August Agenda Includes Privacy

On August 1, the Federal Trade Commission proposed to update the Children's Online Privacy Protection Rule. Currently, sites aimed at children are required by law to ask a parent’s permission when collecting personal identifiable information such as e-mail addresses and names. But vague language in the 1998 Children’s Online Privacy Protection Act (COPPA) could allow so-called third parties like Facebook and Twitter, whose services are attached to numerous smartphone games, to avoid the parental consent process.

Back in September 2011, the FTC issued a Notice of Proposed Rulemaking (NPRM) seeking comment on proposed changes to the its COPPA rule. The FTC received 350 comments. In response to those comments and informed by its experience in enforcing and administrating the rule, the FTC now proposes, in a supplemental NPRM, to modify certain definitions to clarify the scope of the rule and strengthen its protections for the online collection, use, or disclosure of children's personal information.

The proposed modifications to the definitions of "operator" and "website or online service directed to children" would allocate and clarify the responsibilities under COPPA when third parties such as advertising networks or downloadable software kits ("plug-ins") collect personal information from users through child-directed websites or services. The FTC proposes to state within the definition of "operator" that personal information is "collected or maintained on behalf of" an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. This change would make clear that an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered "operator" under the Rule.

The FTC also proposes to modify the definition of "website or online service directed to children" to:

  1. Clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service;
  2. Address the reality that some websites that contain child-oriented content are appealing to both young children and others, including parents. Under the current Rule, these sites must treat all visitors as under 13 years of age. The proposed definition would allow these mixed audience websites to age-screen all visitors in order to provide COPPA's protections only to users under age 13; and,
  3. Clarify that those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience must still treat all users as children.

Finally, the FTC proposes to modify the Rule's definition of "personal information" to make clear that a persistent identifier will be considered personal information where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than support for internal operations. In connection with this change, the FTC proposes to modify the definition of "support for internal operations" in order to explicitly state that activities such as: site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft will not be considered collection of "personal information" as long as the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

Because these changes diverge from those proposed in the September 2011 proposal, the FTC has determined they warrant additional public comment prior to finalizing the Rule. Public comments on the Supplemental Notice of Proposed Rulemaking will be accepted until September 10, 2012. After reviewing the comments, the FTC will vote on these proposed changes as part of a bigger overhaul of COPPA rules expected by the end of the year.

After an FTC rule is approved, companies may be vulnerable to expensive class action lawsuits, said legal information technology expert Daren Orzechowski from the law firm White and Case, LLP. "Any time you pass a new law or regulation you have to look at how the class action bar will take advantage of that," he said.

Consumer privacy advocates have pushed for stronger rules than what has been drafted for vote by the FTC. They say advertisers can avoid behavioral advertising limits on children by attaching themselves to children’s sites without notifying parents and children clearly.

“Today, the FTC took a giant step to protect children's privacy by proposing that the online data broker industry be required to comply to the Children's Online Privacy Protection Act,” said Jeffrey Chester, executive director of the Center for Digital Democracy, a privacy advocacy group. “The commission will also rein in the data brokers targeting kids who use social media, so-called "plug-ins," to gather information on a child and their friends.”

Common Sense Media, an advocacy group focused on protecting children online, praised the proposed changes. "The FTC's recommendations are crucial steps toward keeping the Children's Online Privacy Protection Act up-to-date in a rapidly changing online and mobile world," CEO James Steyer said in a statement. "The digital world is constantly changing, but the goal of empowering parents to protect their children remains the same."

The new rules will make it a lot more difficult for ad networks and Facebook—which is reportedly considering a children's version of its social network—from tracking or targeting kids. Among the changes, Facebook, ad networks and other third parties could be held legally responsible if they collect personal data from children. Though Facebook argued against rules that could limit the use of its "like" button, the social network took the high road in an emailed comment on the FTC's proposal. "While Facebook’s policies prohibit children under the age of 13 from signing up for our service, we are committed to improving protections for all young people online and helping them benefit from new services and technologies. We commend the Commission for leading this thoughtful review process and we look forward to evaluating its most recent proposal," the company said.

By proposing that a parent's approval would stand between data-mining companies and their young targets, the FTC will certainly get an earful during the comment period, said Lorrie Faith Cranor, an associate professor at Carnegie Mellon University who studies online privacy.

"The most controversial part of the proposal is that companies would need parental consent before they can do any behavioral advertising to children," she said. "Most parents would love that. But the FTC is bound to get a lot of resistance from the companies. Their decision will be definitely controversial either way."

The FTC action this week is not the only development in the privacy arena. Also on August 1, the National Telecommunications and Information Administration provided more detail on the ongoing privacy multistakeholder process regarding mobile application transparency. The first meeting was held on July 12, 2012 and the NTIA released a schedule for future meetings including two this month -- August 22 and 29. The NTIA also posted the lists of discussion elements raised by stakeholders at the last meeting, as well as feedback from the non-binding polling that occurred. The NTIA is encouraging stakeholders to use the time between meetings to continue working on these issues with like-minded colleagues or in cross-cutting groups. The NTIA hopes that all stakeholders will work together to refine the substantive elements of a potential code and to develop concrete proposals for how to structure the process.

By Kevin Taglang.