Advertising Law Alerts

September 30th, 2011

FTC Proposes Revisions to Children’s Online Privacy Rule

The Federal Trade Commission (FTC) recently released its proposed revisions to the rule (Rule) implementing the Children’s Online Privacy Protection Act (COPPA). The revisions would update the existing Rule to cover social media, mobile devices, and other technologies that were not taken into account at the time the Rule was enacted.

Over a decade ago, COPPA was enacted to prohibit “unfair or deceptive acts or practices in connection with the collection, use and/or disclosure of personal information” from and about children under the age of 13 on the Internet. COPPA requires that operators of websites or online services directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13, obtain verifiable consent from parents before collecting, using or disclosing such information. The Rule contains a “safe harbor” provision enabling industry groups to submit to the FTC for approval self-regulatory guidelines implementing the Rule’s protections.

In 2005, the FTC reviewed the Rule and retained it without change. The proposed revisions announced this month come on the heels of the FTC’s most recent review of the Rule, which was conducted on an accelerated basis in April 2010.

Significantly, the FTC declined to propose fundamental changes to the current COPPA framework. For example, the FTC is proposing to keep the current definitions of “child,” “Internet,” and “online service” and is also proposing to continue the “actual knowledge” standard.

Proposed Changes

The FTC has, however, proposed significant changes to the Rule. Key changes include:

Definitions. Arguably the biggest change the FTC is proposing relates to the definition of “personal information.” The COPPA Rule has always required covered operators to obtain parental consent before collecting “personal information” such as names, e-mail addresses, and telephone numbers from children. The FTC now proposes to expand the definition of “personal information” to include identifiers such as:

Screen or usernames (if used for anything other than, or in addition to, an online service’s internal technical operations);

“Persistent Identifiers” (including device identifiers, IP addresses, and cookies), if used for anything other than internal operations. This new language would permit covered operators’ use of persistent identifiers for purposes such as user authentication, improving site navigation, and serving contextual advertisements. However, the new language would require parental notification and consent prior to the collection of persistent identifiers where they are used for purposes such as:behaviorally targeting advertising to a child or amassing data on a child’s:

  • online activities;
  • “identifiers” that link children’s activity across different sites or services;
  • photographic, video, or audio files containing a child’s voice or image; and
  • geolocation data.


The FTC proposes several changes to the definitions of “collects” or “collection.” Notably, in order to encourage the development of filtering technologies, the FTC proposes to relax its “100% deletion standard” as it applies to material that children post online and, instead, to adopt an “all or virtually all standard.” The FTC would also broaden the definition to include all “passive tracking of a child online,” regardless of the technology used.

The FTC also proposes to modify the definition of “website or online service directed to children” in order to clarify that the presence of child celebrities, and celebrities who appeal to children, as well as music, are among the indicia it will use to determine whether an online service is directed to children.

Notice. The proposed amendments to the Rule would also streamline and standardize the direct notice that covered operators must give parents prior to collecting personal information from children. These revisions are intended to ensure that information is presented to parents in a standardized and succinct “just-in-time” notice, and not just in a privacy policy. Significantly, the FTC’s proposed revisions would require all operators of a website or online service, rather than a single designated operator, to provide their contact information in the required notice. Given the possibility of a child interacting with multiple operators on a single website or other online service (e.g., in the case of a mobile app that grants permission to an ad network to collect user data from within the app), the FTC noted that it believes the identification of each operator will aid parents in finding the appropriate party to whom it can direct inquiries.

Parental Consent. The FTC has proposed eliminating “email plus,” a method widely used by covered operators to verify parental consent through email confirmations. Covered operators would instead be able to obtain parental consent via the other (more onerous) methods identified in the Rule, or seek FTC approval of alternate consent mechanisms they create that are “reasonably calculated, in light of available technology, to ensure that the person providing the consent is the child’s parent.” Additionally, covered operators could use the consent methods sanctioned by COPPA “safe harbor” programs such as TRUSTe and Privo. The FTC’s objective with this change is to encourage innovation with respect to new methods of obtaining parental consent.

Confidentiality and Security. The FTC has proposed strengthening the confidentiality and security requirements of the Rule. Under the proposed amendment, covered operators will be required to ensure that any service providers or other third parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it.

Data Retention and Deletion. The FTC has proposed adding a new data retention and deletion provision to the Rule, specifying that covered operators may retain children’s personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. When deleting children’s personal information, covered operators would have to take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

Safe Harbors. The FTC has also proposed requiring self-regulatory “safe harbor” programs to audit their members at least annually and report periodically to the FTC the results of those audits. Also, new safe harbor program applicants would have to provide more detail in their applications than currently required.

Public Comment

The FTC is soliciting public comment on the proposed revisions. Written comments will be accepted by the FTC through November 28, 2011.

If you have any questions about the FTC rule, please contact Jeffrey A. Greenbaum at (212) 826-5525 or jgreenbaum@fkks.com, or any other member of the Frankfurt Kurnit Advertising Group.

Disclaimer. This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.