Corporate TIPS Blog: Federal Trade Commission's Update on Privacy Rules Involving Children
By Craig S. Horbus & Hanne-Lore M. Gambrell on October 23, 2019
The Federal Trade Commission (FTC) called for a new review of child privacy rules this summer. The FTC revealed that it is seeking comment on the effectiveness of sweeping changes it made to the Children's Online Privacy Protection Act (COPPA) just six years ago, and on whether additional amendments are needed in light of rapid technological advancements.
The first draft of COPPA took effect in 2000. COPPA requires child-directed sites and services to notify parents and obtain their verifiable consent before collecting, using, or disclosing personal information from anyone under the age of 13. Violators of COPPA face penalties of up to $41,484 per violation. In 2010, the FTC initiated its first review of COPPA, which resulted in the most recent, revised, broader policies that took effect in 2013, which now regulate photographs and voice recordings, and encompass third parties that have actual knowledge that they are collecting personal information from children.
Usually the FTC revisits its rules every 10 years; however, the commission cited the rise of voice-enabled connected devices (like Amazon’s Alexa and Google Voice Search), interactive entertainment, and general audience platforms that host third-party child-directed content, as well as advances in the educational technology arena, as reasons why it needs to act sooner.
This process is important because it will most likely affect website operators, app developers, and companies that deal in connected devices that children may be using. Additionally, enforcement has ticked up in recent years as the FTC has shifted to a Republican majority and a new slate of commissioners has been sworn in. The FTC’s enforcement actions include a record $5.7 million fine issued in February 2019 against the operator of lip sync music video app Musical.ly, which is now known as TikTok, for illegally collecting children's data; a penalty assessed against virtual dress-up game i-Dressup.com for failing to safeguard and obtain permission to collect children's data; and a settlement with toymaker VTech that marked the commission's first COPPA action involving internet-connected toys.
The FTC's unanimous decision to review COPPA’s scope and policies builds on these efforts, offering the potential for not only new compliance risks but also greater clarity on the commission's expectations. The FTC is seeking comment on all of COPPA’s major provisions, including its definitions, notice, parental consent requirements, exceptions to verifiable parental consent, and its safe harbor provision, which allow companies that meet the requirements of a certified program to receive immunity from enforcement action. The commission’s last review of COPPA addressed many of these issues, however, changes to the way children use and interact with technology have prompted many questions that the FTC could not have even fathomed in 2013.
A question that is likely to attract significant attention is what factors should be considered in determining whether a website or online service is directed to children, and thus covered by COPPA. The FTC specifically asked if this rule should be amended "to better address websites and online services that may not include traditionally child-oriented activities, but have large numbers of child users." This question could have significant implications for online sites and services as mobile device users have gotten significantly younger over the past few years.
The FTC has also asked whether it should modify the rule to encourage general audience platforms to identify and police child-directed content uploaded by third parties, which could create enhanced obligations for those that have traditionally fallen out of COPPA's grasp.
Many of the amendments in the 2013 revision of COPPA, as well as the amendments being contemplated are consistent with the recent trend of more restrictive privacy legislations such as the General Data Protection Regulation (GDPR) and the California’s impending Consumer Privacy Act. Both of these laws include broad definitions of personal information and strict liability on third-party data. This was also a key feature of the 2013 revision of COPPA, and most likely will be the trend in the next round of amendments.
The upcoming COPPA review could also result in the easing of some restrictions, particularly in the education arena. The FTC is seeking answers as to whether the requirement to obtain parents' consent should be suspended when it comes to the use of education technology in schools. This would codify guidance from the FTC that schools can act as a proxy for parents when data is being collected and used for certain educational purposes, which could also offer a degree of certainty for companies that deal in educational technology for children.
Companies were also encouraged to be active in the review process, both by submitting comments and participating in the public workshop the FTC held on October 7, 2019.
The FTC’s review will likely have the greatest impact on companies like YouTube, Snapchat, and other companies that are not directed toward children, but have a high usage by them. In the most recent review of COPPA, the FTC considered whether it should set a threshold percentage of child visitors in order to qualify a site as being directed toward children. While the FTC has always considered a site's user demographics in enforcement, the commission declined to impose a numerical trigger in 2013, and instead kept the focus on the look and feel of the site. It is unclear whether the FTC will reconsider the percentage threshold requirement in its upcoming review of COPPA; however, if this rule is considered, the number of sites and services regulated by COPPA could significantly increase.
How Brouse Can Help
Brouse McDowell offers legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery, and response). Contact us for more information.