by Larry Magid
The Federal Trade Commission (FTC) has issued a revised set of proposed rules (PDF) regarding the implementation of the Children’s Online Privacy Protection Act (COPPA).
When implemented, this will be the first time the FTC has revised the rules since 1999, back when there was no Facebook or such thing as an “App for that.” Even MySpace wasn’t founded until 2003. Facebook came on the scene in 2004 and the first iPhone was released in 2007 followed in 2009 by the first Android phone. And while there was Internet advertising back then, we didn’t have the plethora of ad networks and third party tracking cookies and your phone didn’t know your exact location as is common today.
Third party ad networks and plug-ins covered
So, to keep up with modern times, the FTC wants to revise COPPA rules so that they apply to third party advertising networks along with app and plug-in developers and to expand the definition of “personal information.”
According to the FTC, the new proposed rules “clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service.”
The new rules would also require sites with content designed to appeal to both young children and others, including parents to be able to “age-screen all visitors in order to provide COPPA’s protections only to users under age 13.” At first glace this seems reasonable, but I worry that it could have an unintended impact on news or sports related sites aimed at adults and kids if those sites use any type of geolocaton (IP address on a PC or GPS or WiFi data on a mobile device) to determine what city the person is in. If, for example, a person visited a sports site and got an ad suggesting they attend a local game, that could be construed as using personal information for advertising and potentially be a COPPA violation.
Sites and services that knowingly target children under 13 as their primary audience must still treat all users as children.
The new rules also create the notion of co-responsibility between companies that furnish apps or plug-ins along with those that operate the platform where the plug-in runs. The FTC said that “an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered ‘operator’ under the Rule.”
New rules on personal information
The new rules would also modify the definition of personal information to include “‘persistent identifiers’ that recognize a user over a period of time which are used for purposes other than “support for internal operations.” This rule is aimed squarely at tracking cookies that are capable of not only delivering advertising within a site but can also be used to track people across sites to deliver targeted information.
Another important change, especially for many mobile apps, is that personal information now includes “a home or other physical address including street name and name of a city or town.” Such geolocation data is often collected by smart phone apps along with phone numbers which are also now prohibited by the proposed rules.
What’s not covered
As I understand it, these rules apply to information that is being collected for the purposes of advertising or marketing — not information necessary to maintain a network or offer a service. And it’s only for sites that are specifically aimed at children (or aimed at both children and adults) but not sites that don’t allow children. Facebook, for example, requires users to state their date of birth and does not allow users who’s stated birthdate indicates that they’re under 13. Of course, it’s possible to lie about one’s age which is why Consumer Reports estimates that 5.6 million of Facebook’s users are under 13. There have been stories in the news that Facebook may open its membership to kids under 13, but the company has not confirmed its intention to do that and, as of now, remains available only to people 13 and older.
It’s unclear whether these rules would apply to Facebook apps and plug-ins, including those that put Facebook’s “Like” button on sites. Not withstanding that some kids lie about their age, any site that requires a user to sign-in via Facebook is certifying that that person claims to be 13 or older based on Facebook’s terms of service.
Impact on small businesses
The FTC acknowledges that these proposed rules could have a negative impact on small businesses. The agency estimates that “approximately 500 additional operators may newly be subject to the Rule’s requirements,” and that “approximately 85-to 90% of operators potentially subject to the Rule qualify as small entities.” When COPPA was first implemented in 2000, it did have an impact on a number of small sites, some of which went out of business or stopped serving children under 13. Large companies, such as Disney and Nickelodeon, were able to adhere to COPPA regulations and continue to serve children. To be fair, some small businesses also become “COPPA compliant” and there continue to be new companies entering the field that operate within COPPA rules. Still, the additional restrictions are likely to have a negative affect on some small operators while larger companies should have relatively little trouble complying.
The agency is currently seeking comments on its proposed rules. Comments must be filed by September 10, 2012