Monthly Archives: January 2014

COPPA Parental Consent: A 101 Legal Guide

What are the COPPA parental consent rules? What is allowed and what is not?

IN THIS ARTICLE:

  • Allowable COPPA parental consent methods
  • The FTC approved a new consent option for the Children’s Online Privacy Protection Act
  • New COPPA parental consent method is based on knowledge-based authentication
  • KBA method beat out new “social-graphing” authentication method

Attention companies covered under the Children’s Online Privacy Protection Act: The FTC approved a new COPPA parental consent method. The nation’s consumer watchdog agency green lit Imperium LLC’s dynamic knowledge-based authentication system, ChildGuardOnline.

Quickly, What Is COPPA?

The Children’s Online Privacy Protection Act is one of the few Internet privacy laws in the United States. In short, it established a set of governing rules for online data collection and digital storage of people aged 13 and younger. One of the main COPPA components is parental consent. In the simplest terms, websites and apps must obtain parental consent before collecting, using or storing kids’ information. What are acceptable COPPA parental consent methods? Keep reading.

The Old (& Still Usable) COPPA Parental Consent Methods

Until now, the only FTC-approved “verifiable parental consent” options were:

  • Providing a downloadable consent form that the parent could sign and return — via U.S. mail, fax, or electronic scan;
  • Requiring parents to use a credit card, debit card or online payment system that notifies the cardholder of every transaction;
  • Providing a toll-free number to call;
  • Providing a video confirmation service;
  • Checking government ID against an FTC-approved database. (This method can only be used if you immediately delete the parent’s information after verification.)

The New Rules For COPPA Parental Consent

In 2013, the FTC updated COPPA regulations. Part of the “upgrade” involved expanding the list of allowable parental consent methods. According to the new rules, companies can “apply” to get an FTC “COPPA-validation stamp of approval” for their digital authentication platforms. Here’s how it works:

  1. First, a company submits a proposal to the FTC explaining their digital authentication system and why it would be an effective COPPA parental consent-friendly platform.
  2. Then, the FTC publishes the proposal and invites the public to submit any feedback about the application.
  3. When the comment period ends, the FTC reviews the proposal and public feedback; then the agency decides if the applicant’s platform is an acceptable COPPA parental consent product. After review, findings and a decision are posted online.

Has The FTC Rejected Any Other COPPA Parental Consent Applications?

Imperium is not the first company to apply for COPPA parental consent status. AssertID, another authentication company, also submitted their social media verification process for FTC review. Dubbed a “social-graph verification” scheme by the FTC, AssertID is a system wherein a parent’s social media “friend” verifies a parent’s identity. Unfortunately for AssertID, the commission rejected its proposal because it could not be “reasonably calculated” that the person giving consent was an actual parent or friend of the proper parental consent holder.

[Interesting business competition side note: AssertID’s proposal garnered 6 public responses – none of which were from Imperium. AssertID, however, did submit a comment for Imperium’s COPPA parental consent proposal and argued that its competitor’s program failed “to establish an adequate link between parent and child.” Additionally, AssertID argued, “The only link between the child and the parent is that implied by what is presumed to be the parent’s email address — there is no verification that this is in fact true. Although this weak implied link has been overlooked in the past, we feel that any new [consent] methods should be held to the requirement.”]

What Is Knowledge-Based Authentication?

We’ve become accustomed to online verification methods, like captchas. A typical verification method is called “knowledge-based authentication,” which requires respondents to either provide or verify personal information items in order to gain access to a private part of a website or application. There are two main types of knowledge-based authentication models, static KBAs and dynamic KBAs.

  • Static KBAs are based on “shared secrets”. When registering for an online service, a user will be asked to provide the answers to various security questions. In order to retrieve credentials, he or she is asked to provide answers to those questions. Oftentimes static KBA systems are used for online banking logins (i.e., what is your mother’s maiden name?).
  • Dynamic KBAs don’t require the user to have previous contact with a given site. Instead, the system automatically generates questions it culls in real time from public records. (Say What!? Yep.) Typically, the questions asked are considered “out of wallet” questions, meaning they aren’t queries someone could glean from either stealing or finding your wallet. Information is gathered from credit reports, marketing data and sometimes even social media.

What Stipulations Did the FTC Make About Acceptable COPPA parental consent options?

To thwart any budding Al Capones, the FTC demands that any new COPPA parental consent systems are “dynamic, multiple-choice questions with enough options to ensure that the chances of a child guessing the correct answers are low.” In addition, the commission will only consider systems wherein “the questions used are of sufficient difficulty that it would be difficult for a child in the household to figure out the answers.” If you have a website that could be used by a child aged 13 or younger, you must comply with all COPPA consent rules.

