Privacy & Information Security Law Blog

On September 15, 2011, the Federal Trade Commission released proposed amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”).  These revisions follow the FTC’s review of the COPPA Rule, which resulted in numerous comments from various groups and individuals, as well as a public round table that took place on June 2, 2010.  The proposed amendments reflect the FTC’s commitment to “helping to create a safer, more secure online experience for children” in the face of rapid technological change.

The FTC agreed with public input that new statutory definitions are not necessary because both the statute and the COPPA Rule are written broadly enough to encompass new technologies.  For example, the statute’s definition of “Internet” is not limited to particular devices.  Similarly, the term “online service” may be interpreted as covering applications that allow children to play network games, engage in social networking, shop online, receive behaviorally targeted advertisements, and interact with other content or services.  The FTC reserved judgment on whether messaging services such as SMS and MMS also may be considered “online services.”

In spite of the flexibility of the COPPA Rule, the FTC expressed the need to update some of the Rule’s provisions in the following areas:

• Definitions: Particularly noteworthy is the proposed expansion of the definition of “personal information” to include IP addresses, customer numbers held in cookies, and geolocation information.
• Notice: The proposed revisions would streamline the notice content requirement, but would require all operators of an online service or website to provide contact information (as opposed to designating one operator as the contact point, which ignores the possibility that children may interact with multiple operators on a single website).
• Parental Consent: The FTC has proposed eliminating the “email plus” method of obtaining parental consent.  Website operators would instead be able to seek FTC approval of alternate consent mechanisms.  The goal would be to allow for consideration of new forms of consent as the technology evolves, and to encourage innovation with respect to new methods of obtaining verifiable consent.
• Confidentiality and security of children’s personal information: Under the proposed amendment, an operator must ensure that any service provider or third party to whom it releases children’s personal information has reasonable procedures to maintain the confidentiality, security and integrity of such personal information.
• Safe harbor programs: The proposed changes would require approved safe harbor programs to report on their oversight of operators, and new safe harbor program applicants would have to provide more detail in their applications than currently is required.

In addition to these modifications, the FTC proposed adding a new section to the Rule addressing data retention and deletion.  The proposed provision requires that operators retain children’s personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected and that operators must delete such information by taking reasonable measures to protect against unauthorized access to the information.

The FTC is soliciting public comment on the proposed COPPA Rule amendments.  Comments will be accepted through November 28, 2011.