Latest FTC Privacy Happenings

The Federal Trade Commission has announced that it is seeking research presentations on consumer privacy and security issues – with a particular focus on health applications – for the FTCs annual PrivacyCon, which will take place on July 21, 2020.

According to one FTC defense lawyer, the agency’s focus this time around is on the privacy of health data collected, stored and transmitted by mobile applications.

The call for presentations seeks research responding to several questions, including:

What are the risks to consumer data, particularly data held by health apps, and how does the risk vary by product and data type?

Which products are transmitting user data to third parties, who are the recipients, what are the data, and what are the apparent purposes for these transmissions?

Has empirical work assessed consumer perception of the privacy and security of products that handle sensitive information? What factors affect that perception (e.g., endorsement by a credible organization, popularity, representations in the privacy policy, claims in a user interface, paid versus non-paid version)? Are consumer perceptions of the privacy and security of products accurate? How do we know?

What are the tradeoffs between product functionality (including the ability to combine data from various devices) and increased security or increased privacy protections?

Are there unique attributes or characteristics of apps that collect, store, or transmit health data that merit special attention or focus?

It is anticipated that PrivacyCon will bring together a diverse group of stakeholders, including researchers, academics, industry representatives, consumer advocates, FTC attorneys and government officials, to discuss the latest research and trends related to consumer privacy and data security.

COPPA Workshop

The FTC recently held a workshop to discuss possible updates to the Children’s Online Privacy Protection Act. COPPA was enacted in 1998 with the intention of regulating how entities collect data and personal information online from children under the age of 13.

Given technological advances, more than one FTC CID attorney believes that the agency has big plans to modernize the rule. While FTC staff have been relatively tight-lipped about what a revised rule would look like, FTC attorney Phillips warned against regulation’s potential for chilling effects on technological advancement.

Nevertheless, most of the workshop’s participant’s agreed that COPPA needs to be updated and be enforced aggressively. For example, many seek enhanced clarification regarding how to determine if a service is child-directed.

Commissioner Noah Phillips’ also commented that in 1998, when Congress enacted COPPA, technology looked quite different. At that time, a major concern was that children were providing their personal information through website registration forms and surveys, or posting contact information on electronic bulletin boards.

“Unlike the phone ringing or the mail carrier arriving, parents could not observe these communications. The first three cases the FTC brought under the COPPA Rule are illustrative. The website targeted girls aged 9 to 14, and offered features such as online articles and advice columns, contests, and pen-pal opportunities. Partnering with and Looksmart, the Girlslife website also offered children free email accounts and online message boards. In these three cases, the FTC alleged that the defendants each collected children’s full names and home addresses, email addresses and telephone numbers. None of these websites posted privacy policies that complied with COPPA or obtained the required consent from parents before collecting this information.”

Commissioner Phillips further commented that “[i]n 1998, social networks, smartphones, geolocation, and static IP addresses were barely on the horizon. However, by 2010, the FTC recognized that changes to the online environment, including children’s use of mobile technology to access the Internet, warranted another look at whether the Rule was sufficient.”
In December 2012, after a thorough notice and comment process, the FTC announced amendments to the COPPA Rule, which addressed changes to the technology landscape.

Among other things, the amended COPPA Rule updated the definition of personal information to include geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice. The amended COPP Rule was expanded to cover persistent identifiers that can recognize users over time and across different websites and online services, such as IP addresses and mobile device IDs.

The amendments also made clear that the COPPA Rule covered child-directed sites or services that integrate outside services, such as plug-ins or advertising networks that collect personal information from its visitors. In addition, the amendments also clarified that if plug-ins or ad networks have actual knowledge that they are collecting personal information from a child-directed website or online service, they must also comply with the COPPA Rule.

As the FTC considers whether the COPPA Rule needs further amendment, Commissioner Phillips believes that the FTC must keep in mind the original congressional intent behind COPPA, that any rulemaking must be grounded in facts and that the focus should be on the impact that conduct being (or to be) regulated actually has, and in particular whether it causes harm.

Contact an experienced FTC defense attorney if you have questions about complying with the COPPA Rule, or if you are the subject of an FTC investigation or enforcement action.

Richard B. Newman is an FTC defense attorney at Hinch Newman LLP.

Attorney Advertising. Informational purposes only. Not legal advice.