FTC Proposes Major Expansion to COPPA’s Scope and Compliance Requirements

November 15, 2011
Practice Group(s):
Data Protection
By Holly Towle, Henry L. Judy, Samuel R. Castic, and Lauren B. Pryor
The Federal Trade Commission (“FTC” or “Commission”) recently released proposed revisions
(“Proposal”) to its regulations relating to the Children’s Online Privacy Protection Act (“COPPA”
or “Act”), which would expand the Act’s scope and establish new compliance requirements for
website and online service providers.1 COPPA establishes requirements for websites and online
services that collect “personal information” about children under the age of 13.2 COPPA’s
current requirements are set out in rules and regulations promulgated by the FTC in 2000.3 The
Proposal represents another example of the FTC’s recent efforts to expand the scope of, and step
up enforcement on, a variety of privacy-related issues.4 This alert highlights the significant
changes presented by the Proposal and illustrates potential ways that your business might be
affected. The FTC is accepting comments on the Proposal until November 28, 2011.
Expanded Scope of Proposed Rule; Definitional Changes.
The Proposal seeks to modify various definitions used in COPPA, which would likely result in
additional websites and online services falling under the Act’s provisions. The definitional
changes would also impact the content covered by COPPA and possibly limit available
exemptions.
Websites and Online Services
COPPA imposes requirements on websites and online services that are directed to children under
the age of 13 or that knowingly collect personal information about children under the age of 13.5
However, neither COPPA nor the current FTC regulations define “website” or “online service.”6
The Proposal does not change this situation and suggests that the terms should be interpreted
broadly in order to capture evolving technologies.7
The Proposal supports the broad application of “online services” to cover “any service available
over the Internet, or that connects to the Internet or a wide-area network.”8 Online services would
also encompass gaming sites, VoIP, mobile apps directed at kids and sites with behavior
advertising features.9 The new interpretation of websites and online services would extend the
reach of COPPA to businesses and industries that are not now within the scope of the regulations.

1. See FTC Press Release, FTC Seeks Comment on Proposed Revisions to Children’s Online Privacy Protection
Rule (Sept. 15, 2011), available at www.ftc.gov/opa/2011/09/coppa.shtm.
2. COPPA is codified at 15 U.S.C. § 6501 et seq.
3. The current COPPA regulations can be found at 16 C.F.R. part 312.
4. See, e.g., FTC Press Release, Operator of Social Networking Website for Kids Settles FTC Charges Site Collected
Kids’ Personal Information Without Parental Consent (Nov. 8, 2011), available at
http://www.ftc.gov/opa/2011/11/skidekids.shtm.
5. See 16 C.F.R. § 312.3.
6. COPPA and applicable FTC regulations commonly use “website or online service” as a single phrase.
7. 76 Fed. Reg. 59807 (Sept. 27, 2011) (“The Commission does not believe that the term ‘online service’ needs to be
further defined . . . .”).
8. 76 Fed. Reg. 59807.

Personal Information
One of the more significant proposed changes to COPPA is the expanded definition of personal
information. Personal information covers a wide variety of “individually identifiable information
about an individual online,” including names, addresses, telephone numbers, email addresses, and
other identifiers that the FTC deems applicable.10 The Proposal would expand the definition of
personal information in four key ways:
• Personal information would include “persistent identifiers.”11 A persistent identifier represents
“a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device
serial number, or unique device identifier12, where such persistent identifier is used for
functions other than or in addition to support for the internal operations of, or protection of the
security or integrity of, the Web site or online service.”13 The term unique device identifier is
not specifically defined in the Proposal,14 which may cause ambiguity regarding the types of
devices to which COPPA applies (e.g., cell phones, tablet devices, other wireless devices).
The addition of persistent identifiers to the definition of personal information could restrict the
applicability of the “support for internal operations” exemption under COPPA in that network
advertisers would no longer be able to claim that the collection of persistent identifiers
constitutes a technical function which would fall under such exemption.15 The Proposal is also
ambiguous on the issue of when a persistent identifier standing alone is personal information
and when it is personal information only when associated with other information.
• COPPA would now cover any “identifier [persistent or not] that links the activities of a child
across different Web sites or online services.”16 The Proposal states that this addition “is
intended to serve as a catch-all category covering the online gathering of information about a
child over time for the purposes of either online profiling or delivering behavioral advertising
to that child.”17 As a consequence, a service that tracks child user movements across Web sites
or online services, but stores this information separately from the persistent identifier, would
be deemed to have collected personal information from the child.18 Prior parental notification
and consent would be required before collecting any such information.
• Personal information would extend to photographs, videos, or audio files that include a child’s
image or voice.19 Under the current rule, such information constitutes personal information
only when combined with other information such that physical or online contact with a child is
possible. The Proposal notes that photographs of children may contain metadata, such as
embedded geolocation data, that could enable physical or online contact.20 Further, advances
in facial recognition technology may be used to identify children.21 The FTC is also
considering adding a user’s full nine digit ZIP Code to the definition of personal information.22
• The Proposal would restrict the use of screen or user names where such identifiers are used for
purposes beyond internal operations.23 Businesses would be obligated to verify that collection
of such personal information fits within the internal operations exemption. If the collection of
such information is not for internal administrative purposes, the website operator must comply
with COPPA’s requirements (i.e., obtaining verifiable parental consent) before collecting such
information.

