FTC Unlikely to Act Against Those Making Good Faith Efforts to Comply with New COPPA Rule
As the updated Children’s Online Privacy Protection Act (COPPA) rule takes effect Monday, operators of child-directed websites and apps are navigating the expansions in the rule, industry members and observers told us. Those expansions -- unveiled by the FTC late last year (CD Dec 20 p10) -- include a definition of personal information that covers device identifiers and the extension of the rule to sites and apps that are largely but not primarily directed to children. Such expansions require apps and websites to do substantial backend work and may cause revenue losses, said industry officials.
The FTC is unlikely to pursue violations of the updated rule immediately, said lawyers who deal with FTC compliance. In rejecting proposals to postpone the implementation date, as the agency did earlier this year (CD May 7 p8), the FTC is telling companies to “get your act in gear,” said John Feldman, ad attorney with Reed Smith. The agency will likely bring cases against only those companies that blatantly violate the updated rule and are not looking to become compliant, he said: Companies making good-faith efforts to come into compliance should be safe from FTC action for the immediate future. “That kind of attitude is likely to satisfy” regulators “if explained correctly,” he said. If questioned by the agency, “the answer has to be a bona fide exhibition of compliance activity,” he said.
A company’s ability to meet compliance requirements depends on company-specific factors, said Dona Fraser, director-privacy online for the Entertainment Software Rating Board, an FTC-approved COPPA safe harbor. “It’s a heavy lift for some companies,” she said. “Some of these rule changes require a lot of changes on the backend.” For each company, the compliance “timeframe depends on the nature of their business and the complexity of their data collection practices,” said Joanne Furtsch, director of product policy for TRUSTe, an FTC-approved COPPA safe harbor. TRUSTe has been working through meeting the new compliance requirements since the beginning of the year, she said.
App developers face “incredible technological challenges” to become compliant with the new rule, Tim Sparapani, Application Developers Alliance vice president-law, policy and government affairs, told us. For some apps, the updated rule will require them to collect and process more information about their users, he said. For instance, some child-directed apps had complied with the old COPPA rule by collecting no information, he said. Under the updated rule, they will have to collect enough information to determine if a user is under the age of 13 and then create separate data flows to treat those users according to the rule. The updated rule creates perverse incentives “in that they require you to collect a whole bunch more information” than apps might have previously, he said. On Friday, the ADA sent to its members a video and questionnaire to help developers come into compliance with the new rule. The video (http://bit.ly/19DMLMC) and checklist (http://bit.ly/18le0dF) are “intended to be a quick notice and questionnaire to help developers determine if they're compliant,” Sparapani said.
The inability of child-directed apps under the updated rule to display cross-platform ads will be detrimental to the app economy, Feldman said. Online behavioral ads are “how, today, most apps are funded,” Feldman said, so it’s important that operators carefully evaluate which of their apps rely on cross-platform ads for revenue. The way the new rule limits ad opportunities “cuts down revenue streams” for apps and sites, even if they’re looking to profit from contextual -- rather than behavioral -- advertising, said Alan Friel, a technology lawyer at Edwards Wildman. Contextual advertising services often collect information from users to create “rich data sets,” he continued. “Even if they’re not creating a behavioral profile, they’re still collecting data.”
Operators cannot simply prevent young children from accessing their sites and apps to avoid COPPA compliance under the new rule, which is detrimental to apps, Feldman said. As explained by the FTC in an FAQ it released prior to the implementation of the new rule (http://1.usa.gov/12rIE0W), operators with sites and apps not primarily directed at children but with audiences largely including young children may not screen users and prohibit access by users under the age of 13. Instead, the FTC said, operators may screen users for age and then collect personal information only from those users over the age of 13.
For the FTC to have this position is “unacceptable and arrogant,” Feldman said. As the updated rule is implemented, it would benefit operators to be able to block young children as their sites and apps come into compliance, he said. “During this transition period, I would rather block the children.” By including sites and apps that are largely but not exclusively directed to young children but not allowing those operators to block users under 13, the commission is broadening operators that have to comply with “restrictions that were really designed for little kids sites,” Friel said.
There needs to be some kind of technical solution so operators can clearly and consistently communicate to third parties which users are under 13 to prevent the collection of data about those users, Friel said. “There’s a question as to whether or not that technical solution is, in itself, a violation.” Sites and apps would effectively be tracking young users to tell integrated third parties not to track those users, he said. It’s unlikely the FTC would go after tracking behavior like that, he said: It would be “pretty aggressive” for the agency to do that. Ultimately, a technical solution for that kind of preemptive tracking would come from industry members, Friel said. “It will take a while for an industry-wide technical solution to be developed.”
Operators should verify that all third parties integrated into their sites and apps are compliant with the new rule, Friel said. TRUSTe is working with members to make sure they are “really understanding who’s integrated into their websites and mobile applications” and “helping them assess those relationships,” Furtsch said. Operators need to be able to ensure third parties are compliant, so TRUSTe is “arming our clients with information” to help them understand “the complex puzzle known as COPPA.” Fraser said the ESRB has been helping members to vet the third parties they work with. The members want to make sure that “if they’re engaging with third parties ... they’re doing so in a proper way,” she said. ESRB also assists members with their mobile apps’ privacy policies. “What our program does is provide the most effective disclosures for what our members are doing,” which leads to “more transparency for users,” said Fraser.
Getting verifiable parental consent “is key” for companies striving for compliance with the new rule, Fraser said. When it updated the rule, the FTC said companies could submit proposals for new ways to obtain verifiable parental consent. ESRB is working with members, “making sure that the notices ... are done in a way that are easily understandable to the user” and not “buried in legalese,” she said. “The challenge has been doing that on mobile devices as well.” ESRB looked for ways to make giving that verifiable consent “seamless,” she said. It wanted “a technology that can be built into a website, can be used on a mobile device,” she continued. ESRB partnered with Veratad Technologies to make available to members at discounted rates “a simple API plug-in” that lets parents provide immediate consent across multiple platforms after providing information once and doesn’t interfere with the user experience, Fraser said. “We spent a lot of time really researching the company and technology.” ESRB also hopes parents will use the privacy settings on devices, she said. “There are so many privacy settings on devices.”