The FTC’s New Kid Privacy Rules (COPPA) Are a Big Mess (Forbes Cross-Post)

By Eric Goldman

shutterstock_121163350.jpgEarlier this month, the U.S. Federal Trade Commission (the FTC) promulgated new rules (effectively July 1, 2013) interpreting the Children’s Online Privacy Protection Act (COPPA), and the new rules are a real mess.  They are riddled with innumerable ambiguities and questionable policy choices, and I could spend a decade or two trying to figure out how the new rules apply to different factual situations.

Rather than do that, this post considers only one aspect of the new rules, but it’s crucial: is your website or app governed by the new rules?  If the rules don’t apply to you, who cares how byzantine and stupid they are?

Fortunately, most websites and apps won’t be newly affected directly by the rule change.  If you don’t have a kid-oriented website or app, you can probably avoid the new rule easily (if you’re potentially covered at all).  However, the news is less happy for vendors to kid-oriented websites or apps, including ad networks and app plug-ins, and for kid-oriented websites that haven’t already complied with COPPA.

Background

Congress enacted COPPA in 1998 as part of its never-ending efforts to “protect kids online.”  The statute provides extra online privacy protections for kids 12 and under unless parents consent.  The law, however, has some obvious structural deficiencies, such as:

* the law doesn’t apply to teens, even though minors can’t enter into binding contracts–including privacy policies.  So the statute leaves an odd gap for 13-17 year old users who aren’t covered by COPPA but presumably can’t agree to privacy policies themselves.

* most websites don’t authenticate users’ ages and can’t do so easily or cost-effectively, so many websites have no idea when they are dealing with kids.

* websites don’t have a reliable way to obtain parents’ consent online, forcing COPPA-compliant websites to adopt costly off-line verification methods.

Combine these problems with the fact that kids under 13 usually don’t have a lot of direct purchasing power, and the choice was clear for most websites: maximize profits by avoiding being covered by COPPA.

How to Avoid COPPA: the Existing Rules

Under the FTC’s existing COPPA rules, it was fairly easy to figure out how to navigate around COPPA.  The rules applied to:

any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child

Thus, websites could avoid the rules in two ways.  First, if they targeted kids, they could avoid collecting personal information.  Second, if they didn’t target kids, they could avoid collecting users’ age information, or they could bounce any self-identified kids.  While these policies aren’t ideal, they provide substantial predictability for the Internet community.

How to Avoid COPPA: the New Rules

The FTC wanted to crack down on these COPPA workarounds, but in typical FTC fashion, it did so in a ham-fisted and marble-mouthed way.  The basic rule of who is governed hasn’t changed, but the details have:

Directed to Kids.  If you ask for age information and users self-report being under 13, then you are governed by COPPA because you actually know you’re dealing with kids.  That’s not new.  You can bounce those users to avoid “knowing” you’re dealing with kids 12 and under.

However, whether or not you collect age information from users, you still might be deemed to be a website/online service directed to kids.  The new rules define this term in three parts:

*  Subpart (a) applies when site/app content appeals to kids 12-and-under.  This definition isn’t new (although the factors are expanded), and we haven’t seen any problematic FTC interpretations of this language to date.

* Subpart (b) applies when a service “has actual knowledge that it is collecting personal information directly from users of another website or online service directed to children” (emphasis added).  This is intended to cover vendors/service providers to websites dealing with kids, such as ad networks or app plug-ins, but I find this language inscrutable.

* Subpart (c) applies to services that are “directed” to kids but don’t target them as their primary audience.  This is a nonsense definition, because the rules define “directed” to kids as “targeted to” kids.  So how can a service simultaneously target kids but not target them as the primary audience?  This defines a null set, so the FTC made a drafting error.  (I asked the FTC about this in their Twitter chat and, characteristically, got a non-response).  Subpart (c) provides a safe harbor for these sites/apps if they (1) don’t collect personal information before age verification (an impossibility under the new rules) and (2) ask users’ ages and bounce users who self-report as under 13.

In its guidance accompanying the rules, the FTC implies that subpart (c) means “those sites that, based on overall content, are likely to draw a disproportionate number of child users.”  Elsewhere, the FTC clarifies that subpart (c) is supposed to be good news, not bad; it says subpart (c) “create[s] a new compliance option for a subset of websites and online services already considered directed to children under the Rule’s totality of the circumstances standard.”  Given their sloppy drafting, that’s not actually what they said, but I’ll take their word on it.

