COPPA Rule Brings Regs Up to Date . . . but Who Must Comply?
Just in time for the holidays, the Federal Trade Commission’s long-awaited revision to the Children’s Online Privacy Protection Rule (the COPPA Rule) has finally been released. The new Rule, which aims to update the federal requirements for data collection by operators of websites directed to children under 13, includes a number of changes that should give parents a better idea about the types of information being collected about their children by site operators and provide them with more modern means of providing their consent.
Changes to the definition of “personal information” – including the addition of IP address and geolocation information – reflect the changing reality of online data collection since COPPA was first enacted, but we have persistent concerns that changes to the definition of sites “directed to children” significantly expand COPPA’s scope.
First, the positives: the Commission has made a substantial effort to bring COPPA into the modern age. The original statute was passed in 1998, when websites were static and “collecting personal information” typically required users to input data directly into a form. Since then, we’ve seen a dramatic change not just in the ways information is collected and the number of entities who might collect it, but also in the ubiquity of Internet-connected devices. All of this makes for a complex privacy landscape for users to navigate, which can generate anxiety among parents. COPPA’s original intent was to both encourage parents to be more involved in their children’s Internet use, and to provide parents with information they need to make informed decisions about whether to permit their children’s personal information to be collected online. Many of the Commission’s changes speak directly to this intent.
The Commission streamlined the form of direct notice parents will receive when an operator seeks permission to collect personal information from their child. The update puts a renewed focus on clearly laying out the intended use of any personal information collected and the steps a parent may take to give (or revoke) consent. This model of providing clear just-in-time notice in simplified language (along with a link to the operator’s comprehensive data use policy) is critical to enabling users to make informed decisions about their use of online services. We’re pleased to see it incorporated into the COPPA framework.
The Commission also updated the procedures for obtaining verified parental consent, retaining the popular “email plus” method and introducing video chat and submission of scanned signed permission forms to the list of approved methods. Importantly, the Commission also reminded operators that it hopes to encourage innovation in the field of consent mechanisms; to that end, it has created a process for operators to seek public review and Commission approval of new methods. Obtaining verified parental consent is one of the more onerous obligations for operators under the COPPA Rule, and the development of lower-cost consent methods that are both reliable and easier for operators to implement could foster the growth of rich online content designed for children.
Another key modernization of the COPPA Rule may not be as well-received by all operators: the revision of the definition of “personal information” to include “a persistent identifier that can be used to recognize a user over time and across different websites or online services.” Critically, this addition, which requires operators to obtain parental consent before collecting information such as an IP address or a device identifier from a child, is coupled with an exemption when that information is used only for the “support for internal operations” of the site or service. Early in the COPPA Rule review, CDT cautioned against a blanket inclusion of IP addresses in the Rule due to the fundamentally functional role such information plays. An operator must “collect” a user’s IP address in order to have any contact (to display the webpage, or send an email to a parent requesting consent) with the user at all. Of course, IP address and other persistent identifiers can in many cases be linked back to an individual, and in recent years there has been a general recognition that at some level they are personal information. For this reason, we’ve supported in other contexts efforts to give users control over how this information is shared and used.
Overall, we think the Commission achieved a good balance in the revised Rule, treating persistent identifiers as COPPA-covered personal information when used to track a user over time and across websites, but providing for a series of exempted uses that will allow operators to continue to use identifiers to maintain and analyze site performance, maintain the security and integrity of the site or service, and serve contextual advertising. Of course, while a regulation needs to be specific enough to give operators a clear sense of what conduct is covered and what isn’t, regulations itemizing certain technical uses can quickly become outdated. Anticipating this challenge, the Commission has also introduced a review process through which operators can request approval or clarification of whether their intended use of a persistent identifier falls under the exemption.
The Commission also introduced an important data minimization requirement, stating that data must be deleted or anonymized once it is no longer needed for the purpose for which it was originally collected. In an era where companies increasingly keep old data around on the off chance it might become useful, it is important to establish reasonable data minimization requirements, especially for sensitive personal information like children’s data.
“Directed, but not targeted, to children”?
While the new Rule contains many important updates to the COPPA framework, we remain concerned that the Commission’s changes to the definition of site or service “directed to children” expand the scope of the Rule to cover a much wider range of sites and will leave operators uncertain about their obligations under the law. The Commission has rightfully jettisoned earlier proposed language regarding sites likely to attract an audience “disproportionately” composed of children, which many commenters noted was too vague to provide operators with a clear idea of when they would incur COPPA obligations. Instead, the Commission has retained its “totality of the circumstances” test, where a site is deemed to be “directed to children” based on an examination of the content, language, and subject matter of the site.
The potential for operator confusion arises in part (c) of the new definition, which discusses sites that are “directed to children” but that do not target children as their primary audience. Historically, the Commission has brought COPPA enforcement actions against operators who have actual knowledge that they are collecting information from a child, or against operators of sites clearly aimed at an audience of children. This has provided functional clarity to the COPPA regime: operators that are affirmatively targeting children must undertake the burden of obtaining verified parental consent, while operators of general-audience sites or sites aimed at an older audience will not be surprised with COPPA obligations for users of indeterminate age. (Of course such a regime is vulnerable to manipulation by bad actors, but that is the inevitable result of age-based regulation of online activity. Requiring operators to divine the age of their users and treat different ages differently creates the opportunity for loopholes and the incentive to exploit them.)
The Commission’s updated definition, however, emphasizes its look-and-feel test for when the Commission decides a site is aimed at children, and de-emphasizes the operator’s own intent to target its site primarily to children. Instead, the Commission envisions COPPA obligations for “sites or services that target children only as a secondary audience or to a lesser degree” – a broad description that could encompass a huge range of teen- and young-adult-oriented or general-audience sites. The Commission says it does not intend to expand the reach of sites covered under COPPA, but rather to “create a new compliance option for a subset of websites and online services already considered directed to children under the Rule’s totality of the circumstances standard.” But the look-and-feel test is necessarily subjective, and operators of borderline sites can’t know with certainty how their sites will measure up until the Commission has evaluated them through the course of an enforcement action. If operators cannot rely on the certainty of making the decision to target children or not, they may face significant confusion about their obligations under the law.
Compounding our concerns, the Commission couples this confusing standard with an age-screening safe harbor, providing that operators of sites that might be deemed directed to children (but who aren’t intending to target children as their primary audience) can age-screen their users and only require COPPA notice-and-consent for those who self-identify as under 13. Operators in the uncertain gray areas are likely to implement age-screening mechanisms out of an abundance of caution. This could lead to many more sites demanding age or date-of-birth information from all users prior to allowing access to their sites, leading to the perverse result of encouraging operators to collect more data about users in order to protect user privacy. And as we’ve noted many times, government mandates conditioning access to constitutionally protected material on the provision of personal information infringe users’ First Amendment right to access information anonymously, as we saw in the litigation that brought down the Child Online Protection Act. While this new Rule is not a clear-cut age verification mandate, as COPA was, we’re concerned that the Commission is treading into very murky waters.
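As an added illustration (not part of the original post, and not any operator’s actual code), the following shows one way an age screen can gate COPPA treatment while collecting no more than the screen needs: it asks for a full date of birth (a neutral prompt that does not reveal the 13-year threshold), derives a single under-13 flag, and discards the date itself rather than storing it. Function and field names are assumptions for illustration.

```python
from datetime import date
from typing import Optional

# Constructed example: an age screen that keeps only the under-13 decision,
# never the submitted date of birth. Names are illustrative assumptions.

COPPA_AGE = 13  # the Rule's threshold; the user-facing prompt should not reveal it


def age_in_years(dob: date, today: date) -> int:
    """Whole years elapsed between dob and today.

    A February 29 birthday counts as not yet reached on February 28 of a
    common year, so a child born 2000-02-29 is still 12 on 2013-02-28.
    """
    had_birthday_this_year = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday_this_year else 1)


def screen_user(year: int, month: int, day: int, today: Optional[date] = None) -> dict:
    """Validate the submitted date, decide whether COPPA notice-and-consent
    applies, and return a minimal record that contains no date of birth."""
    today = today or date.today()
    try:
        dob = date(year, month, day)
    except ValueError:
        # Impossible dates (e.g. Feb 30) are rejected rather than guessed at.
        return {"valid": False, "requires_parental_consent": None}
    if dob > today:
        # A birth date in the future is not a usable answer either.
        return {"valid": False, "requires_parental_consent": None}
    under_13 = age_in_years(dob, today) < COPPA_AGE
    # Only the flag leaves this function; the dob object is dropped on return,
    # so nothing downstream can persist the birth date.
    return {"valid": True, "requires_parental_consent": under_13}


if __name__ == "__main__":
    # Constructed sample submissions, evaluated against a fixed "today".
    fixed_today = date(2013, 2, 28)
    for ymd in [(2000, 2, 29), (1999, 2, 28), (2001, 2, 30), (2020, 1, 1)]:
        print(ymd, "->", screen_user(*ymd, today=fixed_today))
```

A deployed screen would also need a session marker so that a user who is screened out cannot immediately go back and submit a different date; that mechanism is left out here because it is independent of the minimization point above.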
Finally, the Commission has expanded the definition of “directed to children” to include third-party operators of widgets and social plugins that have been incorporated into a first-party’s site, when the plugin operator has “actual knowledge it is collecting personal information directly from users of” a site that’s directed to children. While we’re glad to see the Commission move away from its earlier proposed “know or reason to know” standard, it’s not clear that this use of “actual knowledge” will provide the kind of clarity the Commission intends. It comes down to the difference between actual knowledge of specific information about a particular user, and “actual knowledge” about the Commission’s assessment of the nature and character of another website. Under the COPPA Rule, an operator incurs notice-and-parental-consent obligations when it obtains actual knowledge that a particular user is a child, which happens when it receives age/date-of-birth information from the user (or when the operator is informed by a third-party that a certain user is under 13).
This new use of “actual knowledge” is much more nebulous: the Commission envisions scenarios where the first-party operator communicates its child-directed nature to third-party plugin operators (means of doing so are not specified) or when “a representative of the online service recognizes the child-directed nature of the content.” It’s unclear who will count as a representative of the service, or what level of information will be considered sufficient for a plugin operator to have recognized the nature of the first-party site (particularly when the first-party operator himself may not be clear on the question). Is the Commission envisioning a DMCA-like notice-and-takedown regime, where third-party services will have to field and respond to allegations that their publishers are “directed at children”? This kind of approach will undoubtedly lead third parties to simply break their connections with first-party sites out of caution and a desire for certainty. The Commission goes on to note that it “does not rule out that an accumulation of other facts would be sufficient to establish actual knowledge” – a far cry from an actual knowledge standard based on the direct obtaining of a specific fact.
We urge the Commission to provide guidance to operators about the scope of the new definition of “directed to children,” to clarify the circumstances under which a site not targeting children as its primary audience may nevertheless be considered “directed to children.” Third-party plugin operators also need more guidance about when they will be held liable for “knowing” the character of the sites and services that incorporate their code. Otherwise, this lack of certainty for operators could lead to fewer sites and services for children, less willingness for third-party operators to work with potentially child-directed sites, and increased data collection from all users – consequences that are certainly not the Commission’s intent.