COPPA Rule Revisions Would Bring in Ad Networks, Plugins, Encourage ‘Age-Screening’
Ad networks and plugins would fall under the Children’s Online Privacy Protection Act rule enforced by the FTC under its “supplemental notice of proposed rulemaking” published in the Federal Register (http://xrl.us/bniz45) Wednesday. The proposed revisions would also encourage websites with “mixed” audiences to “age-screen” everyone as a means of complying with COPPA and designate persistent identifiers used to communicate with devices as “personal information” in some cases, though fewer than the agency originally proposed. The commission said it received more than 350 comments in response to its original notice of proposed rulemaking on COPPA rule changes nearly a year ago, and that its proposed revisions in response demanded a new comment period.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
In its 1999 NPRM on the newly-enacted COPPA, the FTC “did not foresee how easy and commonplace it would become for child-directed sites and services to integrate social networking and other personal information collection features into the content offered to their users, without maintaining ownership, control, or access to the personal data,” the supplemental NPRM said. Hence the agency said now it will add a “proviso” to the COPPA definition of “operator” that “personal information is collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.” The operator of a “child-directed site or service” is able to give notice to and get consent from parents when personal information is collected through its site, which “can control which plug-ins, software downloads or advertising networks it integrates into its site,” the NPRM said.
In response to the Center for Democracy & Technology’s comment on the September rulemaking that the commission shouldn’t apply COPPA rules to ad networks, analytics services and social plugins because they don’t “intentionally” target children, the FTC in the supplemental NPRM said it would modify the definition of “directed to children.” They'd apply to an operator that “knows or has reason to know” it’s collecting information through a “host” site or service targeting children, the agency said. Those sites and services would “not be free to ignore credible information brought to their attention indicating that such is the case,” the FTC said.
Because relevant websites “fall along a continuum, targeting or appealing to children in varying degrees,” as Disney argued in its September NPRM response, the FTC will adopt in part its proposal that websites only have to provide notice and get consent for users who “self-identify” as under 13, the supplemental NPRM said. That reflects the “prosecutorial discretion” the FTC has shown in the past, only charging sites when it believes their “primary audience” is under-13s, it said. Under the new proposed definition of sites targeting children, those with “child-oriented content appealing to a mixed audience” and in which under-13s are “likely to be an over-represented group” won’t be covered if they “age-screen all users” prior to collecting information. Though many kids lie about their age, the FTC’s law-enforcement experience has been that many kids do give their real ages on such mixed-audience sites, the commission said.
The FTC said it’s modifying its proposal that users’ screen names count as “personal information” when a site or service uses them for more than “internal operations.” Several commenters had said that could limit the data-minimization benefits from single sign-on technology across platforms and not displaying kids’ real names online. The commission said it will only count as personal screen names that function as “online contact information,” such as email addresses or instant-messaging identifiers.
Following howls from industry and privacy experts that persistent identifiers can’t be defined as personal without mucking up normal site operations like user authentication and maintaining user preferences, the FTC modified its proposal for persistent modifiers. The new NPRM tightens and clarifies the definition of persistent identifier and lays out new examples of support for internal operations. A persistent identifier is personal when it can “recognize a user over time, or across different websites or online services,” in connection with being used for functions “other than or in addition to support for the internal operations of the website or online service,” the NPRM said. It includes a customer number in a Web cookie, an Internet Protocol address, a “processor or device serial number” or unique device identifier. The new internal-operations definition includes user authentication, maintaining user preferences, serving contextual ads and protecting against fraud or theft.
Behavioral ads are indeed covered, the FTC said. “The Commission notes the importance of the proviso at the end of the proposed definition: to be considered support for internal operations, none of the information collected may be used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for anyother purpose.” Comments on the supplemental NPRM are due Sept. 10 (http://bit.ly/OJE7zL) and should include “COPPA Rule Review: FTC File No. P104503” in the comment, the FTC said.
Rep. Joe Barton, R-Texas, said the proposed changes are a “step in the right direction” and commended the FTC for its work to protect children’s privacy online. “It is imperative that we protect our kids from the misuse of personal information because their safety and future is at risk,” said the Congressional Privacy Caucus co-chairman. “The potential changes proposed are a great foundation to start the conversation about how to protect our kids online by addressing how personally identifiable information should be used, how we should define a website geared towards children 12 and younger, and further defining the term ‘operator.'”
The proposed changes would “close some loopholes and give parents the peace of mind that their children aren’t being tracked on websites designed for kids without permission,” said Consumers Union Regulatory Counsel Ioana Rusu. They make clear to “industry partners” like third-party ad networks that “protecting children’s online privacy is a shared priority,” she said.