FTC's COPPA Request Implies Increased Burden for General Audience Websites
On July 19, the FTC announced that it is considering an update to the Children’s Online Privacy Protection Act (COPPA) and seeking public comments. The agency put out a list of questions for public comment in the Federal Register (which has been taken down as of this writing) highlighting Educational Technology, voice-activated devices (i.e. Amazon’s Alexa), and general audience websites (read: YouTube and Facebook) as areas of concern.
What does this mean for businesses collecting data from children online?
For those operators already trying to comply with COPPA, the FTC’s requests should be welcome; the FTC realizes there are loopholes in COPPA and eliminating ambiguous regulations will be helpful. For example, the FTC is thinking of expanding the definition of Personal Information to include biometrics and data that could be inferred about children, not just data definitively tied to children. The FTC uses language drawn from California’s SOPIPA and the E.U.’s GDPR, meaning that the FTC is taking cues from more sophisticated laws. Perhaps we will finally learn what “reasonably calculated” means in the context of the school exception to for collecting children’s personal information.
For “general audience” websites hosting content that is attractive to children, however, looking the other way on child users is no longer an option. The FTC is feeling its oats from its record Facebook fine (more from the excellent Byte Back blog here) and the FTC’s register questions show YouTube and Facebook in the crosshairs. To wit: the Federal register asks whether there is any way for a general audience website to rebut a presumption that there are children using its services; in other words, YouTube can no longer afford to act like the 13 million subscribers to a 6 year-old Korean child’s toy reviews are all adults just doing research. This means that general audience websites will likely have to comply with COPPA or fit into a likely narrower exception.
Less clear is how the FTC will regulate such general audience operators with child users. The new regulations might mandate age-gating before content attractive to children, making it illegal to place cookies on the devices of users under a certain age. They may revamp the process of age gating, which currently allows website operators to look the other way if children lie about their ages.
In short, general audience sites have been put on notice that ignoring child users will soon no longer fly under COPPA. This development makes marketing and tracking on general audience sites harder. Before new revisions come out, general audience websites might consider the following:
· If you have a general audience website with content that might be attractive to children, consider building a separate page for that content and age-gating that page.
· On that page, do not place cookies or beacons.
· Consider data minimization across your website.
· If you have not audited your email list to verify you know where every subscriber came from and that they have consented to marketing, now is the time audit. Reducing the number of potential children you could be emailing will significantly decrease your COPPA risk.
Might your general audience website have child users? Do you wish privacy laws had cooler acronyms? Contact SK&S privacy attorney Thomas Codevilla at Codevilla@skandslegal.com or 720-608-4799. Thomas has extensive experience in CCPA, GDPR, and COPPA compliance.