In an age where Facebook-ready smartphones are the hottest accessory on the elementary school playground, children’s safety on the Internet is a topic of widespread, well-founded public concern. On September 15, 2011, the Federal Trade Commission responded to some of the current issues threatening children’s privacy on the Web by proposing amendments to its decade-old Children’s Online Privacy Protection Rule (“COPPA Rule”). The FTC hopes that these proposed changes will effectively “create a safer, more secure online experience for children” in the wake of recent technological evolution.

The COPPA Rule requires websites that are directed toward children under 13 to obtain verifiable parental consent before collecting, using, or disclosing “personal information” from a child. However, in its current state, the Rule narrowly defines “personal information,” does not adequately police websites that utilize persistent identifiers (like cookies) to track users, and fails to advocate modern methods of obtaining verifiable parental consent. In a nutshell, the Rule is a paper tiger in need of an update.

In order to combat privacy concerns surrounding increased youth usage of social networking websites, Internet-equipped mobile devices (and associated “apps”), and interactive gaming websites, the FTC proposed alterations to the COPPA Rule’s following provisions: definitions, parental notice, parental consent mechanisms, confidentiality and security requirements, and safe harbors. These changes are summarized below:

Definitions: The current COPPA Rule requires that covered website operators obtain parental consent before gathering “personal information” from kids. The FTC’s proposed amendments seek to broaden “personal information” to encompass “geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising.”

Parental Notice: The FTC’s proposed amendments attempt to “streamline and clarify” the types of notice that operators are required to provide to parents before they collect personal information from children.

Parental Consent Mechanisms: The FTC proposes enhanced mechanisms for obtaining verifiable parental consent, such as “electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done.” Additionally, the FTC proposes eliminating the presently popular “e-mail plus” method of parental consent verification due to its lack of reliability.

Confidentiality and Security Requirements: In attempt to increase protection of children’s personal information, the FTC proposes to require that website operators “ensure that any service providers or third parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it.” Additionally, the amendment would mandate “that operators retain the information for only as long as is reasonably necessary, and that they properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.”

Safe Harbor: The FTC seeks to heighten its oversight of “self-regulatory ‘safe harbor programs’ by requiring them to audit their members at least annually.”

While the proposed COPPA Rule amendments are laudable for their attempts to improve children’s online security, they threaten significant monetary and temporal expenses for websites and businesses that would be forced to implement the changes, as well as parents who would have to adhere to enhanced consent requirements. For example, installing heightened parental verification mechanisms (like video-conferencing) requires a great deal of money and manpower—burdens that could potentially be too great for small companies to shoulder. Additionally, the sensitive information that parents would be required to disclose during the consent process raises substantial privacy concerns because the data could easily end up in the wrong hands.

As the notice and comment period for the FTC’s proposed COPPA Rule amendments continues (until November 28, 2011), it is important that parents, interest groups, affected industries, and website operators provide feedback regarding the potential implications of the FTC’s proposed amendments. Specifically, is it unfair to impose these burdens on websites, particularly those that collect information solely for minimally invasive uses (like behavioral advertising)? Are the enhanced requirements likely to cause companies and parents to forbid children from accessing certain websites entirely, and thus deny them potential educational benefits of the Web? And if so, are there other, more efficient methods of protecting the Net’s most vulnerable users that are not accompanied by such significant costs?

While none of these questions are easily answered, the FTC is likely to be responsive to public feedback regarding all aspects of its proposed COPPA Rule amendments. So all of you interested parties: comment away.

Julie Latsko

Image Source


Tagged with:

7 Responses to Make Room for the Virtual Babysitter: FTC Proposes Amendments to the Children’s Online Privacy Protection Rule

  1. ADM says:

    I think protecting children’s privacy is one aspect of keeping children safe on the internet, but it is certainly not the only important aspect. To me, the major failing of this rule comes from its scope – it only applies to websites that are targeting children or have reason to know they are collecting information from children. To me, websites that children happen upon that are geared towards adults may provide the larger threat to child safety, and these sites would fall outside the scope of COPPA. I worry that COPPA could limit valuable aspects of the internet, such as development of quality educational websites, while doing little to limit a very serious threat. After hearing stories of toddlers who order hundreds of dollars of merchandise on their parent’s iPhones or children who click their way to an inappropriate website, it sounds to me that a more important solution would be engineering devices that can be easily programmed by their owners to permit or block particular aspects of the internet. This would keep children safe and keep parents in control of how they raise their child.

