FTC Moves To Strengthen Online Privacy For Children
September 16, 2011


The Federal Trade Commission (FTC) is proposing tougher privacy protections to help safeguard children's personal information online.

The new rules, which apply to children under 13 years old, would tighten requirements covering the collection and storage of personal information by websites, and the way in which websites solicit and obtain parental approval.

The Commission said the amendments to the Children's Online Privacy Protection Rule (COPPA) are designed to keep pace with the growing use of new technology and devices, such as social networks and smartphones.

"In this era of rapid technological change, kids are often tech savvy but judgment poor," said FTC Chairman Jon Leibowitz in a statement on Thursday.

The Commission is proposing modifications to the COPPA Rule in five areas: definitions, including the definitions of "personal information" and "collection;" parental notice; parental consent mechanisms; confidentiality and security of children's personal information; and the role of self-regulatory "safe harbor" programs.

"We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses," said Leibowitz.

"We look forward to the continuing thoughtful input from industry, children's advocates, and other stakeholders as we work to update the Rule."

COPPA currently requires that operators of websites or online services directed to children under 13, or those that have actual knowledge that they are collecting personal information from children under 13, obtain verifiable consent from parents before collecting, using, or disclosing such information from children.

The major proposed amendments include changes in the following:
•  Definitions -- The COPPA Rule now requires operators to obtain parental consent before collecting personal information from children. The FTC proposes updating the definition of "personal information" to include geolocation information and certain types of persistent identifiers used for functions other than the website's internal operations, such as tracking cookies used for behavioral advertising. The Commission also proposes modifying the definition of "collection" so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children's personal information before it is made public.

•  Parental Notice -- The proposed amendments seek to streamline and clarify the direct notice that operators must give parents prior to collecting children's personal information. These revisions are intended to ensure that key information will be presented to parents in a succinct "just-in-time" notice, and not just in a privacy policy.

•  Parental Consent Mechanisms -- The Commission is proposing the addition of new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent's ID is deleted promptly after verification is done. The FTC proposes eliminating the less-reliable method of parental consent, known as "e-mail plus," which is available to operators that collect personal information only for internal use. This method currently allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.

•  Confidentiality and Security Requirements -- The Commission seeks to strengthen the Rule's current confidentiality and security requirements by adding a requirement that operators ensure that any service providers or third parties to whom they disclose a child's personal information have in place reasonable procedures to protect it. The operators may then retain the information for only as long as is reasonably necessary, and must properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.

•  Safe Harbor -- The Commission is proposing to strengthen its oversight of self-regulatory "safe harbor programs" by requiring them to audit their members at least once per year, and report periodically to the Commission the results of those audits.

