Wednesday, December 19, 2012

FTC Announces Significant Update of COPPA Rule
After a number of rounds of public comment and workshops, the FTC has released its revised regulations under the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The new regulations, to take effect on July 1, 2013, take into account changes in both technology and business since the original statute and regulations were enacted. According to the FTC’s release, the revised COPPA regulations:
  • modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
  • offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
  • close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
  • extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
  • extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
  • strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
  • require that covered website operators adopt reasonable procedures for data retention and deletion; and
  • strengthen the FTC’s oversight of self-regulatory safe harbor programs.

In his public statement describing the new Rule, FTC Chairman Jon Leibowitz described the FTC’s intentions with its revisions:

Just like you, we want a Rule that will protect innovation, and we think we have crafted one. Just like you, we want a Rule that will foster safe and vibrant spaces for children that are beneficial for learning and growth without creating a sanitized version of the Internet for older kids and adults, and we think we have struck that balance. Just like you, we want a Rule that will support diverse and free services online, and we think we are offering one today.

And, let’s be clear about one thing: under this Rule, advertisers and even ad networks can continue to advertise, even on sites directed to children. Business models that depend on advertising will continue to thrive. The only limit we place is on behavioral advertising, and in this regard our Rule is simple, effective, and straightforward: until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising purposes. Period.

The FTC has prepared a list of “Five Need-to-Know Changes” to the COPPA Rule for businesses, available here. The full text of the new Rule, to be published in the Federal Register, may be downloaded from this link. Finally, for some historical perspective, the following (courtesy of C-SPAN) is the original floor speech by Senator Richard Bryan of Nevada introducing COPPA on July 17, 1998:
Tuesday, December 18, 2012

FTC Orders 9 Data Brokers to Provide Info on Privacy Practices

The FTC announced today that it had issued orders to nine data brokers to disclose how they collect and use consumer data. This is consistent with earlier guidance from the FTC, which recommended legislation targeting the data broker industry in its March 2012 Report on Protecting Consumer Privacy:
[T]he Commission recommends that Congress consider enacting targeted legislation to provide greater transparency for, and control over, the practices of information brokers. The proposed framework recommended that companies provide consumers with reasonable access to the data the companies maintain about them, proportionate to the sensitivity of the data and the nature of its use. Several commenters discussed in particular the importance of consumers’ ability to access information that information brokers have about them. These commenters noted the lack of transparency about the practices of information brokers, who often buy, compile, and sell a wealth of highly personal information about consumers but never interact directly with them. Consumers are often unaware of the existence of these entities, as well as the purposes for which they collect and use data.
The Commission agrees that consumers should have more control over the practices of information brokers and believes that appropriate legislation could help address this goal. Any such legislation could be modeled on a bill that the House passed on a bipartisan basis during the 111th Congress, which included a procedure for consumers to access and dispute personal data held by information brokers.
According to today's release, the FTC will use the information provided by the nine data brokers "to prepare a study and to make recommendations on whether, and how, the data broker industry could improve its privacy practices." The FTC's orders (in PDF format) may be downloaded here.

Monday, December 17, 2012

Children's Privacy: CDD files FTC Complaint Against Nickelodeon Spongebob App

In the latest legal development in the increasingly active world of children's privacy law, the Center for Digital Democracy announced that it had filed a complaint with the Federal Trade Commission against the cable network Nickelodeon and software developer PlayFirst over the SpongeBob Diner Dash game for iOS. According to the CDD's release, the description for the game in Apple's iTunes store inaccurately states that the app complies with the Children's Online Privacy Protection Act ("COPPA"):

As the complaint documents, Nickelodeon and PlayFirst engage in deceptive acts by representing in the privacy disclosure on the Apple App Store that the app’s “data collection is in accordance with applicable law, such as COPPA,” when in fact it is not. The SpongeBob Diner Dash game asks children to provide a wide range of personal information, including full name, email address, and other online contact information, without providing notice to parents or obtaining prior parental consent, as required by the Children’s Online Privacy Protection Act. Nor does the app provide an adequate description of the personal information it collects or how it is used.

The FTC has not yet responded to CDD's request to investigate Nickelodeon and PlayFirst. CDD's complaint may be read here.

In a related matter, the FTC will reportedly release its update to the COPPA rules this week. These rules, which have been the subject of significant public discussion and comment, are the key regulatory requirements for those companies which collect personal information from children under the age of 13.

Wednesday, December 12, 2012

Peter Fleischer, Other Google Execs Still May Face Jail in Italy Privacy Case

AP Image of trial court via KLEWTV.com
In the latest installment in a case that highlights both the legal risks and the absurdity of the cross-border nature of the Internet, the Milanese prosecutor in the case against Peter Fleischer and two other Google executives has asked an appeals court to uphold the six-month jail sentences they received in a criminal privacy case. The case arose out of a 2006 posting to Google Video by Italian teenagers of a short video of a learning-disabled classmate. Although none of the executives had any involvement with the posting or its prompt removal by Google Video after notification, they were still charged (along with another colleague, later acquitted) with violations of Italian privacy law. Fleischer, who was then Google's chief privacy counsel in Europe, was arrested when he traveled from his Paris office to Italy to give a lecture in January 2009. After the case came to trial, Fleischer and two of his colleagues (including Google's chief legal officer, David Drummond) were convicted in February 2010 and given six-month sentences, automatically suspended under Italian law. The case was then appealed, leading to the latest development.

