Monday, September 19, 2011

FTC Seeks Comments on Revised COPPA Rules

We've never really agreed to much Internet privacy legislation... except in one area.  That involves children.  One of the oldest laws related to the Internet is the Child Online Privacy Protection Act (COPPA), passed in the late 1990s when ecommerce sites would let kids win stuff on their websites.  Play a game on the site; win a few points.  Tell the site your mom and dad's name, address, and salary - and win 100 points. 

COPPA has been the guiding privacy regulations for children's sites for over a decade, and now the Federal Trade Commission is in the process of updating its COPPA rules.  Public comments are due by Nov. 28.
FTC Seeks Comment on Proposed Revisions to Children’s Online Privacy Protection Rule
Changes in Technology Drive Proposed Updates

The Federal Trade Commission is seeking public comment on proposed amendments to the Children’s Online Privacy Protection Rule, which gives parents control over what personal information websites may collect from children under 13. The FTC proposes these amendments to ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve. The Commission proposes modifications to the Rule in five areas: definitions, including the definitions of “personal information” and “collection,” parental notice, parental consent mechanisms, confidentiality and security of children’s personal information, and the role of self-regulatory “safe harbor” programs.
“In this era of rapid technological change, kids are often tech savvy but judgment poor. We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses,” said FTC Chairman Jon Leibowitz. “We look forward to the continuing thoughtful input from industry, children’s advocates, and other stakeholders as we work to update the Rule.”
The Children’s Online Privacy Protection Act (COPPA) requires that operators of websites or online services directed to children under 13, or those that have actual knowledge that they are collecting personal information from children under 13, obtain verifiable consent from parents before collecting, using, or disclosing such information from children. The FTC’s Rule implementing the COPPA statute became effective in 2000.
The FTC previously reviewed the COPPA Rule in 2005 and retained it without change. In light of rapidly evolving technology and changes in the way children use and access the Internet, in 2010 the FTC initiated another review of the Rule on an accelerated schedule. On April 5, 2010, the FTC sought public comment on every aspect of the COPPA Rule, posing numerous questions for the public’s consideration. In addition, the FTC held a public roundtable and reviewed 70 comments received from industry representatives, advocacy groups, academics, technologists, and individual members of the public.
A brief summary of some of the major changes is below.
Definitions
The COPPA Rule requires covered operators to obtain parental consent before collecting personal information from children. The FTC proposes updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising. In addition, the Commission proposes modifying the definition of “collection” so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.
Parental Notice
The proposed amendments also seek to streamline and clarify the direct notice that operators must give parents prior to collecting children’s personal information. The proposed revisions are intended to ensure that key information will be presented to parents in a succinct “just-in-time” notice, and not just in a privacy policy.
Parental Consent Mechanisms
The FTC also proposes adding new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done. These supplement the nonexclusive list of methods already set forth in the Rule.
The FTC proposes eliminating the less-reliable method of parental consent, known as “e-mail plus,” which is available to operators that collect personal information only for internal use. This method currently allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.
To encourage the development of new consent methods, the Commission proposes establishing a voluntary 180-day notice and comment process whereby parties may seek Commission approval of a particular consent mechanism. In addition, the Commission proposes permitting operators participating in a Commission approved safe-harbor program to use a method permitted by that program.
Confidentiality and Security Requirements
To better protect children’s personal information, the Commission proposes strengthening the Rule’s current confidentiality and security requirements. Specifically, the Commission proposes adding a requirement that operators ensure that any service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it, that operators retain the information for only as long as is reasonably necessary, and that they properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.
Safe Harbor
Finally, the FTC proposes to strengthen its oversight of self-regulatory “safe harbor programs” by requiring them to audit their members at least annually and report periodically to the Commission the results of those audits.
The Commission vote to issue the Federal Register notice was 5-0.
Written comments must be received on or before November 28, 2011.
Write “COPPA Rule Review, 16 CFR Part 312, Project No. P-104503” on comments, and file your comment online at https://ftcpublic.commentworks.com/ftc/2011copparulereview by following the instructions on the web-based form. To file comments on paper, mail or deliver comments to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex E) 600 Pennsylvania Avenue, N.W., Washington, DC 20580.
. . . . .
MEDIA CONTACT:
Claudia Bourne Farrell,
Office of Public Affairs
202-326-2181
STAFF CONTACT:
Phyllis Marcus,
Bureau of Consumer Protection
202-326-2854

Mamie Kresses,
Bureau of Consumer Protection
202-326-2070

No comments: