The Implications of the FTC's New COPPA Rule

On December 19th the Federal Trade Commission released its much awaited revisions to the Rule that supplements the Children's Online Privacy Protection Act. The new text has divided opinion among industry, privacy advocates and app developers and the impact of the changes will be felt not just in the United States but around the world.

In 1998 when the Children's Online Privacy Protection Act (COPPA) was debated in Congress Senator Richard Bryan observed the necessity of the Act, and its corresponding Rule, working "in a manner that preserves the interactivity of children's experience on the Internet and preserves children's access to information in this rich and valuable medium." Since the release of the new COPPA Rule real concern has been expressed regarding the potential impact on the availability of online content for children under the age of 13. However, with increasing legislative and parental attention being focused on children's online well-being and safety does less content matter if children's privacy is protected?

The Federal Trade Commission (FTC) commenced the process of reviewing the Rule in 2010 and has held multiple roundtables, discussions and two public comment periods. The review was initiated owing to the changing way in which children were accessing the Internet, with the growth in smartphones and apps, and the new services that they were using online, such as social networks. The revisions to the Rule encompass many of the existing provisions from the definition of ‘operator' to the safe harbour regime and from the types of websites subject to the Rule to the methods of obtaining parental consent.

While some of the changes have been welcomed by industry and privacy advocates alike, other provisions have resulted in considerable consternation. The promotion of just-in-time notifications makes sense and will assist parents in making informed decisions about what their kids are doing online. The retention of email plus provides websites and apps with an easy, cost-effective way of obtaining verifiable parental consent, while the Rule also opens up the possibility of innovating novel consent methods through the new 120-day FTC approval process. The opportunity for creating common consent platforms and subjecting them to the notice and comment period is left open. The annual audits of the safe harbor programs are appreciated as it ensures that those covered remain in compliance with the Rule. Finally, the expansion of the "support for internal operations" definition allows operators to collect the necessary information for the running of their services without going through expensive and time consuming consent procedures.

However, app developers, small businesses and large companies have all raised concerns regarding the cost and feasibility of compliance with some of the new terms and specifically the affect that the new Rule is going to have on the production of a wide variety of content for children. There are also legal considerations and the question as to whether or not the new Rule has exceeded the scope of the original Act. Additionally, there are assertions that the cost of compliance has been massively underestimated by the FTC and will result in many organizations ceasing to create any material for children, especially those under 13.

It is generally acknowledged that the Commission has worked hard to understand new technologies. In 1998 the term "collecting personal information" tended to refer to data being entered into a form on a purely static website. Now websites, apps and plug-ins are obtaining information in an ever increasing number of ways and for a multitude of purposes. However, the FTC must be sure to balance the protection of personal information against the need for educational and innovative content for the under 13s, so as to ensure that children do not circumvent the protections that are in place in order to access more exciting and dynamic services.

The FTC decided to make substantial changes to the definition of "operator" under the Rule. Firstly, they imposed a strict liability standard on websites or services that incorporated a third party service, such as social networking plug-ins or advertising networks. The Commission reasoned that the child-directed content providers derived significant benefit, financial or otherwise, from the third party service. In addition they stated that the first party site was best placed to know the age of their users and to request the relevant consent from parents. Any additional burdens that this places on the first party website have been said by the FTC to be eased by the "support for internal operations" and the more limited definition of persistent identifiers.

Critics have raised numerous objections primarily that this revision goes beyond the scope of the original Act and the FTC is exceeding their statutory authority, as supported by the dissenting statement of Commissioner Ohlhausen. The new standard could also result in situations where despite agreements to the contrary a third party service collects data from a child, the first party will still be contravening the COPPA Rule and subject to enforcement actions. The additional responsibility placed on child-directed properties will also decrease those offered to children initially, and will certainly decrease the additional content offered on the sites or services given the increased liability.

It is not just that first party sites or services will be reluctant to incorporate third party plug-ins, the plug-ins and advertising networks themselves are now subject to the COPPA Rule in their own right. "Website or online service directed to children" now includes plug-ins where they have "actual knowledge" that they are collecting information from a child-directed property. What constitutes "actual knowledge" remains unclear, the Commission suggested that it may be obtained either when a child-directed content provider communicates that fact to the third party service or where a representative of the third party service recognizes the child-directed nature of the content. More details on this knowledge standard are expected when the FTC publishes new responses to FAQs on their website, but conversations with staff have subsequently affirmed that it is "very unlikely" that the receipt of a child-directed URL by email would constitute "actual knowledge" without independent information. How this will work in practice remains to be seen but it expands the scope of the Rule considerably.

The definition of "personal information" was further enlarged to cover persistent identifiers, where they are not being used solely for internal operations of the site and where they can recognize a user over time and across different websites. It now includes screen or user names, photos and videos as well as geolocation data.

When the Supplemental Notice of Proposed Rulemaking was published in September 2012 it included a novel provision whereby sites that appealed to adults and children alike would be able to age-gate their users so as to only be COPPA compliant in the areas that the under 13s would visit. This was subject to considerable debate with privacy advocates alleging that it provided a loophole to circumvent COPPA protections for children and industry stating that it unlawfully extended the reach of COPPA and would result in a First Amendment challenge.

The final Rule makes a distinction between child-directed sites and those services that target children as a primary audience. As a result those sites or services that are not targeting children, rather to whom they may be appealing, are only required to obtain verifiable parental consent from those who self-identify as being under 13. The FTC have been keen to make clear that, far from expanding the remit of COPPA the revision allows for the possibility of age-gating in order to make compliance with the Rule more tailored and applicable only to relevant content. Free speech campaigners have warned that excessive caution may lead to more websites requesting the age of visitors and thus could impinge on freedom of expression laws.

It remains to be seen whether COPPA will go the way of many previous laws including the Children's Online Protection Act (COPA) and be the subject of a court challenge on statutory or Constitutional grounds but it is imperative that the FTC engages in an educational program for all content creators to ensure that they fully understand the Rule and are able to comply by the deadline of July 1, 2013. Furthermore, the FTC must endeavour to inform parents on the purpose and functioning of COPPA. It is only through a combined effort that children's privacy can be comprehensively protected. However, unease remains that the new COPPA Rule has increased uncertainty and diminished innovative and educational content production without resulting in tangible benefits to online privacy for children.