Fleischer, in a recent blog entry about the appeal, describes both the facts and the illogical nature of the case against him, given that he and his colleagues had nothing to do with the incident:

Under European law, hosting platforms that do not create content, such as Google Video, YouTube, Bebo, Facebook, and even university bulletin boards, are not legally responsible for the content that others upload onto these sites. But in this instance, a public prosecutor in Milan decided to charge us with criminal defamation and a failure to comply with the Italian privacy code. None of us, however, had anything to do with this video. We did not appear in it, film it, upload it or review it. None of us knew the people involved or were even aware of the video's existence until after it was removed.

This case, similar in many ways to the action in Germany against Compuserve's Felix Somm in 1996, serves as a stark reminder that those associated with companies doing business online may find themselves facing personal liability or even prosecution under the laws of other countries, even when the individuals had no connection with the activity in question, and even when the activity was fully legal under the laws of the jurisdiction in which the company is based. While it is impossible to research and be certain of compliance with every relevant law in every country with access to the Internet, those who work for high-profile businesses, especially companies whose activities may potentially violate particular nations' cultural norms, should at the least be aware of these risks when considering business or personal travel to other regions. Companies, for their part, must include these risks in their overall assessments when choosing to do business online.

Wednesday, December 5, 2012

FTC Settles With Online Marketer Over "History Sniffing"

The Federal Trade Commission ("FTC"), the chief federal agency for consumer protection, has announced a proposed settlement with online marketer Epic Marketplace, Inc., over what the Commission called a "deceptive" use of a technology called "history sniffing." According to the FTC's release:

Epic Marketplace is a large advertising network that has a presence on 45,000 websites. Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed. The cookies allowed Epic to serve consumers ads targeted to their interests, a practice known as online behavioral advertising.

In its privacy policy, Epic claimed that it would collect information only about consumers’ visits to sites in its network. However, according to the FTC, Epic was employing history-sniffing technology that allowed it to collect data about sites outside its network that consumers had visited, including sites relating to personal health conditions and finances.
According to the FTC complaint, the history sniffing was deceptive and allowed Epic to determine whether a consumer had visited any of more than 54,000 domains, including pages relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy.
The technique used by Epic apparently combined two methods enabled by its cookie-placing network: checking whether the user's browser rendered particular links in the "visited" color, which indicates that the user had previously been to those pages, and probing the browser's cache of temporarily stored files to see which pages had already been fetched.

The proposed settlement order bars Epic from further history sniffing, mandates full and accurate disclosure of Epic's information collection practices, and places restrictions and retention requirements on Epic's data collection and sharing. It does not, however, contain any financial penalties for Epic's conduct.

Tuesday, December 4, 2012

Blogger Settles Case with Former Employer Over Twitter Follower Ownership

Noah Kravitz' Twitter Statistics

The social media and technology blog Mashable reports that blogger Noah Kravitz has settled the lawsuit filed by his former employer, mobile tech blog PhoneDog, over the Twitter followers Kravitz kept when he left PhoneDog in October 2010 and changed his Twitter account from @phonedog_noah to a more personal @noahkravitz. The original complaint filed in the Northern District of California in July 2011 alleged that Kravitz' keeping the Twitter followers constituted misappropriation of trade secrets, intentional interference with prospective economic advantage, and other business torts. According to Mashable, the case has been settled through mediation.

The issue of ownership of a company's online resources, particularly those created and built by former employees on their own initiatives, is not new; in the mid-nineties, the New York Post had a dispute over the NYPost.com domain name with Farhan Memon, a former freelancer who had registered it during his work for the Post, and MTV had a similar conflict with its former VJ Adam Curry over the MTV.com domain Curry had registered. The Kravitz case, though, serves as a reminder that whenever an organization is being represented through an online presence, it needs to create and enforce clear guidelines in advance over who controls that presence, which should include ensuring that a single employee's departure (willing or otherwise) does not impede the organization's online efforts.

Sunday, December 2, 2012

Australian Federal Police Shut Down Romanian Cybercrime Ring

Australian Federal Police flag

The Australian Federal Police announced on November 29th that it had charged seven people in Romania for "the largest credit card data theft in Australia's history." According to the release, the investigation began in June 2011 based upon a referral from an Australian financial institution, and ultimately involved "numerous international law enforcement partners" including Romanian authorities.

The scope of the data theft is substantial: more than 500,000 credit cards were potentially accessible, with approximately 30,000 being used for "fraudulent transactions amounting to more than $30 million" in Australian dollars. The cost of the fraud was apparently not borne by Australian consumers; instead, as in the United States, the issuing banks reimbursed the cardholders for the fraudulent transactions, which were performed throughout the world, including in Europe and the United States.

The case highlights the borderless nature of the Internet and the resulting challenges for law enforcement officials, as well as the significant financial exposure faced by companies and consumers from international (and local) data breaches and theft.

(Via @mukimu on ZDNet)