Remember the proposed changes to COPPA legislation which we blogged on way back last Autumn? To quickly remind you: new rules to better protect children against the collection of their personal data online are being proposed by the US Federal Trade Commission (FTC), including changes to the definition of personally identifiable information.
What is COPPA?
Introduced in 1998, the Children’s Online Privacy Protection Act (COPPA) requires that parental permission is sought before the collection of data for children under the age of 13. As an example of the Act in operation, parents will have noticed that when their children register for a website, they have to fill in the parent’s email address, which needs to be validated for the registration to be complete. That method of collecting permission – used by many sites aimed at under 13′s - is called the “e-mail plus” system.
Proposed changes to COPPA v1
Times have changed and, in the past 14 years, Facebook, Twitter, and mobile have come on the scene. Earlier this year the FTC released a report in which it suggested that current mobile app privacy disclosures were disappointing.
“The mobile app marketplace is growing at a tremendous speed, and many consumer protections, including privacy and privacy disclosures, have not kept pace with this development. Parents need easy access to basic information so they can make informed decisions about the apps they allow their children to use,” they said. According to the FTC, marketers targeting users on such websites or on mobile could potentially avoid parental consent in data collection. “There are plenty of plug-ins or advertising networks that place ads on many, many websites that may be affected by this,” said Mary Engle, the FTC’s associate director of ad practices. Quoting from the FTC report on mobile apps:
While staff encountered a diverse pool of apps for kids created by hundreds of different developers, staff found little, if any, information in the app marketplaces about the data collection and sharing practices of these apps. Staff found almost no relevant language regarding app data collection or sharing on the Apple app promotion pages, and minimal information (beyond the general “permission” statements required on the Android operating system) on just three of the Android promotion pages. In most instances, staff was unable to determine from the promotion pages whether the apps collected any data at all, let alone the type of data collected, the purpose of the collection, and who collected or obtained access to the data.
To bring COPPA in line with 21st century marketing technology, in 2011 the FTC released recommendations for updating the Act. Briefly, the changes included changes to the definition of “personal information” (to include geolocation information & cookies) and parental consent mechanisms (to include electronic scans of signed forms, video-conferencing, ID cards but to eliminate the current “e-mail plus” method).
As Moshi Monster’s Chief Community & Safety Officer, Rebecca Newton, said to us last autumn, “e-mail plus” isn’t perfect. However, the proposed alternatives may be unworkable: financially (for the children’s websites such), or for the parents, who may find them confusing, or an invasion of their privacy.
Proposed changes to COPPA v2
Well, it’s been a while since the FTC first published their proposals, and it has been gathering opinions since. Now it has issued a Supplemental Notice of Proposed Rulemaking seeking to augment, clarify, and in some cases expand rule changes it proposed in September 2011. The proposed changes, according to Lexology.com, would expand the final rule so that it:
- Includes persistent identifiers that can be used for behavioral advertising and other tracking across web sites, while permitting some “internal” operations such as contextual advertising and anti-fraud measures;
- Covers data collection by plug-ins, software downloads, or advertising networks integrated into websites; and
- Reaches websites that may not be directed to children, but are likely to draw children under 13.
The supplemental proposed changes also would scale back an earlier FTC proposal to restrict the collection of screen names that do not enable contact with the child, but at the same time, contain a recommendation that general interest websites age-screen all users.
According to children’s safety expert Larry Magrid, writing in the Huffington Post, the changes may have unforeseen consequences:
The new rules would also allow sites and services with content designed to appeal to both young children and others, including parents to be able to “age-screen all visitors in order to provide COPPA’s protections only to users under age 13.” At first glance this seems reasonable, but I worry that it could have an unintended impact on news or sports-related sites aimed at adults and kids if those sites use any type of geolocation (IP address on a PC or GPS or WiFi data on a mobile device) to determine what city the person is in. If, for example, a person visited a sports site and got an ad suggesting they attend a local game, that could be construed as using personal information for advertising and potentially be a COPPA violation.
The new rules also create the notion of co-responsibility between companies that furnish apps or plug-ins along with those that operate the platform where the plug-in runs. The FTC said that “an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered ‘operator’ under the Rule.”
As Larry points out, COPPA revisions would impact greatly on small businesses, and also further restrict the number of online services available to people under 13, who would potentially benefit from them.
How can I find out more?
To find out more about these latest revisions, The Association for Competitive Technology and the Family Online Safety Institute (FOSI) will host a panel discussion on August 9 to brief lawmakers, staff, and interested parties about the FTC’s amended proposed changes (you can register for it here, or follow @FamOnlineSafety #COPPA #privacy for news).
Have your say
Comments on these further proposed definitional changes must be filed by Sept. 10, 2012. Needless to say, whatever changes finally go into law will have a massive impact on children’s online services globally.