COPPA Lawyer

If you have a website that could be used by a child aged 13 or younger, you must comply with all COPPA parental consent rules. It is no longer good enough to include a disclaimer like, “You must be older than 13 to use this site,” in your terms of service policy. Speak with a qualified COPPA lawyer to ensure compliance. The few hundred dollars it will cost for counsel is far better than the boat loads you may have to pay if the FTC comes a’knocking. A COPPA compliance audit is quick, painless and affordable. Get in touch today to get started on your COPPA legal compliance review.

Is Section 230 of the CDA Done? Summary Of The Sarah Jones v. Dirty World Amicus Briefs

Section 230 of the Communications Decency Act may be in jeopardy of becoming obsolete.

Out of all the Internet laws, which is the most important? Many folks may give Section 230 of the Communications Decency Act (CDA) top honors. Some people have even speculated that Section 230 of the CDA is primarily responsible for turning the Internet into a thriving bazaar of business and innovation.

What Does Section 230 of the CDA Do?

What does the powerful statute do? Section 230 of the CDA says:

“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

Less legalese, you say? Basically, Section 230 of the CDA says you can’t blame hosting companies or website operators for defamatory statements posted by users, blog commentators or other third parties.

The Lawsuit That Could Decimate Section 230 of the CDA

At the end of 2013, a shocking district court decision had many people wondering if Section 230 of the CDA was about to be decimated – all thanks to a legal spat between an ex-NFL cheerleader and a prurient gossip site.

The case was Sarah Jones v. TheDirty.com. Jones had sued the website and its owner/operator, Nik Richie, for posting false statements of fact online. Since Mr. Richie had added a comment to the posting (“Why are all high school teachers freaks in the sack? – nik.”), Jones’ lawyers argued that doing so nullified Richie’s Section 230 protections. In the end, a judge ruled that Nik Richie was liable for a defamatory post. The judge reasoned that Richie “encouraged” and “ratified” the original defamatory post “by reason of the very name of the site, the manner in which it is managed, and the personal comments of defendant Richie.”

When news broke of the decision, to put it bluntly, the Section 230 shit hit the fan.

Eager to voice discontent, and alarmed by the implications of the district court’s Section 230 decision, many businesses and organizations banded together to create amicus curiae – friend of the court – briefs in support of Nik Richie and TheDirty.com. And on November 19, 2013, four different groups submitted four different amicus briefs to the court. Below is a summary of them.

What Is An Amicus Curiae?

Amicus curiae briefs, also known as “Friend of the Court” briefs, are prepared by a third party that is not involved in a given lawsuit but has a vested interest in its outcome. Usually, an amicus curiae brief offers information related to the case in an effort to assist a court.

Opinion Corp. Pissedconsumer.com

Opinion Corp (a.k.a., pissedconsumer.com) filed an amicus brief in response to the Sarah Jones defamation victory over Nik Richie and TheDirty.com. Its main points are as follows:

  1. “Immunity is not forfeited unless the interactive service provider actively participates in the creation or development of the specific illegal content posted by the third party.”
  2. Since Nik Richie’s amendment was not a false statement of fact, and was added after the fact, it should not be considered defamatory.
  3. The District Court held that the mere nature and name of the website “encouraged” defamation. The Opinion Corp. friend of the court filing opines that the addition of “encouragement” as “an acceptable over rider of Section 230 of the CDA means judges will have free right to analyze websites based on” site names and subjects.
  4. Since Section 230 of the CDA specifically prohibits protection for copyright infringement, “analogizing contributory copyright infringement to ‘encouraging defamation’ is also misplaced.”
  5. The “Congressional intent” of Section 230 of the CDA is to “provide broad immunity for website operators.”
  6. “Non-defamatory responses are not part of defamatory statements and do not affect immunity.”

Online Service Providers Amicus Brief

Amazon, AVVO, Buzzfeed, Cable News Network, Curbed.com, Gawker Media, Magazine Publishers of America, The McClatchy Company, The Reporters Committee for Freedom of the Press, TripAdvisor, Yahoo and Yelp also submitted a joint friend of the court brief. Its main points are summarized below.

  1. In Jones v. Dirty World Entertainment Recordings LLC, “The court suggested that a website can be liable just because it selects posts to publish, does not verify their accuracy, and fails to remove them upon notice. But these are all ‘publisher’ functions with Section 230’s scope.”
  2. Affirming the current district court ruling would be disastrous because “if it is upheld, providers will have the perverse incentive not to review third party content at all, for fear of liability.”
  3. In the past, eight circuit courts endorsed a “broad immunity stance” that should be upheld as the standard.
  4. The district court’s ruling is dangerous because it means that “if a judge or jury finds that a website is somehow offensive and encourages users to submit content, the website provider loses immunity.”

Social Media Amicus Brief

eBay, AOL, Facebook, Google, LinkedIn, Microsoft, Tumblr, Twitter and Zynga also joined forces in an amicus curiae brief focusing on Jones v. Dirty World Entertainment Recordings LLC. What did the social media giants have to say? Bullet points are below.

