Marketing to Children and Young Adults: Congress and the FTC Consider Significant Changes to COPPA

As Washington policymakers continue to debate various overhauls to the Nation’s privacy laws, children’s online privacy has emerged as a leading topic of focus.  The Federal Trade Commission (FTC) and Congress have dedicated significant attention to the matter this year, with a spike in regulatory activity in recent weeks. 

One of the early and persistent drivers of the debate was the introduction of the “Do Not Track Kids Act” (H.R. 1895) by Representatives Ed Markey (D-MA) and Joe Barton (R-TX).  Barton and Markey are co-chairs of the Bipartisan Congressional Privacy Caucus and continue to champion tirelessly their children’s privacy bill, a proposal that has been welcomed by many privacy advocates, but criticized by industry groups.  Among the most controversial aspects of the Barton-Markey bill are its call for an “eraser button” that would allow parents to delete their children’s online footprint, as well as an expansion of Children’s Online Privacy Protection Act (COPPA) protections to children ages 13 to 18. 

The outlook for congressional passage of strengthened child privacy laws remains in flux.  Many priority items are competing for the attention of policymakers, and few initiatives are capable of successfully navigating both the Democratic Senate and the Republican House.  Yet, it is noteworthy that the Barton-Markey bill is bipartisan, which is uncommon in today’s highly politicized climate.  Moreover, considering that most legislators have children or grandchildren who spend significant amounts of time online, it remains plausible that law makers may  approve new regulations to protect children’s online privacy.

Yet, even if Congress does not pass privacy legislation along the lines proposed by Reps. Barton and Markey, the FTC remains poised to act.  On September 15, the FTC issued proposed updates to the COPPA regulations, directed at websites that collect personal information from children under the age of 13.  These amendments, if passed, will significantly increase regulatory compliance hurdles for websites, online service providers and mobile applications that collect such information.  The FTC also has been actively investigating COPPA compliance and bringing enforcement actions to goad market participants into reviewing COPPA best practices.

COPPA requires that operators of websites or online services directed at children obtain parental consent before collecting, using or disclosing children’s personal information. The FTC implemented its COPPA Rule in 2000, reviewed it in 2005, and initiated another accelerated review in 2010 to reflect “rapidly evolving technology and changes in the way children use and access the Internet.”  The proposed modifications cover the following five areas: (i) definitions, (ii) parental notice, (iii) parental consent, (iv) confidentiality and security of information and (v) “safe harbor” programs.

First, the FTC proposes expanding the definition of “personal information” to include geolocation information, photos and videos containing a child’s image, audio files containing a child’s voice and certain types of persistent identifiers (such as IP addresses).  Additionally, it aims to clarify the definition of “collection” to make sure that it includes all types of passive online tracking, as well as systems that enable children to post personal information on public social networking sites and blogs, except where the operator employs “reasonable measures” to delete children’s personal information before it is made public and to purge it from its internal records.

Further, the amendments seek to reinforce COPPA’s goal of giving parents “direct notice” before collecting children’s personal information – instead of relying primarily on warnings in the website’s privacy policy – and ensure that operators obtain parental consent by eliminating less-reliable consenting methods.  The FTC proposes adding new methods of parental consent, such as electronic scans of parents’ signatures, video-conferencing and use of parents’ government-issued ID (as long as it is deleted promptly after verification is accomplished).

In order to strengthen the COPPA rule’s confidentiality and security provisions, the FTC proposes adding requirements that operators or third parties develop “reasonable procedures” to protect children’s personal information, retain it only as long as is “reasonably necessary,” and protect it from unauthorized access in connection with disposal of such information.  Finally, the FTC aims to strengthen its oversight of “safe harbor” programs, which are self-regulatory under COPPA, by requiring audits at least annually as well as periodic reporting of the results.

Written comments on the proposed amendments to the COPPA rule are due by November 28, 2011.

Meanwhile, a key House subcommittee recently held a hearing to offer its comments on the FTC’s proposed COPPA rule changes.  The October 5 hearing was convened by the House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade, which has jurisdiction on privacy matters.  The panel used the hearing as an opportunity to question and praise the FTC’s approach to reshaping COPPA protections.  Lawmakers from both sides of the aisle applauded the original COPPA statute and repeatedly acknowledged that the rules should be updated in a common sense fashion to account for the dramatic technological advances since the statute was originally crafted. 

The hearing likely served to reassure the FTC ahead of issuing its final rule changes after the comment period closes in November.  Representative Mary Bono Mack (R-CA), Chair of the subcommittee and one of the most influential voices in the privacy debate in Congress, expressed her support for the proposed changes.  Bono Mack told the panelists, including a representative from the FTC, that the Commission “hit the sweet spot” by striking a balance between updating protections for children and not stifling innovation.

With ongoing activity at the FTC and in Congress, it is all but certain that the landscape for children’s privacy will change in the near future and the FTC will continue to seek cases to reinforce its seriousness about children’s privacy.  If your company markets to children or young adults, or has products of interest to such age groups, now would be a good time to assess your compliance with existing and likely future regulatory requirements, and to consider engaging in the ongoing regulatory and legislative processes.

Contact Information

if you have any questions regarding this alert, please contact: