In This Issue
FTC Proposes Significant Changes to COPPA Rule
On September 15, 2011, the Federal Trade Commission announced proposed revisions to the Children’s Online Privacy Protection Act Rule (“COPPA Rule” or “Rule”). The proposed revisions would modify the COPPA Rule in five areas:
- Definitions
- Parental Notice
- Parental Consent Mechanisms
- Confidentiality and Security of Children’s Personal Information
- Safe Harbor Programs
Public Comment Period
As discussed in more detail below, each of the proposed amendments could have a significant impact on websites and other online services, including mobile applications, geared toward children under 13 years old. The FTC seeks comments from the public on these proposed revisions, which must be submitted on or before November 28, 2011. The FTC press release announcing its proposed revisions is available here.
Background
The current COPPA Rule requires that operators of websites or online services directed to children under 13, or those that have actual knowledge that they are collecting personal information from children under 13, obtain verifiable consent from parents before collecting, using, or disclosing such information from children. The COPPA Rule was promulgated in 2000 pursuant to the Children’s Online Privacy Protection Act, which was enacted by Congress in 1999 (“COPPA”). The proposed amendments represent the first major revision to the COPPA Rule since it went into effect in 2000.
Prior to announcing the proposed revisions, the FTC sought public comment on the entire COPPA Rule, posing numerous questions for consideration. According to the FTC, revisions are necessary to “ensure that the Rule continues to protect children’s privacy, as mandated by Congress, as online technologies evolve.”
Importantly, the proposed revisions do not address many of the key issues raised in the initial comment period. For example, the FTC does not propose to broaden the definition of “child” to include all minors or teenagers, as suggested by some initial comments. Additionally, the proposed amendments do not clarify the term “actual knowledge,” a term that many companies claimed is confusing.
Clarification on the Applicability of COPPA to Online Services
The FTC noted in its announcement that in its initial proposal it sought public input on the implications for COPPA raised by technologies such as mobile communications, interactive television, interactive gaming, and other evolving media. Specifically, it asked for comments on the terms “website,” “website located on the Internet,” and “online services,” each of which is used, but not defined, in COPPA and the Rule. Following the initial comment period and subsequent roundtable discussion, the FTC found participant consensus that COPPA and the Rule are “written broadly enough to encompass many new technologies without the need for new statutory language.” Thus the FTC concluded that “online service” is broad enough to “cover any service available over the Internet, or that connects to the Internet or a wide-area network.”
As a result, the FTC announced that it views COPPA and the Rule as applying to “mobile applications that allow children to play network-connected games, engage in social networking activities, purchase goods or services online, receive behaviorally targeted advertisements, or interact with other content or services.” Similarly, the FTC noted that “Internet-enabled gaming platforms, voice-over–Internet protocol services, and Internet-enabled location-based services also are online services covered by COPPA and the Rule.” The FTC concluded that it will continue to assess emerging technologies to determine whether or not they constitute “websites located on the Internet” or “online services” subject to COPPA’s coverage.
Less clear, the FTC observed, is the applicability of COPPA and the Rule to text (SMS) and multimedia (MMS) messaging on mobile devices. The FTC acknowledged that these messages are most commonly routed through private carrier networks and not the public Internet; however, several commenters noted that some mobile applications enable users to send text messages from a Web-enabled device without using these networks. The FTC offered no further discussion or guidance on this topic.
Summary of Major Proposed Changes
Definitions
- “Personal Information”: The proposed amendment would expand the definition of personal information to include a customer identification number held in a cookie, an IP address, a processor or device number, or a unique device identifier that is used for functions other than internal operations of the Web site, as well as tracking cookies used for behavioral advertising. The proposed amendment would also add geolocation information, photographs, videos, and audio files that contain a child’s image or voice to the definition of personal information.
Note: This new definition would expand the definition of personal information to include not just personally identifiable information provided by a consumer, but information that would identify the user’s computer or mobile device. In addition, the definition would now also include information that Web site operators, ad networks, and others use to track consumers as they surf the Web.
- “Collection”: The new definition would clarify that the Rule covers the online collection of personal information both when an operator requires the personal information and when the operator merely prompts or encourages a child to provide such information. The revised definition would permit a Web site operator to allow children to participate in interactive communities without parental consent, provided that the operator take reasonable measures to delete “all or virtually all” children’s personal information before it is made public, and to delete it from its records.
- “Release”and “Online Contact Information”: The amendment would define the term “release” of personal information separately from the definition of “disclosure.” A “release” would be the sharing, selling, renting, or transfer of personal information to a third party. The definition of “Online Contact Information” would be expanded to include instant message user identifiers, VoIP identifiers, and video chat user identifiers.
Parental Notice
- COPPA requires that parents be notified both on the operator’s Web site and in a notice delivered directly to the parent whose child seeks to register on the site or service. The proposed amendments would streamline the parental notice requirement, presenting key information to parents in a link placed on the Web site’s homepage and in close proximity to every information request.
Note: This simplified presentation of notice and choice is consistent with the FTC’s recent efforts to encourage businesses to present consumers with more straightforward and understandable information about their privacy practices.
