SPECIAL FOCUS: FTC Announces Final Amendments to Children’s Online Privacy Protection Rule
On December 19, the Federal Trade Commission (FTC) adopted long-awaited final amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”). The amended rule – which will take effect July 1, 2013 – follows a lengthy public comment period initiated in April 2010, designed to ensure that protection for children’s privacy kept pace with new technology and the manner in which children use the Internet.
Congress granted the FTC the power to implement and update the COPPA Rule when it passed the Children’s Online Privacy Protection Act of 1998, long before the growth of the mobile marketplace, tablets, apps, social networks, and third-party companies that are now involved in the collection of personal information from consumers, including children. The amended Rule takes into account this new environment and clarifies the scope of the Rule and seeks to enhance protection for children’s privacy by giving parents greater control over their children’s personal information.
Importantly, the final amended Rule modifies the definitions of “operator,” “personal information,” and “website or online service directed to children;” updates the requirements for notice, parental consent, confidentiality and security, and safe harbor provisions; and adds a new provision on data retention and deletion. Most notably, the new COPPA Rule:
- Revises the definition of “personal information” – the collection of which triggers COPPA obligations – to include geolocation information, photos, videos, and audio files that contain a child’s image or voice. Further, personal information now includes persistent identifiers, such as IP addresses and mobile device IDs, that can be used to recognize specific users over time and across different websites.
- Expands the definition of “operator” – to cover the data collection practices of third parties that are used by or with child-directed sites, apps, and online services such as plug-ins and advertising networks.
- Offers operators new mechanisms for obtaining verifiable parental consent.
- Retains the “e-mail plus” consent mechanism for certain uses.
- Enhances and places new data protection requirements on operators.
Closing of a “Loophole.” One of the more notable changes to the Rule is the “closing of the loophole” that allowed third parties to collect personal information from children without parental consent. The FTC accomplished this by amending the definition of the term “operator” to cover a child-directed site or service that integrates outside services (e.g., plug-ins or advertising networks) that collect personal information from its visitors. Although the FTC recognized the “potential burden that strict liability places on child-directed content providers, particularly small app developers,” it noted that when Congress enacted COPPA, it imposed absolute requirements on child-directed sites and services regarding restrictions on the collection of personal information and that those requirements cannot be avoided through outsourcing offerings to other operators in the online ecosystem.
Expanded Data Collection Coverage. In addition to holding operators liable for the activities of third parties, the amended Rule also revises the definition of “website or online service directed to children” to extend coverage in some cases to third parties doing the collection, requiring them to comply with COPPA before collecting personal information from children. However, this revision came in a much narrower form of the Rule than an earlier proposal, which would have held responsible a third party that “knows or has reason to know” that it is collecting personal information through a host, website or online service directed to children. A coalition of consumer groups had supported this proposal, which would have required parental permission regardless of whether ad networks knew they were present on child-directed sites, based on the premise that third parties could be relieved from COPPA liability by claiming that they did not know how their plug-ins were being utilized or where ads were placed, nor would they have an incentive to find out this type of information.
Actual Knowledge for Third Parties. Nevertheless, the final amended Rule only extends COPPA to third parties with “actual knowledge” that they are collecting personal information through a child-directed website or online service. Although knowledge is a highly fact-specific inquiry, the FTC has set forth two scenarios in which it believes the actual knowledge standard it is adopting would be met: (i) when a child-directed content provider (who will be strictly liable for any collection) directly communicates the child-directed nature of its content to the other online service; or (ii) a representative of the online service recognizes the child-directed nature of the content.
Parental Consent. With respect to parental notice and consent, the amendments purport to streamline and clarify the direct notice requirements to ensure key information is presented to parents in a succinct “just-in-time notice” and expand the list of appropriate methods of parental consent. The Rule allows parental consent to be provided by methods such as video conferencing, use of government-issued identification, electronic scans of signed parental consent forms and alternative payment systems. Moreover, the Rule encourages companies to create simple low-cost and effective means of obtaining parental consent and by establishing a voluntary 120-day notice and comment process so parties can seek approval of a particular method of consent. Finally, the subject of numerous comments, the Rule retains “email plus” as an acceptable method of consent for operators that collect personal information for internal use.
