Photo of Matthew Sullivan

Email
(202) 342-8580
Bio

This week, the Federal Trade Commission announced the latest updates to its Frequently Asked Questions (“FAQs”) document to assist online operators as they work to comply with changes to the Children’s Online Privacy Protection (“COPPA”) Rule that went into effect on July 1, 2013. The updated FAQs address the following topics:

  • Share buttons – FAQ D.9 confirms that if an online or mobile app contains embedded buttons or plug-ins that allow children to send email or otherwise post information (for example, through a social network), the operator of such app must obtain verifiable parental consent unless an exception applies. Such consent is required even if the app does not otherwise collect personal information from children.
  • Actual knowledge – FAQs D.10-D.12 describe various instances where an operator of a third-party advertising network will be deemed to have “actual knowledge” that it is collecting personal information directly from users of another Web site or online service directed to children.
  • Information collected from a child-directed site – FAQ K.2 addresses the notice and consent obligations of ad networks that collected personal information through child-directed websites prior to the July 1 rule changes. According to the FTC, in the absence of an applicable exception, the operator must stop collecting information immediately and obtain verifiable parental consent before using any personal information that the operator knows came from the child-directed website or online service.

These updates are the latest in a series of recent updates to the COPPA FAQs (also see here, here, and here) to educate operators of websites and online services directed to children about their obligations under the amended Rule.
 

Two industry organizations announced new initiatives designed to help mobile app developers comply with revisions to the Children’s Online Privacy Protection Act (“COPPA”) Rule, which take effect today.

Today, the Association of Competitive Technologies (“ACT”) launched Moms With Apps, an initiative aimed at highlighting mobile apps that were designed with children’s privacy in mind. According to ACT, Moms With Apps will establish industry standards and best practices designed to assist with COPPA compliance, encourage transparency with respect to privacy practices and app features, and promote apps tailored to children under the age of 13.

On June 25, the Entertainment Software Rating Board (“ESRB”) announced that its privacy seal certification program, ESRB Privacy Certified, now includes services to help mobile app developers comply with the changes to COPPA. ESRB Privacy Certified includes the following suite of services:

• Individualized privacy risk assessment for all online and mobile properties;
• Solutions for obtaining verifiable parental consent for users under age 13
• Guidance on providing concise “short form” privacy disclosures to mobile users;
• Consultation on privacy policy development; and
• Ongoing compliance monitoring and reporting.

Lastly, the FTC announced the availability of new materials to help businesses that operate child-directed websites and mobile apps comply with COPPA. The FTC document, “The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business,” includes a six-step process for companies to determine their obligations under COPPA. In addition, the FTC also released a video for businesses that explains the Rule changes. The new materials are the latest effort by FTC Staff (also see here, here, and here) to educate operators of websites and online services directed to children about their obligations under the amended Rule.
 

This week, the Federal Trade Commission announced the latest update to its frequently asked questions (“FAQs”) document to assist online operators as they prepare for changes to the Children’s Online Privacy Protection (“COPPA”) Rule, which go into effect on July 1, 2013. The updated FAQs address the parental notice and consent obligations for operators that feature a Facebook “Like” button on their site. The new question and answer (see FAQ I.10) read as follows:

10. I have a child-directed website. Can I put the Facebook Like button on my site without providing notice and obtaining verifiable parental consent?

Section 312.5(c)(8) of the Rule has an exception to its notice and consent requirements where:
• a third-party operator only collects a persistent identifier and no other personal information;
• the user affirmatively interacts with that third-party operator to trigger the collection; and
• the third-party operator has previously conducted an age-screen of the user, indicating the user is not a child.

If the third-party operator meets all of those requirements, and if your site doesn’t collect personal information (except for that covered by an exception), you don’t need to provide notice or obtain consent. This exception doesn’t apply where the third party collects more information than a persistent identifier — for example, where the third party also collects user comments or other user-generated content. In addition, a child-directed website can’t rely on this exception to treat particular visitors as adults and track their activities. If your inclusion of the Facebook Like button satisfies all these criteria, you may rely on this exception under the Rule.

The new Q&A is the latest effort by FTC Staff (also see here, here, and here) to educate operators of websites and online services directed to children about their obligations under the amended Rule.
 

