Privacy & Information Security Law Blog

On May 23, the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved a revised draft of the American Privacy Rights Act (“APRA”), which includes significant changes from the initial discussion draft.

On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the latest federal privacy proposal, known as American Privacy Rights Act (“APRA” or the “Act”). The APRA builds upon the American Data Privacy and Protection Act (“ADPPA”), which was introduced as H.R. 8152 in the 117th Congress and advanced out of the House Energy and Commerce Committee but did not become law. As the latest iteration of a federal privacy proposal, the APRA signals that some members of Congress continue to seek to create a federal standard in the wake of—and in spite of—the ever-growing patchwork of state privacy laws.

On April 9, 2024, Representatives Tim Walberg (R-MI) and Kathy Castor (D-FL) introduced the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0.”) The bill serves as a companion to the Senate bill by the same name.

On March 29, 2024, the Federal Trade Commission announced its decision to deny, without prejudice, an application for approval of a “Privacy-Protective Facial Age Estimation” mechanism for obtaining parental consent under COPPA.

On March 8, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) filed its response to the Federal Trade Commission’s notice of proposed rulemaking (“NPRM”), which addresses amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).

Hunton Andrews Kurth is hosting a webinar discussing the Federal Trade Commission’s proposed revisions to the Children’s Online Privacy Protection Rule (i.e., the COPPA Rule) on February 20, 2024, at 12:00 p.m. (ET). Hunton partners Phyllis Marcus and Lisa Sotto will discuss the FTC’s recent proposal to strengthen federal protections for children’s privacy and the implications of the new changes, if enacted, for organizations. 

On December 20, 2023, the FTC issued a Notice of Proposed Rulemaking (“Notice”), which would bring long-anticipated changes to the children’s online data privacy regime at the federal level in the U.S. The Notice sets forth several important proposals aimed at strengthening the Children’s Online Privacy Protection Act Rule (“COPPA Rule”). The COPPA Rule has not been updated since 2012. The FTC received over 176,000 comments in response to its call to comment on updating the COPPA Rule.

On May 22, 2023, the Federal Trade Commission filed an amicus brief in support of a ruling by the United States Court of Appeals for the Ninth Circuit that COPPA does not preempt state laws claims that are consistent with COPPA.

On May 22, 2023, the Federal Trade Commission announced a proposed order against education technology provider Edmodo, LLC (“Edmodo”) for violations of the Children’s Online Privacy Protection Rule (“COPPA Rule”) and Section 5 of the FTC Act.

On February 6, 2023, Texas State Representative Giovanni Capriglione submitted H.B. 1844, a comprehensive privacy bill modeled after the Virginia Consumer Data Protection Act (“VCDPA”). The bill could make Texas the sixth U.S. state to enact major privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut. Although the bill closely follows the VCDPA, it departs from the Virginia law in several key areas, most notably in the definition of “personal data” and its applicability.

On December 19, 2022, the Federal Trade Commission announced two settlements, amounting to $520 million, with Epic Games, Inc. in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (the “COPPA Rule”) and alleged use of “dark patterns” relating to in-game purchases.

On December 7, 2022, the Federal Trade Commission released an updated Mobile Health App Interactive Tool to help developers determine what federal laws and regulations apply to apps that collect and process health data. The updated version of the tool, which revises the initial release in 2016, aims to assist developers of mobile apps that will access, collect, share, use or maintain information related to an individual consumer’s health, such as information related to diagnosis, treatment, fitness, wellness or addiction.

On October 26, 2022, House Energy and Commerce Committee and Consumer Protection and Commerce Subcommittee leaders (“Committee Leaders”) sent letters to several toy manufacturers, including Bandai Namco, Hasbro, Mattel, MGA Entertainment, LEGO Group and the Toy Association, asking how they plan to protect children and their information from BigTech companies like TikTok and YouTube. Given the shift of marketing efforts from traditional television outlets to social media platforms, Committee Leaders are concerned about failure to protect children’s privacy, security and mental health on social media platforms.

On September 7, 2022, the Children’s Advertising Review Unit (“CARU”) of BBB National Programs announced its finding that Tilting Point Media, LLC (“Tilting Point”), owner and operator of the SpongeBob: Krusty Cook-Off app (the “App”), violated the Children’s Online Privacy Protection Act (“COPPA”) and CARU’s Self-Regulatory Guidelines for Advertising and for Children’s Online Privacy Protection (“CARU’s Guidelines”). CARU has recommended a variety of corrective actions with respect to Tilting Point’s advertising and privacy practices.

