In an acknowledgement of the tracking capabilities of online advertisers and social networks, the Federal Trade Commission on Wednesday proposed updating its rules on the conditions under which companies can collect online data about Web users under the age of 13.
The Children’s Online Privacy Protection Rule, also known as the COPPA rule, is a set of federal requirements that the FTC issued in 1999 and which went into affect in 2000, based on a law passed in 1998 known as the Children’s Online Privacy Protection Act (COPPA).
The requirements state that “operators of websites or online services” that are either geared toward or used by children must get parental consent before collecting information about child Web users, clearly explain how they collect such information and what they use it for, implement measures to “protect the confidentiality, security and integrity” of the information, and allow parents the opportunity to delete the information upon request.
While the FTC thought those requirements sufficed at first — it filed 19 cases of violations against companies under the rule and millions in fines, as The Wall Street Journal reported — by September 2011, it was clear to the agency that it needed to update the COPPA Rule to take account the fact that in the intervening decade, the Web had changed dramatically, with many so-called “third party” companies popping up — the FTC cites online ad networks as an example — that could collect information on children and didn’t expressly fall under the rule as written.
The FTC proposed changes to beef up the rule to account for the emergence of these new services and invited public comment.
After receiving 350 (a lot for an obscure government feedback effort such as this), the agency decided it needed to make the rules more nuanced — tougher in some senses but more lax in others. So on Wednesday it released even stricter rules and is again seeking public comment online and via snail mail, through September 10 of this year.
The FTC announced the new proposed changes on its website, promoting them as tougher in general, writing “The FTC now proposes to modify certain definitions to clarify the scope of the Rule and strengthen its protections for the online collection, use, or disclosure of children’s personal information.”
But a closer examination of what the FTC’s planned revisions reveal a more patchwork picture when it comes to protecting children’s information online.
Specifically, the FTC says it wants to make the rule apply to third-party ad networks and “plug-ins,” those website attributes such as Facebook “Likes” and Google “Plusses,” as well as other invisible ones, which could collect data from Web users under 13. As the FTC puts it, the rule would be modified to “clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service.”
But at the same time, the FTC also wants the rule to acknowledge that many websites have the technical ability to differentiate between child and adult users, and as such could treat each type of user differently. In a sense, the FTC wants to give websites and services that have child and adult users the ability to track adult users without paying attention to the COPPA Rule, but forcing them to comply with the COPPA Rule for their child user-base.
As the FTC spells out, the new version of the rule should:
Address the reality that some websites that contain child-oriented content are appealing to both young children and others, including parents. Under the current Rule, these sites must treat all visitors as under 13 years of age. The proposed definition would allow these mixed audience websites to age-screen all visitors in order to provide COPPA’s protections only to users under age 13…
That said, the FTC wants everyone to be clear that if a website or service is “knowingly target[ing] children under 13 as their primary audience,” must treat all users, whether they be adults or children, as children under COPPA.
It’s unclear how either of these proposed changes would affect Facebook’s reported plans to create a safe space for under-13-year-old users, which the company openly acknowledges visit and use its website in droves anyway, despite a current age restriction that it attempts to enforce on new account sign-ups.
Still, some privacy advocates seem to be heartened by the FTC’s move, at least initially.
“Today, the FTC took a giant step to protect children’s privacy by proposing that the online data broker industry be required to comply to the Children’s Online Privacy Protection Act,” Jeffrey Chester, executive director of the Center for Digital Democracy told The Washington Post.
