In light of changes in technology, particularly in the mobile, interactive gaming and social networking space, this past week the FTC formally requested comments to its proposed changes to the Children’s Online Privacy Protection Rule (“COPPA”). Comments on the proposed changes are due November 28, 2011.
The changes focus on five substantive sections of the rule: (i) definitions, (ii) parental notice, (iii) parental consent, (iv) confidentiality and security, and (v) the self-regulatory safe harbor. Key highlights are stated below.
Definitions
The FTC proposes to expand the definition of “personal information” to include geolocation information, photos, videos and audio files that may enable the identification of a child, and persistent identifiers that track and identify an individual.
Parental Notice
The proposed rule attempts to streamline the parental notice requirement by limiting what is required to be included in the website operator’s privacy policy while providing more meaningful information in the direct notice to the parent.
Parental Consent
The FTC proposes to eliminate the existing parental consent mechanism of “email plus” whereby an email is sent to the parent followed by another email at a later date. The proposed rule would add several other mechanisms, including electronic scans of consent forms, video consents and ID checks against government databases.
Confidentiality and Security
The proposed rule strengthens the confidentiality and security obligations of website operators. Operators must take reasonable measures to protect the information, retain it for only as long as necessary and dispose of it in a manner to protect against unauthorized access. In addition, operators are required to ensure that their service providers have reasonable procedures in place to protect the child’s information.
Safe Harbor Requirements
Under the proposed rule, self-regulatory safe harbor programs are required to audit their members on an annual basis and provide the results to the FTC.