01/03/2013 02:20:43 PM EST
Revamping Kids Privacy: FTC Finalizes COPPA Rule Changes
by Sheila Millar, Tracy Marshall, and Crystal
On December 19, 2012, the
Federal Trade Commission ("FTC" or "Commission") issued
final rule amendments concluding its review of the Children's Online Privacy
Protection Act ("COPPA") Rule ("final COPPA Rule"). The
FTC's review of the COPPA Rule began with a request for public comment in
April, 2010, followed by a public roundtable. The FTC subsequently released
initial proposed revisions to the COPPA Rule on September 15, 2011 through a Notice
of Proposed Rulemaking ("2011 NOPR"), and additional revisions on
August 6, 2012 through a Supplemental Notice of Proposed Rulemaking
("2012 Supplemental Notice"). Operators will be required to comply
with the final COPPA Rule beginning July 1, 2013.
The Commission made some significant changes to the COPPA Rule, including
revisions to the definitions of personal information, operator,
and website directed to children. The FTC also made important
substantive changes to the COPPA Rule in response to industry comments and
concerns about the compliance burden. These include: (i) maintaining the
"e-mail plus" mechanism as a method of parental consent; (ii)
replacing the "100% deletion standard" under the definition of collects
or collection with a "reasonable measures" standard to allow
filtered chat; (iii) defining screen or user names in the definition of
"personal information" only when it functions as "online contact
information"; and (iv) retaining the rule's requirements that the notice
include only the contact information for one operator. While some of these
changes reduce the potential impact on operators, compliance will nevertheless
pose significant burdens on websites directed to kids.
The eight (8) most important changes to the
COPPA Rule are provided below:
1. Personal Information: The final COPPA Rule expands the definition of personal
information in several important ways. The definition now includes persistent
identifiers linked to a device, "geolocation information
sufficient to identify a street name and name of a city or town," a
"photograph, video or audio file containing a child's image or
voice," and a screen or user name when it functions as online
The FTC modified
the description of persistent identifier to cover "a persistent
identifier that can be used to recognize a user over time and [not
"or"] across different websites or online services." This
includes a customer number held in a cookie, an Internet Protocol (IP) address;
a processor or device serial number, or a unique device identifier (UDID). This
revision will, of course, have a significant ripple effect throughout the
digital world, where personal information has always been thought to identify a
specific person, rather than a device that may be accessed by multiple users.
The FTC believes, however, that any added burden will be alleviated by allowing
the collection of persistent identifiers as support for internal operations
of the website or online service.
information is also considered
"personal information" when it is sufficient to identify a street
name and name of a city or town.
In addition, screen
or user names are personal information, but only when they function
in the same manner as "online contact information." The Commission
acknowledged that this definition of ascreen or user name permits
operators to use anonymous screen and user names in place of individually
identifiable information, including use for content personalization, filtered
chat, public display on a website or online service, or operator-to-user
communication via the screen or user name.
The Commission declined to include date of birth, gender, or zip code alone in
the list of items that constitute personal information. [footnotes omitted]
Access the full version of "Revamping Kids Privacy: FTC
Finalizes COPPA Rule Changes" with your lexis.com ID. Additional fees
may be incurred.
If you do not have a lexis.com ID, you can purchase this commentary and additional Emerging Issues Commentaries from the LexisNexis Store.
Lexis.com subscribers can access the complete
set of Emerging Issues Analyses for Cyber & E-Commerce Law and
the Cyber & E-Commerce Area of law page.
For more information about LexisNexis
products and solutions connect with us through our corporate site.
For more information on privacy
and data security issues, please contact Keller and Heckman attorneys: Sheila
Millar (+1 202.434.4143,firstname.lastname@example.org),
Tracy Marshall (+1 202.434.4234, email@example.com), or Crystal Skelton (+1