Last Wednesday (August 1st), the FTC released a supplemental notice of proposed rulemaking (NPRM) regarding its expansion of several aspects of COPPA, supplementing the NPRM it released last September (see the ZwillGen blog post for a review of that NPRM). The FTC’s new round of rulemaking is based in large part on comments and reaction to its September NPRM.
The FTC is accepting further comments on the following proposed definitions; comments are due on or before September 10, 2012. Please contact us for further information about the proposed rulemaking or advice regarding filing a comment.
1. Expansion of Term “Operator”
The FTC proposes to expand the term “Operator” to include situations in which “Personal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.”
The FTC reasons that where a child-directed site benefits from the personal information used for, e.g., its content, functionality or revenue, it should also be considered an “Operator.”
This new definition is intended to expand COPPA liability to sites and services that enable other sites or services to collect personal information — in other words, to expand COPPA liability to sites that currently would likely be considered mere conduits. The expanded definition may be directed, for instance, to child-directed sites that enable Facebook and other social media plug-ins — whether or not they themselves collect personal information in this way. (This may in part be a reaction to Facebook’s public flirtation with opening its platform to those under 13.)
But the new rules would also apply to child-directed sites that enable unique identifiers to be placed into cookies for advertising purposes: those sites may need to more fully understand the cookies dropped from, or through, their websites, including whether they enable purely “contextual” advertising (which is permissible, see below) or targeted, behavioral advertising (off limits, absent verifiable consent).
An illustration of how the new rules might work in practice is previewed in the FTC’s Closing Letter recently issued in the investigation of OpenFeint, Inc., on July 31, 2012. OpenFeint — a gaming development platform used by some kids’ apps — argued that it should not be subject to COPPA because it had no control over how game developers used its software kit, nor insight into which games were directed to those under 13. The FTC believed that COPPA in fact does apply to such platforms and plug-ins, but declined to enforce COPPA due to the current “policy implications” around subjecting plug-ins to COPPA (as well as current ambiguity in the definition of “directed to children”).
2. Proposed Change to Definition of “Website or Online Service Directed to Children”
The FTC also proposes limiting the definition of “Website or Online Service Directed to Children” to instances where the site or service “knows or has reason to know” that it is collecting — itself or through its site partners (see above) — personal information from a child-directed application. In other words, this would enforce a constructive knowledge standard.
Taken together with the expansion of the terms “Operator” and “Personal Information,” this could impose significant burdens on ad networks and other platforms that direct and redirect data and cookies on a seamless, often self-serve basis. To lessen those burdens somewhat, the FTC has emphasized that it is not imposing on ad networks or plug-ins a duty to monitor or investigate whether they are on child-directed sites. But they can’t “ignore credible information” that this is occurring.
3. Recognition That Certain Websites Are Directed to Children And Families
As Disney argued in its comment, the current definition of “website or online service directed to children” has never properly recognized that many sites and services that may arguably be “directed to children” are also – even primarily – directed to adults, including parents. Disney thus urged the FTC to permit websites that are truly directed to larger “family” audiences to simply differentiate among users – through user self-identification, i.e., age screens.
To Disney’s credit, the FTC took its suggestion, at least in part. The FTC proposes that sites/services that may be “likely to attract” a significant (i.e., “disproportionate”) under-13 audience not be considered “child-directed” so long as they avoid collecting children’s personal information based on a self-identified age screen.
This would be simpler to comply with were it not coupled with the new definition of “personal information” – noted immediately below – that includes the type of unique cookie identifiers used for most third party advertising. In practical terms, a site such as the Little House on the Prairie fan site (http://www.prairiefans.com), a small-audience site that appears to defray its costs through the AdSense ads on its pages, might have to put all users through an age screen prior to showing its adult fans an ad tied to online cookies. (The AdSense program policies note that while those ads are often tied to contextual content, they likewise often are tied to unique IDs and multi-site cookies.)
Family-oriented sites may therefore need to choose between this additional user friction (i.e., slowing down users’ access to content) and avoiding at least certain types of ads or ad-serving platforms. These sites may find the erection of such age screens absent PII a counter-intuitive experience, given that age screens are most often employed as a default — that is, absent submission of PII — in the case of adult entertainment sites (or, on occasion, sites devoted to alcoholic beverages).
4. Major Expansion of What Is “Personal Information”
Persistent Identifiers = Personal Information.
In the September 2011 COPPA NPRM, the FTC caused a stir among the online advertising and content industries by proposing that “personal information” under COPPA include persistent identifiers – namely any “identifier that links the activities of a child across different websites or online services.” These would include unique identifiers placed in cookies or (somewhat less common) unique IDs tied to device fingerprints, serial numbers or IP addresses. At the same time, the FTC proposed a carve-out for “internal operations” (e.g., site navigation, “contextual” advertising, user preferences, fraud prevention).
In other words, the FTC wished to prevent unique, anonymous IDs from being used to target ads to children – a significant expansion, because the statutory definition of “personal information” suggests that it is limited to identifiers that “permit[] the physical or online contacting of a specific individual,” i.e., as distinct from an anonymous browser cookie. 15 U.S.C. § 6501(8)(F).
In its current NPRM, the FTC largely holds to its September proposal that unique identifiers tracked across websites be deemed “personal information.”
Clarification Regarding “Internal Operations” and Internal “User Names”
However, the FTC’s new proposal sets out two potentially important accommodations for child-directed websites that wish to use identifiers solely for internal, site-oriented use. First, the FTC more clearly proposes that such identifiers may be used for internal operations, even if they track users across websites or services (e.g., customizing user content across affiliated websites). Recognizing commenters’ concerns about the lack of clarity around what “internal operations” justified (e.g., such cookie placement on less than verified consent), the FTC has proposed these revisions to its “internal operations” carve out:
Support for the internal operations of the website or online service means those activities necessary to:
(a) maintain or analyze the functioning of the website or online service;
(b) perform network communications;
(c) authenticate users of, or personalize the content on, the website or online service;
(d) serve contextual [as opposed to multi-site, behavioral] advertising on the website or online service;
(e) protect the security or integrity of the user, website, or online service; or
(f) fulfill a request of a child as permitted by §§ 312.5(c)(3).
Finally, the FTC also proposes that user names that do not rise to the level of “online contact information” effectively be carved out from the new definition of “personal information.” Into this category the FTC places screen and user names used strictly for “single sign in” purposes — such as to minimize data collection, avoid holding contact information, and permit customized first party content. In other words, so long as these user names are not a means of contacting children under 13, they would not require verifiable consent.