(This post is part two of a three-part series. Part one: “Sorry, tweens: No sweepstakes or contests until you’re 13.” Part three: "FTC issues long-awaited revisions to COPPA rules.")
The Federal Trade Commission wants to bolster the law that prohibits the disclosure of children’s personal information online. The Children’s Online Privacy Protection Act (COPPA) is designed to ensure that children under the age of 13 do not disclose any personal information about themselves without their parent’s permission. The COPPA rules were adopted in 2000. Because of the many technological changes and the increase in use of the Internet by young children since 2000, the FTC decided last year to review the Rule to see if it needed to be amended.
As part of this process, the Commission requested comments from the public and received nearly 200 comments from industry representatives, advocacy groups, academics, technologists, and individual members of the public in late 2011. The FTC proposed several amendments that are designed to strengthen the Rules and clarify their application to the Internet of 2012.
Some of the key proposed amendments include:
- The definition of “personal information” is expanded to include geolocation information and certain types of “persistent identifiers” used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising. The Commission also proposed revising the definition of “collection” so website operators covered by the Rules may allow children to participate in interactive communities without parental consent so long as the operators take reasonable measures to delete virtually all children’s personal information.
- The FTC also added several new methods of obtaining verifiable parental consent, including the use of electronic scans of parental consent forms and video-conferencing. The FTC also approved a method where, if the parent’s identification is deleted immediately after verification, the website operator can check the parent’s government-issued ID card against a database. All of these methods are in addition to the methods currently included in the Rules.
- Another FTC amendment would delete one current method of parental consent, known as “email plus” which is available to operators who collect personal information only for internal use. Right now this method allows operators to obtain consent through an email to the parent, coupled with one other step, such as sending a subsequent email confirmation to the parent after receiving initial consent.
The Commission also suggests adding a requirement that if operators disclose any child’s personal information to a service provider or third party, those entities must have a reasonable procedure in place to protect the information. Operators also must retain the information only for as long as reasonably necessary and must delete it by taking measures to protect against access to the data during its disposal.
Finally, the FTC recommends strengthening its self-regulatory “safe harbor” programs by requiring these groups to audit their members at least once each year and report the result of those audits to the Commission.
It is difficult to predict when the FTC will adopt these amendments. But Commission staffers have mulled the public comments since November 2011, so it’s likely the amendments may be presented to the Commissioners in the fairly near future.
The Sweepstakes Law Blog will let you know as soon as the FTC releases the rule changes.
This post was written by retired Thompson Coburn partner Dale Joerling. If you have any questions about the topics discussed in this post, please contact Thompson Coburn partner Hap Burke.