FTC’s Proposed Changes to COPPA Hailed by Lawmakers

The FTC offered more than two dozen changes to COPPA and requested comment from industry members. The proposed changes addressed shifts in five areas of the legislation, definitions, parental consent mechanisms, security and the role of regulatory safe harbor programs. The 11-year-old rule that seeks to shield children from sexual predators and other online threats currently imposes requirements on operators of websites or online services directed to children under the age of 13.

Senate Communications Subcommittee Chairman John Kerry, D-Mass., called the proposed changes “necessary” and urged the FTC to present final privacy recommendations for Congress to consider. “In the online world, the nature of those threats changed significantly and parents need to have the power to control who has access to their kids’ information and for what purpose. These newly updated rules are necessary to keep pace with the way kids under 13 are interacting on the Internet and how online services are evolving.” Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., also praised the commission’s proposed rule changes as “a much needed update to the COPPA Rule. COPPA was passed over a decade ago, and the online and technological landscape has changed considerably since then. I think everyone would agree that we need to do more to protect our children’s online privacy, and today’s proposal helps in that effort."

Reps. Ed Markey, D-Mass., and Joe Barton, R-Texas, co-chairmen of the House privacy caucus, hailed the proposals. “The commission appropriately notes that teens should be provided with clear information about how their personal data is used and also empowered to exercise control over these uses,” said Markey. “The commission also proposes to add a child’s location information under the category of personal data that require a parent’s permission before it’s collected or used. Given the potential for this sensitive data to be misused to endanger a child, the commission’s proposal in this area is a much-needed step.” Barton agreed: “These new rules would go a long way in limiting kids’ exposure to online dangers and giving parents more control over what their kids see and who they communicate with on the computer. The FTC’s actions reveal that greater protection is indeed needed for our children.”

Among its proposed changes, the FTC sought six modifications to certain definitions in order to “streamline the rule’s language,” it said. One would amend Section 312.2 of the rule to expand online operators’ requests to collect children’s information to include prompts or encouragement to provide such information. The proposed rule change would make it clear that website operators who use automated data collection systems would still be liable for enforcement action under the rule, and would not be exempt under safe harbor provisions.

The FTC said it would not change the statutory definition of a child to include those over 13, saying the current definition “remains appropriate.” “The COPPA model would be difficult to implement for teenagers, as many would be less likely than young children to provide their parents’ contact information, and more likely to falsify this information or lie about their ages in order to participate in online activities,” the commission wrote. But the agency said it would separately explore “new privacy approaches that will ensure that teens -- and adults -- benefit from stronger privacy protections than are currently generally available.”

The current definition of “online services” is sufficient to include evolving technologies including mobile communications, interactive television, interactive gaming and other evolving media, the commission said. The agency said it will continue to assess emerging technologies to determine whether they constitute “websites located on the Internet” or “online services” subject to COPPA’s coverage, it said. The commission also sought to clarify the definition of disclosure to more specifically encompass websites’ dissemination of children’s information and further specified the “release of personal information” to include business to business information sharing.

The commission proposed new restrictions on when and how an online operator may collect and use children’s screen names, and persistent identifiers. The FTC sought to expand the definition of personal information to include screen names, user names, VoIP identifiers, photos, audio files, video chat identifiers and persistent identifiers like cookies, it said. Including persistent identifiers under the definition of personal information would require parental notification before websites use them to amass data on a child’s online activities, the document said.

The proposal would include unique device identifiers, such as those used in mobile devices, into the definition of personal information, the report said. This change marked a major shift to addressing Web use in the mobile environment and reflected some of the comments the FTC received last year when it asked the public to consider COPPA changes. Among the nearly 50 written responses the public sent in 2010, the proposed expansion of COPPA regulations to the mobile environment emerged as a major issue (WID July 14/10 p1). Consumer privacy groups like the Electronic Privacy Information Center said the rules should be expanded and broadened to cover mobile devices and social networking sites. But industry groups like CTIA and the National Cable and Telecommunications Association said expanding such regulations to the mobile environment could upset the status quo and hurt the overall quality of programming.

The FTC proposed adding a stand-alone section to protect geolocation data that provides information at least equivalent to a “physical address,” as personal information. But the commission did not propose to add birth dates, gender or ZIP codes under the definition of personal information, it said.

The FTC offered revisions to parental notification requirements in the rule concerning website operators’ data collection procedures. Operators should provide parents with relevant contact information for any inquiries and eliminate exhaustive privacy statements among other proposals, the FTC said. Furthermore, website operators should verify the accuracy of parental information in their databases by comparing it with government-issued identification documents, it said. The commission also clarified how and by what means operators may contact parents to obtain prior consent and banned operators from notifying parents via SMS message.

One of the more significant changes in the proposal was the commission’s offer to eliminate the current “sliding scale” or “email plus” approach to parental consent. Adopted in 1999, the sliding scale approach requires operators who are collecting personal information for internal use to obtain parental consent through an email and one additional step that verifies the individual is actually the child’s parent. But the commission said “the continued reliance on email plus has inhibited the development of more reliable methods of obtaining verifiable parental consent.” As a result “email plus has outlived its usefulness and should no longer be a recognized approach to parental consent under the Rule,” the report said.

The FTC proposed new security requirements for operators, asking them to implement “reasonable measures” to strengthen the confidentiality, security and integrity of children’s personal information, it said. The proposal suggests that operators make an effort to reduce data retention time and implement new data deletion requirements. Furthermore, the commission expanded and clarified the terms of industry’s self-regulation requirements and safe harbor programs.

"In this era of rapid technological change, kids are often tech savvy but judgment poor,” said FTC Chairman Jon Leibowitz. “We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses.”

The Direct Marketing Association (DMA) said the proposed changes were unnecessary and criticized the proposal’s inclusion of unique device identifiers into COPPA’s definition of personal information. “DMA strongly believes that such a definition should include only information that in fact permits the direct communication with a specific, identifiable person —- not a device that could be used by multiple people, including children under 13 or adults,” the group said Thursday. The DMA also objected to the commission’s proposal to eliminate the “sliding scale” approach to requiring parental consent. “This approach has proven to be a sound means for protecting children online and supports retaining a system that strikes the right balance between providing parents with control and not inhibiting children’s beneficial Internet experiences,” it said.

Center for Democracy and Technology President Leslie Harris commended the FTC for choosing not to expand COPPA coverage to those over 13-years-old, but CDT Policy Counsel Emma Llansó derided the agency’s decision to obtain parental consent by using parent’s government-issued identification information. “This method for verification could create serious chilling effects on parents’ willingness to consent to their child’s use of a website and raises privacy concerns for parents without securing a greater level of certainty in parental consent,” said Llansó.

The Campaign for a Commercial-Free Childhood (CCFC) said: “The FTC’s proposed new rules would reinforce parents’ role as gatekeepers by providing them with tools for much-needed control over how and whether their children’s private information is used across digital platforms.” “Given that there are currently so few regulations protecting children from unscrupulous marketing techniques, it is critical that the rules for COPPA be updated to include new media, including mobile devices. Most important, companies could not track children online through cookies or other techniques used for behavioral advertising.”

Individuals, companies and organizations may submit comments at http://xrl.us/bmdivs by Nov. 28.