Pages 1 & 2
inormation rom children or have access to or controlo such inormation collected by a third party is notconsistent with COPPA’s defnition o “operator”: the COPPAstatute itsel covers only entities “on whose behal suchinormation is collected and maintained.” Thus, Ohlhausendoes “not believe that the act that a child-directedsite or online service receives any kind o beneft romusing a plug-in is equivalent to the collection o personalinormation by the third-party plug-in on behal o thechild-directed site or online service.”It is also arguable that holding site operators liable orthe actions o third parties is not consistent with theCommunications Decency Act, which provides broadimmunities to a variety o online service providers orconduct by third parties that occurs on or through websitesand other online properties.
The Deinition o “Personal Inormation” hasbeen Broadened to Apply to Data that ManyProviders Currently Collect Without SeekingNotice and Consent.
The FTC has expanded the defnition o “personalinormation” in ways that are likely to have a signifcantimpact on how child-directed sites currently operate. Isites continue to collect such inormation (outside oexceptions or “internal operations”), they will be requiredto comply with COPPA.
While the existing defnitioncovers persistent identifers associated with individuallyidentifable inormation, the new Rule includes otherpersistent identifers – notably, unique IDs in cookies, IPaddresses, and process or device serial numbers that can“recognize a user over time and across dierent sites oronline services.” “Dierent websites” captures afliatedsites where the afliate relationship is not clear to theuser. Under the revised Rules, absent parental notice andconsent, operators may not gather persistent identifers tobehaviorally target ads to a specifc child, nor may they usethem to amass a profle on an individual child user basedon the collection o such identifers over time and acrossdierent sites.The FTC has, however, created a separate exception to theRule’s notice and consent requirements or identifers usedsolely or providing
support for the internal operations
o asite or service. This includes activities “necessary” (looselyspeaking) to:1. maintain or analyze the unctioning o the site orservice;2. perorm network communications;3. authenticate users or personalize site content;4. serve contextual advertising on the site or cap therequency o advertising;5. protect the security or integrity o the user, site, orservice; or6. ulfll a request o a child as otherwise provided inthe Rule.The new Rule also applies to third parties collectingpersistent identifers on a site or service. However, entitiesthat collect persistent identifers, and no other personalinormation, rom users who afrmatively interact with theentity and whose previous registration with such entityindicates that they are over the age o 12, are not subjectto COPPA. Thus, third-party plug-ins that collect a persistentidentifer rom an individual who afrmatively downloadsthe plug-in on another site and that know rom previousdealings with the individual that he/she is over the age