FTC Revisits Online Privacy Rules For Businesses Targeting Children

Appealing to children can help to ensure lifetime brand loyalty, as well as provide a fairly direct means of accessing parents’ disposable income.  But the interactive environment of the internet creates incentives for businesses not only to transmit messages to children, but also to collect information from them.  To counteract the perceived threat to the privacy of children targeted by commercial sites, Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998.  Now, the FTC is revisiting the Rule implementing the Act, accepting public comment on the proposed changes until November 28, 2011.

COPPA requires the FTC to set forth regulations establishing the baseline privacy requirements for websites that are either directed toward, or knowingly used by, children under age 13.  The current FTC Children’s Online Privacy Rule mandates that such sites clearly disclose their privacy policy, give direct notice to parents and obtain “verifiable” consent (subject to safe harbors), provide parents the option of prohibiting the disclosure of collected information to third parties (or other further use of the information), give parents access to the information collected and an option for deleting it, and maintain confidentiality of any information collected.

Because of the administrative costs incident to complying with COPPA, and the steep penalties for failure to comply, many websites have opted to prohibit use by persons under age 13 altogether.  However, it is unclear whether COPPA’s strictures are actually serving their intended aim – for example, a recent study conducted by Consumer Reports found more than one-third of the 20 million minors who use Facebook are under age 13.  Findings like this have been relatively unsurprising to academics like Berkeley Law professor Deirdre Mulligan, who testified about policy implications of COPPA before its enactment as part of her ongoing role with the Center for Democracy & Technology. “It’s good to have regulations that help parents parent, but if we could raise the floor [for privacy protection] across the board, we’d be less concerned about children specifically.”

Among the changes proposed are alterations to the definitions of “personal information” and “collection.”  Under the proposed changes, “personal information” would explicitly include geolocation and “persistent identifiers” including cookies used for tracking and behavioral advertising.  Though most of the proposed changes have the effect of imposing stronger regulation on websites, the FTC has suggested amending the definition of “collection” so that it permits children to participate in interactive communities without parental consent as long as the site uses “reasonable measures” to delete any personal identifiers before the child’s comments are made live on the site.  Professor Mulligan lauds the decision to permit more online participation and commentary from children.  “Greater diversity of sites allowing children to speak is a good thing.  The old ‘100% deletion’ requirement [requiring sites to delete all personal information prior to posting] was a high cost adventure . . . it made it too risky for sites to allow kids to speak.”

Perhaps the most significant overhaul under the proposed Rule is to alter the parental consent mechanism.  The proposal eliminates the “email-plus” method (consisting of a consent email from the parent, followed by a time-delayed confirmation), which had previously been permitted in cases where the site only planned to use the collected information internally.  In its place, the proposed Rule adds a number of new consent mechanisms to the existing non-exhaustive list: parents may consent by submitting electronic scans of signed parental consent forms, participating in video-conferencing, or by supplying the site administrators with a government-issued identification which would be checked against a database.  Policy groups have raised concerns, however, that the method does little to prove that the person supplying identification is the parent of the minor and presents an incursion into the parents’ privacy rights.  As Professor Mulligan stated succinctly, “Protecting privacy by requiring everyone to prove who they are . . . that doesn’t seem like a win.”  However, to facilitate the development of new and potentially superior consent methods, the proposed Rule establishes a 180-day “notice and comment” process, whereby website operators may seek FTC approval of newly devised consent mechanisms.

The proposed changes also alter the parental notice procedures and confidentiality requirements. No longer will sites be able to serve parents notice in the form of a privacy policy alone – instead, sites must offer parents “just-in-time” notice prior to collecting information.  With regard to confidentiality, the Commission’s proposal would impose a duty on website operators to ensure that adequate confidentiality measures are not only observed internally, but also by any and all third parties to whom private data is disclosed.

Finally, the proposal would strengthen oversight of “safe-harbor programs” established by industries to self-regulate COPPA compliance by requiring the programs to conduct an annual audit of all members and to submit a periodical report to the FTC.

While the FTC’s proposed changes tighten privacy rules on companies that market to children online, it’s not clear that they will prevent reasonably precocious children from circumventing them.  Meanwhile, the increased regulation may cause more businesses to go the way of Facebook and prohibit children from using their sites (in theory), rather than undergo the expense of compliance.