If you thought wood splinters and strangers offering candy in the park were the biggest threats to children, you haven't been paying attention to the modern playground - the Internet. Using digital cookies, global positioning, and online behavioral advertising, companies can locate children while they use mobile devices, lure them with targeted ads for a nearby ice cream shop, or tempt them to instantly buy a new gaming application. These entities can also track online behavior to build sophisticated user profiles and then sell the information to advertisers in real time.
When Congress gave the Federal Trade Commission (FTC) authority to protect the privacy of children age twelve and younger with the Children's Online Privacy Protection Act of 1998 (COPPA) (15 U.S.C §§ 6501-6506), Facebook wouldn't be invented for another six years and the first iPhone sale was nine years away. Times have changed. So on July 1 new FTC regulations will expand the number of website operators and app developers who come under the jurisdiction of COPPA's requirements for parental notification and consent, and impose limits on retention of a child's private information. (16 C.F.R., Pt. 312.)
The new rules may address some of the concerns raised by an FTC staff report last year on 400 apps geared toward children: Only 16 percent gave parents a link to their privacy policies prior to downloading, the study found.
Now, for the first time, the FTC has gone beyond protecting the privacy of a child's name, address, and phone number to safeguard "persistent identifiers" - such as a Web address unique to a computer (known as an Internet Protocol or IP address), a smartphone's ID, geolocation tracking data, photos, and video and audio of children. The new rules also expand the definition of "websites directed toward children" to include social media plug-ins such as a "like" button on Facebook.
"What they are trying to get at with persistent identifiers is that they really don't want online behavioral advertising targeted to kids, or the amassing of a child's activities across websites," says Julie O'Neill, who specializes in privacy and consumer protection in Morrison & Foerster's Washington, D.C., office.
Not everyone, however, welcomes this development. Sweeping IP addresses into the definition of personal information "is hugely problematic for information transfer on the Internet," says Alison Pepper, senior director of public policy for the D.C.-based Interactive Advertising Bureau (IAB).
Including IP addresses as persistent identifiers along with users' names and addresses "is contrary to what a lot of federal courts are ruling," she says. The IAB chided the FTC in September that the move oversteps the commission's statutory authority.
Also unnerving for the gaming and entertainment industry is the expansion of liability for third-party content. Next month, companies that knowingly collect data through a site directed at children will be responsible for making COPPA privacy disclosures and getting parental consent.
But the law is limited. COPPA contains no private right of action, for example, and it does nothing for teens over age twelve.
California, for its part, has an added weapon in its arsenal. The California Online Privacy Protection Act (Cal. Bus. & Prof. Code §§ 22575-22579), passed in 2003, requires companies that collect personal information to display their privacy policies.
Attorney General Kamala Harris has put a high priority on protecting children's online privacy and says she intends to bring enforcement actions under the federal COPPA. "The statute specifically authorizes a state AG to enforce it," says Travis LeBlanc, special assistant attorney general and Harris's top advisor on privacy. "The law will be enforced by the FTC and
the California AG. No question about that."