WASHINGTON — The Federal Trade Commission has issued additional guidance on its July 1 decision to boost enforcement of the Child Online Privacy Protection Act (COPPA). Focused mostly on what constitutes “actual knowledge,” the FTC revised two of its existing FAQs (D.10 and K.2) and added three new ones (D.9, D.11 and D.12).
Last December, the FTC expanded the definition of personal information that companies can't collect from kids under 13 without parental permission to include geolocation, cookies, online user names, and photos, videos and audio. The expanded definition also brought behavioral targeting explicitly within the rule and made websites and ad networks liable for third-party collection in some circumstances.
Following are the FTC’s latest FAQs:
D.9: I operate a child-directed app that allows kids to make paintings. I don’t collect the paintings — they rest on the device — but the app includes buttons for popular email and social media providers that kids can click on within the app. The buttons open the email program or social network, populate it with the painting, and allow the child to share it along with a message. I don’t collect or share any other personal information through the app. Do I have to seek verifiable parental consent?
Yes. The COPPA rule defines “collection” to include requesting, prompting or encouraging a child to submit personal information online, and enabling a child to make personal information publicly available in identifiable form. In addition, under the COPPA Rule, “disclosure” includes making a child’s personal information publicly available in identifiable form through an email service or other means, such as a social network. You must get verifiable parental consent before enabling children to share personal information in this manner, even through third parties on your app. This is true unless an exception applies. (See Section I, Exceptions to Prior Parental Consent.) However, in the situation you describe — where a child can email a painting and a message or post content on his or her social networking page through your app — no exception applies.
D.10: I operate an advertising network service. Under what circumstances will I be held to have “actual knowledge” that I have collected personal information directly from users of another website or online service directed to children?
The circumstances under which you will be deemed to have acquired “actual knowledge” that you have collected personal information directly from users of a child-directed site or service will depend a lot on the particular facts of your situation. In the 2012 Statement of Basis and Purpose, the Commission set forth two cases where it believes the “actual knowledge” standard will likely be met: where a child-directed content provider (which is strictly liable for any collection) directly communicates the child-directed nature of its content to you, the ad network; or where a representative of your ad network recognizes the child-directed nature of the content.
Under the first scenario, any direct communications the child-directed provider has with you that indicate the child-directed nature of its content would give rise to actual knowledge. In addition, if a formal industry standard or convention is developed through which a site or service could signal its child-directed status to you, that would give rise to actual knowledge. Under the second scenario, whether a particular individual can obtain actual knowledge on behalf of your business depends on the facts. Prominently disclosing on your site or service methods by which individuals can contact your business with COPPA information — such as: (1) contact information for designated individuals; (2) a specific phone number; and/or (3) an online form or email address — will reduce the likelihood that you would be deemed to have gained actual knowledge through other employees. (See also FAQ D.12, below).
D.11: I operate an ad network. I receive a list of websites from a parents’ organization, advocacy group or someone else, which says that the websites are child-directed. Does this give me actual knowledge of the child-directed nature of these sites?
It’s unlikely the receipt of a list of purportedly child-directed websites alone would constitute actual knowledge. You would have no duty to investigate. It's possible, however, that you will receive screenshots or other forms of concrete information that do give you actual knowledge that the website is directed at children. If you receive information and are uncertain whether the site is child-directed, you may ordinarily rely on a specific affirmative representation from the website operator that its content is not child-directed. For this purpose, a website operator would not be deemed to have provided a specific affirmative representation if it merely accepts a standard provision in your terms of service stating that, by incorporating your code, the first party agrees that it is not child-directed.
D.12: I operate an ad network and am considering participating in a system in which first-party sites could signal their child-directed status to me, such as by explicit signaling from the embedding webpage to ad networks. I understand that I would have “actual knowledge” if I collect information from users on a first-party site that has signaled its child-directed status. Are there any benefits to me if I participate in such a system?
Such a system could provide more certainty for you. If the system requires the first-party site to affirmatively certify whether it is “child-directed” or “not child-directed,” and the site signals that it is “not child-directed,” you may ordinarily rely on such a representation. Such reliance is advisable, however, only if first parties affirmatively signal that their sites or services are “not child-directed.” You could not set that option for them as the default.
Remember, though, that you may still be faced with screenshots or other concrete information that gives you actual knowledge of the child-directed nature of the website despite a contradictory representation by the site. If, however, such information is inconclusive, you may ordinarily continue to rely on a specific affirmative representation made through a system that meets the criteria above.
K.2: I operate an ad network. I discover three months after the effective date of the rule that I have been collecting personal information via a child-directed website. What are my obligations regarding personal information I collected after the rule's effective date, but before I discovered that the information was collected via a child-directed site?
Unless an exception applies, you must provide notice and obtain verifiable parental consent if you: (1) continue to collect new personal information via the website; (2) re-collect personal information you collected before; or (3) use or disclose personal information you know to have come from the child-directed site. With respect to (3), you have to obtain verifiable parental consent before using or disclosing previously-collected data only if you have actual knowledge that you collected it from a child-directed site. In contrast, if, for example, you had converted the data about websites visited into interest categories (e.g., sports enthusiast) and no longer have any indication about where the data originally came from, you can continue to use those interest categories without providing notice or obtaining verifiable parental consent. In addition, if you had collected a persistent identifier from a user on the child-directed website, but have not associated that identifier with the website, you can continue to use the identifier without providing notice or obtaining verifiable parental consent.