Earlier this week, Ken Dreifach blogged about how COPPA’s New Rule Affects Ad Networks. Today, we look at how the new rules will impact general audience and teen-directed websites when they take effect on July 1, 2013.
Under the existing COPPA rules, operators of general audience and teen-directed websites and online services are required to comply with COPPA when they have actual knowledge they are collecting, using, or disclosing personal information from children under 13. Under this standard, websites and online services that are not kid-oriented in any way (or have kid-oriented portions) do not have to worry about COPPA; however, general audience websites that might attract children under 13, and especially teen-directed websites, do have to consider whether they are subject to COPPA. Since complying with COPPA is burdensome, many of these websites and online services have so far avoided COPPA either by affirmatively not collecting any personal information from any users, including potentially children under 13, or collecting users’ ages through an age-screening mechanism and blocking users under 13 from using the services. These tactics generally work under the existing rules; thus, these entities have some comfort that COPPA does not apply to their services.
The new COPPA rules, however, make life a bit more challenging for general audience and teen-directed services for a couple of reasons. While the FTC did not change the actual knowledge standard for these services, it did significantly expand the definition of “personal information” as discussed in Ken’s blog entry. The FTC further imposed strict liability on first-party websites and services for the actions of third parties, like ad networks and social plug-ins, that collect children’s personal information through those first parties.
First, the definition of “personal information” now includes persistent identifiers, like tracking cookies, that can be used to recognize a user over time and across different websites or online services. Under the existing rule, persistent identifiers are considered “personal information” only when they are associated with individually identifiable information, or with a combination of a last name or photograph of the individual with other information that would permit physical or online contact. Thus, under the existing rules, a general audience website with users under 13 that does not collect personal information from those users can use persistent identifiers and can permit third parties, such as ad networks, to use persistent identifiers as well without having to comply with COPPA. They can do that now because such identifiers are not considered “personal information” if they are not combined with other identifying information.
Second, when you couple this change in the definition of “personal information” with a new imposition of strict liability on first-party site operators that permit third parties, such as plug-ins and ad networks, to collect personal information through their services, general audience websites and services have some new legal and regulatory hurdles to clear. For instance, if a general audience website has actual knowledge that at least some of its users are children under 13, even if it does not itself collect personal information from those users, that website can be strictly liable for the actions of any third-party plug-ins, ad networks or others that it allows to collect personal information, including persistent identifiers, on the site or service.
This strict liability standard creates an especially burdensome result for general audience services that have child users but have chosen not to collect any personal information from those users under the existing rule. Under the COPPA changes, if those sites continue to permit a third-party plug-in or ad network to use persistent tracking cookies or other tracking technologies, they will be obligated to provide notice to parents and obtain consent before the third party can collect the child’s information. In other words, the first-party general audience website is responsible for the actions of the third party and has to comply with COPPA even though it has not collected personal information from children.
To many, this may seem less than fair (or even illogical) given the trend in various other Internet laws (e.g., CDA and DMCA) to provide immunity to website operators for the actions of third parties; however, the FTC’s expressed justification is that the first-party site or service is in the best position to provide parental notice and obtain consent. The FTC also believes that imputing strict liability on website operators for the actions of third parties is justified because the sites often benefit from the third-party services through enhanced site functionality and content, greater publicity and compensation. Not all of the FTC Commissioners, however, agreed with this conclusion. In voting against the COPPA amendments, Commissioner Ohlhausen indicated that extending COPPA obligations to entities that do not collect personal information from children or have access to or control over such information collected by a third party is not consistent with COPPA’s definition of “operator” – that is, the COPPA statute itself only covers entities “on whose behalf such information is collected and maintained.”
Absent a challenge to this part of the rule, general audience websites and services that do appeal to children and employ behavioral advertising or social plug-ins should consider age screening prior to the collection of any personal information from any of their users. A successful age screen allows these sites to either prohibit users under 13 from using the services or at least identify those users for whom the service will have to provide parental notice and obtain consent before allowing the collection of personal information.
Of course, these services also should consider their existing relationships with ad networks and plug-ins to ensure that they are comfortable with the information collection engaged in by these entities, or whether they want to begin engaging solely in contextual advertising on their services, which is permitted under COPPA.