Feds Tighten Up Child Privacy Protection Rules
Over the years, marketers have exploited loopholes in the Children's Online Privacy Protection Act, but amendments made final on Wednesday close many of those. "I think this is a major step, because, up until today, companies could claim cookies and geolocation are not data that could be controlled," said Jeffrey Chester, executive director of the Center for Digital Democracy.
Dec 19, 2012 3:44 PM PT
The Federal Trade Commission on Wednesday announced final amendments to the Children's Online Privacy Protection Act Rule, which governs the online collection of personal information from children under the age of 13.
This is the culmination of a review that began in 2010 to ensure that the COPPA Rule keeps pace with changes in technology and the way kids use and access the Internet.
"This new set of rules has made them more granular and includes new techniques -- for instance, mobile is an extension of online but didn't exist in 1998 when the law was passed, but clearly the law was to cover all these communications that are targeted at children," Kathryn Montgomery, a professor at American University, told TechNewsWorld.
"The only limit we place is on behavioral advertising, and in this regard our rule is simple, effective, and straightforward: until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising purposes. Period," said FTC Chairman Jon Leibowitz.
The FTC declined to provide further details.
The New COPPA Rules
The new rules now include geolocation information, photographs and videos in the category of personal information that can't be collected about kids without parental notice and consent.
They also close a loophole that let apps and websites directed at kids allow third parties to collect personal information from children through plug-ins without providing parental notice or obtaining parental consent. Further, the rules extend coverage in some cases so that third parties that collect kids' personal information also have to comply with COPPA.
The amendments also extend the COPPA rule to cover persistent identifiers such as IP addresses and mobile device IDs that can recognize users over time and across different websites or online services.
Website operators and online service providers covered by the rules have to take reasonable steps to ensure that kids' personal information is released only to companies that can keep it secure and confidential. Website operators who come under COPPA's ambit now have to adopt reasonable procedures for data retention and deletion.
Finally, the amendments strengthen the FTC's oversight of self-regulatory safe harbor programs.
Love for Tomorrow's COPPA Today
"Children Now is pleased that the FTC updated their existing rules to protect children's privacy online," Eileen Espejo, director of media and health policy at the children's advocacy organization, remarked.
"I think this is a major step, because, up until today, companies could claim cookies and geolocation are not data that could be controlled," Jeffrey Chester, executive director of the Center for Digital Democracy, told TechNewsWorld.
Marketers "will have to disclose what they're collecting and how they're using the information so the burden will be upon them to be clear about what they're doing with that information when they inform parents," Montgomery remarked. "They can't just ask if parents agree to kids creating and posting content online and leave it at that, when they want to use the information to market to kids."
The Downside of the New COPPA
Sites and services that target kids as a secondary audience or to a lesser degree will have to provide notice and obtain parental consent only for those users who identify themselves as being less than 13 years old.
However, the rules don't extend liability to platforms such as Google Play or Apple's App Store, which only offer access to apps directed at kids.
Further, parental notice and consent aren't required when an operator collects a persistent identifier solely to support its internal operations such as contextual advertising, frequency capping, legal compliance, site analysis or network communications.
"Will [the mechanism] be perfect? No," Montgomery said. "But it does put mechanisms in place that weren't there before."
Enforcing the Rules
Ensuring the new COPPA rules are followed "is always going to be a challenge, with industry having deep pockets and more and more lobbyists coming on board every day," Montgomery said. "On the other hand, we've been doing this a long time and have 50 groups in the coalition and we will be able to bring cases to the FTC."
The rules "are absolutely enforceable by the FTC," Espejo told TechNewsWorld. Complaints about websites that violate COPPA can be directed to the FTC.