TechFreedom, a Washington, DC-based think tank, offered a panel discussion shortly after the July 2013 effective date for new COPPA regulations. A recording of the panel, “COPPA: The Past, Present & Future of Children’s Privacy & Media”, is available online. The discussion highlighted the ambiguity still existing in application of the new COPPA rules to third-party providers.
What Is COPPA?
The Children’s Online Privacy Protection Act (COPPA) prohibits commercial websites and online services from collecting, using, or disclosing the personal information of children under thirteen without parental notice and consent. The Federal Trade Commission (FTC) issued regulations for COPPA in April 2000 and subsequently issued amended COPPA regulations which became effective on July 1, 2013.
How 2013 Regulations Impact Plug-Ins, Ad Networks, Apps and Other Third-Party Providers?
Among other things, the 2013 regulations clarify that COPPA applies to operators of commercial websites and online services with actual knowledge that they are collecting personal information directly from users of a child-directed website. This includes plug-in and app services providing services to and collecting user information from child-directed websites.
When Does a Third-Party Provider Have Actual Knowledge Its Customer Is a Child-Directed Website?
One of the panels’ most useful take-aways for plug-in and mobile app services involved FTC staff interpretations of what constitutes actual knowledge. Kandi Parsons, an attorney with the FTC Consumers Protection Bureau, indicated that third party websites have no general obligation to investigate whether their customers are child-directed websites or online services. (Note that as the verbal interpretation of an FTC staff person, this is informal insight. Hence, the FTC is not absolutely bound by what Ms. Parsons said. Here’s a transcript of a relevant portion of Ms. Parsons comments (starting at approximately 1:12 of the recording). . .:
If I can speak briefly to actual knowledge. . . . if you get a list of urls from somebody that says these are child-directed sites or services. As a third party, that is not sufficient to provide you actual knowledge. We don’t believe this gives you independent evidence of the child-directed nature of the site or service because the Commission was very clear that there’s not a duty to investigate. That would turn the obligation from an actual knowledge standard into a reason to know or should have known standard and we’re not interested in [making that conversion]. It’s an actual knowledge standard.
There is some ambiguity in Ms. Parsons’ later comments where she implies that a third party website would have a duty to investigate if it found a “red-flag” that it was serving a child-directed website (e.g., a website customer with the url “games-for-7-year-olds.com).
Can Third-Party Providers Comply with COPPA by Having Customers Sign Contracts Stating the Customer Is Not a Child-Directed Website?
The FTC addresses this question in its FAQs on Complying with COPPA. FTC staff persons also addressed the issue during the TechFreedom panel (at approximately 2:27 of the recording).
Here is what I distilled from those resources. In order for a third party provider to rely on such a customer representation, the customer would need to make an affirmative statement that the website was not a child-directed website. A third party provider could not rely on a “Not-a-Child-Directed-Website” response that was the default response in an online form. The analysis might be different (i) for a negotiated contract and (ii) for a checkbox in an online form where the customer had to self-identify itself as “child-directed website” or “not-child-directed-website”.
The customer contract will not shield the third party provider from COPPA liability if the third party provider has actual knowledge that the customer’s representation is untrue and the customer is actually a child-directed website.