Websites, mobile apps and online advertising networks targeting children will be required to follow new privacy regulations, including getting a parent’s permission before collecting geo-location information and photographs from kids, under new rules announced Wednesday by the U.S. Federal Trade Commission.
The new rules, a revision of existing regulations under the Children’s Online Privacy Protection Act (COPPA), also require websites and other online services to get parental permission before collecting IP addresses and mobile devices IDs for children under age 13.
The changes to the rules, praised by privacy advocates, also require third-party companies collecting information on websites targeted at children to get a parent’s permission, closing a “loophole” that allowed some plug-ins to collect children’s personal information without getting permission, FTC Chairman Jon Leibowitz said during a press conference.
Changes to the FTC’s COPPA rule are needed because the Internet has changed significantly, with an explosion of smartphones, mobile apps and social networking, since Congress passed COPPA in 1998, Leibowitz said.
“The Internet of 2012 is vastly different than the Internet of 14 years ago,” he said. “Some companies, especially some ad networks, have an insatiable desire to collect information from kids.”
The new rules, scheduled to go into effect in July, are designed to give online businesses that provide services to children clear guidelines about collecting personal data, Leibowitz said. The new rules do not prohibit advertising to children online, he said, but address the collection of personal data to deliver targeted, or behavioural, advertising.
“Our rule is simple, effective and straightforward,” he said. “Until and unless you get parental consent, you may not track children to build massive profiles for behavioural advertising.”
Four U.S. lawmakers attending the press conference praised the changes to the COPPA rules. The new rules will help prevent third-party companies on websites from using “technological tricks” to children’s personal information, said Senator John “Jay” Rockefeller, a West Virginia Democrat.
Strengthening the rules is “so much a no-brainer,” Rockefeller added. “It should be a universal issue.”
The FTC, in strengthening the rules, is doing “the lord’s work,” said Representative Joe Barton, a Texas Republican.
The rules create a new, streamlined process at the FTC for online companies to propose new ways to get parental permission to collect information. The rules also require online companies to take reasonable steps to release children’s personal information only to companies that can keep it secure and confidential.
Digital liberties group the Center for Democracy and Technology and e-commerce trade group NetChoice raised concerns that the new rules may target too many websites.
“COPAA should stay focused on websites that knowingly communicate with children — not cast a net so wide it is impossible to comply with,” Steve DelBianco, executive director of NetChoice, said by email. “I’m amazed at the ambiguity in determining whether a site is covered by COPPA. Despite two years of deliberation, the FTC still has not provided clarity the e-commerce industry needs.”
Web sites that serve a mixed audience could be vulnerable to FTC enforcement under COPPA, he added.
The new rules’ definition of when a website is directed to children “could expand COPPA’s reach to general audience sites and confuse website owners as to whether these new rules apply to them,” CDT said in a statement. This will likely prompt more sites to ask for age verification from all users before allowing access, the group said.
The new COPPA rules come just days after the FTC released a report saying that many mobile kids’ apps collect information without getting parental consent.
In the past eight days, privacy group the Center for Digital Democracy has filed two COPPA complaints with the FTC, one against popular mobile children’s game Mobbles and the second against television network Nickelodeon and mobile game-maker PlayFirst.
The new FTC rules are a “major step forward,” although the CDD will be on the lookout for loopholes, said Jeffrey Chester, executive director the group.
“We are especially gratified that this decision puts to rest the longstanding and disingenuous claims by the digital marketing industry that cookies and other persistent identifiers are not personally identifiable information,” he said in an email. “The revised rules also address the increasingly pervasive use of geo-location, behavioural targeting, and social media data collection.”