Recent Developments in Online Privacy Laws
Have you ever wondered why you have to click a box certifying that you are over the age of 13 or enter your birth date as part of the registration process for a website? You have to click the box or enter that data because of the requirements of the Children’s Online Privacy Protection Act (COPPA). This law protects minors under the age of 13 from having their personal information collected without the consent of their parents. COPPA requires website operators that collect or disclose data from minors to have mechanisms and policies in place to obtain verifiable parental consent in order to collect such data. In addition to the federal law, state laws are increasingly being passed to protect consumer data online, like the California Online Privacy Protection Act (CalOPPA), which can have far-reaching consequences for commercial website operators who do not comply, even here in Florida.
COPPA
The goal of Congress in enacting the COPPA rule was to allow parents to control what personal information is collected from their children when using websites and online services.1 While there is a common misconception that the rule applies only to websites or services directed at children under 13, this law also applies to operators of websites or online services (including mobile applications), such as advertising networks that have actual knowledge their site or service is collecting personal information from the users of other websites or online services that are directed toward children.2 However, the FTC has noted that the operators of general audience sites are not obligated to investigate the ages of the visitors to the site or service, though many general audience sites have opted to implement COPPA screening mechanisms as a precautionary measure or to block them altogether.3
The COPPA rule requires operators of websites or online services to take certain steps in order to be compliant, including:
• Posting a clear online privacy policy that describes the site/service’s information practices for personal information collected from children;
• Providing notice to parents and obtaining verifiable parental consent before collection of personal information from children;
• Providing parents with the option of giving consent to the collection and use of the child’s internal information by the operator, but prohibiting the operator from sharing that information with third parties;
• Providing parents with access to their child’s information for review, as well as the option to have that information deleted;
• Providing parents with the ability to prevent further use or collection of a child’s personal information;
• Maintaining the security, confidentiality, and integrity of the information that is collected from children, including taking reasonable steps to release that information only to parties who are capable of maintaining it with the same level of security and confidentiality;
• Retaining personal information that has been collected from children using the site or service for only as long as is necessary to achieve the purpose for which it was collected, and then deleting it so as to protect against the data’s unauthorized access or use.4
COPPA was enacted to protect the personal information of minors in the online world, and when it was first enacted in 1998, the definition of personally identifiable information included the following categories of data:
• First and last name;
• Home address or other physical address, including the street name and name of a city or town;
• Telephone number;
• Social Security number.
As one can imagine, the rapidly changing technological environment meant that changes to COPPA would be necessary to reflect this new reality. In 2013, the FTC proposed updates to the law to reflect the new types of data that could be collected from minors online, as well as the new mechanisms that had developed for doing so. These changes expanded the definition of personally identifiable data to include:
• Online contact information;
• A screen or user name that functions as online contact information;
• Persistent identifiers (e.g., a customer number present in cookies, an IP address, or a device identifier);
• Geolocation information;
• A photograph, video, or audio file that contains a child’s image or voice;
• Information concerning the child or parents combined with an identifier.5
The FTC granted a grace period on enforcement of the updated law, which expired in 2014, and the recent enforcement actions taken by the agency include important lessons for attorneys advising website operators in this space.
The first notable enforcement of the updated COPPA rules was brought against online review community operator Yelp, Inc.6 The FTC announced a settlement of $450,000 with the company in September 2014, and the company also agreed to report on its compliance program to the agency within one year.7 What tripped the company up was not having the proper age screening mechanism in place on its mobile application, which collected the email and birth dates of users as part of the registration process, including those of minors.8 As noted by the FTC in its announcement of the settlement, the irony of Yelp’s violation of COPPA resided in the fact that the company had the proper policies and mechanisms in place on its full website, but did not ensure that the same policies and procedures were in place on the mobile app.9
The second recent notable COPPA enforcement was brought by the FTC against game maker TinyCo. At issue in this enforcement was the fact that the games seemed to be targeted at children, but did not include the proper steps for obtaining verifiable parental consent for the collection of data from them.10 This included the collection of email addresses from minors in order to send them special bonus items to redeem in the game.11 The FTC noted the features of the game that it saw as targeting children in its announcement, which included “brightly colored animated characters,” and “themes appealing to children,” such as Tiny Pets, Tiny Zoo, Tiny Monsters, Tiny Village, and Mermaid Resort.12 Ultimately, the game company settled with the FTC for $300,000, and agreed to report on its COPPA compliance program within one year.13
Perhaps the most notable of the recent COPPA enforcement actions taken by the FTC was that in regard to the app maker BabyBus. The agency took the unprecedented step of warning the company that it was not in compliance with the law, and that its apps “appear to collect precise geolocation information that is transmitted to third parties” without obtaining the proper parental consent.14 As a result of this warning, Google pulled the company’s apps from the Google Play Store.15 This situation also demonstrates an important lesson for attorneys working in the app and online space, as the aspect of the app that the FTC took issue with was not actually BabyBus’ code, but that of a third-party piece of software that was incorporated in it.16 This application programming interface that BabyBus had used to collect analytics data was also collecting geolocation data from players in violation of COPPA.17 As such, attorneys working with app developers and website operators that potentially will be collecting such data need to caution them to check for COPPA compliance not only their own internally created code, but also the code and functionalities of any third-party software that may be incorporated into their respective products.