9. Id. See id. at 59807 n. 41 (listing actions commenced by the FTC against operators of online services).
10. 76 Fed. Reg. 59810.
11. 76 Fed. Reg. 59830 at proposed § 312.2(g).
12. See Jennifer Valentino-DeVries, Unique Phone ID Numbers Explained, Wall Street Journal—Digits Blog, Dec. 19,
2010, available at http://blogs.wsj.com/digits/2010/12/19/unique-phone-id-numbers-explained/.
13. 76 Fed. Reg. 59830 at proposed § 312.2(g).
14. This term may include information such as International Mobile Equipment Identity (IMEI) and International Mobile
Subscriber Identity (IMSI) numbers or numbers that are specific to certain providers, such as Apple’s unique ID
numbers (UDID).
15. 76 Fed. Reg. 59812.
16. Id. at proposed § 312.2(h).
17. Id.
18. Id.
19. 76 Fed. Reg. 59813 at proposed § 312.2(i).
20. 76 Fed. Reg. 59813 n. 87.

More Narrow Definition of Collects and Collection
The Proposal includes one definitional revision that might ease COPPA’s compliance burden.
Currently, sites and services that enable “children to make personal information publicly available
through a chat room, message board, or other means” are deemed to “collect” personal
information “except where the operator deletes all individually identifiable information from
postings by children before they are made public, and also deletes such information from the
operator’s records.”24 The Proposal would revise this definition to exempt operators that delete all
“or virtually all personal information” before posting and from their records.25 After observing
that the complete deletion standard for “all” personal information presents substantial challenges,
the FTC states that the new “virtually all” standard “is intended to encourage the development of
systems, either automated, manual, or a combination thereof, to detect and delete all or virtually
all personal information that may be submitted by children prior to its public posting.”26
Broader Range of Content Will Be Considered Relevant When
Determining Whether a Site or Service is Directed to Children.
In addition to websites or online services that knowingly collect information about children under
the age of 13, COPPA applies to sites or services that are directed to children.27 The analysis of
whether a website or online service is considered to be directed to children is based on the totality
of the circumstances and assesses a variety of factors.28 In addition to the factors already
enumerated in the rule,29 the Proposal would add the following types of content to the list of
factors it evaluates when determining whether a website or online service is directed to children:
• Child celebrities;
• Celebrities that appeal to children; and
• Music.30
Fewer Methods Will Constitute Verifiable Parental Consent.
Websites and online services subject to COPPA must obtain verifiable parental consent before
collecting or using a child’s personal information.31 The Proposal demonstrates that the FTC will
continue to take a narrow view of what constitutes verifiable parental consent. Specifically, the
FTC rejected several proposed methods of obtaining parental consent, including:
• Collecting a parent’s mobile number, and obtaining consent via SMS text message;
• Using a payment card other than a credit card;
• Developing parental control settings in game consoles;
• Use of an electronic signature; and
• Use of a mobile device to “input data by touching or writing on the device’s screen.”32
In addition to the clarifications above, the FTC intends to eliminate the so-called “e-mail plus”
method of obtaining consent. This method currently permits sending an initial e-mail to the parent
followed by an additional step, such as confirming consent via mailed letter, telephone call, or
delayed confirmatory e-mail by the site or service. The FTC believes that this method “has
outlived its usefulness and should no longer be a recognized approach to parental consent . . . .”33
The FTC proposes to allow, under certain circumstances, use of a scanned signature, video
conferences, and input of a government identification number as potential ways of obtaining
verifiable parental consent.34

21. 76 Fed. Reg. 59813 n. 88.
22. 76 Fed. Reg. 59814.
23. 76 Fed. Reg. 59830 at proposed § 312.2(d).
24. 16 C.F.R. § 312.2 (emphasis added).
25. 76 Fed. Reg. 59829 (emphasis added).
26. 76 Fed. Reg. 59808.
27. 16 C.F.R. § 312.2.
28. 76 Fed. Reg. 59814.
29. See 16 C.F.R. § 312.2.
30. 76 Fed. Reg. 59814.
31. 16 C.F.R. § 312.5.