Parental Consent Mechanisms
- The proposed amendment would add new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video conferencing, and use of government-issued identification checked against a database.
- At the same time, the proposed amendment would eliminate the “email – plus” method of parental consent.
Confidentiality and Security of Children’s Personal Information
- Data Retention: The amendment would introduce a data retention and deletion requirement, which would require that data obtained from children be retained only for as long as is necessary to fulfill the purposes for which it was collected. The proposed amendment would also require operators that delete the child’s personal information to take reasonable measures to protect against unauthorized access to, or use of, the information in connection with its disposal.
- Service Providers: The amendment would add a requirement that operators ensure that service providers or third parties to whom they disclose a child’s personal information have reasonable procedures in place to protect it.
Safe Harbor
- The amendment would strengthen the COPPA Safe Harbor Programs by requiring that the Safe Harbor self-regulatory bodies, at minimum, audit their members at least annually and report the results of these audits to the Commission periodically.
If you have any questions regarding COPPA, the Rule, the proposed revisions, or would like to submit comments to the FTC, please contact us.
back to top
FTC Testifies on Children’s Identity Theft
Testifying before the House Committee on Ways and Means Subcommittee on Social Security, a staffer from the Federal Trade Commission discussed the agency’s commitment to protecting children from identity theft.
Deanya Kueckelhan, the director of the FTC’s Southwest Regional Office, told lawmakers that protecting consumers – particularly children – “is a critical component of the Commission’s consumer protection mission.” She discussed both the impact of identity theft and the agency’s efforts to combat it on three fronts: law enforcement, nationwide complaint management and education.
Kueckelhan stated that since 2001 the FTC has brought 34 law enforcement actions against businesses that failed to take reasonable steps to protect sensitive consumer information, and she made special reference to the 2006 suit against ChoicePoint, which sold sensitive information about 160,000 consumers – including Social Security numbers – to data thieves posing as clients. The company paid $10 million in civil penalties and $5 million in consumer redress. Kueckelhan also highlighted the recent action against Ceridian Corp. and Lookout Services for violations of the FTC Act for failing to implement reasonable safeguards to protect the sensitive consumer information they maintained. The defendants were required to establish and maintain a comprehensive information security program to protect the security and confidentiality of consumer information.
While millions of consumers are victimized by identity thieves each year, costing consumers and businesses billions of dollars and countless hours to repair the damage, Kueckelhan testified that children’s Social Security numbers are particularly valuable because they lack a credit history and can be paired with any name and birth date.
“In effect, a child’s identity is a blank slate that can be used to obtain goods and services over a long time period because parents typically do not monitor their children’s credit, often having no reason to suspect any problem,” she said. Therefore, “child identity theft is especially pernicious because the theft may not be detected until the child becomes an adult and seeks employment, or applies for student and car loans.”
Kueckelhan told lawmakers about a recent panel hosted by the Commission in conjunction with the Department of Justice’s Office for Victims of Crime, called “Stolen Futures: A Forum on Child Identity Theft,” where participants discussed how to prevent and remedy the problem.
Panelists discussed the causes of child identity theft – typically stolen from schools, government agencies, and businesses, and often by family members who have fallen on hard economic times – as well as potential solutions. The State of Utah experimented with an initiative to designate children’s Social Security numbers with a credit agency to help prevent an identity thief from attempting to obtain credit using the child’s name and information.
Most importantly, panelists emphasized prevention, Kueckelhan said. She encouraged parents and guardians to challenge requests for their child’s Social Security number and other personal information and to understand their child’s use of the Internet and social media so that such information is not accidentally divulged and used to commit identity theft.
To read the text of the Commission’s testimony, click here.
Why it matters: The director said the Commission’s primary goal in co-hosting the forum was to “learn more about the problem of child identity theft and to develop messages and target audiences for outreach on this issue.” In addition to preparing new educational materials like a “back-to-school alert” to inform parents about the importance of safeguarding children’s information, she said the agency “will continue its robust efforts to address all forms of identity theft through law enforcement, partnerships with state and federal agencies, nationwide data management and analysis, and education.”
back to top
State AGs Question Ads for “Adult Services”
The National Association of Attorneys General has requested that Village Voice Media respond to a series of questions about the company’s practices regarding “adult services” ads placed on the company’s Web site, Backpage.com.
The site has been the target of at least 50 cases in 22 states since 2008, the AGs said in a letter to the company, in which it called Backpage.com a sex-trafficking “hub.”
Although the site claims to have taken efforts to limit illegal advertisements, the letter, signed by 46 AGs, questions whether any changes have actually been made.
“The prominence of illegal content on Backpage.com conflicts with the company’s representations about its content policies,” the letter said. It noted recent examples like 142 advertisements “that are obviously for prostitutes” in the Seattle area, as well as advertisements for prostitutes in the Connecticut area bordered by Rhode Island and Springfield, Mass.
