By Lindsey Tonsager and Shel Abramson
Earlier this morning, the FTC proposed additional revisions to the rule implementing the Children’s Online Privacy Protection Act (“COPPA”). COPPA governs the online collection, use, and disclosure of children’s personal information by (1) operators of websites and online services that are directed to children under the age of 13 and (2) operators of general audience websites or online services that have actual knowledge that a user is under 13. The FTC initially proposed revisions to the COPPA Rule in September 2011, and based on comments that it received, is proposing additional changes for comment. Comments to this supplemental proposed rule must be submitted by September 10, 2012. No final rules were adopted at this time.
The supplemental proposed rule revises the definitions of several key terms, including “operator,” “website or online service directed to children,” “personal information,” and “support for internal operations.”
- Operator: The revisions would expand the definition of “operator” to include third parties, such as social plug-ins and ad networks, that know or have reason to know that they collect personal information through child-directed websites and online services. The FTC previously had rejected a constructive knowledge standard. The notice suggests that website operators and such third parties would be deemed “co-operators” that would be jointly responsible for complying with COPPA.
- Website or Online Service Directed to Children: The revised definition would allow family friendly websites that are directed to both children and a broader audience to comply with COPPA without treating all users as children, instead providing COPPA protections only to users under the age of 13.
- Screen and Usernames: The revisions would clarify that screen or usernames would be covered only where they function as online contact information.
- Personal Information: The new proposed definition would include persistent identifiers that can be used to identify users over time and across different sites and services.
- Support for Internal Operations: Activities that are required to manage and operate a site will not be deemed to have collected personal information if they do not use or disclose the information for the purposes of contacting an individual.