The Federal Trade Commission has been seeking public comments on proposed amendments to the COPPA Rule, which enforces the Children’s Online Privacy Protection Act. COPPA gives parents control over what personal data can be collected from children under 13 by Web sites. After two years of review, the agency recently released updates to the rule and discussed some of the changes on its blog, Tech at FTC. The Washington Post and the New York Times, among other news outlets, have stories about the changes to the COPPA Rule and how it may affect companies.
The final amendments:
- modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
- offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
- close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
- extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
- extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
- strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
- require that covered website operators adopt reasonable procedures for data retention and deletion; and
- strengthen the FTC’s oversight of self-regulatory safe harbor programs.
“COPPA and Signaling,” Tech at FTC blog
As has been widely reported, the FTC recently amended its COPPA Rule enforcing the Children’s Online Privacy Protection Act. There’s a lot to be said about the new amendments to the Rule—indeed, a lot is being said—but as this is the FTC Tech Blog, I’m going to restrict my comments to technical aspects. Today, I’m going to talk about signaling—the way that a website can signal its COPPA status to the operators of other sites who provide it with some of the content that users see.
If you run a simple website, complying with COPPA is reasonably straightforward. If you’re covered—that is, if you have actual knowledge that a child is using your site, or if your content is directed towards children younger than 13—you must get parents’ permission before collecting personal information from kids. (N.B. Please see the formal rules to learn who is covered and for the precise definition of a “website or online service directed to children.” The Federal Register notice with the new rules is 167 pages of PDF; I’m not going to try to interpret or even summarize all that text. And ask your lawyers, not your computer scientists.) However, many commercial websites contain content from multiple sources: ad networks, third party plug-ins, etc. Who should be responsible for their COPPA compliance?
The announcement of the amended Rule makes this very clear: “The definition of an operator has been updated to make clear that the Rule covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors.” If it’s on your site, you’re responsible—period.
“FTC tightens rules to protect children’s privacy online,” Washington Post
Media and Silicon Valley giants such as Facebook and Disney have fought plans that they say would be difficult to implement and would stifle innovation. The FTC’s chairman and public interest groups have said an explosion of tracking tools and the swift adoption of smartphones and tablets in homes and schools have rendered the 1998 Children’s Online Privacy Protection Act too weak.
The revisions, the FTC said, seek to clarify that much of today’s most popular uses of the Web should be more closely guarded when done by children. […]
The amendments require companies to get permission from parents to collect a child’s photographs, videos and geolocational information — all content that social media, online games and mobile devices have made easy to share.
Companies such as Google and Viacom must also have a parent’s consent before using tracking tools, such as cookies, that use IP addresses and mobile device IDs to follow a child’s Web activity across multiple apps and sites. Amassing that data could help a marketing company stitch together detailed profiles of children to be used to deliver tailored advertisements, a practice that should be spared on children, some privacy groups say.
“Children’s Online Privacy Rules: Winners and Losers,” New York Times
But the rules have radically different implications for big Web sites and small app developers.
Some Silicon Valley executives and their lawyers lobbied for months to try to get the commission to water down some of its proposed rule revisions. […]
The final children’s online privacy rule uses an “actual knowledge” standard for collecting information about children. That means social networks and ad networks that collect information from children without knowing that their software is operating on a children’s site or app will not be liable. […]
Representatives of app developers, for example, told federal regulators that thousands of small developers of children’s apps had been able to comply with the old rule by choosing not to collect personal information from youngsters. Those app developers, they said, had outsourced the data collection to advertising networks and analytics companies because the apps themselves often did not have the financial or legal resources to handle children’s personal information.
The new rule, however, gives children’s apps and sites primary responsibility for the ad networks and social networks they incorporate into their services. That means even children’s educational apps that do not themselves collect personal information from children will now have to redesign their user interfaces to notify parents of their partners’ data collection practices and obtain parents’ permission, said Tim Sparapani, the senior adviser for policy and law of the Application Developers Alliance, a trade group.
Because children’s apps may incorporate different software from outside sources — for analytics, say, or interactive features — they may also face greater compliance burdens than established children’s Web sites with their own resources, he says.