The Federal Trade Commission proposed changes to the Children's Online Privacy Protection Act rules on August 1, 2012, that would significantly expand the parties subject to COPPA and potentially impose new procedures on those online products and services that may interact with or collect data about children. Reflecting a general trend, the FTC also proposed changing the COPPA rules' definition of "personal information" to include persistent identifiers, which would narrow the information available for behavioral advertising and other activities. These proposals reflect the increased focus regulators have placed on children and the online marketplace, and are of note to a wide range of parties – whether potentially interacting directly with children or simply providing generic tools or services to those who do.
The FTC's recent proposed COPPA rule changes follow the agency's September 2011 proposed rule changes. The agency received over 350 comments in response to that proposal, and reviewed them as well as its recent enforcement experience in coming up with its more recent proposal. In the FTC's own words, the recent proposed changes "diverge" from those of the September 2011 proposal and are intended to strengthen the COPPA rules' "protections for the online collection, use or disclosure of children's personal information." The FTC proposes to do so by modifying the rules' definitions of "operator," "website or online service directed to children," "personal information" and "support for internal operations."
The COPPA rules' current definition of "operator" refers only to those who collect personal information on a website or service's behalf. Under this definition, there is a view that only those who collect personal information are responsible for complying with COPPA. This has led to the corollary view that the current COPPA rules do not apply directly to those websites that may incorporate plug-ins or other features controlled by third parties where just the plug-ins collect personal information of users, even if the website may be directed at children.
The recent proposed change would clarify that COPPA's requirements apply both to the website itself and the third party collecting data. It would do so by adding a proviso to the definition of operator stating that personal information is collected on behalf of an operator if collected "in the interest of, as a representative of, or for the benefit of, the operator." The FTC's...