Federal Trade Commission Proposes Revisions to COPPA
Friday, February 3, 2012
The regulations that implement the Children’s Online Privacy Protection Act ("COPPA”) appear to be headed towards their first extensive revision by the Federal Trade Commission (the "FTC”) since COPPA become effective in 2000. Late last year, the FTC introduced proposed revisions, and while those revisions are far from final, we believe that research companies should start preparing for major changes in how they collect and use the personal information of children.
Federal Trade Commission Proposes Revisions to the
Children’s Online Privacy Protection Act
The FTC’s proposed amendments include the following revisions and clarifications:
While we believe that research companies will be able to comply with most of these revisions with only minor tinkering to their notice and procedures, the removal of the "email plus” parental consent mechanism may necessitate broader changes. "Email plus” allows a company to request consent from a parent in an email message, and then to follow-up to confirm that it was, in fact, the parent who provided consent. That follow-up can occur through either requesting in the initial email that the parent provide a phone or fax number so that the company can use one of those mechanisms to confirm consent or after allowing a reasonable time delay sending a second e-mail to the parent to confirm consent. The FTC wants to phase out this "email plus” mechanism, because it is extremely easy for a child to defeat. For example, the child could just give their own e-mail address. While we understand that other research trade groups may have taken an aggressive stand against the FTC’s elimination of the "email plus” mechanism, we disagree. There are other, more reliable, affordable means of obtaining parental consent available on the market and "email plus” has indeed acted as a deterrent to companies using those better methods. Comments to the proposed regulations were due in December. We will continue to monitor the FTC as it likely issues final regulations sometime later this year.
- The FTC seeks to clarify that COPPA applies not only to traditional websites, but also to other technologies that could be considered "online services,” such as mobile applications, network connected games and potentially certain text messaging services.
- The definition of "personal information” in COPPA may be expanded to include not only traditional data points (name, address, e-mail address, etc.), but also IP addresses, device identifiers, internal customer ID numbers (such as a panelist ID), and geolocational information.
- Streamlining and clarifying the notices that companies must provide about their information collection practices to parents and where links to those practices must be placed.
- Eliminating the "email plus” verification method for obtaining parental consent, while proposing several new methods.
- Requiring companies to ensure that third party service providers to whom they disclose personal information have reasonable security safeguards in place.