How to Cope With COPPA

D.C. Attorney Advises on Prepping for New Kids’ Cybersafety Rules

Matt DelNero is a partner at powerhouse Washington, D.C., law firm Covington & Burling, advising clients on media, privacy, data security and more, including compliance with rules implementing the Children’s Online Privacy Protection Act (COPPA), which are overseen by the Federal Trade Commission. Those rules are changing, and DelNero spoke with Multichannel News Washington bureau chief John Eggerton about what media companies and website operators — virtually the same thing these days — should be doing in the run-up to the FTC’s implementation of those changes, scheduled to take effect July 1.

MCN: What should media companies be doing to prepare for changes in kids’ online-privacy protection rules?

Matt DelNero: First, they need to make a determination if they are operating a website that is directed to children, and a child is anyone under the age of 13.

MCN: But that doesn’t mean it has to be exclusively directed to children?

MD: Right. Even if it is partially directed to children, it still comes within the ambit of COPPA. What these new rules have done, and the FAQs that were just released, have emphasized is that websites that have plug-ins on their sites — for instance, plug-ins that are put on sites directed to children — also have to worry about the COPPA rules. That was a pretty major change.

MCN: How so?

MD: In the past, if a child-directed plug-in on a [third party’s] site was yours, it wasn’t really your problem. Now, the FTC is saying it may be your problem if you have actual knowledge that the plug-in is there.

MCN: So even if I don’t have a child-directed website, there could still be COPPA-related issues once I have determined that someone on my site is under 13?

MD: The basic purpose of COPPA is to regulate the collection of personal information about children under 13. So, if you have actual knowledge that you are collecting personal information from a child, then yes, you do have a responsibility under COPPA to obtain parental consent and meet other requirements.

Typically, most non-child-directed sites avoid collecting information that would provide that kind of actual knowledge and trigger the COPPA responsibilities. So it typically comes into play more with sites like social-networking sites that have an age screen, and somebody answers that they are under 13 and [the site owners] now have that actual knowledge and need to comply.

Once you have actual knowledge you have to take the proper steps, which could include immediately seeking the consent of a parent or, more likely, deleting the data immediately, so you are no longer in possession of personally identifiable information about children. And when you do an age screen to determine whether or not someone is 13 or under, you are also not supposed to do that in a way that leads someone to feel like the wrong answer is to say that you are under 13.

MCN: For example?

MD: The FTC has said in the past that you shouldn’t have a simple check box that asks, “are you 13 or over,” because you are going to obviously know to check yes, so you can do whatever the site is enabling you to do. More typically, it would ask you to enter the year when you were born.

MCN: What else do broadcast and cable operators need to pay attention to in the new rules?

MD: The new COPPA rules are enlarging the definition of personally identifiable information. The trigger for COPPA is: Are you collecting personally identifiable information about children? At one time, under the old interpretation, that meant name and email address. Now it also includes a broader category such as persistent identifiers.

MCN: Like what?

MD: My smartphone has an identifier unique to my phone. If I go over to a site using my phone and the website operator is collecting persistent identifiers, within the meaning of COPPA they are collecting personal information. The point is that things that you were collecting before the changes go into effect, that were completely OK under the old rules, may now trigger COPPA obligations.

MCN: Can you give us any more examples of those?

MD: Static IP addresses would be another. Screen or user names that function as contact information. Photos, videos and audio files that contain a child’s image. So, it is not necessarily a child’s name or e-mail address, or phone number.

If you are allowing children to upload videos to your site and the video has their image in it, that is now personal information under COPPA. I could see that being something that TV stations or cable operators could run into — let’s say they have a local user-engagement portion of their website, where users can upload videos.

MCN: What would site operators need to do?

MD: If you were collecting that information from kids, you would need to get parental consent, which obviously is a somewhat involved process.

MCN: And once a site has actual knowledge that the surfer is a child, what if they do collect personal information without permission?

MD: Well, it’s a federal statute and the Federal Trade Commission has enforcement authority under it. It has enforced it in the past, and resulted in unpleasant investigations and potential monetary fines and consent decrees. And as a reputational matter, as well as a legal one, you don’t want to be known as a local broadcaster or cable operator that has violated a statute meant to protect the personal information of children.

MCN: Why do you think the studios and broadcasters joined with online advertisers to try and get the July 1 deadline for implementing the changes pushed back to January? Just stalling?

MD: No. I don’t think it is stalling. These rules are a pretty big change. For example, inclusion of personally identifiable information: Media organizations have built their COPPA compliance on the old rules and they need time to go through their websites — which can be quite elaborate, as you know — mobile apps and other online services to make sure they still comply and, if not, change their practices. That takes time.

The FAQs just came out last week.

MCN: Are there actually things in the FAQs industry didn’t know when the FTC issued the new rules back in December?

MD: One, for example, is that if you do offer a child-directed site you don’t need parental consent if you blur the facial features of the child.

MCN: Should media companies be concerned that the FAQs also talk about protecting teens, even though the rules only deal with kids 12 and under?

MD: I think it is pretty clear they don’t have the right under COPPA to apply these rules to teenagers, but there has been a movement among some in Congress to expand those protections to teenagers as well, so that may just be part of a larger debate that may play out.