By: Ronald G. London
The Federal Trade Commission has added to its recently revised “Frequently Asked Questions” (FAQs) to assist covered entities in complying with the first major update of regulations implementing the Children’s Online Privacy Prevention Act (COPPA Rule). The question-and-answer pairs are more clearly organized by topic and provide additional guidance, largely for ad networks. Specifically:
- One new FAQ provides greater latitude for ad networks that find out after the new rules’ effective date that they have been collecting personal information from a child-directed website, by allowing continued use of converted data and persistent identifiers under certain circumstances.
- The new FAQs also limit the circumstances somewhat where ad networks are deemed to have “actual knowledge” of the child-directed nature of sites from which they collect personal information. For example, one FAQ clarifies that knowledge gained by an ad network’s employees will less likely be attributed to the ad network if the ad network prominently discloses on its site or service the methods by which the ad network can be directly contacted with COPPA information.
- A related FAQ allows ad networks to rely on first-party affirmative representations of their non-child-directed status, including through signaling from the embedding webpage, so long as the ad network does not separately discover additional indicia of a website’s child-directed nature. If such additional indicia are “inconclusive,” the ad network may still ordinarily continue to rely on the site’s or service’s specific affirmative representations.
- Another new FAQ further establishes that, without more, the receipt of a list of websites (or services) claimed to be child-directed from parents’ organizations, advocacy groups, or similar entities is not enough to be deemed “actual knowledge” with respect to those websites or services.
This post discusses these additions to the FAQs – for further points of guidance provided in the COPPA FAQs, see our prior post, here.
When the Federal Trade Commission declined to extend the July 1, 2013, effective date for the overhaul of its COPPA Rule, it substantially revised the related FAQs, which are a key resource for understanding the regulations. Now, the FTC has acted on a promise to update the FAQs as questions arise post-effective date.
One of the recently updated FAQs poses the hypothetical of an ad network that finds out after the updated COPPA Rule’s effective date that it has been collecting personal information from a child-directed website. This new FAQ indicates that, unless an exception applies, the entity must stop collecting the information immediately, and obtain verifiable parental consent if it continues to collect new personal information from the website, re-collects personal information collected previously, or uses or discloses personal information now known to have come from the child-directed site. Verifiable parental consent must be obtained before using or disclosing the previously-collected data if there is actual knowledge it was collected from a child-directed site. Parental requests regarding the information must be honored even if there will be no further disclosure. And, the FTC urges, information known to have come from the child-directed site should be deleted “as a best practice.”
The FAQ also discusses what happens when the third-party does not know the source of personal information. In that case, the FAQ continues, if the entity, for example, converted data about websites visited into interest categories (e.g., sports enthusiast) and no longer has any indication where the data originally came from, it may continue using the interest categories without giving notice or obtaining parental consent. Or, for example, if the entity had collected a persistent identifier from a user on the child-directed website, but has not associated it with that website, continued use of the identifier is permissible without giving notice or getting parental consent.
The FAQ revisions also include several new points of guidance for when ad networks can be said to have “actual knowledge” of the child-directed nature of websites or services and/or that they have collected personal information directly from users of such sites/services. Though these situations can be highly fact-specific, the FTC points to two cases where it believes the actual knowledge standard is likely be met: where a child-directed content provider (which is strictly liable for any collection) directly communicates the child-directed nature of its content to the ad network; and where a representative of the ad network directly recognizes the child-directed nature of the content.
Under the first scenario, any direct communication the ad network has with the child-directed site or service that indicates its child-directed nature will give rise to actual knowledge. In addition, if a formal industry standard or convention ever evolves through which sites or services signal their child-directed status, that would also give rise to actual knowledge.
Whether an ad-network representative “recognizes” the child-directed nature of content will be particularly fact-dependent, but it reduces the likelihood that an ad network would be deemed to have gained actual knowledge attributable to the business as a whole through its employees, if the ad network prominently discloses on its site or service methods by which it can be contacted with COPPA information.
In a related FAQ, the FTC addresses the prospect of an ad network participating in a system in which first-party sites signal their child-directed status (e.g., by signaling from the embedding webpage to ad networks). In that case, such a signal would result in actual knowledge, but the ad network also gains the benefit by being able to know when sites signal they are “not child-directed.” However, while ad networks “may ordinarily rely on such a representation,” such reliance is advisable only if the first-party affirmatively signals its site or service is “not child-directed” – the ad network may not set that option for the first-party as a default.
The FAQ cautions that even under such a signaling system, ad networks may still be charged with gaining other additional information resulting in actual knowledge of the child-directed nature of a website or service despite a contradictory representation by the site. But, the FAQ continues, if that additional information is “inconclusive,” the ad network should still be able to rely on a specific affirmative representation made through a system of “child-directed” and “not child-directed” signals.
A new FAQ also clarifies that where an ad network receives from a parents’ organization, advocacy group, or other outside entity a list of websites or services claimed to be child-directed, the ad network would not likely be deemed to have “actual knowledge” based solely on that list. Ad networks also have no duty to investigate upon receipt of such a list. On the other hand, if the ad network is provided screen shots or other forms of concrete information as to the child-directed nature of a site or service, that would give rise to actual knowledge. The FAQ suggests that if an ad network receives a list or other information that creates uncertainty about a website or service being potentially child-directed, the ad network should still be able to rely on specific affirmative representations from a site or service that it is not child-directed (however, mere acceptance of a standard provision in, e.g., an ad network’s terms of service that a first-party agrees it is not child directed will not be a “specific affirmative representation” for this purpose).
Finally, there is a new FAQ that addresses “share buttons” embedded in child-directed apps or plug-ins that allow sending emails or otherwise posting information, such as via social networks. In that case, the FTC explains, the app/plug-in operator must obtain verifiable parental consent unless an exception applies, and that is true, even if the app/plug-in does not itself collect or share personal information.