The FTC asked for your input and you chimed in with 350 comments about the future of the Children’s Online Privacy Protection Rule. Based on what you said — and what we’ve learned through law enforcement — we’re back, asking for your help in thinking through modifications to certain definitions to clarify the scope of the Rule and strengthen its protections.
What’s under consideration in this supplemental request for public comment? We’re looking at possible changes to the definitions of “operator” and “website or online service directed to children” that would clarify the responsibilities under COPPA when third parties — like ad networks or plug-ins — collect personal information from users through child-directed websites or services. The proposed change would make clear that an operator that chooses to integrate the services of third parties that collect personal information from visitors would itself be considered a covered “operator” under the Rule.
What else is being discussed? Under the proposal, an ad network or plug-in would be covered by COPPA when it knows or has reason to know that it’s collecting personal information through a child-directed site or service.
Another proposal would allow websites with mixed audiences to age-screen visitors to provide COPPA’s protections only to those under 13. However, the proposal makes it clear that kid-directed sites or services that knowingly target under-13s as their primary audience or whose overall content is likely to attract kids under that age couldn’t use that method.
The FTC is also asking for feedback about a suggested change to the definition of “personal information” to make is clear that a persistent identifier falls within that definition if it can be used to recognize a user over time or across different sites or services. In connection with that, the FTC is thinking about modifying the Rule’s definition of “support for internal operations” to state explicitly that activities like site maintenance and analysis, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual ads, and protecting against fraud and theft won’t be considered the collection of “personal information” as long what’s collected isn’t used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising.