The Federal Trade Commission is seeking public comment on proposed amendments to the Children’s Online Privacy Protection Rule, which gives parents control over what personal information websites may collect from children under 13. The FTC proposes these amendments to ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve. The Commission proposes modifications to the Rule in five areas: definitions, including the definitions of “personal information” and “collection,” parental notice, parental consent mechanisms, confidentiality and security of children’s personal information, and the role of self-regulatory “safe harbor” programs.
“In this era of rapid technological change, kids are often tech savvy but judgment poor. We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses,” said FTC Chairman Jon Leibowitz. “We look forward to the continuing thoughtful input from industry, children’s advocates, and other stakeholders as we work to update the Rule.”
The Children’s Online Privacy Protection Act (COPPA) requires that operators of websites or online services directed to children under 13, or those that have actual knowledge that they are collecting personal information from children under 13, obtain verifiable consent from parents before collecting, using, or disclosing such information from children. The FTC’s Rule implementing the COPPA statute became effective in 2000.
The FTC previously reviewed the COPPA Rule in 2005 and retained it without change. In light of rapidly evolving technology and changes in the way children use and access the Internet, in 2010 the FTC initiated another review of the Rule on an accelerated schedule. On April 5, 2010, the FTC sought public comment on every aspect of the COPPA Rule, posing numerous questions for the public’s consideration. In addition, the FTC held a public roundtable and reviewed 70 comments received from industry representatives, advocacy groups, academics, technologists, and individual members of the public.
A brief summary of some of the major changes is below.
The COPPA Rule requires covered operators to obtain parental consent before collecting personal information from children. The FTC proposes updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising. In addition, the Commission proposes modifying the definition of “collection” so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.
Parental Consent Mechanisms
The FTC also proposes adding new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done. These supplement the nonexclusive list of methods already set forth in the Rule.
The FTC proposes eliminating the less-reliable method of parental consent, known as “e-mail plus,” which is available to operators that collect personal information only for internal use. This method currently allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.
To encourage the development of new consent methods, the Commission proposes establishing a voluntary 180-day notice and comment process whereby parties may seek Commission approval of a particular consent mechanism. In addition, the Commission proposes permitting operators participating in a Commission approved safe-harbor program to use a method permitted by that program.
Confidentiality and Security Requirements
To better protect children’s personal information, the Commission proposes strengthening the Rule’s current confidentiality and security requirements. Specifically, the Commission proposes adding a requirement that operators ensure that any service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it, that operators retain the information for only as long as is reasonably necessary, and that they properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.
Finally, the FTC proposes to strengthen its oversight of self-regulatory “safe harbor programs” by requiring them to audit their members at least annually and report periodically to the Commission the results of those audits.
The Commission vote to issue the Federal Register notice was 5-0.
Written comments must be received on or before November 28, 2011.
Write “COPPA Rule Review, 16 CFR Part 312, Project No. P-104503” on comments, and file your comment online at https://ftcpublic.commentworks.com/ftc/2011copparulereview by following the instructions on the web-based form. To file comments on paper, mail or deliver comments to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex E) 600 Pennsylvania Avenue, N.W., Washington, DC 20580.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook and follow us on Twitter.