Unintended Consequences of FTC’s New COPPA Children’s Online Privacy Rules

by Larry Magid

Source: Federal Trade Commission

The Federal Trade Commission (FTC) has issued a revised set of proposed rules (PDF) regarding the implementation of the Children’s Online Privacy Protection Act (COPPA).

When implemented, this will be the first time the FTC has revised the rules since 1999, back when there was no  Facebook or such thing as an “App for that.” Even MySpace wasn’t founded until 2003. Facebook came on the scene in 2004 and the first iPhone was released in 2007 followed in 2009 by the first Android phone. And while there was Internet advertising back then, we didn’t have the plethora of ad networks and third party tracking cookies and your phone didn’t know your exact location as is common today.

Third party ad networks and plug-ins covered

So, to keep up with modern times, the FTC wants to revise COPPA rules so that they apply to third party advertising networks along with app and plug-in developers and to expand the definition of “personal information.”

According to the FTC, the new proposed rules “clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service.”

Services for both kids and adults

The new rules would also allow sites and services with content designed to appeal to both young children and others, including parents to be able to “age-screen all visitors in order to provide COPPA’s protections only to users under age 13.” At first glace this seems reasonable, but I worry that it could have an unintended impact on news or sports related sites aimed at adults and kids if those sites use any type of geolocaton (IP address on a PC or GPS or WiFi data on a mobile device) to determine what city the person is in. If, for example, a person visited a sports site and got an ad suggesting they attend a local game, that could be construed as using personal information for advertising and potentially be a COPPA violation.

Sites and services that knowingly  target children under 13 as their primary audience must still treat all users as children.

The new rules also create the notion of co-responsibility between companies that furnish apps or plug-ins along with those that operate the platform where the plug-in runs.  The FTC said that “an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered ‘operator’ under the Rule.”

New rules on personal information

The new rules would also modify the definition of personal information to include “‘persistent identifiers’ that recognize a user over a period of time which are used for purposes other than “support for internal operations.” This rule is aimed squarely at tracking cookies that are capable of not only delivering advertising within a site but can also be used to track people across sites to deliver targeted information.

Another important change, especially for many mobile apps, is that personal information now includes “a home or other physical address including street name and name of a city or town.” Such geolocation data is often collected by smart phone apps along with phone numbers which are also now prohibited by the proposed rules.

What’s not covered

As I understand it, these rules apply to information that is being collected for the purposes of advertising or marketing — not information necessary to maintain a network or offer a service. And it’s only for sites that are specifically aimed at children (or aimed at both children and adults) but not sites that don’t allow children. Facebook, for example, requires users to state their date of birth and does not allow users who’s stated birthdate indicates that they’re under 13. Of course, it’s possible to lie about one’s age which is why Consumer Reports estimates that 5.6 million of Facebook’s users are under 13.  There have been stories in the news that Facebook may open its membership to kids under 13, but the company has not confirmed its intention to do that and, as of now, remains available only to people 13 and older.

It’s unclear whether these rules would apply to Facebook apps and plug-ins, including those that put Facebook’s “Like” button on sites. Not withstanding that some kids lie about their age, any site that requires a user to sign-in via Facebook is certifying that that person claims to be 13 or older based on Facebook’s terms of service.

Impact on small businesses

The FTC acknowledges that these proposed rules could have a negative impact on small businesses. The agency estimates that “approximately 500 additional operators may newly be subject to the Rule’s requirements,” and that “approximately 85-to 90% of operators potentially subject to the Rule qualify as small entities.”

Via email, Morgan Reed, Executive Director of Association for Competitive Technology (ACT), which represents small and medium sized businesses, said that the FTC has underestimated the number of small businesses that could be affected. “Today’s app world is being driven by thousands of developers all over America  - many of whom are parents looking to just make educational tools their kids might use – and that’s a great thing.” He said that his group “works with more than 1,200 educational app developers through our Moms with Apps affiliation, and we added more than 500 kids apps developers in just the past year.”

When COPPA was first implemented in 2000, it did have an impact on a number of small sites, some of which went out of business or stopped serving children under 13. Large companies, such as Disney and Nickelodeon, were able to adhere to COPPA regulations and continue to serve  children. To be fair, some small businesses also become “COPPA compliant” and there continue to be new companies entering the field that operate within COPPA rules. Still, the additional restrictions are likely to have a negative affect on some small operators while larger companies should have relatively little trouble complying.

Unintended consequences

While COPPA is a well-intentioned law and the new proposed rules do bring it into the 21st century, there are unintended negative consequences.  For one, it discourages companies from offering services to people under 13 or even allowing pre-teens to use services that could benefit them. Because COPPA doesn’t apply to people 13 and over, there are a lot of great services aimed at teens and adults but since kids do want to use many of these services, they wind up lying about their age, often with parental consent or involvement. In a 2011 study,  danah boyd and other researchers demonstrated that nearby a fifth (19 percent) of the parents of 10-year-olds acknowledged that their child was on Facebook. About a third (32 percent) of parents of 11-year-olds knew their kid was on it. And the same was true for more than half (55 percent) of parents of 12-year-olds. For kids who were under 13 at the time they signed up, 68 percent of the parents “indicated that they helped their child create the account.” Among 10-year-olds on Facebook, a whopping 95 percent of parents were aware their kids were using the service and 78 percent helped create the account.

Seeking comments

The agency is currently seeking comments on its proposed rules. Comments must be filed by September 10, 2012

More from around the web

FTC: Privacy rules should apply to apps aimed at children (The Hill)

The ‘minimum age’ & other unintended consequences of COPPA (Anne Collier of NetFamilyNews & my co-director at ConnectSafely.org)

This entry was posted in Child safety. Bookmark the permalink.

Leave a Reply