FTC Proposing New Rules to Protect Children’s Online Privacy

The FTC has just announced proposed changes to its existing rules protecting children’s online privacy and is currently accepting public comment to the proposed rules through September 10, 2012.  The proposed changes would amend the Children’s Online Privacy Protection Rule (“COPPA”).

In particular, the FTC is seeking to make modifications to the following language:

  • Revise the definitions of “operator” and “website or online service directed to children”  in order to specify that the operator of a child-directed site or service which incorporates into the site or service any plug-ins that collect personal information from visitors to the site  should itself be subject to COPPA.
  • Revise the definition of “website or online service directed to children” to specify that (a) plug-ins or ad-networks are covered by COPPA if they know or have reason to know that they are collecting personal information through a child-directed website or online service;  (b) websites that appeal to both adults and children under 13 years of age may screen all visitors’ ages in order to provide COPPA’s protections only to users under age 13; and (c)  all child-directed sites or services that knowingly target children under 13 or whose content primarily appeals to children under 13 must treat all users as children.
  • Revise the definition of “personal information” to clarify that a persistent identifier will be treated as personal information “where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than internal operations,” and revise the definition of “support for internal operations” in order to specify that activities such as “site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft” will not constitute as the “collection of personal information,”  provided that the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

The full text of the proposed new rules is attached here.

In all honesty, while I’m all in favor of protecting children on the Internet, I’ve never been a big fan of COPPA.  In my role as counsel to start-ups and small businesses, clients often come to me for advice on COPPA compliance, and the truth of the matter is that the language is cumbersome to read and interpret, and the rules are difficult to implement.  Moreover, I question the practical application of COPPA in this day and age where kids are so wired at a very young age and there is so much quality educational content available to kids.

So, with that being said, I think further clarification of how the FTC is reading the rules on the enforcement end is welcome and long overdue.

However, at the same time, the FTC is clearly trying to expand the reach of COPPA, and if implemented, any expansion is going to pose an additional hardship on affected start-ups and small businesses.   Huffington Post writer Larry Magid argues that the FTC has greatly underestimated the number of businesses that would potentially be affected by these new rules.  I know in my practice alone I’ll have a number of start-up and small business clients who would be affected by any new rules in this space.  Are the changes really going to have the effect of better protecting kids or are they just going to add to the administrative burden already facing start-ups and small businesses in the website and software services space?

The good news is that there is still time to review the proposed language and communicate your thoughts to the FTC, so I would encourage website and software service providers to get involved in the process and voice your opinions while this is still just a proposal.