On May 24, 2013, Ohio consumers filed a class action lawsuit in U.S. District Court (N.D. Ohio) alleging that advertising by clothing retailer Jos. A. Bank violates the Ohio Consumer Sales Practices Act (“CSPA”) and state sale price statutes. See Schneider v. Jos. A. Bank Clothiers, Inc., No. 1:13-cv-01175-SL (N.D. Ohio Filed on May 24, 2013).  According to the Complaint, Jos. A. Bank’s television, radio, print, and online advertising falsely promotes substantial savings (including “free” offers) on men’s suits, sportcoats, and dress pants by basing the advertised “discount” prices on grossly inflated and illusory “regular prices” that do not represent the prices at which any of the clothing items are sold.

As one purported example of Jos. A. Bank’s alleged illegal conduct, the Complaint describes an instance where an Ohio consumer purchased a suit for “70% Off” of the advertised regular price of $895.  The Plaintiffs allege that the $895 “regular price” does not reflect the actual price regularly paid by consumers for the applicable suit, and that the suit is substantially inferior in value to the advertised regular price.  Ohio law defines a “regular price” as “the price at which the goods or services are openly and actively sold by a supplier to the public on a continuing basis for a substantial period of time.”  In addition, the Complaint asserts that Jos. A Bank’s claims that its sales are for a “limited time,” “today only,” or similar terms, are false and deceptive because the company maintains its sales offers on a nearly continuous basis.

The lawsuit claims that Jos. A Bank’s conduct violates Ohio Administrative Code section 109:4-3-04, which imposes certain requirements when making “free” promotional offers, and section 109:4-3-12, which prohibits an advertiser from using certain terms (e.g., “regularly. . .”, “now. . .;” “reduced from. . . to . . .,”) unless the comparison is to the advertiser’s legitimate regular price.

The plaintiffs are seeking compensatory damages that are based on the difference between the allegedly inflated “regular price” that each class member paid for a clothing item, and the “true” lower regular price for each such item.
 

Earlier this week, the Federal Trade Commission announced an update to its frequently asked questions (“FAQs”) document to assist online operators as they prepare for changes to the Children’s Online Privacy Protection (“COPPA”) Rule, which go into effect on July 1, 2013. The updated FAQs clarify parental notice and consent obligations for child-directed apps that collect information from a child in order to send push notifications to users. The new question (No. 80) and answer read as follows:

80. I have a child-directed app and want to send push notifications. Do I need to get parental consent?

  • The information you collect from the child’s device used to send push notifications is online contact information – it permits you to contact the user outside the confines of your app – and is therefore personal information under the Rule. To the extent the child has specifically requested push notifications, however, you may be able to rely on the “multiple-contact” exception to verifiable parental consent, for which you must also collect a parent’s online contact information and provide parents with direct notice of your information practices and an opportunity to opt-out. See FAQ 58. Importantly, in order to fit within this exception, your push notifications must be reasonably related to the content of your app. If you want to combine this online contact information with other personal information collected from the child, you cannot rely on this exception and must provide parents with direct notice and obtain verifiable parental consent prior to sending push notifications to the child.

The FTC’s latest update to the COPPA FAQs follows other recent efforts to educate operators of websites and online services directed to children about their obligations under the amended Rule. As we described last week, the FTC recently sent letters to more than 90 U.S. and foreign-based companies to highlight the significant Rule changes relating to the definition of “personal information.”
 

On May 15, 2013, the Federal Trade Commission sent letters to more than 90 U.S. and foreign-based companies that may be affected by amendments to the Children’s Online Privacy Protection Rule (“COPPA” or the “Rule”), which go into effect on July 1, 2013. The letters, which do not reflect an official evaluation of the recipients’ privacy practices, were targeted to online services and mobile applications that collect “personal information” from children under age 13, as defined by the Rule.

The primary purpose of the letters was to highlight the significant changes to the COPPA Rule definition of personal information, which, under the current Rule, includes user names, a home or physical address, contact information (e-mail address or telephone number), and social security numbers. As described in the letters, the amended Rule expands the definition of personal information to include persistent identifiers, such as cookies, IP addresses, and mobile device IDs, that can recognize users over time and across different websites or online services. Online operators that collect such information must provide notice and obtain parental consent, unless they use the identifiers to support internal operations, such as for user authentication or network analysis. Under the revised Rule, personal information also includes photographs or video with a child’s image, or an audio file with a child’s voice.

In addition to describing changes to the definition of personal information, the letters also highlighted the following “musts” for developers of child-directed online or mobile apps:

• Notice and parental consent for personal information collected on applications from third parties, such as ad networks;
• Reasonable steps to release children’s personal information only to companies that will keep it secure and confidential;
• New data retention and deletion requirements.

The letters are the latest step by the Commission to generate awareness about how the COPPA Rule changes may affect online operators’ current business practices. As we described last month, FTC Staff also issued an updated Frequently Asked Questions (“FAQ”) document, Complying with COPPA: Frequently Asked Questions, that includes a number of questions (and answers) that directly address how the amended COPPA Rule differs from the current Rule.
 

