The Federal Trade Commission (FTC) recently revealed its proposed amendments to the Children’s Online Privacy Protection Rule (COPPA). COPPA requires that operators of websites or online services notify parents and obtain their consent when collecting, using, or disclosing the personal information of children under the age of 13. FPF shares the FTC’s visions to protect children online and fully supports the Commission’s intention to revise the current rule in response to changing technologies.
Tomorrow, October 5, 2011, the SubCommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee holds a hearing titled Protecting Children’s Privacy in an Electronic World. We look forward to the discussion. We are still reviewing the proposed revisions to the Rule and will be filing formal comments. Generally, we think that keeping the age restriction at under 13 makes sense as do many of the changes proposed by the FTC. Other points raised, such as the extent that companies will be able to be responsible for unrelated 3rd parties may be a challenge for some businesses. But we are also not entirely clear about the intention of the FTC in some areas, such as location and tracking, and are hoping for some clarification so we and others can comment in a useful way.
The FTC proposes to amend the statutory definition of “personal information” to include include: (1) an identifier that links the activities of a child across different Websites or online services and (2) geolocation information. With regard to identifiers, it is clear that the FTC has been concerned about companies that create and use behavioral profiles to advertise to children. We don’t think any responsible company does this and support the proposed effort to ensure that doing so is a violation of the Rule. But the revision as worded would seem to cover any advertising on a kids site that would track which ads are bringing users to an advertiser’s site, even if the data is used in the aggregate. The same data that is collected and logged for basic analytics and ad reporting, logged individually but used in aggregate, is generally the same data that can be mined for use in behavioral advertising. Is the intention to restrict any collection of tracking data across sites, even if used in a more limited way? Or is the FTC staking out a broad position because the data is kids data? Is this a precursor of the FTC’s final position on Do Not Track and collection limits which we may see in their upcoming broader privacy report? Clarification will be useful here.
In addition, a better understanding of the proposal to include precise geolocation information as personal information that requires consent before collection will be useful. Clearly there are instances where precise location can be used in a very “personal” manner, enabling a user to be identified or contacted. In other instances, precise location is a simple service that can help a user find where they are on a map or to find nearby resources. What obligations are imposed on an app developer providing a kids app that collects no personal information, but which includes an option to “show me directions from my location to this place”? Since the location consent mechanisms are created by Apple’s iOS mobile operating system and by Google’s Andriod system, what options does an app developer have?
We hope the hearing will get into these issues. We welcome your thoughts. FPF will be submitting comments to the FTC on these as well as others proposals set forth in the report. The deadline for filing is November 28, 2011.