“We believe Backpage.com sets a minimal bar for content review in an effort to temper public condemnation, while ensuring that the revenue spigot provided by prostitution advertising remains intact,” the letter said. “Though you have stated ‘all new ads are moderated by a staff member,’ there appear to be no changes in the volume of prostitution advertisements resulting from this ‘moderation.’”
The AGs asked the company to answer detailed questions about its policies and practices, such as how it determines which ads are illegal and how many ads it has removed in the last year after an individualized or “hand” review.
The letter set a deadline of Sept. 14 for the company to substantiate its claims that it can effectively limit prostitution and sexual trafficking activity on its Web site, particularly ads that may involve minors.
Why it matters: Craigslist, which faced similar scrutiny over its adult services ads, pulled the advertisements last year. Despite the negative publicity and pressure from law enforcement, the sites have successfully argued in court that they are immune from prosecution for illegal ads under the federal Communications Decency Act, because the content was created by users, not the site.
back to top
TCPA Plaintiff’s Damages May Exceed $75,000
A plaintiff can recover statutory damages under both the automated-call and do-not-call list sections of the Telephone Consumer Protection Act, the 6th Circuit has ruled.
The plaintiff claimed that the defendant placed 33 unsolicited telemarketing calls to his home over a three-month period in an attempt to sell him a membership in the NASCAR membership club.
The first call was a prerecorded voice message and the next two calls were placed by a live agent. The plaintiff claimed that on the third call he asked the agent to place his name and phone number on the defendant’s do-not-call list, but subsequently received 30 additional calls.
On the defendant’s motion a federal court dismissed the case, finding that the plaintiff’s damages did not exceed $75,000 as required for a suit based on diversity of citizenship filed in federal court. But in reversing the dismissal, the 6th Circuit said that the plaintiff’s requested damages did exceed the jurisdictional threshold, because he could recover damages under both the automated-call and do-not-call list subsections of the TCPA. For the 31 calls the plaintiff could receive damages of $1,500 for each of the two subsections violated for a total of $93,000, the court said.
Because §227(b)(3), the automated-call subsection, and §227(c)(5), the do-not-call list subsection, “contain significant textual differences, indicating that they are distinct provisions to be treated independently,” the plaintiff could recover statutory damages under both subsections, the court said. The two subsections target different harms and each creates a private right of action.
“By enacting separate private-right-of-action provisions, each including a statutory damages provision, Congress evidenced its intent that a person be able to recover for the telemarketer’s failure to institute the minimum procedures for maintaining a do-not-call list as well as the additional harm of the call being automated,” the court said. “Recovery of damages for the two separate provisions does not upset Congress’s balance in setting damages ‘fair to both the consumers and the telemarketer.’”
The court further found the plaintiff could be entitled to an additional $18,200 in damages based on his Ohio consumer protection claims as well as damages for state law invasion of privacy claims.
To read the decision in Charvat v. NMP LLC, click here.
Why it matters: In addition to deciding that diversity jurisdiction existed in the case, the court also held that federal courts have federal-question jurisdiction over private TCPA claims such as those raised by the plaintiff. The issue has split the federal courts of appeal, with the 2nd, 3rd, 5th, 9th, and 11th Circuits concluding that the plain language of the TCPA creates a private right of action for individual plaintiffs in state – not federal – court. Noting that another panel of the 6th Circuit reached the opposite conclusion and found federal jurisdiction just a few months prior, the Charvat court said it was bound by that decision. The 6th and 7th Circuits now exist as the minority of federal circuits to recognize federal jurisdiction in such suits.
back to top
A “Terrible” Lawsuit
Just in time for opening weekend, the Pittsburgh Steelers won a preliminary injunction earlier this month against a T-shirt seller that was allegedly breaching the NFL team’s trademark rights.
The plaintiffs sued Eugene Berry Enterprise, alleging that the T-shirt seller was trying to knock off team products by attempting to trademark and sell a line of “Terrible T-shirts,” including a T-shirt that read “The Terrible T-shirt, A Pittsburgh Original.” Together with a nonprofit, the Steelers own exclusive rights to the team’s “Terrible Towel” merchandise, including towels, aprons, footballs, pillows, and totes.
According to the complaint, even the printer that produced the design asked if Berry had a connection to the Steelers or the Allegheny Valley School, the nonprofit that benefits from the sales of the Terrible Towel merchandise.
A federal court judge agreed that consumers could be confused about the source of the T-shirts and ordered a halt to their sales.
The defendant’s T-shirt sales are “diverting proceeds from their charitable purpose” and are “irreparably harming the plaintiffs and the Foundation’s more than 900 beneficiaries with intellectual and developmental disabilities across the Commonwealth of Pennsylvania,” the court said.
Therefore, the interest of the public and the harm to the plaintiffs outweighed the harm to the defendant by issuing a preliminary injunction, the court concluded, and ordered the defendant to stop selling its T-shirts.
To read the complaint in AVS Foundation v. Eugene Berry Enterprise, click here.
To read the court’s preliminary injunction order, click here.
Why it matters: Now that the lockout is over and football season is officially under way, look for NFL trademark holders to aggressively protect their valuable rights.
back to top