From Lemonade and Lucy to COPPA and Cookies

On July 1, 2013, the Child Online Privacy Protection Policy (“COPPA”) dramatically altered how we think about cookies

Growing up as children in the US, our first taste of commerce involved selling lemonade in front of our house on a sweltering summer day, or wondering what justified the hefty price of 5 cents Lucy charged Charlie Brown for psychiatric help. We dreamed of consuming an endless number of cookies. However, dreams of chocolate oozing scrumptious spheres of delight now fade into an abyss of virtual electronic spheres designed to ooze information including “geolocation” and “persistent identifiers.”

As of July 1, 2013, the Child Online Privacy Protection Policy (“COPPA”) dramatically altered how we think about cookies. These new cookies may not be as appealing to the 13 and under crowd, but to those who develop mobile apps, they are included in the daily-recommended consumption of data in this 21st century.

PROTECTION OF CHILDREN’S PRIVACY ON THE RISE

While COPPA has been in effect since 2000, the legislature materially expanded it’s application. COPPA requires parental consent before an online service directed at children under 13 collects the child’s personal information. The act also applies to an online service that has actual knowledge it collects personal information from children. The act requires that an operator must: (1) post a privacy policy; (2) obtain verifiable consent from parents before collection; (3) give parents the option to limit the uses of the information; (4) allow parents to request deletion of the information; (5) allow parents to prevent further uses or collection of the information; (6) maintain the security of the information; and (7) not condition a child’s participation on the child’s disclosing more personal information.

Online privacy, and in particular children’s privacy, has been a hotbed of enforcement activity for the US Federal Trade Commission (“FTC”). In February 2013, the FTC issued guidelines which outlined it’s recommendations as to how developers could engage in “privacy by design.” Additionally, state attorneys general, have suggested that there will be a state enforcement possibility.

FTC ATTEMPTS TO EDUCATION IN ADVANCE OF DEADLINE

As part of it’s effort to inform app developers about the changes in COPPA, on May 15, 2013, the FTC sent 90 “educational letters” to help them prepare for COPPA’s new rule. The FTC sent letters to both US domestic and foreign companies that may be collecting from children persistent identifiers, images or sounds. According to the FTC, the letters did not reflect an official evaluation of the companies’ practices, they were designed to help businesses come into compliance with the rule’s requirements when they go into effect on July 1, 2013.

The letter sent to the domestic companies stated, “We strongly encourage you to review your apps, your policies, and your procedures for compliance. As with all our enforcement activities, the Commission will exercise its prosecutorial discretion in enforcing the COPPA Rule, particularly with respect to small businesses that have attempted to comply with the Rule in good faith in the early months after the Rule becomes effective.”

Many app developers asked the FTC to delay the July 1, 2013 implementation deadline to provide more time to prepare for changes. The FTC rejected the requests indicating that there has been more than sufficient time to prepare for the changes. Given warning contained in the FTC’s educational letters and the refusal to extend the implementation date, it appears the FTC is poised to begin enforcement as soon as possible.

The Expanded Scope of COPPA

The new COPPA rule addresses three main classes of operators. First, it applies to anyone who operates a commercial website or online service, including mobile apps, directed to children under 13 and which collects, uses, or discloses personal information. Second, it applies to a business that runs a general audience site with actual knowledge that the site collects, uses or discloses personal from children under 13. Third, a possibly most significant expansion involves a clarification about coverage. The new COPPA rule now includes sites or services that incorporate third party services, like plug-ins or advertising services if the plug-ins or advertising services also collect personal information from children under 13.

The expansion to plug-ins and advertising services appears to be based on “stream of commerce” type theory and an attempt by the FTC to hold additional operators who benefit from collecting the personal information responsible for compliance with COPPA. However, platforms such as Google Play and Apple’s App Store that merely “offer the public access to” the apps are not covered operators.

The Initial Determination: Is the Site Directed at Children?

The FTC issued a publication entitled, “Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business.” The reader of this article is strongly encouraged to review the plan as it includes essential tips in straight forward language about how to comply with COPPA. In particular, the guide provides insight as to how the FTC will determine whether a site is directed to children under 13.

The FTC will look at a variety of factors to determine if the site or service is directed to children under 13. The FTC will look at the subject matter of the site, or service, visual and audio content, the use of animated characters or other child-oriented activities and incentives, the age of models, the presence of child celebrities or celebrities who appeal to kids and ads on the site or service that are directed to children. Finally, as a catch all guideline, the FTC will consider other reliable evidence about the age of the actual or intended audience. Given the number of specific and general guidelines, a mobile app developer should anticipate the FTC will scrutinize all possible aspects of the app in determining whether it is directed at children under 13.

EXPANDED DEFINITION OF PERSONAL INFORMATION

The FTC’s amendment to COPPA changes how we will now think of “cookies.” Before July 1, we likely thought that personal information referred to only a name, home, screen name, user name or telephone number. However, as of July 1, the definition of personal information also includes: a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier; a photo, video, or audio file containing a child’s image or voice; geolocation information sufficient to identify a street name and city or town; or other information about the child or parent that is collected from the child and is combined with one of these identifiers. Based on the new rule, cookies are no longer scrumptious morsels oozing with calories, but are electronic spheres which capture vital personal information oozing with possible uses for marketing professionals.

EXPANDED DEFINITION OF “COLLECTION”

Under COPPA, collects means a lot more than just putting the cookies in a cookie jar. An operator “collects” personal information if it simply requests, prompts, or encourages the submission of information, even it’s optional. Additionally, an operator collects information when it allows information to be made publicly available or passively tracks a child on line. In simple terms, the cookies don’t have to be placed in the jar or eaten, the operator only needs to follow a child’s movement leading up to consumption!

THE NOTICE COVERS MORE THAN YOU THINK

The rule requires that you post a privacy policy which describes not only the operator’s practices, but also the practices of any others collecting personal information on the site or service – for example, plug-ins or ad networks. The FTC recommends the policy be placed on a homepage and anywhere an operator collects personal information from a child. The link should be clear and prominent. The FTC recommends that the link should be larger font and in a contrasting color.

LIMITED EXCEPTIONS TO COPPA’S VERIFIABLE PARENT CONSENT REQUIREMENT

The FTC does allow some exceptions to when a site must obtain verifiable parent consent. However, the FTC cautioned that each exception is narrow and that if a site collects personal information under an exception, the information can’t be used or disclosed for any other purpose. Some examples of the limited exceptions are: (1) collecting the child’s and parent’s name and online contact information to get verifiable parental consent; (2) to give notice to a parent about their child’s participation on a site or service that doesn’t collect personal information; (3) to respond directly to a child’s specific one time request (like if the child wants to enter a contest); or (4) to protect a child’s safety. The rule also exempts an operator from obtaining consent to maintain or analyze the site’s functioning or perform network communications. There are several more limited exceptions, but these exceptions should be strictly followed and the developer should not collect more information than absolutely necessary.

COOKIES ARE STILL WORTH MAKING AND CONSUMING

Even though the FTC changed the rules, collecting of personal information is not something that should be shunned. A mobile app developer should collect the

information, but should also be mindful of COPPA’s requirements from the very beginning of development. Insuring compliance by adhering to the FTC’s privacy by design concept, will help insure consuming cookies remains as pleasant as when we first indulged as a child.