Revamping Kids Privacy: FTC Finalizes COPPA Rule Changes

by Sheila Millar, Tracy Marshall, and Crystal Skelton

Excerpt:

On December 19, 2012, the Federal Trade Commission ("FTC" or "Commission") issued final rule amendments concluding its review of the Children's Online Privacy Protection Act ("COPPA") Rule ("final COPPA Rule"). The FTC's review of the COPPA Rule began with a request for public comment in April, 2010, followed by a public roundtable. The FTC subsequently released initial proposed revisions to the COPPA Rule on September 15, 2011 through a Notice of Proposed Rulemaking ("2011 NOPR"), and additional revisions on August 6, 2012 through a Supplemental Notice of Proposed Rulemaking ("2012 Supplemental Notice"). Operators will be required to comply with the final COPPA Rule beginning July 1, 2013.

The Commission made some significant changes to the COPPA Rule, including revisions to the definitions of personal information, operator, and website directed to children. The FTC also made important substantive changes to the COPPA Rule in response to industry comments and concerns about the compliance burden. These include: (i) maintaining the "e-mail plus" mechanism as a method of parental consent; (ii) replacing the "100% deletion standard" under the definition of collects or collection with a "reasonable measures" standard to allow filtered chat; (iii) defining screen or user names in the definition of "personal information" only when it functions as "online contact information"; and (iv) retaining the rule's requirements that the notice include only the contact information for one operator. While some of these changes reduce the potential impact on operators, compliance will nevertheless pose significant burdens on websites directed to kids.

The eight (8) most important changes to the COPPA Rule are provided below:

1. Personal Information: The final COPPA Rule expands the definition of personal information in several important ways. The definition now includes persistent identifiers linked to a device, "geolocation information sufficient to identify a street name and name of a city or town," a "photograph, video or audio file containing a child's image or voice," and a screen or user name when it functions as online contact information.

  • The FTC modified the description of persistent identifier to cover "a persistent identifier that can be used to recognize a user over time and [not "or"] across different websites or online services." This includes a customer number held in a cookie, an Internet Protocol (IP) address; a processor or device serial number, or a unique device identifier (UDID). This revision will, of course, have a significant ripple effect throughout the digital world, where personal information has always been thought to identify a specific person, rather than a device that may be accessed by multiple users. The FTC believes, however, that any added burden will be alleviated by allowing the collection of persistent identifiers as support for internal operations of the website or online service.
  • Geolocation information is also considered "personal information" when it is sufficient to identify a street name and name of a city or town.
  • In addition, screen or user names are personal information, but only when they function in the same manner as "online contact information." The Commission acknowledged that this definition of ascreen or user name permits operators to use anonymous screen and user names in place of individually identifiable information, including use for content personalization, filtered chat, public display on a website or online service, or operator-to-user communication via the screen or user name.
    The Commission declined to include date of birth, gender, or zip code alone in the list of items that constitute personal information. [footnotes omitted]

Access the full version of "Revamping Kids Privacy: FTC Finalizes COPPA Rule Changes" with your lexis.com ID. Additional fees may be incurred.

If you do not have a lexis.com ID, you can purchase this commentary and additional Emerging Issues Commentaries from the LexisNexis Store.

Lexis.com subscribers can access the complete set of Emerging Issues Analyses for Cyber & E-Commerce Law and the Cyber & E-Commerce Area of law page.

For more information about LexisNexis products and solutions connect with us through our corporate site.

 For more information on privacy and data security issues, please contact Keller and Heckman attorneys: Sheila Millar (+1 202.434.4143,millar@khlaw.com), Tracy Marshall (+1 202.434.4234, marshall@khlaw.com), or Crystal Skelton (+1 202.434.4254, skelton@khlaw.com).