On August 25, 2022, the FTC issued its Federal Trade Commission Report to Congress on COPPA Staffing, Enforcement and Remedies. The document was prepared in response to the joint explanatory statement accompanying the Consolidated Appropriations Act of 2022, which directed the FTC to provide a report detailing (1) the current amount of resources and personnel focused on enforcing the COPPA Rule; (2) the number of investigations into violations of the COPPA Rule in the past five years; and (3) the types of relief obtained, if any, for completed COPPA investigations.

On July 6, 2022, the Better Business Bureau National Programs’ Children’s Advertising Review Unit (“CARU”) announced that it had found Outright Games in violation of the Children’s Online Privacy Protection Act (“COPPA”) and CARU’s Self-Regulatory Guidelines for Advertising and Guidelines for Children’s Online Privacy Protection. Outright Games owns and operates the Bratz Total Fashion Makeover app, which CARU determined to be a “mixed audience” child-directed app subject to COPPA and CARU’s Guidelines due to the app’s subject matter, bright colors, visual content, lively audio and gameplay features.

On July 11, 2022, the Federal Trade Commission’s Bureau of Consumer Protection issued a business alert on businesses’ handling of sensitive data, with a particular focus on location and health data. The alert describes the “opaque” marketplace in which consumers’ location and health  data is collected and exchanged amongst businesses and the concerns and risks associated with the processing of such information. The alert specifically focuses on the “potent combination” of location data and user-generated health and biometric data (e.g., through the use of wellness and fitness apps and the sharing of face and other biometric data for app/device authentication purposes). According to the alert, the combination of location and health data “creates a new frontier of potential harms to consumers.”

On April 19, 2022, the California state legislature and an industry self-regulatory group each separately took steps to enhance online privacy protections for children who are not covered by the Children’s Online Privacy Protection Act (“COPPA”), which applies only to personal information collected online from children under the age of 13.

On March 25, 2022, the U.S. District Court for the Northern District of Illinois approved a $1.1 million settlement with TikTok Inc. (“TikTok”) to resolve claims that TikTok collected children’s data and sold it to third parties without parental consent. The plaintiffs sued TikTok in 2019, alleging that TikTok did not seek verifiable parental consent prior to collecting personal information of children under 13 on the popular video platform in violation of the Children’s Online Privacy Protection Act. The complaint further alleged that TikTok disclosed and sold user data, including lip-syncing videos created by children who used a TikTok-affiliated app called Musical.ly, to third parties, without parental consent. The $1.1 million settlement will be distributed among class members, who consist of U.S. users who, prior to the settlement’s effective date and while under the age of 13, registered for or used TikTok or Musical.ly.

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

On March 1, 2022, President Biden, in his first State of the Union address, called on Congress to strengthen privacy protections for children, including by banning online platforms from excessive data collection and targeted advertising for children and young people. President Biden called for these heightened protections as part of his unity agenda to address the nation’s mental health crisis, especially the growing concern about the harms of digital technologies, particularly social media, to the mental health and well-being of children and young people. President Biden not only urged for stronger protections for children’s data and privacy, but also for interactive digital service providers to prioritize safety-by-design standards and practices. In his address, President Biden called on online platforms to “prioritize and ensure the health, safety and well-being of children and young people above profit and revenue in the design of their products and services.” President Biden also called for a stop to “discriminatory algorithmic decision-making that limits opportunities” and impacts the mental well-being of children and young people.

On January 7, 2022, U.S. Representatives Kathy Castor (D-Fla.) and Jan Schakowsky (D-Ill.), members of the House Committee on Energy and Commerce, wrote to all of the Children’s Online Privacy Protection Act (“COPPA”) Safe Harbor programs to request information about each program to ensure “participants in the program are fulfilling their legal obligations to provide ‘substantially the same or greater protections for children’ as those detailed in the COPPA Rule” and “to solicit feedback” regarding “ways in which Congress can strengthen COPPA and the COPPA Rule.”

On December 15, 2021, the Federal Trade Commission announced a $2 million settlement with OpenX Technologies (“OpenX”) in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) and the FTC Act. According to the FTC’s complaint, OpenX knowingly collected personal information from children under age 13 without parental consent, and collected geolocation data from users of all ages who opted out of being tracked.

