On October 7, 2019, the U.S. Federal Trade Commission (“FTC”) held a public workshop in Washington, D.C. to discuss whether the COPPA Rule, a Commission rule which implements the Children’s Online Privacy Protection Act (“COPPA”), needs to be updated to keep pace with recent developments, including rapid growth in the educational technology (“EdTech”) and Internet of Things (“IoT”) sectors. Industry representatives, consumer advocates, and academics gathered for the day to debate and discuss how new technologies, new business models, and changes in the ways families and schools use websites and online services are affecting children’s privacy.
What is COPPA?
Originally enacted in 1998, COPPA is designed to place parents in control of what information is collected from their children under the age of 13. It imposes obligations on operators of websites, mobile apps, and online services which are directed to children or to operators of sites, apps, and services directed to a general audience who nevertheless have actual knowledge of use by children. Among other things, businesses subject to COPPA must post a detailed privacy policy, notify parents directly about their information collection practices, and get verifiable parental consent before collecting personal information from children.
The FTC workshop and related request for public comment are part of a mandatory rule review the Commission typically undertakes every 10 years. However, the current rule review is occurring several years early – an indication of a heightened focus on children’s privacy issues that we have seen at the Commission, in Congress, and abroad.
COPPA and US Businesses
In the past year, the FTC has brought several COPPA cases including a record-setting $170 million settlement with Google and YouTube announced in September 2019 relating to YouTube’s collection of persistent identifiers from viewers of child-directed channels without first notifying parents and obtaining their consent. In Congress, Senators Edward Markey (D-Mass.) and Josh Hawley (R – MO) have proposed legislation to expand COPPA’s scope and protections. Meanwhile, outside D.C., California, the United Kingdom, and European Union have all recently expanded children’s privacy protections.
Although no specific changes to the COPPA Rule are yet proposed, businesses that collect children’s personal information or provide child-directed online services should stay attuned to the evolving legal and regulatory landscape.
Our Five Key Takeaways from the COPPA Workshop
For hints on what we might see in a proposed Rule revision consider these five key takeaways from the recent workshop:
1) Updates are Likely.
Although the FTC’s request for public comment technically asks whether the COPPA Rule should be retained, eliminated, or modified, it is extremely unlikely that the rule will be either retained in its current form or eliminated entirely. There was broad agreement amongst workshop panelists that the rule should be updated. Consumer and privacy advocates urged for updates to reflect changes in technology such as growing adoption of voice-enabled connected devices which can collect personal information from children in the home. Meanwhile, industry representatives urged for updates that would clarify the fact-specific inquiry used to determine whether a website or online service is “directed” to children.
2) An Exception to Parental Consent for Schools’ Use of Ed Tech May Be Adopted.
Workshop participants largely agreed that the COPPA requirement to obtain verifiable parental consent for each app imposes a significant administrative burden on teachers and school districts which may use hundreds of individual apps for educational purposes within their district. Panelists recommended that the FTC create an exception to the verifiable parental consent requirement similar to the “school official exception” in the Family Educational Rights and Privacy Act (“FERPA”) which allows school officials to access personal information in education records without prior parental consent provided the school has determined they have a legitimate educational interest in the information. If adopted, a similar exception under COPPA would allow a school official at the school district level to consent on behalf of parents after vetting the apps.
3) Constructive Knowledge Could Become the Standard.
Currently, operators of websites, mobile apps, and online services are only subject to COPPA if they have actual knowledge that their sites and services are being used by children. However, consumer and privacy advocates argue that constructive knowledge should be the standard – that is whether a company knew or should have known that children were using the site or service. These proponents contend that the actual knowledge standard leaves children unprotected by creating an incentive for companies to refrain from investigating whether they have child users. While critics caution that a constructive knowledge standard would be difficult to apply, the use of similar standards in other privacy laws, including the recently passed California Consumer Privacy Act mean that this is a plausible possibility.
4) Representations to Marketers Will Likely Matter.
Workshop participants broadly agreed that how a company represents itself to marketers should matter in determining whether a company’s site, app, or service is child-directed. Specifically, participants agreed that if a company suggests to marketers that it is a good means for reaching children, then it is reasonable to conclude that the site or service is directed to children.
5) Existing Exceptions for Advertising to Children are Hotly Contested.
When the FTC last amended COPPA, in 2013, it widened the definition of children’s personal information to include “persistent identifiers,” such as cookies that track a child’s online activity, irrespective of whether those identifiers are combined with other identifying information. Accordingly, a company must get verifiable parental consent if it uses persistent identifiers for child-users, unless the identifier is only used to support “internal operations” such as legal compliance, site analysis, or – critically – contextual advertising. Thus, companies today may engage in behavioral advertising towards children provided they first obtain parental consent and may engage in contextual advertising even in the absent of consent. Many privacy and parent groups argue that one or both of these exceptions should be eliminated. However, many businesses maintain that preserving these exceptions are crucial to providing them with the revenue needed to develop valuable content for children. This question of how persistent identifiers should be treated was a central topic of discussion at the recent workshop and will likely be receive attention in any future rule revision.
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