Data Security Requirements. The final Rule also enhances the confidentiality, security, and integrity of personal information collected from children by requiring operators to adopt reasonable procedures for data retention and deletion, and take reasonable steps to release children’s personal information only to companies that can maintain the confidentiality, security, and integrity of such information. Specifically, operators are required to anticipate the reasonable lifetime of the personal information they collect from children and apply the same concepts of data security to disposal as they are required to do with collection and maintenance. Operators are also required to inquire about entities’ data security capabilities and, either by contract or otherwise, receive assurances from such entities about how they will treat the personal information they receive. Here, the FTC rejected an earlier proposal that would have required operators to “ensure” those entities secured the information absolutely.
Increased FTC Oversight of Safe Harbor Programs. The final amendments to the Rule also strengthen the FTC’s oversight of self-regulatory safe harbor programs through changes to the reporting and recordkeeping requirements. COPPA establishes a “safe harbor” for operators fully complying with an FTC-approved COPPA self-regulatory program to be deemed in compliance with the Rule and, in lieu of enforcement, would first be subject to the safe harbor program’s review and disciplinary procedures. The amendments alter the reporting obligations of such programs as follows: (i) self-regulatory programs must, at minimum, conduct annual, comprehensive reviews of each members’ information practices, as opposed to a review every 18 months; (ii) applicants to a safe harbor program must explain in detail their business model and technological capabilities and mechanisms for initial and continuing assessment; and (iii) safe harbor programs must submit a report to the FTC containing an aggregated summary of the results of the assessments, rather than a summary that names the member operators subject to the review.
In a press conference introducing the revisions, FTC Chairman Jon Leibowitz made clear that the revisions to the Rule only affect behavioral advertising, that is, advertising that is displayed based on a person’s browsing activities. Advertisers and ad networks can continue to advertise, even on sites directed to children; the rule simply limits behavioral advertising without parental consent.
Why it matters: Chairman Leibowitz commented, “I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities.” While federal legislation is still pending, including legislation that would offer similar protections to teenagers, regulators and legislators alike commented in a press conference about the new Rule that the amendments to the COPPA Rule underscore a bipartisan commitment to protect the most vulnerable members of society: our children. Thus, the FTC’s revisions seek to protect children by strengthening the role that parents play as gatekeepers of their children’s information, without hindering innovation and unduly restricting the rights of others on the internet.
back to top
’Tis the Season for Gift Card Restrictions
Expiration dates and nonuse fees for gift cards would be banned under new legislation recently introduced by Sen. Richard Blumenthal (D-Ct.). The proposed bill covers gift certificates, store gift cards (including loyalty, promotion, and award cards), and general use prepaid cards.
Current law – the 2009 Credit Card Accountability, Responsibility and Disclosure Act – allows gift card issuers to charge dormancy fees 12 months after purchase and expire the cards after five years. The Gift Card Consumer Protection Act would do away with both practices.
The proposed bill would also prohibit the sale or issuance of a store gift card if the issuer has filed for Chapter 11 bankruptcy protection. The Act amends the U.S. Bankruptcy Code to lift the automatic stay for the presentation or redemption of a gift certificate or store gift card at full value and authorizes bankruptcy trustees to honor cards and certificates at full value, the same as cash, for businesses that continue to operate while in bankruptcy.
Sen. Blumenthal – who helped enact a similar law while Attorney General of Connecticut – said the legislation would end “draconian deadlines and abusive fees.” “Gift card companies fatten their profits and shrink consumer wallets with exploitative expiration dates and petty, underhanded junk fees. Gift cards should not be the gift that keeps on taking.”
Sen. Blumenthal has the support of the Consumer Protection Financial Bureau. Director Richard Cordray said earlier this year the agency is considering “how best to extend protections” to cardholders. “If you do not know the card’s fee structure, it is easy to rack up charges unknowingly,” he said.
To read the Gift Card Consumer Protection Act, click here.
Why it matters: Even with the additional requirements imposed by the 2009 law, gift cards remain big business. Were Sen. Blumenthal’s bill to be enacted, issuers would face even more limitations on their profitability, particularly since it includes store loyalty, promotion, and award cards.
back to top
NAD Speaks on Indefinite Promotions
In a challenge brought by Home Depot, the National Advertising Division said that home improvement chain Lowe’s correctly halted indefinite promotional “10% Off” claims.
