entities, and how certain COPPA provisions apply to companies that collect persistent identifiers only for support for internal operations. Ms. Kresses and Ms. Marcus also emphasized that, under the revised final rule, “more companies will have to have the COPPA moment,” where they reassess their online offerings to determine whether they are child-directed and therefore subject to COPPA. In order to address the many issues raised by the revised final rule, industry can expect further guidance from the FTC leading up to the July 1, 2013 effective date, including updates to the COPPA Frequently Asked Questions on the FTC’s website.
Actual Knowledge for Third Party Services
Under the revised final rule, third-party services, such as plug-ins and ad networks, are subject to COPPA if they have actual knowledge that they are collecting information on a website or service directed to children. In order to address uncertainty about when a third party will be deemed to have obtained “actual knowledge,” the FTC’s Statement of Basis and Purpose for the revised COPPA rule suggests that actual knowledge may be obtained when (1) a child-directed content provider directly communicates the child-directed nature of its content to the third-party service, or (2) a representative of the online service recognizes the child-directed nature of the content.
Yesterday, Ms. Kresses and Ms. Marcus said that, while the actual knowledge inquiry is highly fact specific, it is “very unlikely” that the mere receipt of a child-directed website’s URL would give a third party service “actual knowledge” that it was integrated on a child-directed site “without outside independent information” allowing the third party to determine the child-directed nature of the site or service on which it is integrated. However, they acknowledged that, if industry were to eventually develop a system for signaling the child-directed nature of sites and services and these signals were embedded in the URL, their position on this issue might evolve. Last week, FTC Chief Technologist Steve Bellovin discussed the possibility of such a signaling system in a blog post.
The Primary Audience Distinction Among Child-Directed Sites
Ms. Kresses and Ms. Marcus suggested that the revised final rule’s distinction between child-directed sites and services that target children as a primary audience and those that do not was not intended to expand the scope of entities subject to COPPA. Rather, the primary audience distinction “was intended to be a small carve-out” that would allow child-directed sites and services that appeal to both children and a mixed audience to age screen users and treat only users who state that they are under 13 as “children” subject to COPPA. Responding to concerns that the primary audience distinction nevertheless requires more sites and services to age screen, Ms. Kresses stressed that the “heavy preponderance” of general audience sites still should not need to age screen.
While Ms. Kresses and Ms. Marcus emphasized that, in their view, the revised final rule’s “primary audience” distinction does not expand COPPA’s definition of child-directed sites and services, their comments on future COPPA enforcement suggest that the “primary audience” distinction may ultimately expand the scope of companies that receive COPPA scrutiny from the Commission. Ms. Kresses explained that, now that certain mixed audience sites that appeal to children have an opportunity to age screen users and treat only certain users as children, the COPPA burden for these mixed audience sites should be less than before. Consequently, mixed audience sites that are also child-directed may draw more enforcement scrutiny from the Commission when those sites do not comply with COPPA. This further underscores the importance for many mixed-audience sites of re-evaluating whether some of their online offerings are child-directed in light of the revised final rule.
Scope of Support for Internal Operations Exemption
Ms. Kresses also suggested that companies that collect persistent identifiers only for the support for internal operations must nevertheless comply with all COPPA provisions other than the notice-and-consent provisions. Under the revised final rule, the FTC expanded the definition of “personal information” to include persistent identifiers that can be used to recognize a user over time and across different websites or services. Because persistent identifiers are often integral to the functioning of websites and services, the new rule exempted companies from COPPA’s notice and consent provisions when persistent identifiers are collected only for the “support for internal operations.” The rule is silent, however, about whether the other COPPA provisions–such as access, review, deletion, and data security provisions–continue to apply to these persistent identifiers when they are used only for support for internal operations. Responding to a question on this issue, Ms. Kresses noted that the new rule’s support for internal operations exemption applies only to COPPA’s notice and consent provisions and that operators “would be wise” to comply with COPPA’s other provisions.
Additional Issues and Further Guidance
Other portions of the presentation also stressed how the revised final rule creates obligations for industry. For example, the strict liability of website publishers for third party information collection on their sites and the obligation to list third parties operating on the site in an online privacy notice require website publishers to inform themselves about third parties operating on their webpage. Ms. Kresses also suggested that the new rule’s data security and retention provisions serve as a “notice of raising the bar” and are a “warning” to operators to re-evaluate their data retention and security practices.
Industry can expect further guidance from the FTC on these and other issues in the months leading up to the July 1, 2013 effective date of the new COPPA rule. Ms. Marcus suggested that this additional guidance will include updates to the COPPA FAQs, as well as other forms of industry guidance.