With two months to go until companies are expected to comply with the updated Children’s Online Privacy Protection Act (COPPA) rule, the Federal Trade Commission on Thursday released a highly anticipated guidance document.
The document stakes out 92 “Frequently Asked Questions” on the recently amended COPPA—which not only carries a significant compliance burden for operators of websites directed at children under 13, but also has broader implications for enforcement, according to privacy attorneys.
COPPA requires that operators of child-directed sites and online services (including mobile apps) obtain parental consent before collecting children’s personal information. One of the biggest changes to the rule is the broader scope of what constitutes “personally identifiable information”—which now includes photos, videos, and, notably, “persistent identifiers,” such as a user’s IP address.
Considering an IP address to be personally identifiable information is a “policy leap,” Feldman says. “No court has defined it that way. Congress hasn’t defined it that way. The FTC has defined it that way.”
The broader definition is likely to prompt compliance obligations for many companies, according to Manatt, Phelps & Phillips partner Linda Goldstein. “Because of the expansive definition of personally identifiable information, it’s hard to imagine that a kid-directed site wouldn’t be collecting some kind of information that would trigger COPPA,” says Goldstein, who chairs the firm’s advertising, marketing, and media division.
Already, 19 trade groups—including the Direct Marketing Association, the U.S. Chamber of Commerce, and the National Retail Federation—have told the FTC they think the July 1 compliance deadline is too soon and have asked for a six-month delay on enforcement.
Goldstein says brands will want to focus both on the content of their privacy policies and the manner in which those policies are disclosed on their website. The FAQs “reiterated” the agency’s view that privacy policies be clear and concise, and without extraneous or promotional material, according to Goldstein. “The message from the FTC is: streamline it,” she says.
“They’ve explicitly said in these FAQs: notice and a link at the bottom of the page will not be considered to be prominent,” says Goldstein. “They’ve essentially condemned the way most privacy policies are presented on a website.”
Other areas highlighted in the FAQ are likely to prove challenging for companies, too.
Take the collection of geolocation data, which falls under the definition of personally identifiable information. The commission is saying, “if you collected geolocation data previously, you need to get consent now—for data that you already have,” explains Goldstein, adding: “That was a bit of a surprise.”
Or how about FAQ 26, on the requirement that a child-directed website provide a “complete list” of “all the operators collecting information” on the site, which could include advertisers, sponsors, and even plug-ins used to display content. Matt Savare, a partner with Lowenstein Sandler, is used to working on advertising deals between website operators, or publishers, and advertising networks, and calls that requirement “untenable.”
“The advertiser could change on a second-by-second basis,” he says. “How does one disclose something that changes on a second-by-second basis?”
The larger challenge, though, will be for companies to “truly understand not only the data flows within this ecosystem, but the various uses, disclosures, and retentions regarding personal information,” Savare says.
And these days, he adds, “there are dozens, perhaps hundreds, of companies touching that real estate” on any given website.