FTC Unveils COPPA Rule Update, Includes IP Addresses, Geolocation as Personal Information

Third parties must be in COPPA compliance if they have “actual knowledge” they are collecting information from children, under the new rule. Leibowitz called the language in the rule a “meaningful narrowing from the rule we proposed earlier,” which would have required third parties, such as plugins and ad networks, to be COPPA-compliant if they had “reason to know” they were collecting information from children. “There was some dispute as to whether there could be a lower bar,” Rockefeller said, that would require third parties to get parental consent if they had information short of actual knowledge. But, he said, “the FTC really went as far as they could on this one.” Jim Halpert, technology lawyer with DLA Piper, said the actual-knowledge standard is “much easier for third parties, such as ad networks and plug-in providers, to comply with and better reflects the statutory language.” Halpert is also general counsel to the Internet Commerce Coalition.

Websites that are not primarily directed at children but have children as a “secondary audience ... will be required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13” under the new rule. In writing this language, the FTC “wanted to create the notion of a family-friendly site,” Leibowitz said. App platforms, such as the Apple App Store or Google Play, are not subject to COPPA under the new rules. The commission “did not mean to cover app stores” in the initial COPPA rule revision, Leibowitz said.

The new rule expands the definition of personal information to include “geolocation information, as well as photos, videos, and audio files that contain a human image or voice” and “'persistent identifiers’ that can be used to recognize users over time and across different websites or online services,” including device IDs and IP addresses. “Until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising,” Leibowitz said.

The update allows companies to get verifiable parental consent through new mechanisms, including “video-conferencing; use of government-issued identification; and alternative payment systems, such as debit cards and electronic payment systems.” Websites that develop new ways to gain verifiable parental consent can submit their ideas to the FTC for approval. “We're confident that our country’s most brilliant technologists will rise to the challenge” and develop new and innovative ways to gain parental consent, Leibowitz said.

The FTC will use a similar process for proposed additions to the list of exceptions that allow websites to collect personal information from child users without verifiable consent for support for internal operations. The definition of “support for internal operations” is outlined in the regulations and includes “contextual advertising, frequency capping, legal compliance, site analysis, and network communications.” Websites that seek to expand that definition can do so by contacting the FTC. The FTC will process those proposals in 120 days, Commissioner Julie Brill told us after the press conference, and then the agency will make the proposals available for public comment. “We think the rule now covers them all,” she said, but the FTC is “very interested in hearing from industry” about new technological developments.

This will create more work for privacy advocates, Jeff Chester, executive director of the Center for Digital Democracy, told us. Chester, who was repeatedly thanked for his work on COPPA by the lawmakers, said the new rule “ironically, created much more work for us” because privacy advocates will have to “scrutinize every new proposal” for parental consent mechanisms and data uses that fall under “support for internal operations” and therefore don’t require verifiable parental consent.

The commission voted 3-1-1 on the rule update, with Commissioner Thomas Rosch abstaining and Commissioner Maureen Ohlhausen dissenting. In her dissent, Ohlhausen disagreed with the rule’s extension of “COPPA obligations to entities that do not collect personal information from children or have access to or control of such information collected” by a third party. “I do not believe that the fact that a child-directed site or online service receives any kind of benefit from using a plug-in is equivalent to the collection of personal information by the third-party plug-in on behalf of the child-directed site or online service,” she wrote(http://1.usa.gov/TZbE98).

The new rules are misguided and will harm innovation, stakeholders said. Daniel Castro, senior analyst at the Information Technology and Innovation Foundation, said the update does “not address the real problems with current privacy restrictions which are woven into the open nature of the Internet and the always changing technology environment,” citing reports that children under the age of 13 often lie about their age to use services that are not subject to COPPA. “The FTC should have focused on rules to better address these issues and not simply restrict legitimate business practices,” he said in a statement.

The Application Developers Alliance is “deeply concerned that the new regulations will be so expensive to implement and create so much risk that talented and responsible developers will abandon the children’s app marketplace,” said President Jon Potter in a statement. The updates will disproportionately harm small companies, said Association for Competitive Technology Executive Director Morgan Reed in a statement: “These changes are welcome, but the FTC did not do enough to ensure continued opportunities for educational app startups."

The new rule could pose First Amendment problems for the FTC, said the Center for Democracy and Technology in a statement (http://bit.ly/WsP2Uh). CDT, which receives funding from some of the companies that have commented on COPPA proposals (http://bit.ly/R5CBem), said it was concerned about the new requirements that websites not directed solely at children but that have large child audiences require users to disclose their age. Uncertainty caused by this expanded definition “will likely prompt more sites to take advantage of the Commission’s new age-screening safe harbor,” the CDT wrote. “Requiring age verification from every user runs counter to the First Amendment right to access information anonymously and increases the collection of potentially sensitive information generally.” This is “something the courts struck down in the cases against the (similarly named but substantively quite different) Child Online Protection Act of 1998,” CDT Policy Counsel Emma Llanso told us. According to FTC Senior Attorney Mamie Kresses, the rule is unlikely to violate the First Amendment “given that it’s a choice, not a requirement” that websites with child audiences screen users for age.