  2. KM says:

    I really like the idea of video-conferencing parental consent—kids are sneaky, I’m sure they’ve found a million ways to get around less verifiable requests for parental consent. I am slightly troubled by the expense it would add for websites—but I wonder if those costs are exaggerated. How much manpower does it take to watch videoconference consents? I certainly don’t feel like this is too great an imposition on parents—the online world can be a very dangerous place for kids and taking a couple of seconds to review a website and give consent is the least parents should be doing.

  3. Charles Michels says:

    If these sites that are harmful in the way they collect information from children are so bad, why allow the information to be collected w/ parental consent? Why not just prohibit websites that aim at children under the age of 13 from collecting personal information about the children?

    Maybe there could be a safe harbor, such as if you don’t plan to use the information for commercial purposes and it is only used to enhance the child’s experience on the website.

    I just don’t see how obtaining parental consent improves the situation, if what these sites collect is deemed to be so harmful that we need laws to “protect the children.” If parents just sign off b/c they don’t want to be bothered, have we really done anything to “protect the children?”

  4. Nick B. says:

    I’m not surprised that parents are turning out to be a large constituency group against such a rule. Most parents want to raise their kids how they want, not how the Federal government says they should. Certainly monitoring children’s internet access is difficult but it is a parent’s responsibility to protect their children.

    It doesn’t sound like these websites are deceiving people in some semi-fraudulent way and exposing children to things that parents do not want. Instead it sounds like the FTC thinks parents are a poor monitor of internet use and it wants to make them a better monitor. Maybe there is a better way to educate parents, rather than heaping on burdensome costs for business owners and parents alike.

  5. Caroline Fleming says:

    I think the spirit of the rule is good, because it would protect children if effective. It’s scary to think about how much they can potentially see online. But I agree with you that these measures will be unwieldy for websites to implement. I guess it would be easier for parents in the home to give consent for their children to visit certain websites, but how would this work at schools or in public libraries, when some children’s parents would give consent while others would not?

  6. Swathi Padmanabhan says:


    This is a very interesting proposal. Thank you for summarizing it. I’m left feeling somewhat unsettled about the proposal to require website operators to ensure that 3rd party websites have proper confidentiality and security mechanisms in place to protect child safety online. Correct me if I am wrong, but from my understanding, website operators receive financial compensation for sharing user information. If this is the case, they have a greater incentive to share the data as widely as possible than they do to ensure child safety as the information gets passed along. Do you think the COPPA will really be effective in promoting cyber security in this regard?

  7. Katharine Skinner says:


    I didn’t know much about COPPA until reading this, so I found your article really interesting. After looking up a little more about the issue, I was surprised to find that a lot of the opposition to the proposed amendments is coming from parents- the people you would think would support the amendment the most. One common complaint seems to be that monitoring what sites your child visits, or what sites they should be allowed to access, is a job for the parents, not the government. Many parents also expressed that these new requirements seem like a technical hassle, and they would rather avoid them than go through the trouble of sending in an electronic signature, or having a videoconference. However, this doesn’t necessarily mean that their children won’t have access to these sites. One significant unintended consequence of COPPA, which may be amplified if the new rules are put into law, is that parents help their children lie in order to avoid dealing with COPPA requirements. This practice is prevalent with Facebook, where you must be 13 in order to create an account. Often, with the consent and active help of the parents, children simply enter a false birth date to get around this rule. Though they may eventually be found out, it still doesn’t stop the root of the problem. Of course, parents may think they’re doing a great job of monitoring what sites their children visit, but I bet they would appreciate an electronic signature requirement when their children try to access websites that their parents don’t know about. It will be interesting to see whether these parents are ultimately responsible for blocking the implementation of rules that are designed to protect their children.