FTC Issues Updated Guidance on Children’s Online Privacy Protection Act to Account for New Technology, Requests Comments on Utility of CAN-SPAM Rule
The U.S. Federal Trade Commission (FTC or the Commission) had a busy week, and it shows no signs of slowing down. On June 21, 2017, FTC released an updated six-step compliance plan (the Plan) for businesses to help them determine if they are subject to the Children’s Online Privacy Protection Act (COPPA), and, if so, how to comply with the Commission’s rule implementing the same. Then, on June 22, 2017, the Commission published in the Federal Register a request for comments on the efficiency, costs, benefits, and regulatory impact of FTC’s rule implementing the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act.
By way of background:
- COPPA was enacted in October 1998, and the Commission’s rule implementing the same became effective in April 2000. COPPA places parents in control over what information is collected from their young children (under the age of 13) online.
- The CAN-SPAM Act was enacted in December 2003, and the Commission’s rules implementing the same started to become effective in April 2004. The CAN-SPAM Act contains requirements for, among other things, commercial messages, gives recipients the right to stop receiving commercial e-mails, and establishes penalties for violations.
COPPA Compliance Plan
As technology has evolved (e.g., internet-connected toys and other devices), children’s personal information has become more vulnerable. FTC’s revised Plan outlines broader application of COPPA to reflect the changing technological landscape. More specifically, the Plan contemplates an expanded application of COPPA to new business models and new products to account for new ways of collecting data and the expanded use of connected devices. The Plan also suggests new ways for covered businesses to obtain parental consent. The six steps that follow provide businesses guidance as to when COPPA applies (step 1) and what to do if it does apply (steps 2-6).
- Step 1: Determine if the Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
- Step 3: Notify Parents Directly About the Company’s Information Practices Before Collecting Personal Information from Their Kids.
- Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
- Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
- Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
CAN-SPAM Rule Comments
FTC periodically reviews all of its rules and guides to evaluate their regulatory and economic impact. To that end, the Commission is seeking comment on, among other things: the economic impact and benefits of the CAN-SPAM Rule; possible conflict between the Rule and state, local, or other federal laws or regulations; and the effect on the Rule from any technological, economic, or other industry changes since promulgation of the Rule. More specifically, the Commission hopes to elicit feedback on a number of points, including, but not limited to:
- Is there a continuing need for the Rule?
- What benefits has the Rule provided to consumers?
- What modifications, if any, should be made to the Rule to increase its benefits to consumers?
- What impact has the Rule had on the flow of truthful information to consumers and on the flow of deceptive information to consumers?
- What benefits, if any, has the Rule provided to businesses, including small businesses?
- What modifications, if any, should be made to the Rule to account for changes in relevant technology or economic conditions?
Comments on the Rule are due by August 31, 2017.