FTC Gets Earful on COPPA Revisions

Comment Deadline Ends on Two-Year Effort to Modify Rule Implementing Child Online Protection Law

The FTC got plenty of input on the proposed changes to its rule implementing the Children's Online Privacy Protection Act to protect kids that FTC chairman Jon Leibowitz has called "tech savvy but judgment poor." The comment deadline was midnight Monday, Sept. 24.

Those included the concerns of consumer groups that the rules were not sufficiently tightened, and from cable and wireless operators that there could be unintended consequences to the changes as proposed, including putting a crimp in TV Everywhere online delivery of kids content.

The commission reviewed COPPA in 2005 and made no changes, but this time around has plenty of new proposals, including:

"[U]pdating the definition of 'personal information' to include geolocation information and certain types of persistent identifiers used for functions other than the website's internal operations, such as tracking cookies used for behavioral advertising. In addition, the Commission proposes modifying the definition of ‘collection' so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children's personal information before it is made public.

"[S]eek to streamline and clarify the direct notice that operators must give parents prior to collecting children's personal information. The proposed revisions are intended to ensure that key information will be presented to parents in a succinct ‘just-in-time' notice, and not just in a privacy policy.

"[A]dding new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database.

"[S]trengthening the Rule's current confidentiality and security requirements.

"[S]trengthening its oversight of self-regulatory ‘safe harbor programs' by requiring them to audit their members at least annually and report periodically to the Commission the results of those audits."

In a joint filing, the National Cable and Telecommunications Association and Motion Picture Association of America said the current rules already strike the right balance and that some of the new changes "would significantly extend the reach and the burdens of the COPPA regulatory regime" without a corresponding benefit and, in fact, with a corresponding adverse impact on the quality and viability of age-appropriate children's content.

They argue that the FTC should not define a persistent identifier -- IP address, for example -- as personal information in and of itself, or if it does, have a more flexible definition of the "support for internal operations" exception, so that it does not impinge on the authentication of TV Everywhere delivery of content to kids.

"It is clearly in the public interest -- and consistent with Congressional goals of encouraging the distribution of such content over multiple devices and platforms -- to ensure that such innovation is allowed to blossom on all websites and services," they argue.

In a joint filing, Citizens for Digital Democracy, Consumers Union, Consumer Federation of America and more than a dozen others were generally supportive, but were concerned with the proposed limitation of liability for third-party operators to only situations where they have actual knowledge or reason to know that they are collecting kids' personal info. They are strongly opposed to the way the FTC would redefine child-directed websites, which they say would reduce the number of sites that fall under the definition of child-directed and create a "gigantic loophole" for Disney, which proposed the change, resulting in less privacy protection for kids, not more.  

Disney argued that the current definition is overly broad and treats adults as young children, suggesting instead that the FTC "adopt a system that would permit websites or online services directed to larger audiences, specifically those directed to children and families, to differentiate among users, requiring such sites and services to provide notice and obtain consent only for users who self-identify as under age 13." The FTC agreed and proposed a three-part test for qualifying as a child-directed site.

Ed Markey (D-Mass.), author of the original COPPA bill in the House, sent a letter to the commission supporting the changes, particularly extending privacy protection to mobile devices and geolocation services, but he also said more is needed.

Markey is also coauthor of a Do Not Track Kids Act that would ban targeted marketing to kids, and expand the definition of kid from under 13 to 15 and under. It would also attempt to legislate an "eraser button" that would allow parents to delete kids personal info from the Web.

"While the FTC's proposed changes are an important step, Congress must also take action to ensure that children and teens are fully protected when they go online," said Markey.