My colleague Jennifer M Puckett, eModeration's Child Safety Liaison Officer USA, attended the recent Children's Advertising & Online Privacy Conference hosted by the Advertising Self-Regulatory Council (ASRC), formerly known as the Children's Advertising Review Unit (CARU). This year, the conference's most hotly debated topic was COPPA and the changes coming soon to a family-friendly product near you, which I blogged about last month.
To help clarify some of the issues surrounding the rule change, she has summarized the 'fireside chat' featuring members of the Federal Trade Commission(FTC). Please note, eModeration is not offering legal advice or comment here: we are reporting the Q&A session to help build the sum of knowledge about the COPPA changes.
The chat was hosted by Liisa Thomas (Partner, Winston & Strawn LLP), with FTC representative Mamie Kresses joining via Skype. The pair discussed many of the upcoming changes to COPPA that consumers, businesses and child safety advocates need to know about in order to comply with the changing law. Mamie has worked at the FTC for many years, focusing on COPPA and the many technological and social media changes since it was first put into law, 13 years ago.
All the questions asked were practical and addressed the key issues people have been itching to understand. Here's our summary - and our own interpretation - of answers to the most frequently-asked questions posed to the FTC representatives.
Liisa Thomas
LT: Many of us [representing the private sector] are worried about Online Behavioral Advertising (OBA) and the need to get parental consent. If we have a website appealing to both kids and adults, and we have reason to believe that both audiences are using the site, does that mean that we can't use OBA without parental permission? Or should we just not use OBA once someone actually tells us they are under 13?
Mamie Kresses, FTC
FTC: If your site is in that category of catering to both under and over 13 year olds, even if it is a site that is already directed to children, but you know or have reason to think that you are not limited to under 13s, you must assume everyone is under 13. We recognize that not all sites directed to kids are in practice catering to kids, and if you wish to market differently to each, then we won't necessarily go after you. However, by July 1, if you wish to continue using OBA then you must age-gate your product so that only those claiming to be over 13 will be subject to this form of advertising. If you cannot separate out your users by age and you continue to use OBA then you will not be in compliance with the law. However, you can use OBA if you get parental permission.
We [at the FTC] also don't know what is coming down the road with regards to collecting data from particular users. There will be tougher decisions in the future when and if we are dealing with a site that caters to more than one age group. People working on sites that are not directed at children will continue to be able to use OBA unless they know for a fact that they are catering to a child.
LT. Let's say we are creating an app where kids can take photos and add a widget to the picture. The app, once downloaded, will not have any interaction back with the company and will live as a stand-alone on a user's phone. Do we need to get parental permission - or does this scenario fall under an exception - under the Rule?*
In other words, would the FTC view the company as "collecting" a child's photo even though the pictures are not being sent back to (or seen by) the company? The app is simply facilitating someone taking the photo and "doctoring it up".
FTC: [Paraphrased] This is currently under discussion. A website or online service has to involve a transfer of information across the internet for [the Rule] to apply. As the app itself in this scenario is not working with the online environment (sharing digitally), it would not be an online service within our definition.
LT: At what point do we put the consent block during the download of an app when we KNOW we are advertising and creating kid-based apps? Is it just before the download? Where? When?
FTC: The point before you need to give notice and get consent comes just before the purchase of the app takes place. You don't need to collect information from every person on the account. If you have collected something from the user that indicates they are a child, you must collect parental consent and make account information easy to access for the parent; the usual place being somewhere on the company website where it can be found and edited if the parent wishes.
The FTC has tried to broaden the non-exclusive list of acceptable methods for collecting consent. If you as the company are doing your best to obtain parental consent even if it doesn't fall under the list of acceptable means, FTC will accept it.
In the process of downloading the app, you will be collecting information. The first step of the download should be the place to get parental consent. However, app stores need to make it easier for developers to incorporate consent and collection of parental consent information.
The FTC will not prescribe a method, but in looking at past methods, you may want to do something new and this could be acceptable if the person on the other side is known to be a parent or adult that is accepting the consent. However, collecting an Apple ID or Google ID is not sufficient at this time.