On Thursday, May 9, Rep. Hank Johnson (D-GA), and co-sponsor Rep. Steve Chabot (R-OH) introduced the “Application Privacy, Protection, and Security (APPS) Act of 2013,” (H.R. 1913). The bill, which is aimed at increasing consumer privacy within applications (“apps”) available through smartphones and other mobile devices, retains the provisions included in the discussion draft of the legislation circulated by Rep. Johnson in January 2013.

Among its key provisions, the APPS Act would require app developers to make a privacy statement available to consumers before they purchase an app, obtain consent from consumers before collecting data, and securely maintain the data that they collect. A developer’s privacy statement would have to disclose the categories of personal information collected by the app, and how such information is used, including whether it is shared with any third parties. App developers also would be required to include within their privacy statement a data retention policy that describes how long information is retained, and how consumers can access and seek the removal of such information. Under the bill, the Federal Trade Commission would be tasked with drafting regulations to implement the law, including defining the term “personal data,” as well as enforcing such regulations.

The APPS Act is the product of Rep. Johnson’s AppRights initiative, which is a web-based legislative project launched in July 2012 to address the privacy and security of mobile device users, and follows other recent federal and state efforts to enhance privacy protections for mobile app users. For example, we posted last week about the latest developments regarding the California Attorney General’s efforts to require all app developers to include a privacy policy in their mobile app.
 

On April 25, 2013, the Federal Trade Commission issued an updated version of its frequently asked questions (“FAQs”) document to assist online operators as they prepare for changes to the Children’s Online Privacy Protection Rule (“COPPA”) that go into effect on July 1, 2013. COPPA requires commercial websites and online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13 to obtain verifiable parental consent before collecting personal information from such children.

The FAQ document, Complying with COPPA: Frequently Asked Questions, was developed by FTC Staff and describes how operators can comply with the various COPPA Rule amendments announced on December 19, 2012. The amendments, which are the first revisions to COPPA since it became effective in 2000, significantly modify or expand key definitions within the Rule, including the definitions of “operator,” “personal information,” and “website or online service directed to children,” and update COPPA’s requirements concerning parental notice and consent, and the existing safe harbor provisions. The updated FAQs include a number of questions (and answers) that directly address how the amended Rule differs from the original Rule, including the following:

• What should I do about information I collected from children prior to the effective date that was not considered personal under the original Rule but now is considered personal information under the amended Rule?
• Other than the changes to the definition of personal information, in what ways is the new Rule different?
• Will the amended COPPA Rule prevent children from lying about their age to register for general audience sites or online services whose terms of service prohibit their participation?

FTC Staff announced the updated FAQs two days after online industry and business organizations, including the Direct Marketing Association (“DMA”) and the U.S. Chamber of Commerce, sent a letter to the FTC seeking an extension of the effective date for the COPPA Rule amendments, from July 1, 2013 to January 1, 2014. The letter cited the lack of an updated FAQs document as one key reason for requesting the extension.
 

News media outlets are reporting that President Obama will name Edith Ramirez as Chairwoman at the Federal Trade Commission.  Ramirez, a Democrat who joined the FTC as a Commissioner in 2010 after working in private practice, will replace Commission Chairman Jon Leibowitz, who announced his departure last month.  

Please continue to visit AdLaw Access or visit the Kelley Drye website, as we will provide more detailed information about this appointment in an upcoming client advisory.

On February 1, the FTC issued the staff report Mobile Privacy Disclosures: Building Trust Through Transparency, which provides a series of consumer privacy-focused recommendations for key stakeholders in the mobile app ecosystem, including developers, platform providers, third-party advertising networks, and others. The Report responds to the explosive growth in smartphone use by consumers within the past few years and focuses on best practices to ensure that consumers receive timely and easy-to-understand information about the personal data that apps collect and how that data is used or shared with third parties.

In addition to releasing the staff report, the Commission announced two other items that reflect the Commission’s current focus on mobile app privacy. First, the FTC introduced a new business guide that complements the privacy disclosure report with a set of data security best practices tailored to mobile app developers. Second, the FTC announced a settlement with social networking app developer Path, Inc. over charges that it deceived users about its data collection practices and violated the Children’s Online Privacy Protection Act (“COPPA”) Rule by collecting personal information from children without their parents’ consent.

This Kelley Drye client advisory provides a detailed summary of the FTC’s latest efforts relating to consumer privacy in the mobile app ecosystem.