NYT: New Online Privacy Rules for Children

http://www.nytimes.com/2012/12/20/technology/ftc-broadens-rules-for-online-privacy-of-children.html

December 19, 2012

New Online Privacy Rules for Children

By NATASHA SINGER

In a move intended to give parents greater control over data collected about their children online, federal regulators on Wednesday broadened longstanding privacy safeguards covering children's mobile apps and Web sites. Members of the Federal Trade Commission said they updated [1] the rules to keep pace with the growing use of mobile phones and tablets by children.

The regulations also reflect innovations like voice recognition, location technology and behavior-based online advertising, or ads tailored to an individual Internet user.

Regulators had not significantly changed the original rule, based on the Children's Online Privacy Protection Act of 1998, [2] or Coppa. That rule required operators of Web sites directed at children under 13 to notify parents and obtain their permission before collecting or sharing personal information -- like first and last names, phone numbers, home addresses or e-mail addresses -- from children.

The intent of that was to give parents control over entities seeking to collect information about their children so that parents could, among other things, prevent unwanted contact by strangers.

The new rule, unveiled at a news conference in Washington, significantly expands the types of companies required to obtain parental permission before knowingly collecting personal details from children, as well as the types of information that will require parental consent to collect.

Jon D. Leibowitz, the chairman of the trade commission, described the rule revision as a major advance for children's privacy. "Congress enacted Coppa in the desktop era and we live in an era of smartphones and mobile marketing," Mr. Leibowitz said. "This is a landmark update of a seminal piece of legislation."

The agency's expanded privacy protections for children also represent the first step in a larger effort by a few regulators and legislators to give adult consumers some rights to control data collected about them.

"The Coppa rule revisions which we are announcing today are a critical piece in our overall approach to how we deal with consumer privacy in this technological age," said Julie Brill, a member of the commission.

Industry analysts said the new rule represented a partial victory for Web site operators, app developers and advertising networks because regulators watered down some of their original proposals to which companies like Apple, Facebook, Google and Twitter had objected. Apple and Google, for example, opposed proposals that suggested they would be responsible for the data collected by children's apps sold in their app stores. Regulators have now clarified that general-interest app stores would not be held liable for that.

Yet, few companies lent any support to the commission at its news conference; Viacom and Disney sent representatives, but other companies were absent.

"What we've got here is an expansion of Coppa that some in the industry would say has gone too far," said Alan Friel, a lawyer who leads the media and technology practice at the firm of Edwards Wildman Palmer. "But the F.T.C. has provided exceptions that continue to allow internal use of a child's data, including one-time use of contact information for facilitating promotions and send-a-friend e-mails."

In an era of widespread photo sharing, video chatting and location-based apps, the revised children's privacy rule makes clear that companies must obtain parental consent before collecting certain details that could be used to identify, contact or locate a child. These include photos, video and audio as well as the location of a child's mobile device.

While the new rule strengthens such safeguards, it could also disrupt online advertising. Web sites and online advertising networks often use persistent identification systems -- like a cookie in a person's browser, the unique serial number on a mobile phone, or the I.P. address of a computer -- to collect information about a user's online activities and tailor ads for that person.

The new rule expands the definition of personal information to include persistent IDs if they are used to show a child behavior-based ads. It also requires third parties like ad networks and social networks that know they are operating on children's sites to notify and obtain consent from parents before collecting such personal information. And it makes children's sites responsible for notifying parents about data collection by third parties integrated into their services.

Collecting data to show children contextual ads based on the content of a site or app, however, will not require parental consent. "The only limit we place is on behavioral advertising," Mr. Leibowitz said. "Until and unless you get parental consent, you may not track children to create massive profiles" for behavior-based ads.

Stuart P. Ingis, a lawyer representing several marketing associations, said that reputable online marketers did not knowingly profile children to show them behavior-based ads. He added that industry guidelines prohibited the practice.

He agreed with regulators that privacy protections for children online needed to keep pace with new technologies. But he said he was concerned that the restrictions on cookie-based identifiers might cause some children's sites to reduce their use of ad networks to avoid having to notify parents about data collection by those services.

"There might be overreaction that would limit just general third-party collection of data, which is very useful to businesses and consumers," said Mr. Ingis, who represents the Direct Marketing Association and the Association of National Advertisers.

The revised rule also clarifies requirements for sites that are not primarily directed at young children but whose audience may include them, like a Disney family site, for example. Those sites can now screen visitors by age, but they will be required to obtain permission from a parent to collect personal data about children under 13.

Children's advocates generally welcomed the strengthened protections.

"Clearly, this is a major step forward, but the devil is in the details," said Jeffrey Chester, the executive director of the Center for Digital Democracy, an advocacy group in Washington.

[1] http://www.ftc.gov/opa/2012/12/coppa.shtm

[2] http://www.ftc.gov/ogc/coppa1.htm