On November 17, 2021, the Senate Committee on Commerce, Science, and Transportation held its confirmation hearing on FTC Commissioner nominee, Alvaro Bedoya.

On October 8, 2021, Senator Ed Markey (D-Mass) and Representatives Kathy Castor (D-Fla) and Lori Trahan (D-Mass) penned a letter to Chair of the Federal Trade Commission Lina Khan, urging the agency to ensure that companies uphold the commitments made in their children’s privacy notices and “hold them accountable if they fail to do so.” In the letter, the lawmakers noted that many technology companies have recently announced updates to their respective platforms’ policies that are intended to enhance children and teen protections in compliance with the UK’s Age Appropriate Design Code (“AADC”), which took effect on September 2, 2021.

On August 25, 2021, New Mexico Attorney General (“AG”) Hector Balderas sued Rovio Entertainment (“Rovio” or the “Company”), the developer of the popular Angry Birds mobile app games, alleging that the Company violated the federal Children’s Online Privacy Protection Act (“COPPA”) by knowingly collecting data from players under age 13 and sharing it with advertisers. Under COPPA, developers of child-directed apps are required to provide notice to parents of their data collection practices and obtain verifiable parental consent to collect personal information from children under 13.

The Children’s Advertising Review Unit (“CARU”), a part of a part of the Better Business Bureau National Programs (“BBBNP”), released its revised Children’s Advertising Guidelines (the “Guidelines”) earlier this month. The Guidelines, which contain some notable changes, will go into effect in January 2022.

On July 29, 2021, U.S. Representative Rep. Kathy Castor (D-Florida), a member of the House Energy and Commerce Committee, reintroduced the Protecting the Information of our Vulnerable Children and Youth Act (the “Bill”). The Bill would update the Children’s Online Privacy Protection Act (“COPPA”) to, among other requirements: (1) cover teens ages 13-17; (2) expand the categories of information considered to be “personal” (to include physical characteristics, biometric information, health information, education information, contents of messages and calls, browsing and search history, geolocation information, and latent audio or visual recordings); (3) prohibit companies from targeting online advertising to children and teens based on their personal information and behavior; (4) require opt-in consent to process personal information collected from all individuals under age 18; (5) strengthen Federal Trade Commission enforcement of COPPA; (6) provide a private right of action to parents of children and teens; and (7) eliminate the FTC’s recognition of self-regulatory COPPA safe harbor programs.

On May 11, 2021, Senators Edward Markey (D-MA) and Bill Cassidy (R-LA) introduced the Children and Teens’ Online Privacy Protection Act (the “Bill”). The Bill, which would amend the existing Children’s Online Privacy Protection Act (“COPPA”), would prohibit companies from collecting personal information from children ages 13 to 15 without their consent.

On November 27, 2020, New Mexico Attorney General Hector Balderas filed a notice of appeal to the U.S. Court of Appeals for the Tenth Circuit in the lawsuit it brought against Google on February 20, 2020, regarding alleged violations of the federal Children’s Online Privacy Protection Act (“COPPA”) in connection with G-Suite for Education (“GSFE”). As we previously reported, the U.S. District Court of New Mexico had granted Google’s motion to dismiss, in which it asserted that its terms governed the collection of data through GSFE and that it had complied with COPPA by using schools both as “intermediaries” and as the parent’s agent for parental notice and consent, in line with Federal Trade Commission Guidance.

On September 25, 2020, the District Court of New Mexico granted Google’s motion to dismiss a lawsuit filed on February 20, 2020, by New Mexico Attorney General Hector Balderas alleging, among other claims, that the company violated the federal Children’s Online Privacy Protection Act (“COPPA” or the “Act”) by using G Suite for Education to “spy on New Mexico students’ online activities for its own commercial purposes, without notice to parents and without attempting to obtain parental consent.”

UPDATE: On September 29, 2020, California Governor Gavin Newsom vetoed AB 1138.

On September 8, 2020, AB 1138, the Parent’s Accountability and Child Protection Act, was enrolled and presented to the California Governor for signature. If signed into law by the Governor, the bill would require a business that operates a social media website or application, beginning July 1, 2021, to obtain verifiable parental consent for California-based children that the business “actually knows” are under 13 years of age (hereafter, “Children”). The bill defines “social media” to mean an electronic service or account held open to the general public to post, on either a public or semi-public page dedicated to a particular user, electronic content or communication, including but not limited to videos, photos or messages intended to facilitate the sharing of information, ideas, personal messages or other content.