The Proposed Revisions Include Additional Requirements.
The Proposal includes clarifications about COPPA’s scope. For example, in indicating the types
of entities that must comply with COPPA, the Proposal clarifies that entities that prompt or
encourage a child to provide personal information—not just those that directly request personal
information—would be deemed to be collecting personal information from children.35 This
change would inevitably cause websites that were previously beyond COPPA’s grasp to consider
compliance strategies.
The Proposal would require sites and services to “take reasonable measures to ensure that any
third party to whom [they] release[] children’s personal information has in place reasonable
procedures to protect the confidentiality, security, and integrity of such personal information.”36
Sites and services would also be required to implement data destruction requirements for the
personal information they collect. Specifically, when personal information is no longer
reasonably necessary to fulfill the purpose for which it was collected, it must be securely deleted.
Privacy Policy Changes Will Likely Be Required.
If adopted, the Proposal will likely require modifications to privacy policies and terms of use. For
example, when multiple operators jointly provide a particular site or service, the proposed
regulations would now require each entity to include its name, physical address, telephone
number, and e-mail address.37 Such situations might occur when there are multiple entities
receiving the personal information collected by the sites or services, such as business partners or
affiliates, embedded content providers, or third party advertisers.
Both the current rule and the Proposal describe certain items that must be contained in the notice
of the website’s or online service's information practices if it is to be complete. The FTC proposes
“eliminating the Rule’s current lengthy—yet potentially under-inclusive—recitation of an
operator’s information collection, use, and disclosure practices in favor of a simple statement”
providing: (1) each operator’s contact information; (2) a description of what information each
operator collects from children, including whether the website or online service enables a child to
make personal information publicly available as well as how the operator uses and discloses such
information; and (3) that the parent can review and have the operator delete a child’s personal
information and refuse to permit further collection or use of the child’s information, and state the
procedures for doing so.”38 The FTC offers a threefold justification for this change:
• Privacy policies written under the current rule are “often long and difficult to understand, and
may no longer be the most effective way to communicate salient information to consumers”;
• The FTC “hopes to encourage operators to provide clear, concise descriptions of their
information practices”; and
• Simpler descriptions “may have the added benefit of being easier to read on smaller screens
(e.g., those on Internet-enabled mobile devices).”39
The difficulty is that the Proposal appears to be little more than a concise redraft of the current
provision. COPPA itself has not changed, and it is not clear that operators and service providers
will feel comfortable omitting some of the details that they view as necessary for compliance.

32. 76 Fed. Reg. 59817-19.
33. 76 Fed. Reg. 59819.
34. 76 Fed. Reg. 59818.
35. 76 Fed. Reg. 59808.
36. 76 Fed. Reg. 59832 at proposed § 312.8.
37. 76 Fed. Reg. 59815.

Self-Regulation Safe Harbor Rejected.
In contrast to the existing regime, the Proposal rejected the argument that compliance with the
Direct Marketing Association’s Self-Regulatory Principles for Online Behavioral Advertising40
represented a form of “robust self regulation [that] is the best and most appropriate way to address
privacy concerns in connection with online behavioral advertising, including concerns related to
children.”41 While the Proposal acknowledges the value of self-regulation, it asserts that
“Congress specifically directed the Commission to promulgate and implement regulations
covering the online collection, use, and disclosure of children’s personal information.”42 In doing
so, the Proposal implies that the FTC’s independent judgment of what COPPA requires will
control over industry statements of best practices.
The FTC Is Seeking Input on Its Proposed COPPA Revisions.
If any aspect of the Proposal will make conducting your business more difficult, or if you have
recommendations that could make complying with COPPA easier, the FTC is accepting comments
until November 28, 2011. Please contact one of the attorneys listed below if you would like
guidance with respect to COPPA or assistance in connection with the submission of comments to
the FTC.

38. Id.
39. Id.
40. The Principles may be found at http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf.
41. 76 Fed. Reg. 59812.
42. Id.

Authors:
Holly Towle
holly.towle@klgates.com
+1. 206.370.8334
Henry L. Judy
henry.judy@klgates.com
+1. 202.778.9032
Samuel R. Castic
sam.castic@klgates.com
+1. 206.370.6576
Lauren B. Pryor
lauren.pryor@klgates.com
+1. 202.778.9398