Andrew Lustigman Quoted in Law360 on the FTC’s Stringent Review of COPPA
Andrew Lustigman, head of Olshan’s Advertising, Marketing & Promotions Practice Group, was quoted in a Law360 (subscription required) article on the FTC’s call for a review of its child privacy rules and the effect those changes could have on compliance for website operators and app developers. Prompted by rapid technological advancements, the review seeks to evaluate changes made six years ago to the Children’s Online Privacy Protection Act, which took effect in 2000. The federal law requires child-directed websites to obtain consent before collecting, using, or disclosing personal information from anyone under 13, with penalties for violators up to $41,484 per violation. Now, the FTC is seeking comment on the law’s definitions, notice, and parental consent requirements, as well as on exceptions to verifiable parental consent and its safe harbor provision, which grants companies meeting the requirements of a certified program immunity from enforcement action. A significant goal of the review is in determining whether a website or online service is directed toward children and thus is covered by COPPA. “Probably the biggest impact [of the FTC’s review],” Mr. Lustigman said, “will be on websites that are not directed at children, but have a high usage by them. I would expect there to be pressure to develop an enhanced standard applicable to these sites. The burden will likely be on the site owners to continue to monitor their audience and take steps to modify their data collections practices.” Indeed, the FTC has voiced concerns about third party content uploaded to general audience platforms, which has not traditionally been covered by COPPA. Considering new laws like the EU’s General Data Protection Regulation and California’s Consumer Privacy Act (effective in 2020) (read our AMP blog post on the GDPR and CCPA here), coupled with the likely enforcement expansion from the FTC’s review of COPPA, companies must increase their efforts to remain compliant when handling personal data that may belong to children.