On June 24, 2020, the Washington State Attorney General (“Washington AG”) announced that it had settled an enforcement action against the owners of the “We Heart It” social media platform for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and the Washington State Consumer Protection Act. Under the consent decree, the defendants must pay $100,000, with an additional $400,000 suspended contingent upon compliance with the consent decree.

The Federal Trade Commission (“FTC”) announced its latest Children’s Online Privacy Protection Act (“COPPA”) settlement with California-based app developer HyperBeard and its individual principals. According to the FTC, since at least 2016, HyperBeard has offered a number of child-directed mobile apps, with names like BunnyBuns, KleptoCats and NomNoms that featured brightly colored, animated characters, such as cats, dogs, bunnies, chicks, monkeys and other cartoon characters, and that are described in child-friendly terms like “super cute” and “silly.” These apps are free to download and play, but they generate revenue through in-app advertising and purchases. The FTC alleges that the defendants were aware that children were using their apps, and that they promoted them to child audiences on a kids’ entertainment website, through children’s books and through the merchandizing of officially licensed plush stuffed animals and toys. Defendants allowed third-party ad networks to collect persistent identifiers from children in order to serve them with interest-based ads without parental notice or consent, in violation of COPPA.

On May 19, 2020, the Federal Trade Commission (“FTC”) announced that it reached an agreement with Swiss digital game developer Miniclip, S.A. (“Miniclip”) to settle allegations that Miniclip misled consumers about its membership in a COPPA safe harbor program.

On October 22, 2019, the Federal Trade Commission announced that, for the first time, it has brought a case against a developer of “Stalking” Apps. The agency alleges that Retina-X Studios, and its owner, James N. Johns, Jr., developed and marketed three apps that allowed purchasers to surreptitiously monitor the movements and online activities of users of devices on which the apps were installed without the knowledge or permission of the device’s user. The FTC also alleges that the app developer took steps to ensure that a device user would not be aware that the app had been installed, bypassing mobile device manufacturers’ security restrictions and leaving the device vulnerable to cybersecurity risks. The apps were marketed as tools for monitoring the behavior of employees and children. The FTC further alleges that the app developer issued policies that made inaccurate representations regarding the security of their online systems, which were recently found to have been hacked twice during earlier incidents.

As an update to our previous blog posts, the FTC announced that it and the New York Attorney General reached a $170 million agreement with Google to resolve allegations that the company violated COPPA through its YouTube platform. Under the agreement, Google will pay $136 million to the FTC and $34 million to New York. The FTC voted 3-2 to authorize the action.

According to media reports, the Federal Trade Commission has approved a multimillion dollar fine as part of a settlement with Google related to the FTC’s investigation into YouTube’s children’s data privacy practices. The FTC found that, in violation of COPPA, Google had failed to adequately protect children under 13 who used the video-streaming service and improperly collected their data.

On July 17, 2019, the Federal Trade Commission published a notice in the Federal Register announcing an accelerated review of its Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”), seeking feedback on the effectiveness of the 2013 amendments to the Rule, and soliciting input on whether additional changes are needed. Citing questions regarding the Rule’s application to the educational technology sector, voice-enabled connected devices, and general audience platforms that host child-directed content, the FTC indicated that it was moving up its review from a standard 10-year timeframe. The Commission vote to conduct the Rule review was unanimous, 5-0.

On May 6, 2019, the Federal Trade Commission announced that Meet24, FastMeet and Meet4U—three dating apps owned by Ukrainian-based company Wildec LLC—were removed from the Apple App Store and Google Play Store following an FTC letter alleging that the apps potentially violated the Children’s Online Privacy Protection Act (“COPPA”) and the Federal Trade Commission Act (“FTC Act”). According to the letter and contrary to what was claimed in their privacy policies, the apps, which collect dates of birth, email addresses, photographs and real-time location date, failed to block users who indicated they were under the age of 13.

On April 24, 2019, the Federal Trade Commission announced two data security cases involving online operators—one, an online rewards website, and the second, a dress-up games website—that were alleged to have failed to take reasonable steps to secure consumers’ data, which allowed hackers to breach both websites.

