Numerous child privacy groups recently filed an FTC complaint against the Ring Pops candy maker Topps for allegedly violating COPPA. This complaint serves a good reminder to your business to ensure it understands the COPPA laws governing third-party data collection.
According to the complaint, Topps launched a social media campaign for Ring Pops candy gave children the opportunity to submit pictures of themselves used in a music video. Also, candymania.com allegedly gave children the opportunity to upload photos of themselves wearing Ring Pops to Facebook, Twitter and Instagram. These photos apparently contained the children’s screen names.
Topps then used several of the photos of these children, which were clearly under 13, according to the watchdogs. The watchdogs also alleged that Topps disclosed the children’s photos along with contact information in the music video and disclosed their photos and online contact information on the Ring Pop Facebook page. Finally, Topps is also alleged to have used the online contact information to directly contact and market to children.
Allegedly, all of this was a violation of COPPA by Topps since they collected and disclosed personal data from children under 13 without their parents’ permission. (Photos of children are considered personal data under recent COPPA amendments that cannot be collected without prior parental permission.)
The big issue is that the children uploaded their photos and provided their screen names to Facebook, Twitter and Instagram and not directly to Topps.
So, can you get out of COPPA by “outsourcing” the collection of data to social media sites and other third-parties?
Some lawyers have argued that when the FTC revised the COPPA regulations in 2012, it made it crystal clear that companies are strictly liable for data collection by third parties. But, not all lawyers agree that imposing strict liability under COPPA was intended to cover the collection of personal information on a site such as Facebook. In fact, Facebook does attempt to restrict users who are under 13.
Then again, child privacy advocates argue that its easy for a child to create a social media account, generally speaking. The watchdog groups have also argued that anyone can sign up for Twitter and Instagram, and that it’s “common knowledge” that many children have Facebook accounts.
The question, then, is whether COPPA regulations regarding third-party data collection are solely aimed at curbing data gathering by ad networks, via plug-ins, etc. Or, does COPPA impose strict liability on website operators when children directly upload their information onto social media or other online platforms?
The best way to attempt to answer this question is to look at the FTC’s final rule amendments to COPPA in 2012. Specifically, the amendment that changed the definition of “collects” or “collection” of personal information may provide the most insight. You can review the full version here. To save you that agony, here is the relevant part of that text below:
II. Modifications to the Rule
A. Section 312.2: Definitions
1. Definition of Collects or Collection
a. Collects or Collection, Paragraph (1)
In the 2011 NPRM, the Commission proposed amending paragraph (1) to change the phrase ‘‘requesting that children submit personal information online’’ to ‘‘requesting, prompting, or encouraging a child to submit personal information online.’’ The proposal was to clarify that the Rule covers the online collection of personal information both when an operator requires it to participate in an online activity, and when an operator merely prompts or encourages a child to provide such information. The comments received divided roughly equally between support of and opposition to the proposed change to paragraph (1). Those in favor cited the increased clarity of the revised language as compared to the existing language.
Several commenters opposed the revised language of paragraph (1). For example, the National Cable and Telecommunications Association (‘‘NCTA’’) expressed concern that the revised language suggests that ‘‘COPPA obligations are triggered even without the actual or intended collection of personal information.’’ NCTA asked the Commission to clarify that ‘‘prompting’’ or ‘‘encouraging’’ does not trigger COPPA unless an operator actually collects personal information from a child.
The Rule defines collection as ‘‘the gathering of any personal information from a child by any means,’’ and the terms ‘‘prompting’’ and ‘‘encouraging’’ are merely exemplars of the means by which an operator gathers personal information from a child. This change to the definition of collects or collection is intended to clarify the longstanding Commission position that an operator that provides a field or open forum for a child to enter personal information will not be shielded from liability merely because entry of personal information is not mandatory to participate in the activity. It recognizes the reality that such an operator must have in place a system to provide notice to and obtain consent from parents to deal with the moment when the information is ‘‘gathered.’’ Otherwise, once the child posts the personal information, it will be too late to obtain parental consent.
After reviewing the comments, the Commission has decided to modify paragraph (1) of the definition of collects or collection as proposed in the 2011 NPRM.”
…
c. Collects or Collection, Paragraph (3)
In the 2011 NPRM, the Commission proposed to modify paragraph (3) of the Rule’s definition of collects or collection to clarify that it includes all means of passively collecting personal information from children online, irrespective of the technology used. The Commission sought to accomplish this by removing from the original definition the language ‘‘or use of any identifying code linked to an individual, such as a cookie.’’
The Commission received several comments supporting, and several comments opposing, this proposed change. Those opposing the change generally believed that this change somehow expanded the definition of personal information. As support for their argument, these commenters also referenced the Commission’s proposal to include persistent identifiers within the definition of personal information.
The Commission believes that paragraph (3), as proposed in the 2011 NPRM, is sufficiently understandable. The paragraph does nothing to alter the fact that the Rule covers only the collection of personal information. Moreover, the final Rule’s exception for the limited use of persistent identifiers to support internal operations— 312.5(c)(7)—clearly articulates the specific criteria under which an operator will be exempt from the Rule’s notice and consent requirements in connection with the passive collection of a persistent identifier. Accordingly, the Commission adopts the definition of collects or collection as proposed in the 2011 NPRM.
It appears that the FTC’s recent COPPA revisions suggest that website operators cannot rely on data collection by social media sites and other similar third-parties and avoid COPPA. Strict liability for website operators wasn’t intended to necessarily cover social media. But, it is illogical to think that operators can circumvent the requirements of COPPA when their actions are in essence no different then collecting personal information directly. If your business or your website is storing and/or using personal information from children provided to you via third-parties, assume COPPA applies.
Regardless, the outcome of the FTC complaint filed against Topps should conclusively answer this question. In the meantime, businesses, marketers, ad agencies and social media managers should take a hard look at the Ring Pops campaign and err on the side of caution.