FTC Provides Limited “Safe Harbor” for Users of a “Do Not Track for Kids” Flag
The new Children’s Online Privacy Protection Act (COPPA) rule that went into effect earlier this month restricts almost all forms of tracking across child-directed sites other than for a set of limited “internal operations purposes.” Child-directed sites are now strictly liable for any third party tracking on their sites that do not meet COPPA’s limited exceptions, unless they obtain verified parental consent.
Third party code providers, such as analytics companies, ad networks, or social plug-in providers, can also be liable under the new COPPA rule if they have “actual knowledge” they are dealing with children – that is, if the first party site has effectively communicated its online status to the third party or if a “representative of the online service recognizes the child directed nature of the site.” Yet for many third party code providers, who distribute their code freely to millions of web developers, there is no way to assess whether they are being used by services directed at children.
Earlier this month, the Future of Privacy Forum (FPF) announced its support for a model proposed by FTC Chief Technologist Steve Bellovin calling for a special “flag” to be passed between companies that would indicate the child directed status of a site. FPF has been working with a number of stakeholders to refine a technical proposal that could help standardize this type of communication, effectively creating a limited “Do Not Track for Kids” signal. We have urged the FTC to provide a “safe harbor” for users of this flag in order to provide more certainty in this area and to help ensure compliance from web publishers and third parties.
Last week, the FTC released updated FAQs to help businesses comply with the COPPA rule. These FAQs include a provision recognizing the COPPA flag as a viable tool for compliance; the FAQ sets forth a technical system for a site to affirmatively certify whether it is “child-directed” or “not child-directed.” According to the FAQs, companies may rely on a signal that a site is “not child-directed,” but “only if first parties affirmatively signal that their sites or services are ‘not child-directed.’” Companies cannot set this option for their clients as a default, if they wish to limit their liability. The FTC is requiring a “forced choice” or a “double flag” process, rather than the single flag that Bellovin proposed and that FPF championed.
We are pleased that the FTC recognized the COPPA flag as an effective way to both protect children and ensure that companies meet their obligations. Technology can offer a meaningful, low-cost solution that can be widely implemented across industry to encourage compliance.
The new FAQs describe stringent requirements that must be met for a COPPA signal that companies “may ordinarily rely on.” Our view is that this FTC language creates a safe harbor of sorts, providing protection for companies worried that they will be arbitrarily imputed actual knowledge.
While the FTC’s version of the flag will work for some companies, it will not be practical for many others. And for those who it will work, it will likely be feasible for their new clients only, because retroactively forcing many thousands of current clients to make a forced choice or be terminated is not realistic.
A number of leading companies, including Facebook, AdMob, Twitter, The Rubicon Project, and Yahoo!, began to roll out a single flag option to their clients even before the FTC released its new FAQs. We believe this single “Do Not Track for Kids” option still has value even though it may not meet the FTC standard for a safe harbor. The FTC has reiterated that “actual knowledge” requires a fact-specific inquiry. As a practical matter, companies that send and receive a COPPA flag as part of their compliance efforts are demonstrating a good-faith attempt to meet their obligations under the new COPPA rule. Those who implement such technology as part of a broader compliance strategy will be in a far better position should the FTC come calling than those who do not.
The next step for companies is to standardize a format for the COPPA flag signal so that it can more easily be passed along from company to company. If you are interested in learning more about the FPF’s efforts to standardize this Do Not Track for Kids signal, please email [email protected].