Home Depot complained that Lowe’s promoted an indefinite “10% Off Major Appliances” campaign, while representing to consumers that the offer was available only for a limited time. The online and in-store materials listed a defined period of time for the promotion, but appeared nearly identical from each week with a different “offer ends” date. Personnel from the appliance department also confirmed that the campaign was “ongoing,” “permanent,” “indefinite,” and had “no expiration date at this time,” Home Depot said.
The promotion – which continued for at least two months – was a misleading attempt to drive sales and damage the goodwill of competing retailers, Home Depot argued.
Although Lowe’s responded that the 10% was a true discount from existing prices and that the sale was extended because of popularity with consumers, it halted the campaign for “various business reasons.”
Analyzing the claims, the NAD looked to the Federal Trade Commission Guides Against Deceptive Pricing, which provides that retailers “should not offer an advance sale under circumstances where they do not in good faith expect to increase the price at a later date, or make a ‘limited’ offer which, in fact, is not limited. In all of these situations. . . advertisers should make certain that the bargain offer is genuine and truthful. Doing so will serve their own interest as well as that of the public.”
The discontinuance of the campaign was “necessary and appropriate,” the NAD determined. “NAD recognizes that aggressive price competition serves to benefit consumers, but such benefits are only realized when savings claims are accurate and enable consumers to assess the value of a bargain or sale. In order to clearly communicate the price of a sale item not only do promotions need to be accurate in relation to the sale items’ bona fide prices, but also to the availability of the discounted price.”
Further, “any future sales promotions [should] properly observe any stated time limits or end dates,” the NAD advised.
To read the NAD’s press release about the decision, click here.
Why it matters: The NAD noted that the decision should remind advertisers that they are “responsible for all reasonable interpretations of [their] claims, not simply the message [they] intended to convey.” Companies that engage in promotional pricing should review their advertising to ensure that sales and discount offers do not violate state law or federal regulations.
back to top
FCC: Confirmatory Opt-Out Message Doesn’t Violate TCPA
In response to a request by SoundBite Communications, a company that sends text messages on behalf of entities like banks, utilities, and retailers, the Federal Communications Commission issued a declaratory ruling that a single text message confirming a consumer’s opt-out of receiving future messages does not violate the Telephone Consumer Protection Act.
SoundBite follows the Mobile Marketing Association’s best practices, which permits the transmission of a confirmatory opt-out message. But a spate of consumer class actions from consumers who received confirmatory messages prompted SoundBite to seek clarification from the agency.
Siding with the two federal courts that have also addressed the issue, the FCC said confirmatory messages “ultimately benefit and protect consumers by helping to ensure. . . that the consumer who ostensibly opted out in fact no longer wished to receive text messages.”
The FCC emphasized that its ruling applies only to a one-time confirmation message when the sender has obtained prior express consent. It concluded that “A consumer’s prior express consent to receive text messages from an entity can be reasonably construed to include consent to receive a final, one-time text message confirming that such consent is being revoked at the request of that consumer.”
Consumer consent for such messages is not unlimited, however. Consent for a confirmation message is limited to texts “that: 1) merely confirm the consumer’s opt-out request and do not include any marketing or promotional information; and 2) are the only additional messages sent to the consumer after receipt of the opt-out request.”
In addition, the message must be sent within minutes of receipt of an opt-out request. Texts sent within five minutes will be presumed to fall within the consumer’s prior express consent, the agency said. “If it takes longer, however, the sender will have to make a showing that such delay was reasonable, and the longer the delay, the more difficult it will be to demonstrate that such message falls within the original prior consent.”
The agency provided an example of a confirmation text that includes impermissible marketing information: “Your request to opt-out of future messages will be honored but we are offering you a 10% discount on our products.” Such a text conveys a marketing message, the FCC said, and is “likely beyond the scope of the consumer’s prior consent.”
The agency also encouraged that marketers explicitly notify their consumers that when they opt into a text campaign, they also consent to a final confirmation text when they opt out.
The ruling emphasized that to date the agency has not received a single complaint regarding confirmation texts, but in fact had received consumer complaints about not receiving a confirmation text after sending an opt-out request. “We believe this supports the conclusion that consumers expect that their prior express consent includes consent not just to the receipt of texts but also the process for opting-out of those text messages, including the receipt of a confirmation message.”
To read the FCC ruling, click here.
