The FTC got plenty of input on the proposed changes to its
rule implementing the Children's Online Privacy Protection Act to protect kids
that FTC Chairman Jon Leibowitz has called "tech savvy but judgment
poor." The comment deadline was midnight Monday, Sept. 24.
Those included the concerns of consumer groups that the
rules were not sufficiently tightened, and from cable and wireless operators
that there could be unintended consequences to the changes as proposed,
including putting a crimp in TV Everywhere online delivery of kids content.
The commission reviewed COPPA in 2005 and made no changes,
but this time around has plenty of new proposals, including:
"[U]pdating the definition of 'personal information' to
include geolocation information and certain types of persistent identifiers
used for functions other than the website's internal operations, such as
tracking cookies used for behavioral advertising. In addition, the Commission
proposes modifying the definition of ‘collection' so operators may allow
children to participate in interactive communities, without parental consent,
so long as the operators take reasonable measures to delete all or virtually
all children's personal information before it is made public.
"[S]eek to streamline and clarify the direct notice
that operators must give parents prior to collecting children's personal
information. The proposed revisions are intended to ensure that key information
will be presented to parents in a succinct ‘just-in-time' notice, and not just
in a privacy policy.
"[A]dding new methods to obtain verifiable parental
consent, including electronic scans of signed parental consent forms,
video-conferencing, and use of government-issued identification checked against
a database.
"[S]trengthening the Rule's current confidentiality and
security requirements.
"[S]trengthening its oversight of self-regulatory ‘safe
harbor programs' by requiring them to audit their members at least annually and
report periodically to the Commission the results of those audits."
In a joint filing, the National Cable and Telecommunications
Association and Motion Picture Association of America said the current rules
already strike the right balance and that some of the new changes "would
significantly extend the reach and the burdens of the COPPA regulatory
regime" without a corresponding benefit and, in fact, with a corresponding
adverse impact on the quality and viability of age-appropriate children's
content.
They argue that the FTC should not define a persistent
identifier -- IP address, for example -- as personal information in and of
itself, or if it does, have a more flexible definition of the "support for
internal operations" exception, so that it does not impinge on the
authentication of TV Everywhere delivery of content to kids.
"It is clearly in the public interest -- and consistent
with Congressional goals of encouraging the distribution of such content over
multiple devices and platforms -- to ensure that such innovation is allowed to
blossom on all websites and services," they argue.
In a joint filing, Citizens for Digital Democracy, Consumers
Union, Consumer Federation of America and more than a dozen others were
generally supportive, but were concerned with the proposed limitation of
liability for third-party operators to only situations where they have actual
knowledge or reason to know that they are collecting kids' personal info. They
are strongly opposed to the way the FTC would redefine child-directed websites,
which they say would reduce the number of sites that fall under the definition
of child-directed and create a "gigantic loophole" for Disney, which
proposed the change, resulting in less privacy protection for kids, not
more.
Disney argued that the current definition is overly broad
and treats adults as young children, suggesting instead that the FTC "adopt
a system that would permit websites or online services directed to larger
audiences, specifically those directed to children and families, to
differentiate among users, requiring such sites and services to provide notice
and obtain consent only for users who self-identify as under age 13." The
FTC agreed and proposed a three-part test for qualifying as a child-directed
site.
Ed Markey (D-Mass.), author of the original COPPA bill in
the House, sent
a letter to the commission supporting the changes, particularly extending
privacy protection to mobile devices and geolocation services, but he also said
more is needed.
Markey is also coauthor of a Do Not Track Kids Act that
would ban targeted marketing to kids, and expand the definition of kid from
under 13 to 15 and under. It would also attempt to legislate an "eraser
button" that would allow parents to delete kids personal info from the
Web.
"While the FTC's proposed changes are an important
step, Congress must also take action to ensure that children and teens are
fully protected when they go online," said Markey.
