FTC Plans Changes in Online Child Privacy Protection Rules
The U.S. Federal Trade Commission has proposed amendments to online privacy rules for children that aim to give parents control over what personal information websites may collect from children under 13.
The proposed amendments to the Children's Online Privacy Protection Act (COPPA) rule updates the definition of "personal information" to include geolocation information and certain types of persistent identifiers used for functions other than the website's internal operations, such as tracking cookies used for behavioral advertising, FTC said on Thursday.
Consumer access to computers is shifting from the model of a single, family-shared, personal computer to person-specific, Internet-enabled, handheld devices, often used by children below 13. Such handheld devices often have one or more unique identifiers associated with them that can be used to persistently link a user across websites and online services, including mobile applications, FTC said while explaining the need to include persistent identifiers in the definition of personal information.
With this change in computing use, operators now have a better ability to link a particular individual to a particular computing device, it added. The FTC, however, recognized the need for operators to use certain persistent identifiers in their internal operations to provide basic online services to children, other than collect data on the computer user.
The FTC, which initiated a review of the COPPA rule in 2005, decided not to make any changes in the rule by March 2006.
But in the light of "the rapid-fire pace of technological change" since that review, including an explosion in children's use of mobile devices, and the proliferation of online social networking and interactive gaming, the FTC said it initiated a review of the COPPA rule in April last year on an accelerated schedule.
Of the 20 million minors who actively used Facebook in the past year, 7.5 million of them were younger than 13, although Facebook's terms of service require users to be at least 13 years old, according to a survey by Consumer Reports released in May. The accounts of the minors were largely unsupervised by their parents, exposing them to malware or serious threats such as predators or bullies, it said.
The FTC proposes additional methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent's ID is deleted promptly after verification is done.
FTC also proposes eliminating "e-mail plus" which it describes as a less-reliable method of parental consent, and is available to operators that collect personal information only for internal use. The method currently allows operators to obtain consent through an e-mail to the parent, coupled with another step, such as sending a delayed e-mail confirmation to the parent after receiving consent, FTC said.
The Commission has also proposed modifying the definition of "collection" so that operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children's personal information before it is made public.
The proposed amendments by the FTC have been commended by Rep. Edward Markey (D., Mass.) and Rep. Joe Barton (R., Tex.), who earlier in May introduced children's online privacy legislation H.R. 1895, the "Do Not Track Kids Act of 2011", which aims to amend COPPA. Some of the proposals of the FTC, such as including geolocation data under personal information that requires a parent's permission before it is collected or used, are similar to those in the bill, Markey said in a statement on Thursday.
"We're especially glad the FTC recognizes that, in today's smartphone world, online privacy protections for kids and teens must extend to all apps and mobile platforms as well," said Common Sense Media, a nonprofit organization in San Francisco that guides children and parents on technology and media.
But the Direct Market Association in New York is critical of the proposed expansion of the definition of personal information to include unique device identifiers. "DMA strongly believes that such a definition should include only information that in fact permits the direct communication with a specific, identifiable person -- not a device that could be used by multiple people, including children under 13 or adults, it said in a statement.
The FTC has invited written comments from the public on the proposed amendments on or before November 28.