Why it matters: The ruling is a victory for marketers who have faced the threat of consumer class actions under the TCPA with the potential for sizable damages. Companies should review their practices to ensure their confirmatory opt-out messages comply with the agency’s requirements, as the FCC said it will monitor consumer complaints and take appropriate action on a case-by-case basis if senders use confirmation texts as an additional opportunity to market.
back to top
FTC Retains Authority to Fight International Crime
President Barack Obama signed the U.S. SAFE WEB Act into law earlier this month, reauthorizing the Federal Trade Commission to take action against international defendants that engage in false and deceptive behavior online.
Originally passed in 2006, the Undertaking Spam, Spyware, and Fraud Enforcement with Enforcers beyond Borders Act was set to expire in 2013. The law will now remain in effect until September 2020.
Under the Act the FTC may share information and work collaboratively with foreign law enforcement authorities to combat online fraud and spam attacks. Specifically, the agency’s powers extend to:
- Reciprocate information sharing and investigative cooperation. The Act allows the FTC to share its confidential information with foreign law enforcement and, in return, receive information from foreign agencies. In addition, the FTC can conduct investigations and discovery to assist foreign authorities and receive foreign investigative assistance in matters before the FTC.
- Authority in cross-border cases. The SAFE WEB Act confirms the FTC’s authority to redress harm in the United States caused by foreign wrongdoers and harm abroad caused by U.S. wrongdoers. Under the law, all remedies available to the FTC are applicable in cross-border cases, including the award of restitution to foreign victims.
- Make criminal referrals. Actions that violate the FTC Act may be referred for criminal prosecution overseas, an option that helps the agency when it is working with a country that criminalizes fraud and deception instead of categorizing it as a violation of civil law.
Testifying in support of the law’s extension at a hearing before the House Energy and Commerce Subcommittee earlier this year, FTC Deputy Director for International Consumer Protection Hugh Stevenson called the Act “critical.”
He told lawmakers that since the law’s enactment, the agency has investigated over 100 online global frauds and filed more than 50 actions involving cross-border components, all of which saved consumers from losing hundreds of millions of dollars. Stevenson also testified that more than 100,000 online fraud consumer complaints were filed with the FTC in 2001 and at least 10 percent of those were related to foreign businesses.
To read H.R. 6131, the U.S. SAFE WEB Act, click here.
Why it matters: Rep. Mary Bono Mack (R-Calif.), one of the sponsors of the measure, called the extension of the legislation a “win-win.” “It’s good for American consumers. It’s good for the future of e-commerce. And it’s the right thing to do for our nation and our friends around the world,” she said in a statement. “With nearly 1.5 billion credit cards in use in the United States, nearly everyone in America has a stake in making certain that the FTC has the powers it needs to fight online fraud.” The Interactive Advertising Bureau also supported the Act’s extension, which Senior Vice President and General Counsel Michael Zaneis said has been “an effective tool” in protecting online commerce.
back to top
FTC Settles Charges of “History Sniffing”
Epic Marketplace and the Federal Trade Commission reached an agreement over the agency’s charges that the company used “history sniffing” technology to illegally gather data from millions of consumers.
Epic, an advertising company that has a presence on 45,000 Web sites, placed a cookie on visiting consumers’ computers to store information about the sites they visited. Epic claimed in its privacy policy that it would collect information from consumers about their visits to sites only within its network. But the company then secretly collected information about consumers for behavioral advertising purposes – “sniffing” their browsers to see what other sites they visited from March 2010 to August 2011, the FTC alleged.
Data on sensitive financial and health issues like fertility, disability insurance, incontinence, debt relief, menopause, credit repair, and bankruptcy was collected, according to the agency, and Epic used the information to categorize consumers based on their site visits. Consumer “interest segments” were created with topics like “incontinence,” and those within the segments were then served targeted ads.
The history sniffing itself does not violate Section 5 of the FTC Act, the agency said. Instead, the unfair and deceptive practice occurred when the defendant failed to inform consumers in its privacy policy about the use of the technology.
Under the terms of the proposed consent agreement, Epic is banned from future use of such technology and must destroy any information gathered unlawfully. Future misrepresentations about data privacy and confidentiality are also prohibited. Epic did not admit to any wrongdoing in the settlement.
To read the complaint and the proposed consent agreement, click here.
Why it matters: “Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” FTC Chairman Jon Leibowitz said in a news release. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”
back to top