Thus, one way of reading subpart (c) is that it applies when a site/apps has lots of kid users even though that wasn’t the operator’s goal.  On balance, COPPA would be better without this extra provision, but if my reading is right, I don’t anticipate any shocking enforcement actions using this provision.

Accordingly, most websites and services that aren’t governed by COPPA today should remain outside COPPA.  Still, the FTC’s poor drafting on this crucial point is inexcusable, and I hope they fix it ASAP.

Collect and Personal Information.  The rules have expanded definitions of what it means to “collect” information from users and what constitutes “personal information.”  Personal information expressly includes IP addresses, which every website acquires by definition, and “collect” includes “passive tracking.”  It’s not clear if merely capturing IP addresses in a server log qualifies as “passive tracking.”  Any efforts to personalize the experience based on IP address probably qualifies as passive tracking.  The FTC has made it clear that behavioral advertising on kid-oriented sites/apps definitely qualifies.

As a practical matter, once a website/service is deemed a website/service “directed” to kids, COPPA applies in all its glory (and ugliness) because the website/service collects IP addresses or related identifiers.  This especially impacts sites that currently target under-13s but don’t ask users for personal information.  The new rules have such an expansive definition of personal information that all of these sites are now under COPPA’s umbrella.  In mitigation, the rules provide a partial exception if the data collection only is done for “internal operations.”  Presumably this would cover storing IP addresses in server logs; it also covers some other administrative and non-ad-targeting personalization activities.  In those cases, no notice or parental consent is required in advance, but even so the other obligations still apply–even if the website considers itself purely content publisher and never tries to interact with its users.

Effects on Other Third Parties.  The new rules also more deeply reach into the relationships between kid-oriented websites and vendors/service providers to those websites, such as ad networks.  So if you are running a business supporting websites, you might be side-swiped by COPPA because your clients are now newly deemed to be kid-directed.  This is a major problem both logistically and legally.  Among other things, I think the FTC has potential problems under 47 U.S.C. 230 for trying to hold online service providers accountable for other businesses’ activities, but the FTC lives in a parallel universe where they (incorrectly) believe 47 U.S.C. 230 doesn’t exist.

Conclusion.  If under-13 kids aren’t your target audience and you don’t collect users’ age information, the revised COPPA rules probably won’t affect you.  If you do collect age information, rethink whether you want to do so; and if you do, definitely make sure to bounce under-13 users.

Reminder: This post isn’t legal advice.  Please consult your attorney before making any decisions.

_____

December 27, 2012 Update

1) My headline declares the new regulations a “big mess,” but my blog post doesn’t fully support that characterization. Instead, the post explains the mess in only one small–though crucial–corner. I fully stand by the characterization that the COPPA regulations are a big mess, but my decision not to defend the broader claim was pragmatic. It took me over 6 hours to write this post initially, and I didn’t have the time (or, frankly, the enthusiasm) to do similarly time-consuming deconstructions of the many other ambiguities. I trust others will be rolling out those deconstructions over the coming months.

2) Based on responses to my initial Forbes post, I’m clearer that subpart (c) does not change the interpretation of subpart (a). Instead, subpart (c) provides an option to websites/apps that that supart (a) has determined are kid-directed. I don’t think subpart (c) is a very useful option because the website/app probably has to show an age verification screen immediately upon the user’s arrival. (Otherwise, it’s collecting IP addresses–overinclusively deemed personal information under the new regulations–from kids without parental permission). Even so, I guess more options are better than fewer. Still, I hope the FTC clarifies its language.

If your website/app isn’t collecting age information (and I recommend you don’t collect it if you don’t need it), subpart (a) remains the crucial provision to review to determine if COPPA applies to you. The new regulations add some language to subpart (a), but I don’t anticipate the FTC will use the new language in subpart (a) to chase borderline cases.

3) I’ve been fascinated by the press coverage typically hailing the new regulation as a “win” for kids’ privacy. Perhaps that’s true if all you care about is kids’ privacy, but viewed more holistically, I don’t see the new regulation as a clear win for kids. The new regulations provide even more reasons for websites/apps not to cater to the under-13 crowd–meaning the Internet will be less rich and resourceful to that segment of society. We saw the same dynamic when COPPA was newly enacted; the Internet literally shrunk for kids under 13 immediately after those rules went into effect in 2000 (at Epinions, we found all the self-reported under-13s and terminated their accounts). Some might lament what under-13 kids lost from that constriction, but not the FTC. They didn’t have any problem with the Internet shrinkage in 2000, and I’m sure they won’t have any problem with it now either.

[Photo Credit: Internet Protection Concept // ShutterStock]