On December 4, 2018, the New York Attorney General (“NY AG”) announced that Oath Inc., which was known as AOL Inc. (“AOL”) until June 2017 and is a subsidiary of Verizon Communications Inc., agreed to pay New York a $4.95 million civil penalty following allegations that it had violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting and disclosing children’s personal information in conducting online auctions for advertising placement. This is the largest-ever COPPA penalty.

On August 13, 2018, the Federal Trade Commission approved changes to the video game industry’s safe harbor guidelines under the Children’s Online Privacy Protection Act (“COPPA”) Rule. COPPA’s “safe harbor” provision enables industry groups to propose self-regulatory guidelines regarding COPPA compliance for FTC approval. 

On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.

On May 31, 2018, the Federal Trade Commission published on its Business Blog a post addressing the easily missed data deletion requirement under the Children’s Online Privacy Protection Act (“COPPA”).

On April 27, 2018, the Federal Trade Commission issued two warning letters to foreign marketers of geolocation tracking devices for violations of the U.S. Children’s Online Privacy Protection Act (“COPPA”). The first letter was directed to a Chinese company, Gator Group, Ltd., that sold the “Kids GPS Gator Watch” (marketed as a child’s first cellphone); the second was sent to a Swedish company, Tinitell, Inc., marketing a child-based app that works with a mobile phone worn like a watch. Both products collect a child’s precise geolocation data, and the Gator Watch includes geofencing “safe zones.”  

On February 5, 2018, the Federal Trade Commission (“FTC”) announced its most recent Children’s Online Privacy Protection Act (“COPPA”) case against Explore Talent, an online service marketed to aspiring actors and models. According to the FTC’s complaint, Explore Talent provided a free platform for consumers to find information about upcoming auditions, casting calls and other opportunities. The company also offered a monthly fee-based “pro” service that promised to provide consumers with access to specific opportunities. Users who registered online were asked to input a host of personal information including full name, email, telephone number, mailing address and photo; they also were asked to provide their eye color, hair color, body type, measurements, gender, ethnicity, age range and birth date.

On July 31, 2017, the Federal Trade Commission announced that it has approved modifications to TRUSTe’s safe harbor program under the Children’s Online Privacy Protection Rule (the “COPPA Rule”).

On April 19, 2017, the FTC announced that it is seeking public comment on proposed changes to TRUSTe, Inc.’s safe harbor program under the Children’s Online Privacy Protection Rule (the “Proposed Changes”). As we previously reported, New York Attorney General Eric T. Schneiderman announced that TRUSTe agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. The Proposed Changes are a result of the settlement agreement between TRUSTe and the New York Attorney General.

On April 6, 2017, New York Attorney General Eric T. Schneiderman announced that privacy compliance company TRUSTe, Inc., agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. According to Attorney General Schneiderman, the enforcement action taken by the NY AG is the first to target a privacy compliance company over children’s privacy.

On October 3, 2016, the Texas Attorney General announced a $30,000 settlement with mobile app developer Juxta Labs, Inc. (“Juxta”) stemming from allegations that the company violated Texas consumer protection law by engaging in false, deceptive or misleading acts or practices regarding the collection of personal information from children.

On June 22, 2016, the Federal Trade Commission announced a settlement with Singaporean-based mobile advertising network, InMobi, resolving charges that the company deceptively tracked hundreds of millions of consumers’ locations, including children, without their knowledge or consent. Among other requirements, the settlement orders the company to pay $950,000 in civil penalties. 

On December 17, 2015, the FTC announced a pair of COPPA settlements against operators of child-directed mobile apps available for download in the major app stores. These cases are the FTC’s first COPPA actions involving the collection of persistent identifiers, and no other personal information, from children since the FTC’s updated COPPA Rule went into effect in 2013. The FTC levied civil penalties, totaling $360,000, in both cases.

Hunton & Williams welcomes Phyllis H. Marcus as counsel to the firm’s privacy and competition teams. Phyllis joins the firm from the Federal Trade Commission, where she held a number of leadership positions, most recently as Chief of Staff of the Division of Advertising Practices. Phyllis led the FTC’s children’s online privacy program, including bringing a number of enforcement actions and overhauling the Children’s Online Privacy Protection Act (“COPPA”) Rule. She offers the privacy team a keen understanding of the complexities of the revised regulations, as well as broader issues relating to student privacy, mobile applications and the Internet of Things.

