This post was written by John Feldman and Frederick Lah.
It’s now been almost a month since the revised COPPA Rule went into effect July 1, 2013. Earlier this year, the FTC issued new guidance on how to comply with the revised Rule. As part of its new guidance, the FTC provided a detailed set of FAQs. To see our previous blog post on the FAQs, please click here.
The FTC is planning to make additional revisions to their FAQs, with these revisions focusing on the obligations of ad networks. Specifically, the FTC explains in what circumstances an ad network is deemed to have “actual knowledge” that it has collected personal information from users of a child-directed site (see D.10, D.11, D.12), and the obligations of ad networks after they discover that they have been collecting personal information via a child-directed website (see K.2). The revised FAQs also relates traditional enforcement policy to the context of a button within an app that automatically opens an email program or social network. Providing the facility for a child to share personal information is just as problematic as if the operator was collecting that information itself. Thus, verifiable parental consent is required when permitting children to share content that may contain personal information – such as a painting combined with a field that allows for free expression.
As of the date of this writing, the FAQs have not been updated to reflect these revisions, but we anticipate they will surely be updated soon.
In the meantime, the FAQs can be seen in their entirety below.
D.5. [Now at FAQ D.10]
D.9. I operate a child-directed app that allows kids to make paintings. I don’t collect the paintings — they rest on the device — but the app includes buttons for popular email and social media providers that kids can click on within the app. The buttons open the email program or social network, populate it with the painting, and allow the child to share it along with a message. I don’t collect or share any other personal information through the app. Do I have to seek verifiable parental consent?
Yes. The COPPA rule defines “collection” to include requesting, prompting, or encouraging a child to submit personal information online, and enabling a child to make personal information publicly available in identifiable form. In addition, under the COPPA Rule, “disclosure” includes making a child’s personal information publicly available in identifiable form through an email service or other means, such as a social network. You must get verifiable parental consent before enabling children to share personal information in this manner, even through third parties on your app. This is true unless an exception applies. (See Section I, Exceptions to Prior Parental Consent). However, in the situation you describe — where a child can email a painting and a message or post content on his or her social networking page through your app — no exception applies.
D.10. I operate an advertising network service. Under what circumstances will I be held to have “actual knowledge” that I have collected personal information directly from users of another Web site or online service directed to children?
The circumstances under which you will be deemed to have acquired “actual knowledge” that you have collected personal information directly from users of a child-directed site or service will depend a lot on the particular facts of your situation. In the 2012 Statement of Basis and Purpose, the Commission set forth two cases where it believes that the actual knowledge standard will likely be met:
- where a child-directed content provider (which is strictly liable for any collection) directly communicates the child-directed nature of its content to you, the ad network; or
- where a representative of your ad network recognizes the child-directed nature of the content.
Under the first scenario, any direct communications that the child-directed provider has with you that indicate the child-directed nature of its content would give rise to actual knowledge. In addition, if a formal industry standard or convention is developed through which a site or service could signal its child-directed status to you, that would give rise to actual knowledge. Under the second scenario, whether a particular individual can obtain actual knowledge on behalf of your business depends on the facts. Prominently disclosing on your site or service methods by which individuals can contact your business with COPPA information – such as: 1) contact information for designated individuals, 2) a specific phone number, and/or 3) an online form or email address – will reduce the likelihood that you would be deemed to have gained actual knowledge through other employees. (See also FAQ D.12 below).
D.11. I operate an ad network. I receive a list of Web sites from a parents’ organization, advocacy group or someone else, which says that the Web sites are child-directed. Does this give me actual knowledge of the child-directed nature of these sites?
It’s unlikely the receipt of a list of purportedly child-directed Web sites alone would constitute actual knowledge. You would have no duty to investigate. It's possible, however, that you will receive screenshots or other forms of concrete information that do give you actual knowledge that the Web site is directed at children. If you receive information and are uncertain whether the site is child-directed, you may ordinarily rely on a specific affirmative representation from the Web site operator that its content is not child-directed. For this purpose, a Web site operator would not be deemed to have provided a specific affirmative representation if it merely accepts a standard provision in your Terms of Service stating that, by incorporating your code, the first party agrees that it is not child directed.
D.12. I operate an ad network and am considering participating in a system in which first-party sites could signal their child-directed status to me, such as by explicit signaling from the embedding webpage to ad networks. I understand that I would have “actual knowledge” if I collect information from users on a first-party site that has signaled its child-directed status. Are there any benefits to me if I participate in such a system?
Such a system could provide more certainty for you. If the system requires the first-party site to affirmatively certify whether it is “child-directed” or “not child-directed,” and the site signals that it is “not child-directed,” you may ordinarily rely on such a representation. Such reliance is advisable, however, only if first parties affirmatively signal that their sites or services are “not child-directed." You could not set that option for them as the default.
Remember, though, that you may still be faced with screenshots or other concrete information that gives you actual knowledge of the child-directed nature of the Web site despite a contradictory representation by the site. If, however, such information is inconclusive, you may ordinarily continue to rely on a specific affirmative representation made through a system that meets the criteria above.
K.2. I operate an ad network. I discover three months after the effective date of the Rule that I have been collecting personal information via a child-directed website. What are my obligations regarding personal information I collected after the Rule's effective date, but before I discovered that the information was collected via a child-directed site?
Unless an exception applies, you must provide notice and obtain verifiable parental consent if you: (1) continue to collect new personal information via the website, (2) re-collect personal information you collected before, or (3) use or disclose personal information you know to have come from the child-directed site. With respect to (3), you have to obtain verifiable parental consent before using or disclosing previously-collected data only if you have actual knowledge that you collected it from a child-directed site. In contrast, if, for example, you had converted the data about websites visited into interest categories (e.g., sports enthusiast) and no longer have any indication about where the data originally came from, you can continue to use those interest categories without providing notice or obtaining verifiable parental consent. In addition, if you had collected a persistent identifier from a user on the child-directed website, but have not associated that identifier with the website, you can continue to use the identifier without providing notice or obtaining verifiable parental consent.
With respect to the previously-collected personal information you know came from users of a child-directed site, you must comply with parents' requests under 16 C.F.R. § 312.6, including requests to delete any personal information collected from the child, even if you will not be using or disclosing it. Furthermore, as a best practice you should delete personal information you know to have come from the child-directed site.