LT: Many companies have concerns about what is viewed as personal information - information about the child submitting the data online, or anybody's personal information that the child submits. For example: would you view the Rule as being triggered (and therefore being a need to get parental consent) if a child submits a parent's information? What if the child submits information about a friend?
FTC: The Rule is triggered by information being given by a child. It doesn't have to be their own information for the Rule to apply. In July [2013], we will have finally defined the concept of collecting a parent's email address as a viable method for collecting consent.
If a child submits pictures or videos of another child, you as the company must remove this information from your records, on the basis that this falls under the category of collecting PII from a child without the consent of that child's parents.
There is nothing that prevents the general public uploading pictures of another child in a general audience type of site, however.
LT. Let's say that we are a publisher with in-app purchases. Other than your new graphic disclosure, what other things should we think about? Where should we place this graphic?
FTC: There is a new infographic at the FTC website. [http://www.consumer.ftc.gov/articles/0018-understanding-mobile-apps#kids]
The infographic was designed by our Consumer and Business Education Department to give parents general information about what could be going on with the apps they buy, that there are different types of information, and to teach them how to get more information on apps.
There is no onus on companies to post it, but it has been widely picked up and it could be helpful to see this on an app store in the future.
As to whether or not in-app purchases are covered under COPPA, the vital thing to remember is that if your business is in a kids' space, or is attracting youth, this is the kind of information parents want upfront rather than to find out later. It is more about being a good business model and delivering COPPA information and obligations in a common sense setting and could help you head off trouble down the road.
LT: Let's talk about screen names. The Rule now says that these are Personally Identifiable Information if it permits someone to directly contact the person online. How does this play out on a website with a chatroom? In particular, one where kids can register without parental permission because the only information collected is a screen name and the site has only set sentences that people can use to communicate with each other?
FTC: [Paraphrased] Whether the screen name has a "life of its own" outside the context of the site is seen as the key criteria here. For example, if on its own, it reveals something personally identifiable, something that could trace a person across other forms of online communication, I would see this falling within the Rule. The less personal information a child can put in to the username, the less the risk there is of being able to personally identify them. If they can put say, [email protected], this can constitute PII.
In the chat context, the more restrictive you are with the type of information a user can put in, the more likely you will be to stay within the Rule. However, this is still a very gray area and one to approach with caution.
LT: Let's talk about the mechanism you built in to the Rule to add additional types of parental consent. Can you walk through how that would work, and explain any specific ideas about this? Video consents, where the parent records themselves giving permission? Scanned images of IDs? Any others? It may be helpful to remind people that they can select many different ways for getting consent; they don't have to use one. Isn't that right?
FTC: Here are some examples of how to collect parental consent. However, this list is not exhaustive:
- Collect the parent's email
- Have the notice and consent on the screen, but collect the parent's name and credit card information
- Video consent is being considered and may be acceptable, but there is not a final decision on this as yet
Video consent might even be fun, but as a practical business matter you must always give parents a place they can return to in writing so that they can review and change [consents]. Particularly with COPPA, where parents have multiple ongoing rights. As long as this happens if the company decides to use video consent, it should be fine.
LT: Are you considering how companies have attempted to collect parental consent before the changes to the Rule? What should businesses do with these accounts and account information?
FTC: That will be addressed in the upcoming FAQs, due out by the end of this month [April 2013]. Update: here are the new COPPA FAQs (Updated: April 26 2013)
___________________________________________________________
So there you have it. Clearly there are still a lot of areas that the FTC is ironing out, and a lot of practical situations to which there are not yet clear solutions. What is clear, however, is that more companies are becoming aware of the magnitude of these changes, and want to do the right thing by their customers and users, and for their business.
Next week, I'll pick up where this conversation left off, with a panel of business lawyers and community professionals discussing the practicality of the COPPA mandates and how they will affect the practicalities of running their businesses.
Image via Flickr from IntelFreePress