On December 22, 2014, the Federal Trade Commission announced that it notified China-based BabyBus (Fujian) Network Technology Co., Ltd., (“BabyBus”) that several of the company’s mobile applications (“apps”) appear to be in violation of the Children’s Online Privacy Protection Rule (the “COPPA Rule”). In a letter dated December 17, 2014, the FTC warned BabyBus of potential COPPA violations stemming from allegations that the company has failed to obtain verifiable parental consent prior to its apps collecting and disclosing the precise geolocation information of users under the age of 13.

On November 17, 2014, the Federal Trade Commission announced that data privacy certifier True Ultimate Standards Everywhere, Inc. (“TRUSTe”) has agreed to settle charges that the company deceived consumers about its recertification program and misrepresented that it was a non-profit entity in violation of Section 5 of the FTC Act.

On September 17, 2014, the Federal Trade Commission announced that the online review site Yelp, Inc., and mobile app developer TinyCo, Inc., have agreed to settle separate charges that they collected personal information from children without parental consent, in violation of the Children’s Online Privacy Protection Rule (the “COPPA Rule”).

On August 6, 2014, the Federal Trade Commission announced that it had approved a safe harbor program submitted by the Internet Keep Safe Coalition (“iKeepSafe”), stating the program provides the “same or greater protections” for children under the age of 13 as those contained in the new Children’s Online Privacy Protection Rule (the “COPPA Rule”). An updated version of the COPPA Rule came into effect July 1, 2013.

On July 16, 2014, the Federal Trade Commission posted revisions to its Frequently Asked Questions that provide guidance on complying with the Children’s Online Privacy Protection Rule (the “COPPA Rule”). The revisions, which are in Section H of the FAQs, address the COPPA Rule requirement that operators of certain websites and online services obtain a parent’s consent before collecting personal information online from a child under the age of 13.

The Federal Trade Commission recently acted on three industry proposals in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. Specifically, the FTC determined that it was unnecessary to rule on a proposed parental consent mechanism, approved a proposed “safe harbor” program and is seeking public comment on a separate proposed “safe harbor” program.

On December 23, 2013, the Federal Trade Commission announced that it accepted a proposed mechanism, submitted by Imperium, LLC (“Imperium”), to obtain verifiable parental consent in accordance with the Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013.

On November 22, 2013, New Jersey’s Acting Attorney General announced that the State had entered into a settlement agreement with Dokogeo, Inc. (“Dokogeo”), a California-based company that makes mobile device applications, regarding allegations that one of the company’s mobile apps violated the Children’s Online Privacy Protection Act of 1998 (“COPPA”), the recently amended Children’s Online Privacy Protection Rule (the “Rule”) and the New Jersey Consumer Fraud Act.

On November 13, 2013, the Federal Trade Commission announced that it denied a proposal submitted by AssertID, Inc. for a mechanism to obtain verifiable parental consent in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013.

On September 23, 2013, California Governor Jerry Brown signed a bill that adds “Privacy Rights for California Minors in the Digital World” to the California Online Privacy Protection Act (“CalOPPA”). The new CalOPPA provisions prohibit online marketing or advertising certain products to anyone under age 18, and require website operators to honor requests made by minors who are registered users to remove content the minor posted on the site. In addition, operators must provide notice and instructions to minors explaining their rights regarding the removal of content they’ve posted.

On September 9, 2013, the Federal Trade Commission announced that it is seeking public comment on another proposed mechanism (submitted by Imperium, LLC) to obtain verifiable parental consent in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. This announcement follows on the heels of a similar recent announcement that the Commission is seeking public comment on a parental consent mechanism proposed by a different company.

On August 15, 2013, the Federal Trade Commission announced that it is seeking public comment regarding a proposed mechanism to obtain verifiable parental consent in accordance with the new Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013. The COPPA Rule requires operators of certain websites and online services to obtain a parent’s consent before collecting personal information online from a child under 13.

Today, July 1, 2013, the Federal Trade Commission’s changes to the Children’s Online Privacy Protection Rule (the “Rule”) officially come into effect. On December 19, 2012, the FTC announced that it had published the amended Rule following two years of public comments and multiple reviews of various proposed changes.

