FTC Unveils Updates to COPPA Rules

Legislators Relate Protecting Kids in Online Playgrounds to Child Protection Issues Raised by Newtown Shootings

Joined by interested legislators from both parties and both Houses, Federal Trade Commission chairman Jon Leibowitz unveiled the final version of the FTC's proposed changes and updates to its rules enforcing the Children's Online Privacy Protection Act.

Those include bringing geolocation, cookies (plug-ins) and behavioral targeting explicitly within the rules.

He was joined by Sens. Jay Rockefeller (D-W. Va.) and Mark Pryor (D-Ark.) as well as Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas), the latter two cochairs of the Bipartisan Congressional Privacy Caucus.

"Under the new Rule, when a children's website or application allows third-parties to collect information from children, those websites and apps will be liable under COPPA," said Rockefeller. "Furthermore, those third-parties will also be held liable if they know they are collecting information on websites or apps directed toward children."

Leibowitz outlined the key changes:

  1. The rules are expanded to include geolocation, photos and videos, IP addresses and mobile device IDs in the list of personal information that comes under COPPA protections.
  2. It closes a loophole that allowed third parties to target kids through plug-ins and without getting parental consent that they would have needed otherwise. 
  3. It also extends personal info collection restrictions to third parties including ad nets, though narrowed to make it clear that means only third parties with actual knowledge that the info is being collected from a child-directed, COPPA-covered site.

Leibowitz said networks can continue to advertise on sites directed to children and that it is only behavioral advertising that is covered, and in a simple and straightforward way that provides a "small congressionally mandated "oasis" sheltering privacy. That way is to ensure that, until and unless they get parents' consent, sites and marketers may not track kids to build massive profiles for targeting, "period," he said. The rules also do not apply to app stores, but only COPPA-protected sites collecting info.

Leibowitz also said the rules also now encourage the industry to come up with new and innovative ways to let parents provide that consent. They will have 120 days to come up with proposals for a flexible, easier way to provide parental choice and control. He also praised the positives of online education and access and of advertising to the economy, but said this was targeted, in part, at the "insatiable" of some marketers to track kids online.

Markey drew a parallel between protection kids online and protecting them in schools, invoking the Newtown, Conn. killings. He said that protecting kids was brought to the forefront by the shootings, and said it was just as important to protect kids online, which is their new playground, as it is to protect them in schools. Barton seconded that, saying that just as the events in Connecticut showed how vulnerable kids are online, what occurs on the Internet every day shows how vulnerable they are in cyberspace.

All the legislators pointed out that the online world has changed dramatically and rules need to catch up.

Rockefeller said that when writing the bill a decade ago they could not anticipate the explosion of targeted marketing and of mobile apps.

Both Markey and Barton put in a plug for their kids do-not-track bill, which would apply new restrictions to data collection from kids under 15 -- COPPA remains targeted to kids 12 and under -- and provide an "eraser button" for info that kids supplied but later regretted. They conceded the bill was not going to pass anytime soon, so it was important that the FTC stepped in to do what it could under existing law.

Dissenting from the report was FTC commissioner Maureen Ohlhausen, who said she thought they went beyond the FTC's authority granted by COPPA while saying she backed child privacy protection as a goal she strongly supports. "As the Supreme Court has directed, an agency 'must give effect to the unambiguously express intent of Congress.' Thus, regardless of the policy justifications offered, I cannot support expanding the definition of the term "operator" beyond the statutory parameters set by Congress in COPPA," she said.

The key changes came as no surprise. The FTC back in September 2011 proposed adding behavioral advertising tracking cookies and geolocation information to the definition of kids' personal information that behavioral marketers and websites must get permission from parents to obtain.

The cable industry had argued that COPPA was already working and no major changes were needed which could inadvertently stifle innovation or tailored online experiences.

"We applaud the Federal Trade Commission and chairman Leibowitz for standing with parents and making these vital updates to the COPPA rules," said Common Sense Media CEO James Steyer. "Parents -- not social networks or marketers -- will remain the gatekeepers when it comes to their children's privacy not only online, but also on phones. What's more, these updates to COPPA effectively balance growing privacy concerns and the paramount rights of children and families with the tech industry's need to innovate. "

"The Commission's decision today is a major step forward," said Jeff Chester, executive director of the Center for Digital Democracy, in a statement. "We are especially gratified that this decision puts to rest the longstanding and disingenuous claims by the digital marketing industry that cookies and other persistent identifiers are not personally identifiable information. The revised rules also address the increasingly pervasive use of geolocation, behavioral targeting, and social media data collection. But we are concerned about possible loopholes that could undermine the intent of the rules. CDD plans to continue closely analyzing the emerging marketing and data practices targeted at children -- with a sharp focus on app developers and social marketers like Facebook -- and will file complaints against any company that violates the new rules."

Chester told B&C/Multichannel News that was a reference to the app store carve-out. "Apple and Google don't want to be held responsible for the app industry data collection practices," he said. "But they should require that apps meet minimum privacy standards, including for children. We plan to press the app stores to play a role ensuring COPPA is implemented."

Leibowitz said he thought the resulting rule changes were balanced but still strong.