Last month, Ad Nauseam discussed the FTC’s changes to the Children’s Online Privacy Protection Act (COPPA). The purpose of COPPA, which was implemented in 2000, is to protect the online use of personal information of children under the age of 13. In particular, the rule assigns strict responsibilities to “operators” including that they obtain verifiable parental consent before collecting, using or disclosing personal information from children, and that any information they do collect be kept secure. Today we will take a closer look at the FTC’s revised definition of an “operator” under the COPPA rule, and focus on the effect to third party services.
Importantly, under the revised definitions, advertising networks and plug-ins now fall under the umbrella of COPPA. The COPPA revisions have expanded the definitions of an “operator” and a “website or online service directed to children” to take today’s Internet-landscape into consideration. The definitions now include a child-directed site or service that integrates outside services that collects or maintains personal information from its visitors. This rule governs entities that have an agent or service provider collect or maintain personal information from its visitors, or an entity that benefits from allowing third parties to collect personal information from the viewers. Put simply: if you own the child-oriented website, then the use of that website by third parties is your responsibility.
But what about the third party service that is placed onto a child-oriented website? The expanded definition states that a third-party service that collects personal information directly from users of a child-directed site or service will be liable for complying with COPPA only when the third party has actual knowledge that the site is child-directed. The FTC explains that a third party service may obtain actual knowledge when: (1) a child-directed content provider expressly communicates the child-directed nature of its content, or (2) a representative of the online service recognizes the child-directed nature of its content.
URL’s present an interesting issue to “actual knowledge.” An easy assumption is that a URL will indicate whether the website you are placing the ad on is child-oriented. However, the Internet is a multi-layered and complicated network, and each layer collects different information. As a result, a third-party may not be able to discern whether or not a website is a “child-directed site” simply by viewing the URL. As a result, a URL may not be a proper indicator that a website has child-directed content, and could leave a third-party at risk for liability under COPPA.
The FTC’s Chief Technologist, Steve Bellovin, recently published a blog post which provides some suggestions as to how to resolve this issue of actual knowledge. The first suggestion was explicit signaling from the child-oriented website to the third-party advertisement. This type of signaling has already been used by advertising networks when they include how to request advertisements. In this type of signaling, a news article might contain a long link, and when you click on a word, it indicates how to place the advertisement in your article. Furthermore, the advertising network is being passed along information about the website it is placed on.
Bellovin explains that this technique can be tailored to include a “COPPA-covered site” flag, to give third parties actual notice that the website is child-oriented. This flag could be placed into the URL, so that the browser will understand and pass the information on to the third party. Also, it would be possible to configure the system so that embedded content that embeds content from another source, will have to pass along information about the COPPA flag.
At this time a standard “signaling” system has not been put into place to resolve the issue of actual notice, but Bellovin suggests that it could be with accomplished with the joint effort of the industry. Until this is implemented, it is important for advertising networks and plug-ins to be cognizant of the fact that if their services are placed on a child-directed site and they have notice of this fact, they could be held liable for COPPA violations under the revised rule.