On May 15, 2013, the Federal Trade Commission announced that it sent educational letters to over 90 businesses that appear to collect personal information from children under the age of 13, reminding them of the impending July 1 deadline for compliance with the updated Children’s Online Privacy Protection Rule (the “Rule”). The letters were sent to domestic and foreign companies that may be collecting information from children that is now considered “personal information” under the Children’s Online Privacy Protection Act (“COPPA”) but was not previously considered “personal information.” The definition of “personal information” under COPPA was expanded to include (1) photos, videos and audio recordings of children; and (2) persistent identifiers that may recognize users over time and across various websites and online services (e.g., cookies and IP addresses).

On May 6, 2013, the Federal Trade Commission announced that it had voted unanimously to reject a request from industry groups to delay the July 1, 2013 deadline for implementation of the updated Children’s Online Privacy Protection Rule (the “Rule”). The groups had argued that the delay was necessary because they needed more time to comply with the changes to the Rule, which the FTC promulgated on December 19, 2012. In its response to the groups, the FTC asserted that the groups have been on notice of the changes since the beginning of the rulemaking process over three years ago, and ...

On April 25, 2013, the Federal Trade Commission released an updated version of its frequently asked questions regarding the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The revised FAQs, entitled Complying with COPPA: Frequently Asked Questions (A Guide for Business and Parents and Small Entity Compliance Guide), provide general information on COPPA’s requirements and also include new guidance on the recent amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).

On February 1, 2013, the Federal Trade Commission issued a new report entitled Mobile Privacy Disclosures: Building Trust Through Transparency. The report makes recommendations “for the major participants in the mobile ecosystem as they work to improve mobile privacy disclosures,” offering specific recommendations for mobile platforms, app developers, advertising networks and other third parties operating in this space. The FTC’s report also makes mention of the Department of Commerce’s National Telecommunications and Information Administration’s efforts to engage in a multistakeholder process to develop an industry code of conduct for mobile apps.

On February 1, 2013, the Federal Trade Commission announced that Chairman Jon Leibowitz will step down from his role on February 15, 2013. Leibowitz, who has been with the Commission since 2004 and was appointed Chairman in 2009, leaves the agency with a much more aggressive privacy agenda than the one he inherited, having helped to shape “groundbreaking work on consumer protection and competition issues.” During what may be his final press conference as Chairman, Leibowitz announced a new staff report on mobile app privacy disclosures and an enforcement action against the operator of a social networking app stemming from allegedly deceptive information collection practices that violated Section 5 of the FTC Act and the Children’s Online Privacy Protection Act.

In an interview with Tom Field of BankInfoSecurity, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, discussed the top privacy trends and threats for 2013. Lisa predicts that security vulnerabilities will remain the biggest threat to privacy, particularly with the move toward mobile computing. She also talked about key issues to watch in 2013, such as online behavioral advertising, big data and evolving privacy legislation and regulation, especially in the EU and other countries around the globe.

Listen to Lisa’s ...

Internet users have expressed increasing concern about efforts to track their online activities. As the online tracking methods used to target advertisements have expanded in both scope and complexity, regulators have taken notice and have begun to act in the online behavioral tracking and advertising space. In an article published in the November/December 2012 issue of IP Litigator, Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, and Melinda L. McLellan, a senior associate on the firm’s Privacy and Data Security team ...

U.S. Federal Trade Commission Chairman Jon Leibowitz announced on Monday that David C. Vladeck, director of the FTC's Bureau of Consumer Protection, is leaving the Commission on December 31, 2012 to return to the Georgetown University Law Center.

On December 19, 2012, the Federal Trade Commission announced the adoption of its long-awaited amendments to the Children’s Online Privacy Protection Rule (the “Rule”). The FTC implemented the Rule, which became effective on April 21, 2000, pursuant to provisions in the Children’s Online Privacy Protection Act of 1998 (“COPPA”).

On December 10, 2012, the Federal Trade Commission issued a new report, Mobile Apps for Kids: Disclosures Still Not Making the Grade, which follows up on the FTC’s February 2012 report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing. The FTC conducted a follow-up survey regarding pre-download mobile app privacy disclosures, and whether those disclosures accurately describe what occurs during use of the apps.

On October 4, 2012, the Federal Trade Commission announced that Artist Arena LLC (“Artist Arena”), an operator of fan websites for several popular recording artists, agreed to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s COPPA Rule (“the Rule”) by improperly collecting personal information from children under the age of 13 without first obtaining verifiable parental consent. The settlement will impose a $1 million penalty on Artist Arena, bar future violations of the Rule and require deletion of the information collected in violation of the Rule.