CalOPPA
In addition to COPPA, attorneys working with clients in the online space need to be aware of the requirements of CalOPPA. This law requires all commercial operators of websites or online services to conspicuously post their privacy policies so as to inform consumers as to what categories of personally identifiable information are being collected, as well as with which third parties that information will be shared.18 Unlike COPPA, this law is not just targeted at minors, but at all California residents. While this may seem like it may not be applicable across the country, the largely interconnected world that has resulted from the advent of the Internet means that this law can indeed be a real problem for companies doing business online. Delta Airlines learned this lesson in 2012, when the company found itself the subject of an enforcement action by California Attorney General Kamala Harris for not having a privacy policy on its mobile app — conspicuously posted or otherwise.19 Ultimately, the Superior Court of California for the city and county of San Francisco found that the CalOPPA enforcement action was preempted by federal law regulating airlines.20 Like the COPPA enforcement actions, this case also demonstrates an important practice point for attorneys advising clients in this space: Ensuring that mobile apps and websites for commercial website operators feature privacy policies that are present and conspicuously posted to users.
CalOPPA has certainly made waves among companies operating online, including the companies that operate the major app stores. As a result of this, companies including Apple, Yahoo, and Google have entered into a joint statement of principles with the California Office of the Attorney General.21 As part of this agreement, the major app platform operators have agreed to undertake a number of efforts to better educate both consumers using apps, as well as app developers, about privacy and CalOPPA compliance.22 The first effort that operators have agreed to undertake is to provide consumers with the opportunity to review an app’s privacy policy before the app is downloaded. Secondly, app store operators have agreed to work to educate app developers about their privacy obligations under CalOPPA.23 Finally, these companies have agreed to develop tools that would enable consumers to report noncompliant apps.
CalOPPA is also of note for attorneys working with clients in the online space because of new amendments, which took effect on January 1, 2015.24 First, the new requirements provide that retailers operating websites must include a “delete button” feature that would allow minors who are registered users of the site to request that information and content they post be deleted from the site.25 In addition, website operators must provide minors with notice of this ability to request that their information and content be deleted from the site, as well as instructions for doing so.26 Finally, website operators are prohibited from marketing or advertising certain categories of products or services to minors online, including alcoholic beverages, ammunition, dietary supplements, drug paraphernalia, fireworks, handguns, lottery tickets, obscene matter, spray paint, tanning services, and tobacco products.27 Commercial website operators can comply with this latter restriction by either “taking reasonable actions in good faith” to avoid the prohibited marketing or advertising or by giving notice to the site’s advertising service that the site or application is “directed to minors,” the act of which shifts the burden of compliance to the advertising service from the operator.28
Conclusion
While compliance with these online data privacy laws can initially seem daunting, particularly for startup clients, it often comes down to matters of common sense. As the recent enforcements discussed in this article demonstrate, there are often simple steps that website or online service operators can take to make sure they are following the law, such as ensuring that the privacy policy is conspicuously posted. As the headlines can attest, online privacy is in the news on a daily basis, and as such, consumers, businesses, and lawmakers will continue to seek out solutions, such as COPPA and CalOPPA, to protect consumers online.
1 Federal Trade Commission, Complying with COPPA: Frequently Asked Questions, https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions#General Questions.
2 Id.
3 Id.
4 Id.
5 Id.
6 Federal Trade Commission, Yelp, TinyCo Settle FTC Charges Their Apps Improperly Collected Children’s Personal Information, https://www.ftc.gov/news-events/press-releases/2014/09/yelp-tinyco-settle-ftc-charges-their-apps-improperly-collected.
7 Id.
8 Id.
9 Id.
10 Id.
11 Id.
12 Id.
13 Id.
14 Federal Trade Commission, FTC Warns Children’s App Maker BabyBus About Potential COPPA Violations, https://www.ftc.gov/news-events/press-releases/2014/12/ftc-warns-childrens-app-maker-babybus-about-potential-coppa.
15 Id.
16 Id.
17 Id.
18 Cal. Bus. & Prof. Code §22575-22579.
19 State of California Department of Justice, Office of the Attorney General, Attorney General Kamala D. Harris Files Suit Against Delta Airlines for Failure to Comply with California Privacy Law, https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-files-suit-against-delta-airlines-failure.
20 Id.
21 State of California Office of the Attorney General, Joint Statement of Principles, available at http://ag.ca.gov/cms_attachments/press/pdfs/n2630_signed_agreement.pdf?.
22 Id.
23 Id.
24 Cal. Bus. & Prof. Code §22580-22582.
25 Id.
26 Id.
27 Id.
28 Id.
Chrissie N. Scelsi is the principal of Scelsi Entertainment and New Media Law, P.L., with offices in Port Charlotte and Orlando. She is the 2015-2016 chair of the Entertainment, Arts and Sports Law Section of The Florida Bar.
This article originally appeared in the Orange County Bar Association’s The Briefs. It is published here by permission of the Orange County Bar Association.
This column is submitted on behalf of the Entertainment, Arts and Sports Law Section, Christina N. Scelsi, chair.