FTC Releases Expanded COPPA Rules
December 19, 2012. A divided Federal Trade Commission (FTC) released a notice, to be published in the Federal Register, that announces, describes, recites, and sets the effective date of, its new rules related to the COPPA and the regulation of privacy related online business practices.
This notice states that these new rules are "consistent with the requirements of the Children's Online Privacy Protection Act", which the Congress hastily enacted back in 1998. However, whether these new rules are indeed consistent with the COPPA will likely be subjected to judicial review.
FTC Chairman Jonathan Leibowitz stated that "the Internet of 2012 is vastly different from the Internet of more than a decade ago, when we first issued the COPPA Rule. Since then, we have seen the rise of smartphones, tablets, social networks, and more than a million apps", which "exacerbate the privacy risks to children".
Leibowitz (at right) said that the new rule expands the definition of personal information to include geolocation information, photographs, and videos. He said that the new rule covers "persistent identifiers like IP addresses and mobile device IDs, which could be used to build massive profiles of children by behavioral marketers."
He also said the new rules closes "a loophole that allowed apps and websites to permit third parties to collect personal information from our children -- through plug-ins -- in ways that they could not have done themselves without parental consent. And we extend coverage in some of those cases to the third parties doing the collection too". See, statement.
In contrast, FTC Commissioner Maureen Ohlhausen dissented, arguing that the FTC has exceeded its statutory authority.
And, Daniel Castro of the Information Technology and Innovation Foundation (ITIF) stated in a release that "Due in part to FTC rule making, the Internet has failed to live up to its potential in bringing forth a new era of compelling and educational child-friendly websites. This recent announcement is just another example of how federal child privacy laws harm children more than help them."
The Statute. The COPPA, which is codified at 15 U.S.C. §§ 6501-6506, bans operators of web sites and online services that are directed to children from collecting information from children under thirteen without parental consent.
The COPPA was S 2326 in the 105th Congress. S 2326 was enacted into law as part of a large omnibus appropriations bill in October of 1998. See, TLJ story titled "Internet and Tech Bills Become Law", October 22, 1998. See also, TLJ web page titled "Children's Online Privacy Protection Act" (1998).
The statute, at 15 U.S.C. § 6502, states that "It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b) of this section." (Emphasis added.)
The statute, at 15 U.S.C. § 6501, defines "operator" as "any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce". (Emphasis added.)
This definitional section also provides that "website or online service directed to children" means "(i) a commercial website or online service that is targeted to children; or (ii) that portion of a commercial website or online service that is targeted to children."
FTC Rules. The FTC adopted rules in 2000, pursuant to subsection (b).
In September 2011, the FTC issued a notice of proposed rulemaking. See, Federal Register, Vol. 76, No. 187, Tuesday, September 27, 2011, at Pages 59803-59833. See also, story titled "FTC Proposes Changes to COPPA Rule" in TLJ Daily E-Mail Alert No. 2,302, September 21, 2011.
The FTC released another notice [43 pages in PDF] on August 1, 2012. See, story titled "FTC Releases COPPA Further NPRM" in TLJ Daily E-Mail Alert No. 2,418, August 2, 2012.
The FTC notice states that "The final amended Rule includes modifications to the definitions of operator, personal information, and website or online service directed to children. The amended Rule also updates the requirements set forth in the notice, parental consent, confidentiality and security, and safe harbor provisions, and adds a new provision addressing data retention and deletion."
The FTC asserted in a release that the new rules will "close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent".
The FTC release also states that the new rules will "extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA" and "extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs".
Ohlhausen Dissent. FTC Commissioner Maureen Ohlhausen wrote a dissent. She wrote that "a core provision of the amendments exceeds the scope of the authority granted us by Congress in COPPA, the statute that underlies and authorizes the Rule".
Ohlhausen (at right) explained that "The proposed amendments construe the term ``on whose behalf such information is collected and maintained´´ to reach child-directed websites or services that merely derive from a third-party plug-in some kind of benefit, which may well be unrelated to the collection and use of children's information (e.g., content, functionality, or advertising revenue)." (Parentheses in original.)
"I find that this proviso -- which would extend COPPA obligations to entities that do not collect personal information from children or have access to or control of such information collected by a third-party -- does not comport with the plain meaning of the statutory definition of an operator in COPPA, which covers only entities ``on whose behalf such information is collected and maintained.´´" (Footnote omitted.)
"In other words, I do not believe that the fact that a child-directed site or online service receives any kind of benefit from using a plug-in is equivalent to the collection of personal information by the third-party plug-in on behalf of the child-directed site or online service."
These new rules are likely to be challenged in court. The court will likely apply Chevron deference. Ohlhausen, anticipating this, quoted from Chevron: the FTC "must give effect to the unambiguously expressed intent of Congress".
Congressional Reaction. Rep. Joe Barton (R-TX) stated in a release that "The final rules proposed by the FTC are needed and necessary."
Rep. Henry Waxman also praised the new rules in a release. He said that "Congress was well aware that technology can change quickly and gave the FTC enough flexibility and discretion to make sure the law could evolve with technology.
Sen. John Rockefeller (D-WV) praised the rules. He said in a release that "The new COPPA Rule captures this new online reality."
More Reaction. Morgan Reed of the Association for Competitive Technology (ACT) stated in a release "While we appreciate the efforts of Chairman Leibowitz, we are particularly concerned with his expectation that the industry will simply find a solution to the new rules. It is akin to jumping off a cliff with the plan to build the parachute on the way down."
Reed added that "In the mobile space, companies like Apple and Microsoft are giving parents the ability to control directly app downloads, app use, and data collection and sharing regardless of decisions made by the app developer. These tools make the need for such drastic changes to the COPPA rules completely unnecessary."
The Center for Democracy and Technology (CDT) stated in a release that "we are concerned that the updated definition of when a website is ``directed to children´´ could expand COPPA's reach to general audience sites and confuse website owners as to whether these new rules apply to them."
The CCT elaborated that "This uncertainty will likely prompt more sites to take advantage of the Commission's new age-screening safe harbor, which could lead to many more sites demanding age or identifying information from all users before allowing access. Requiring age verification from every user runs counter to the First Amendment right to access information anonymously and increases the collection of potentially sensitive information generally. The new rule's uncertainty is magnified for third party plug-in operators, who may now be liable for the decisions of publishers to embed their plug-in on sites directed to children."
(Published in TLJ Daily E-Mail Alert No. 2,494, December 19, 2012.)