  1. “The protection afforded by Section 230 of the CDA has been and remains critical to the development and robustness of the Internet and interactive services…”
  2. The Jones court based its decision largely on Fair Housing Council v. Roommates.com LLC. The brief, however, argues that the case was misapplied in this instance because the Roommates opinion makes clear that so long as an ISP “does not itself participate” in creating or developing content, it should be able to claim immunity under Section 230 of the CDA.
  3. Appealing to economic sensibilities, the social media-backed brief hammers home the idea that Section 230 creates an environment which allows the Internet to be “a medium for free expression and commerce.”
  4. Warns that if the Jones verdict stands as is, moving forward, free speech would be jeopardized because folks “would have little choice but to yield to a ‘heckler’s veto.’”

Amicus Briefs For Non Profits

The American Civil Liberties Union, ACLU of Kentucky, Electronic Frontier Foundation, Center for Democracy and Technology, Digital Media Law Project, Public Participation Project, Wendy Seltzer and Adam Holland also got in on the Jones v. Dirty World Entertainment Recordings LLC amicus brief action.

The associations’ brief reiterated much of what other concerned parties argued. They even acquiesced that “[a]ppellant TheDirty.com hosts frequently offensive – and indeed, sometimes actionable – gossip.” Notably, the watchdog groups reminded readers that “removing websites from the legal line of fire when their users engage in actionable behavior was one of the primary motivations behind the enactment of Section 230.”

Do you run an online business that is being sued for defamation? Or maybe you are looking to file a defamation lawsuit against an online operation? Kelly Warner Law handles both plaintiff- and defendant-side Internet libel lawsuits. Our track record is excellent. We know how to handle situations swiftly, so you can get back to business sooner. Get in touch today.

FTC: Be More Precise In Your EULAs and Privacy Policies

If you’re running a “just legal” data collection operation, or if some portion of your revenue stream involves selling customer data, stop what you’re doing and pay attention for the next five minutes — it could save you a lot of hassle in the near future.

The Federal Trade Commission has made it clear that it’s tightening the reins when it comes to the wording of end user license agreements (EULAs) and privacy policies.

How Typical Data Collection and Sale Businesses Work

Goldenshores Technologies maintained a lucrative (if not standard) Internet business operation:

  1. It offered a free Android app called, “Brightest Flashlight Free;”
  2. It collected information about everybody who downloaded the program, and then
  3. Goldenshores sold the data to 3rd party marketers.

The people loved the app and downloaded it millions of times over. (Not surprising when you consider that LED phone flashlights are the new “concert candle”.) To consumers, “Brightest Flashlight Free” served both a utilitarian – and perhaps aesthetic – purpose. But many users didn’t realize that every time they used it, the app gathered geolocation data, in conjunction with a device identifier, and bundled the data for third party ad networks. Cha-ching.

But the FTC felt Goldenshores was less than honest about how, when and why the information was collected.

So, the consumer agency announced a consent order regarding the “Brightest Flashlight Free” application. What made the announcement noteworthy is that it didn’t focus on what Goldenshores’ policy said, but rather what it didn’t say.

The FTC’s main issues with the app:

  1. The company’s failure to inform customers clearly that the app collected and distributed precise geolocation info coupled with the phone’s identifier. The combination allowed third party marketers to match individuals with devices.
  2. The application presented users a no-share option, but before that choice was presented, the information had already been collected, rendering the opt-out useless.
  3. The Brightest Flashlight Free privacy policy was vague. Even though it did list a few ways in which Goldenshores may use data, it didn’t disclose that said information would be sent to third party advertisers.

Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, explained the commission’s stance succinctly by stating, “But this flashlight app left them in the dark about how their information was going to be used.”

In an unusual step for the agency – and perhaps a harbinger of what to expect from the FTC under Edith Ramirez’s stewardship – the commission didn’t just offer murky platitudes. Instead, the FTC outlined exactly what Goldenshores had to do to become compliant, thereby making clear the exact standard for geolocation app privacy disclosures.

So what verbiage does the FTC require for geolocation app privacy policies? Basically, the FTC now requires a clear-worded disclosure, appearing before the transfer of any information, which explains to consumers:

  1. How data is collected;
  2. How data is used;
  3. How data is stored;
  4. Who sees the data;
  5. Who data is shared with or sold to (if any); and
  6. Why data is collected.

App Developer Lawyer

Are you a developer in need of an attorney? Kelly Warner represents all kinds of tech startups and established online businesses. We’re not an old-school firm — and we don’t boast of Internet law expertise just because we know how to use Facebook. We’re a firm made up of affiliate marketers, gamers and even programmers — who also happen to be top-rated attorneys.

Get in touch today. Kelly Warner is ready to help smooth things for your digital or Internet-based business.