FTC Posts Guidance for Kids' Online Privacy Rule
With two months to go until companies are expected to comply with the updated Childrens Online Privacy Protection (COPPA) rule, the Federal Trade Commission on Thursday released a highly anticipated guidance document.
The document stakes out 92 Frequently Asked Questions on the recently amended COPPAwhich not only carries a significant compliance burden for operators of websites directed at children under 13, but also has broader implications for enforcement, according to privacy attorneys.
COPPA requires that operators of child-directed sites and online services (including mobile apps) obtain parental consent before collecting childrens personal information. One of the biggest changes to the rule is the broader scope of what constitutes personally identifiable informationwhich now includes photos, videos, and, notably, persistent identifiers, such as a users IP address.
Considering an IP address to be personally identifiable information is a policy leap, Feldman says. No court has defined it that way. Congress hasnt defined it that way. The FTC has defined it that way.
The broader definition is likely to prompt compliance obligations for many companies, according to Manatt, Phelps & Phillips partner Linda Goldstein. Because of the expansive definition of personally identifiable information, its hard to imagine that a kid-directed site wouldnt be collecting some kind of information that would trigger COPPA, says Goldstein, who chairs the firms advertising, marketing, and media division.
Already, 19 trade groupsincluding the Direct Marketing Association, the U.S. Chamber of Commerce, and the National Retail Federationhave told the FTC they think the July 1 compliance deadline is too soon and have asked for a six-month delay on enforcement.
Goldstein says brands will want to focus both on the content of their privacy policies and the manner in which those policies are disclosed on their website. The FAQs reiterated the agencys view that privacy policies be clear and concise, and without extraneous or promotional material, according to Goldstein. The message from the FTC is: streamline it, she says.
Theyve explicitly said in these FAQs: notice and a link at the bottom of the page will not be considered to be prominent, says Goldstein. Theyve essentially condemned the way most privacy policies are presented on a website.
Other areas highlighted in the FAQ are likely to prove challenging for companies, too.
Take the collection of geolocation data, which falls under the definition of personally identifiable information. The commission is saying, if you collected geolocation data previously, you need to get consent nowfor data that you already have, explains Goldstein, adding: That was a bit of a surprise.
Or how about FAQ 26, on the requirement that a child-directed website provide a complete list of all the operators collecting information on the site, which could include advertisers, sponsors, and even plug-ins used to display content. Matt Savare, a partner with Lowenstein Sandler, is used to working on advertising deals between website operators, or publishers, and advertising networks, and calls that requirement untenable.
The advertiser could change on a second-by-second basis, he says. How does one disclose something that changes on a second-by-second basis?
The larger challenge, though, will be for companies to truly understand not only the data flows within this ecosystem, but the various uses, disclosures, and retentions regarding personal information, Savare says.
And these days, he adds, there are dozens, perhaps hundreds, of companies touching that real estate on any given website.