- Subscribe to JETLaw
- Volume 15
- Volume 14
- Volume 13
- Volume 12
- Volume 11
- Volume 10
- Volume 9
- Volume 8
- Volume 7
- Volume 6
- Volume 5
- Volume 4
- Volume 3
- Volume 2
- Publish With JETLAW
In an age where Facebook-ready smartphones are the hottest accessory on the elementary school playground, children’s safety on the Internet is a topic of widespread, well-founded public concern. On September 15, 2011, the Federal Trade Commission responded to some of the current issues threatening children’s privacy on the Web by proposing amendments to its decade-old Children’s Online Privacy Protection Rule (“COPPA Rule”). The FTC hopes that these proposed changes will effectively “create a safer, more secure online experience for children” in the wake of recent technological evolution.
The COPPA Rule requires websites that are directed toward children under 13 to obtain verifiable parental consent before collecting, using, or disclosing “personal information” from a child. However, in its current state, the Rule narrowly defines “personal information,” does not adequately police websites that utilize persistent identifiers (like cookies) to track users, and fails to advocate modern methods of obtaining verifiable parental consent. In a nutshell, the Rule is a paper tiger in need of an update.
In order to combat privacy concerns surrounding increased youth usage of social networking websites, Internet-equipped mobile devices (and associated “apps”), and interactive gaming websites, the FTC proposed alterations to the COPPA Rule’s following provisions: definitions, parental notice, parental consent mechanisms, confidentiality and security requirements, and safe harbors. These changes are summarized below:
Definitions: The current COPPA Rule requires that covered website operators obtain parental consent before gathering “personal information” from kids. The FTC’s proposed amendments seek to broaden “personal information” to encompass “geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising.”
Parental Notice: The FTC’s proposed amendments attempt to “streamline and clarify” the types of notice that operators are required to provide to parents before they collect personal information from children.
Parental Consent Mechanisms: The FTC proposes enhanced mechanisms for obtaining verifiable parental consent, such as “electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done.” Additionally, the FTC proposes eliminating the presently popular “e-mail plus” method of parental consent verification due to its lack of reliability.
Confidentiality and Security Requirements: In attempt to increase protection of children’s personal information, the FTC proposes to require that website operators “ensure that any service providers or third parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it.” Additionally, the amendment would mandate “that operators retain the information for only as long as is reasonably necessary, and that they properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.”
Safe Harbor: The FTC seeks to heighten its oversight of “self-regulatory ‘safe harbor programs’ by requiring them to audit their members at least annually.”
While the proposed COPPA Rule amendments are laudable for their attempts to improve children’s online security, they threaten significant monetary and temporal expenses for websites and businesses that would be forced to implement the changes, as well as parents who would have to adhere to enhanced consent requirements. For example, installing heightened parental verification mechanisms (like video-conferencing) requires a great deal of money and manpower—burdens that could potentially be too great for small companies to shoulder. Additionally, the sensitive information that parents would be required to disclose during the consent process raises substantial privacy concerns because the data could easily end up in the wrong hands.
As the notice and comment period for the FTC’s proposed COPPA Rule amendments continues (until November 28, 2011), it is important that parents, interest groups, affected industries, and website operators provide feedback regarding the potential implications of the FTC’s proposed amendments. Specifically, is it unfair to impose these burdens on websites, particularly those that collect information solely for minimally invasive uses (like behavioral advertising)? Are the enhanced requirements likely to cause companies and parents to forbid children from accessing certain websites entirely, and thus deny them potential educational benefits of the Web? And if so, are there other, more efficient methods of protecting the Net’s most vulnerable users that are not accompanied by such significant costs?
While none of these questions are easily answered, the FTC is likely to be responsive to public feedback regarding all aspects of its proposed COPPA Rule amendments. So all of you interested parties: comment away.
– Julie Latsko