On September 5, 2012, the Federal Trade Commission issued guidelines for mobile app developers entitled “Marketing Your Mobile App: Get It Right from the Start.” The guidelines are largely a distillation of the FTC’s previously expressed views on a range of topics that have relevance to the mobile app space. They are summarized below:

On August 1, 2012, the Federal Trade Commission announced that it is seeking public comments on additional proposed modifications to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”). According to the FTC, the second-round revisions modify certain COPPA Rule definitions to “clarify the Rule’s scope and strengthen its protections for the online collection, use, or disclosure of children’s personal information.” The FTC developed these new definitions after reviewing the 350 public comments submitted in response to the Commission’s September 2011 proposal to amend the Rule.

On March 27, 2012, the Federal Trade Commission announced a proposed settlement order with RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites. The FTC alleged that RockYou failed to protect the personal information of 32 million of its users, and violated multiple provisions of the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule when it collected information from approximately 179,000 children.

In its new report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, the Federal Trade Commission issues a “warning call to industry that it must do more to provide parents with easily accessible, basic information about the mobile apps that their children use.” The report indicates:

“Parents should be able to learn what information an app collects, how the information will be used, and with whom the information will be shared. App developers also should alert parents if the app connects with any social media, or allows targeted advertising to occur through the app. Third parties that collect user information through apps also should disclose their privacy practices, whether through a link on the app promotion page, the developers’ disclosures, or another easily accessible method.”

This week, the Digital Advertising Alliance (the “DAA”) unveiled new “Self-Regulatory Principles for Multi-Site Data” (the “Principles”), aimed at expanding the scope of industry self-regulation with respect to online data collection. The Principles are designed to supplement the Self-Regulatory Principles for Online Behavioral Advertising which were issued in July 2009. The DAA is composed of several constituent industry groups such as the American Association of Advertising Agencies, Council of Better Business Bureaus, the Direct Marketing Association and the Interactive Advertising Bureau.

On November 8, 2011, the Federal Trade Commission announced that the operator of skidekids.com, a social networking website that advertises itself as the “Facebook and Myspace for Kids,” has agreed to settle charges that he collected personal information from approximately 5,600 children without parental consent, in violation of the Children’s Online Privacy Protection Act (“COPPA”) Rule. The proposed settlement will bar future violations of COPPA and misrepresentations about the collection, use and disclosure of children’s information.

On September 15, 2011, the Federal Trade Commission released proposed amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”).  These revisions follow the FTC’s review of the COPPA Rule, which resulted in numerous comments from various groups and individuals, as well as a public round table that took place on June 2, 2010.  The proposed amendments reflect the FTC’s commitment to “helping to create a safer, more secure online experience for children” in the face of rapid technological change.

On August 15, 2011, the Federal Trade Commission announced a settlement with W3 Innovations, LLC, doing business as Broken Thumbs Apps (“W3”) for violations of the Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s COPPA Rule.  This marks the FTC’s first privacy settlement involving mobile applications.

On May 12, 2011, the Federal Trade Commission announced that Playdom, Inc., a Disney subsidiary, has agreed to pay $3 million to settle charges that the company violated Section 5 of the FTC Act and the Children’s Online Privacy Protection Rule (“COPPA Rule”) “by illegally collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents’ prior consent.”  This settlement marks the largest civil penalty imposed for an FTC COPPA Rule violation.

On September 15, 2010, New York State Attorney General Andrew Cuomo announced a $100,000 settlement with EchoMetrix, a developer of parental control software that monitors children’s online activity.  The settlement comes one year after the Electronic Privacy Information Center (“EPIC”) alleged in a complaint to the Federal Trade Commission that EcoMetrix was deceptively collecting and marketing children’s information.

The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists.  The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule.  MoneyGram has agreed to pay $18 million into a fund that will be used to pay restitution to consumers for facilitating fraud on American consumers from Canada.  The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions.  The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.

On September 9, 2009, the U.S. District Court for the District of Maine dismissed a lawsuit challenging the validity of the Act to Prevent Predatory Marketing Practices Against Minors (the “Act”), which is set to take effect on September 12, 2009.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for ...

On September 12, 2009, Maine’s Act to Prevent Predatory Marketing Practices Against Minors (the “Act”) will take effect.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor.  Pursuant to the Act, the use of information in such a manner is a ...