Reed Smith LLP

Reed Smith Client Alerts

COPPA Update: Ask and Ye Shall Receive…Actual Knowledge

Subscribe
Home Perspectives COPPA Update: Ask and Ye Shall Receive…Actual Knowledge

Authors: John P. Feldman

Online services that ask for the age of users as part of the registration process will be deemed to have “actual knowledge” of that information. Whether or not one’s site is directed to children, a registration process that includes an age field effectively turns the process into an “age filter,” which must be operational to avoid the risk of violating COPPA.

Illustrating this point, Yelp, Inc. has settled allegations made by the FTC that it violated the Rule enforcing the Children’s Online Privacy Protection Act (COPPA), according to an FTC press release announced September 17, which also stated that Yelp agreed to pay a $450,000 civil penalty for the Rule violation. According to the complaint filed by the FTC in the U.S. District Court for the Northern District of California, the violation stems from a determination that Yelp had “actual knowledge” that children younger than 13 were accessing and registering with the Yelp website, and they provided personal information to Yelp, including full names and email addresses. Users who registered were also able to post reviews and other information on the website.

But Yelp Isn’t Geared to Children, Right? This case is interesting because it focuses on the “actual knowledge” prong of the definition of a “website directed to children.” There is no allegation that Yelp is primarily directed to children (contrasting with another action announced on the same day involving TinyCo, Inc., an app developer who offered apps with themes that were appealing to children, used simple language, and could reasonably be deemed “directed to children” under the Rule). Moreover, the FTC does not suggest that this is a mixed site that is targeted at a range of ages including children, but not primarily so. Rather, the FTC focused on the alleged facts that indicated that users came to the site and, despite the Yelp privacy policy that states the service is “for general audiences and is not directed to children under 13,” it included a field within its registration process that captured birth date.

Importantly, this case is really only focused on Yelp’s mobile app. According to the complaint, on the Yelp Internet website, Yelp has always employed an age filter. But according to the FTC allegations, when Yelp introduced its app in 2009, the registration feature on the app did not have an age filter. In 2010, Yelp did some testing using a third-party organization to verify its privacy compliance; but, unfortunately, the vendor erroneously informed Yelp that the iOS application prohibited registrations from users under the age of 13. Yelp did not test the Android version, according to the complaint, and in fact on both platforms, users who were younger than 13 could register.

Thus, a small percentage of users who were younger than 13 (amounting to thousands according to the complaint) and who accessed the Yelp service via the mobile app, were registering by providing their birth dates and other personal information. On the basis of these facts, the FTC alleged that Yelp had “actual knowledge” that it was collecting personal information from children under 13 years of age in violation of COPPA.

The FTC’s Definition of “Targeted to Children” Under COPPA, a “Web site or online service directed to children” is a commercial website that is “targeted to children.” A website can be “targeted to children” if it determined to be so based on an extrinsic examination of the site. The FTC looks at things like visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, and the presence of child celebrities or celebrities who appeal to children. The FTC can also look at empirical data concerning the makeup of the audience for the site. A website will not be deemed to be targeted to children if it meets the criteria for “targeted to children” in an extrinsic examination, but (1) does not target children as its primary audience; and (2) employs a filter that ensures that the site does not collect personal information from any visitor prior to collecting age information, and then prevents the collection, use, or disclosure of personal information from persons who have identified themselves as younger than 13.

There is another way in which the FTC will deem the site “directed to children”: “A Web site or online service shall be deemed directed to children when it has actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.” (Emphasis added.) Thus, if an operator of a website actually knows that it’s collecting personal information from children younger than 13, it cannot avoid liability simply because the site is not directed to children in any way.

There is no definition of “actual knowledge” in the Rule itself. However, the FTC staff has articulated some guidelines for assessing whether one might have “actual knowledge” that children are accessing and providing personal information.

In its FAQs, the Commission staff has addressed a few scenarios that help flesh out how the “actual knowledge” standard can be applied:

  • In the context of an ad network, how would one know that the network is collecting personal information from children under 13? The Commission staff states that it believes the “actual knowledge” standard will “likely be met” where a child-directed content provider directly tells the ad network of the child-directed nature of the content, or where a representative of the ad network actually “recognizes” the child-directed nature of the content. This highly fact-specific discussion has implications for the relationship between websites and ad networks, but it doesn’t tell us much about what a non-child-directed website should do if kids actually register for the service by supplying their birth dates.
  • In the context of a general audience gaming site where the operator does not ask visitors to reveal their ages, at what point might the operator gain “actual knowledge”? The FTC suggests that if in the course of dealing – such as in responding to an email or in a feedback option – the operator learns that the person it is corresponding with is a child under 13, it is deemed to have “actual knowledge” with regard to that person.
  • In the context of a general audience online service where the operator never asks for age, but where users can create their own blog pages or participate in online forums, does the operator gain “actual knowledge” when a child registers for the site without revealing his age and does not ask visitors to reveal their ages? What happens when the operator receives some notice from a parent or actually learns that one of the users is a child? If there is no age or birth date field in the registration process, then there is no “actual knowledge.” But according to the FTC, if the operator gets a report from “a concerned parent who has discovered that her child is participating on the site,” or if the operator knows that a particular visitor is a child, then the requirements of COPPA kick in with regard to that child. Note that in this FAQ, the FTC does not go so far as to say that the operator has a duty to monitor the blog pages and forums to look for evidence that a person participating is a child. In fact, the FTC suggests that if a child were to announce her age on a post but no one at the operator’s organization is aware of it, then the fact that the operator may have collected and used the personal information of that child is probably not a COPPA violation, because the operator would not have “actual knowledge.”

Key Takeaways from the Yelp Case The FTC staff also fleshes out its “guidance” through enforcement actions, which is what happened in the Yelp case. It is not entirely clear from the complaint and descriptions provided by the staff in a blog about the case whether Yelp intended that its registration process through the app would act as an age filter, or whether the company did not employ a filter at all on its app platform. Regardless, the fact that Yelp asked for information, e.g., date of birth, was really the critical factor. Once Yelp had obtained that information, a simple programming loop could have identified the user as a child younger than 13. Thus, this was not a situation where Yelp was being held responsible for a disclosure of age in a customer review, for example. It was a situation where it created an input field within the registration process that requested and received the exact information that would permit it to know whether that user was younger than 13 years of age. It was for that reason that Yelp was deemed to have had “actual knowledge” that children were providing personal information, and it apparently took too long for Yelp to recognize this and bring its privacy practices into compliance with COPPA.

An online service such as Yelp that permits millions of users to access the site and provide personal experiences and content, and to obtain the views and ratings of others to help one make a purchasing decision, should not be turned into a child-directed site without “actual knowledge” that it is collecting personal information from children. But, when you ask for information, you likely will be deemed to have knowledge of that information.

 

Client Alert 2014-244