Brownstein Hyatt Farber Schreck
Outline of FTC Online Fair Information Practices and COPPA Rule

Bruce L. Plotkin

June 2, 2010

A. Overview of FTC Authority and Enforcement Power. The FTC is empowered pursuant to Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 41 et seq., to prevent any persons or entities (excluding certain financial institutions, common carriers and other entities subject to other specific regulatory laws) from engaging in “unfair or deceptive practices in or affecting commerce.” 15 U.S.C. § 45(a)(2). The Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. § 6501 et seq., requiring the FTC to issue and enforce rules governing the online collection of personal information of children under the age of 13, was passed by Congress in October 1998. The FTC issued the Children’s Online Privacy Protection Rule (“COPPA Rule”) in November 1999, which became effective on April 21, 2000 and governs the collection of information from children under the age of 13 at websites or portions of websites.

B. FTC’s Fair Information Practice Principles. In its June 1998 report, “Privacy
Online: A Report to Congress” (“Privacy Report”), the FTC enumerated five fair information
practice principles which the Commission said had become commonly accepted and which the
FTC determined were appropriate to guide the online collection of personal information. These
principles have formed the basis for the FTC’s positions in subsequent enforcement actions. The
principles are Notice/Awareness, Choice/Consent, Access/Participation, Integrity/Security and
Enforcement/Redress.

1. Notice/Awareness. “Consumers should be given notice of an entity’s information practices before any personal information is collected from them.” Privacy Report at § III.A.1. The FTC has taken the position that the use of personal information without adequate disclosure or in contravention of any disclosure to consumers is a deceptive trade practice. See In the Matter of Geocities, FTC Dkt. No. C-3850. Specifically, the FTC suggests that the notice include some or all (the FTC subsequently seems to want all) of the following elements:

a. identification of the entity collecting data
b. identification of the uses to which the data will be put
c. identification of any potential recipients of the data
d. the nature of the data collected and the means by which it is collected, passive or active
e. whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information
f. the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data

The FTC has prohibited the sale of personal information in contravention of a privacy policy
restricting personal information transfers to third parties even in the context of a bankruptcy. See
United States v. Toysmart.com, Civil Action No. 00-11341-RGS, (Dist. Ct. Mass. 2000). A
company may not change the way it uses collected personal information in a manner that is
materially different from the disclosure it provided when it first collected the information
without obtaining the express consent of affected consumers. See FTC Staff Statement
Proposing Governing Principles for Behavioral Advertising and In the Matter of Gateway
Learning Corp., FTC Dkt. No. C-4120.

2. Choice/Consent. The FTC believes that consumers should be given a choice about uses of their personal information beyond the purpose for which such information was originally collected. FTC Report § III.A.2. Such “secondary uses” can be internal, marketing additional company products or services to the consumer, or external, sharing of information with third parties. Choice/Consent can be either via an opt-in or opt-out process.

3. Access/Participation. Consumers should be given a means to correct, update or delete their personal information from the data collector’s database. FTC Report § III.A.3.

4. Integrity/Security. The FTC requires that collectors of personal information “employ reasonable and appropriate security measures to protect consumers’ personal information,” and the failure to do so constitutes an unfair trade practice. See United States v. Choicepoint, Civil Action No. 106-CV-0198 (Dist. Ct. N.D. Ga. 2006). The security undertakings mandated by the FTC in a series of enforcement actions form a set of de facto security standards. See, e.g., In the Matter of BJ’s Wholesale Club, FTC Dkt. No. C-4148 (Decision and Order 2005). In an oft-cited case, BJ’s Wholesale Club, the FTC required:

a. the designation of an employee or employees to coordinate and be accountable for the company’s information security program
b. the identification of material external and internal risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control such risks
c. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures
d. the evaluation and adjustment of Respondent’s information security program in light of the results of the testing and monitoring, any material changes to Respondent’s operations or business arrangements, or any other circumstances that Respondent knows or has reason to know may have a material impact on the effectiveness of its information security program

5. Enforcement/Redress. There must be a mechanism for enforcing the
privacy notice either through industry self-regulation, legislation or regulatory enforcement
schemes. FTC Report § III.A.4.

C. COPPA Rule. The COPPA Rule is designed to empower parental control over
the personal information that is collected online from their children.

1. Who is Covered. The COPPA Rule covers operators of websites directed to children under 13 as determined by the subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children. 16 CFR Part 312.2. The COPPA Rule also covers websites where the operators have actual knowledge that they are collecting personal information from children under 13.

2. Required Privacy Notice. Covered operators must provide notice of what information they collect from children under 13, how they use such information and with whom they share such information. 16 CFR Part 312.3(a). Operators must provide a link to that notice on the website’s home page and on each page where information from children under 13 is collected. 16 CFR Part 312.4(b). The notice must provide the name, address, phone number and email address for all operators collecting or maintaining such information. 16 CFR Part 312.4(b)2. The notice must also explain that the operator is prohibited from conditioning a child’s participation in an activity on providing more personal information of the child than is reasonably necessary to participate in that activity and state that a parent can review and have deleted the child’s personal information. Id.

3. Notice to Parent. An operator must notify a parent that it wants to collect personal information from a child, that the parent’s consent is required for the collection, use and sharing of such information, and explain how that parent can provide such consent. 16 CFR Part 312.5. An operator must obtain verifiable consent using a method based upon a sliding scale under which the mechanism required depends upon how the operator intends to use the information. Id. Prior consent is not required when an operator collects an email address to respond to a one-time request and then deletes the address, an email address to respond more than once such as for a newsletter (provided that the parent is notified of the continuing communication and is provided the opportunity to stop the communications), or a child’s name or online contact information to protect the safety of the child (provided that the parent is notified and has the opportunity to prevent further use of the information). 16 CFR Part 312.5(c). Further, operators must provide parents access to their child’s personal information and allow them to delete the information or opt out of future use or collection of their child’s personal information. 16 CFR Part 312.6.

4. Safe Harbor. The COPPA Rule provides a safe harbor for compliance
with FTC-approved guidelines such as the Children’s Advertising Review Unit of the Council of
the Better Business Bureau and TRUSTe. 16 CFR Part 312.10.