Yesterday, the FTC released its long-awaited proposed changes to the Child Online Privacy Protection Act Rule and began the comment period. Undoubtedly, the proposed rules will spur comment from online companies who already face such obligations as well as those who may be required to address new obligations as a result of the proposed rule changes. One of the most significant changes is the FTC’s elimination of the sliding scale for parental consent mechanisms which used to allow providers who collected limited information for their own use to obtain parental consent by email. Under the proposed rule, email will no longer be acceptable.
The proposed rule makes a number of changes to the existing rule and this is only a brief summary of the 122-page document released yesterday. The two primary areas that are likely to require changes to existing company practices relate to the changes to the definition of personal information and to the mechanisms available to obtain prior parental consent.
- Definition of Personal Information: The Commission’s proposed rule expands the definition to include images, video or audio of a child that is not coupled with other information, and a wide range of persistent identifiers which in the Commission’s view could be used to contact or identify a child including IP Addresses, persistent cookie values, device ID numbers, chat aliases. The proposed rule also adds geolocation information to the definition. The definition of “collection” of personal information is expanded to include any “passive tracking” technologies on the operator’s website or on other sites. The FTC’s commentary makes clear that while operators who use certain types of persistent identifiers only for operation of their services may not be required to treat those identifiers as personal information. However, as soon as a provider begins to use those identifiers to collect information for building online profiles or behavioral advertising they would no longer qualify for the “internal use” exception.
- Mechanism to Obtain Verifiable Parental Consent: The FTC has decided to attempt to spur greater innovation in methodologies for obtaining verifiable parental consent by jettisoning the “sliding scale” and “email plus” aspects of the rule that have allowed operators collecting personal information from children for internal purposes to use what the FTC considers to be a less reliable form of parental consent based on contacting parents by email. The proposed rule will require that operators use methods of obtaining verifiable parental consent which may add significant costs and new privacy concerns, such as collecting identifiers associated with driver’s licenses and Social Security Numbers, and relying on monetary transactions with a credit card. Operators will be able to file a request for approval of an alternative consent mechanism with the FTC which will be published for comment and approved or declined in 180 days. Safe harbor programs will also have some flexibility to develop new consent mechanisms.
The proposed rule also modifies other definitions, imposes new requirements related to security of data when transferred to third parties and requirements to delete data no longer needed for business purposes. What the rule does not change is the definition of “child” (remaining 12 and under); the “actual knowledge” standard; and the fundamentals of which operators are covered and which are not.
The FTC is soliciting feedback on a number of questions that related to the proposed changes, including those described above. Please contact us if you have questions about how the proposed changes may impact your business or if you have interest in filing comments.
Comments due to the FTC by November 28, 2011