FTC Proposes New Rules On Child Data Collection

Federal Trade Commission wants to regulate many more types of personal information for websites, mobile games, and online services that knowingly interact with children under the age of 13.

Mathew J. Schwartz, Contributor

September 16, 2011

5 Min Read
Dark Reading logo in a gray background | Dark Reading

The Federal Trade Commission is proposing new privacy rules that would change how websites and online services that interact with children can collect, store, or share much of the personal information they gather on minors.

On Thursday, the FTC released proposed amendments to the Children's Online Privacy Protection Act (COPPA). According to the agency, the updates are meant "to respond to changes in online technology, including in the mobile marketplace."

Specifically, the FTC's proposals--open for public comment until Nov. 28--seek to update rules for how businesses that collect children's information notify others, obtain parental consent, as well as keep collected data secure and confidential. It would also update self-regulatory safe harbor provisions by requiring members of such programs to undergo an annual audit and report the results to the FTC. Finally, it would expand COPPA to cover not just websites, but also online services such as mobile applications and even some types of text messaging services.

The COPPA Rule, as it's officially known, was written in 1998 and went into effect in 2000, and regulates how websites and online service providers can interact with children under the age of 13. Notably, the rule requires parental consent before collecting, using, or disclosing any information on children under the age of 13, and stipulates that only the minimum necessary personal information can be gathered.

The FTC last looked at updating COPPA in 2005, but made no changes. The regulations weren't due to be reexamined for 10 years, but due to "the rapid-fire pace of change ... including an explosion in children's use of mobile devices, the proliferation of online social networking and interactive gaming" since 2005, the FTC began reexamining COPPA in April 2010.

[Software that tracks laptop computers is another concern. Learn more here.]

The COPPA amendments aim to regulate many more types of personal data. "One of the most significant proposed changes to the COPPA Rule is to the definition of 'personal information.' The definition of 'personal information' is important as the COPPA Rule only applies to operators whose websites or online service are directed to children or who have actual knowledge that they are collecting personal information from a child under the age of thirteen," said Eric Bukstein, an attorney at Hogan Lovells, in a blog post. Such personal information would include not just names and addresses, but geolocation data (that can be resolved to street and city name), screen and user names (if such information is shared with others by the data collector), persistent identifiers, as well as photographs, audio, or video of the child.

The FTC is also proposing a just-in-time notice that clearly communicates key information, rather than allowing businesses to refer to a privacy policy. That squares with recent public statements made by the FTC, criticizing the overly legalistic and hard-to-decode privacy policies that most websites currently employ.

In addition, the FTC has proposed changing how websites obtain the verifiable parental consent required by COPPA. New techniques to be allowed would include "electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent's ID is deleted promptly after verification is done," said the FTC. Businesses that only use collected information internally could also verify identities via email. The FTC is also proposing to have a voluntary 180-day program for any businesses that want to suggest other verification techniques, and have the FTC accept or deny them.

In short, the changes would make many more businesses subject to COPPA, over which the FTC has recently been keeping a much closer eye. Notably, it fined mobile application developer W3 Innovations last month for COPPA violations.

"That settlement, coupled with the FTC's express recognition of the need for rule changes to address new technologies and services, suggests that the FTC will likely enforce the COPPA Rule much more broadly than it has in the past," said Bukstein. "This means that any media that is targeted at children under the age of thirteen will have to analyze whether it can be considered an 'online service' and take appropriate steps to comply with COPPA if necessary." Notably, any company that collects children's data and serves them advertising will first have to obtain parental consent to do so.

Industry associations and privacy rights groups have begun commenting on the proposed COPAA changes. In particular, the Direct Marketing Association (DMA) has criticized the FTC's push for more stringent forms of parental consent. "In the report, the FTC recommends doing away with the existing 'sliding scale' approach to parental consent, in which the required method of consent varies based on how the operator uses a child's personal information," the DMA said in a statement. "DMA believes that this approach has proven to be a sound means for protecting children online and supports retaining a system that strikes the right balance between providing parents with control and not inhibiting children's beneficial Internet experiences."

Meanwhile, the Center for Democracy and Technology (CDT), has raised concerns over using government-issued identification to verify children's identity. "This method only proves that the operator has received someone's ID; it cannot verify that the person on the ID is a parent of the minor," said the CDT.

Join us for GovCloud 2011, a day-long event where IT professionals in federal, state, and local government will develop a deeper understanding of cloud options. Register now.

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights