The major COPPA Rule revision issued in 2013 was written in a manner that sought to anticipate how COPPA might apply to future technological developments. Predicting the future is always difficult. Less than a year later, the FTC is coming forward to clarify certain issues surrounding the proper way to gain verified parental consent with recent technological developments online.
Credit Is Due
The FTC has been justifiably criticized for failing to keep up with the pace of development on the web. This criticism was particularly justified in relation to COPPA. From the year 2000 until 2012, the FTC provided little in the way of updated guidance despite the fact the web changed radically with sites and apps such as Facebook, Twitter and Angry Birds launching during this period. Businesses were often forced to make educated guesses regarding how to comply with COPPA when, for example, they used a Facebook plugin to allow people to register with their sites.
The FTC appears to have taken the criticism to heart. Following the issuance of the new COPPA Rule in 2013, the Agency has consistently moved to provide guidance on a variety of COPPA issues. While we may not always agree with the position taken by the FTC, the Agency deserves significant credit for no longer leaving businesses hanging. In short, credit should be given where it is due, particularly since the FTC is again moving to clarify three tricky COPPA issues businesses now face.
The 16 H’s
“H” is for horse? Not when we discuss COPPA. In this case, “H” refers to a section of the FTC policy document published to give companies a heads up on how the Agency intends to apply COPPA to certain situations. Section “H” specifically covers the topic of “verified parental consent” and consists of 15 different topics. In July 2014, the FTC clarified two of these issues and added a 16th policy statement. Let’s take a look at each of them.
- Monetary Transactions
How does a website owner know they are receiving consent from the actual parent of the child in question when seeking verified parental consent? The FTC has suggested in the past that one acceptable method was to obtain a credit card number from the person and then apply a small charge to verify the authenticity.
The problem with this approach is it kills conversion rates. “Pay us .99 cents to verify you are the parent of Johnny” screams SCAM. Out of 10 parents, how many are going to take this step? Perhaps 10 out of 10 if the site in question is Disney. For less well know sites, however, the rates might be below 5 in 10, and that is a business model killer. Given this, the FTC has been asked to scale back the regulation to just require operators to obtain credit card numbers without the need to charge them. The FTC has again rejected this approach.
Most thought this topic dead, but the FTC is now issuing another clarification. In certain situations, according to the agency, it is sufficient to merely collect the credit card number of the parent in question so long as additional identifiers are also used. The Agency suggests, for instance, that the parent can be asked additional questions that only an adult would know the answer to.
Does this represent a major change in the COPPA Rule? No. There are simpler methods for gaining consent as far as we are concerned. Nonetheless, this does serve as an example of how the FTC is seeking to be proactive in addressing certain vague areas of its regulations.
- App Stores
Most apps are sold through independent app stores. iTunes is an example of such a platform. This raises an interesting question in relation to apps and COPPA. Can a party selling an app directed at children rely on a third party store to obtain the verified parental consent required by COPPA?
The FTC is giving a deceptive bit of advice on this question. The short answer will be hailed as great news by app developers – yes, the seller can rely on the store to handle the COPPA compliance issue. However, there are two significant catches.
First, it appears the FTC will hold the app seller responsible for making sure the store obtains consent in a manner compliant with COPPA. If you know XYZ app store isn’t getting verified consent using acceptable methods, you cannot ignore the shortcomings and escape liability. Whether you must affirmatively investigate the compliance efforts of the app store is unclear.
On top of this, the app seller must deliver a statement of information collection practices to the parent prior to consent being obtained, which requires a certain amount of coordination with the app store. The burden, however, should be mitigated by the fact the vast majority of stores will set up an automated approach incorporating this disclosure. Still, the app seller is responsible for making sure this is the case.
Apps are still a relatively new bit of technology and applying legal compliance requirements to their sale can be challenging. The FTC clarification in this regard is of great help and should be lauded.
- App Store Liability
If app sellers can rely on stores to handle the COPPA compliance process, does this mean the app stores assume the liability for COPPA violations? If so, this would represent a huge shift of risk from sellers to stores and might well lead most stores to refuse to sell apps directed at children under 13.
It turns out this is a non-issue. In its July statement, the FTC notes COPPA only applies to “operators” and the Agency does not consider app stores to qualify as operators as defined in the law. Thus, these stores cannot be found liable for COPPA violations.
Before you rush out and start an app store, you should know the FTC is leaving itself a back door for pursuing stores on this issue. While COPPA liability is no longer an issue, the Agency is suggesting Section 5 of the FTC Act could still be violated by an app store. Section 5 is a catch-all clause that prohibits “unfair or deceptive acts” in commerce. If an app store is found to willfully violate the requirements of COPPA, one can imagine the FTC would seek damages against the store using this catch-all phrase.
What It Means
The FTC’s new practice of providing proactive guidance on a variety of COPPA issues is to be lauded. The clarification of the obligations of app sellers versus app stores in regard to COPPA compliance is particularly helpful at this time. Of course, this means companies can no longer claim a lack of awareness. Follow us on Facebook to keep track of future COPPA developments.
Richard A. Chapo, Esq.