FTC Proposes Amendments to Children’s Online Privacy Protection Rule

This posting was written by John W. Arden.

The Federal Trade Commission has proposed amendments to the Children’s Online Privacy Protection Rule in order to ensure that the rule continues to protect children’s privacy, as online technologies evolve. The agency is seeking public comment on the proposal through November 28, 2011.

According to a September 15 press release, the proposed amendments would give parents control over what personal information websites may collect from children under 13 years of age.

The Children’s Online Privacy Protection Act (COPPA) (CCH Trade Regulation Reporter ¶27,590) requires operators of websites or online services directed to children under 13—or those having actual knowledge that they are collecting personal information from children under 13—to obtain verifiable consent from parents before collecting, using, or disclosing such information.

The FTC rule implementing COPPA—the Children’s Online Privacy Protection Rule (CCH Trade Regulation Reporter ¶38,059)—became effective in 2000.

In April 2010, the Commission sought public comment on the COPPA Rule, posing numerous questions for public consideration, holding a public roundtable, and reviewing 70 comments from industry representatives, advocacy groups, academics, technologists, and members of the public.

Proposed changes to the rule, released today, include:

Definitions. The FTC proposes updating the definition of “personal information” that may not be collected from children under 13 without parental consent to include geolocation information and certain “persistent identifiers” such as tracking cookies used for behavioral advertising. The agency further proposed a change to the definition of “collection” to allow children to participate in interactive communities, without parental consent, as long as the operators take reasonable measures to delete children’s personal information before it is made public.

Parental notice. The Commission seeks to streamline and clarify the direct notice that operators must give parents prior to collecting children’s personal information in a succinct “just-in-time” notice rather than just in a privacy policy.

Parental consent mechanisms. New proposed methods of obtaining verifiable parental consent would include electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database. These new methods would supplement the existing methods of obtaining parental consent, which include signed parental consent forms, parents’ use of a credit card in connection with a transaction, and parents' calls to a toll-free telephone number. The FTC proposes eliminating parental consent through “e-mail plus,” an e-mail to a parent coupled with another step such as sending an e-mail confirmation.

Confidentiality and security. Proposed rules would strengthen confidentiality and security by requiring that operators ensure that any third party to whom they disclose personal information has reasonable procedures to protect that information, retain the information for only as long as reasonably necessary, and properly delete that information.

Safe harbor. The FTC proposes to strengthen its oversight of self regulatory “safe harbor programs” by requiring groups to audit their members at least annually and to report the results of audits to the Commission.

The 122-page notice of proposed rule and request for comments appears here on the FTC website.

Submission of Comments

Interested persons may submit comments online here or may send a hard copy of comments to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex E), 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.

Write “COPPA Rule Review, 16 CFR Part 312, Project No. P-104503” on the submissions.