The Children’s Online Privacy Protection Act became law in October 1998, and the Federal Trade Commission promulgated its rule concerning the law in the next couple of years. It has been 20 years of ups and downs for privacy protection for children’s data. There continue to be numerous privacy challenges for parents seeking to safeguard their children’s personal information.
As soon as they are born and are issued identification numbers, children face the risk of identity theft. Such thefts can go undetected for years, until a young adult has reason to use her Social Security Number for a loan or credit card. We have schools tracking children (and college students) with camera surveillance systems or RFID-enabled school uniforms or ID cards. Some schools started using biometric ID systems for students to pay for their lunches. There are concerns about tracking apps such as ClassDojo, which can be used by teachers and parents to monitor students’ progress.
The FTC marked the 20th anniversary by noting it has made changes to its Rule over the years: “by amending the Rule to address innovations that affect children’s privacy – social networking, online access via smartphone, and the availability of geolocation information, to name just a few. After hosting a national workshop and considering public comments, we announced changes to the Rule in 2013 that expanded the types of COPPA-covered information to include photos, video, or audio files that contain a child’s image or voice.”
In an op-ed for the Hill, Kathryn C. Montgomery and Jeff Chester, two of the advocates who spearheaded the privacy campaign that led to COPPA, set out four lessons learned that they believe will assist policymakers as they continue to consider federal privacy legislation. The first? “The Internet’s business model requires government regulation to protect consumer privacy.” Targeted behavioral advertising is a moneymaker for companies. For there to be strong privacy protections, it is key to avoid industry self-regulation. An outside agency or auditor will have none of the conflicts of interest that would hamper an in-house group that might be pressured to overlook children’s privacy protections in order to feed the company’s bottom line.
What’s next for children’s privacy? Agencies and legislators are trying to move forward. One toy maker recently settled with the FTC over charges that it collected children’s personal data without direct notice and their parents’ consent. And U.S. senators have asked the FTC “to investigate the practices of app developers, advertising companies, and app stores, after a recent study found that thousands of apps were accessing children’s sensitive information, such as location information, without providing notice or obtaining the required consent.” The Do Not Track Kids Act, which seeks to update COPPA, continues to try to make its way through Congress.
The issues facing children, and adults, will continue to change as technology and societal norms change. It is important that the privacy laws protecting such personal data be flexible enough to remain strong in the face of change, and that they be based on the Fair Information Practices and OECD Principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.