Some websites and mobile app developers are confused about how to comply with revised rules governing the online collection of personal information from children that took effect in the U.S. Monday, critics said.
The U.S. Federal Trade Commission, under updated regulations for the Children's Online Privacy Protection Act (COPPA), is restricting targeted advertising aimed at children and requiring that websites and mobile apps take extra care when handling children's cookies, geolocation information, photos and other identifying information.
The FTC last updated the FAQ about complying with the new rule just weeks ago, said Morgan Reed, executive director of the Association for Competitive Technology (ACT), a trade group that represents mobile app developers. App developers continue to have questions about how to comply with the revised rules, he said.
"How do we make the goals of COPPA function in a technological world where a parent might hand their tablet computer from the front seat of the car to the back seat of the car?" Reed said. "How does the developer know when he has to change behavior ... when that tablet goes over the divider?"
The FTC seems to be updating the FAQ "willy-nilly," added John Feldman, a technology-focused lawyer at law firm Reed Smith. In some cases, the FAQ seems to add requirements that weren't in the rule the FTC approved in December, he said.
The FTC has updated the FAQ in response to ongoing questions about the new COPPA rule, said Kandi Parsons, a lawyer in the agency's Bureau of Consumer Protection. The FTC's intent is to give businesses as much information on how to comply as possible, she said.
"We're trying to be responsive to the questions we're receiving," she said. "As new issues arise, this will be an updated document."
The FTC has published a six-step compliance plan for businesses and has launched a COPPA compliance email hotline, at [email protected], she noted.
Online businesses should focus on the big-picture issues with the new regulations, which limit the online tracking of children and eliminate targeted advertising aimed at them without parental consent, Feldman said.
Still, Feldman believes the FTC will give some companies time to work out compliance issues. "Those who are seeking to comply and are making bona fide efforts in that regard -- and can demonstrate that through documentation of modified procedures and monitoring practices -- will probably get more latitude for an extended timeline than those who are simply wringing their hands," he said.
COPPA, passed in 1998, requires that websites and online services that are either directed at children under 13 or have actual knowledge that they are collecting personal information from children under 13 give notice to parents and get their consent before collecting, using or disclosing that information.
The revised rules define cookies, geolocation information, photos, videos, audio recordings, IP addresses and mobile device IDs as personal information that websites and service providers must get parental consent to collect. The changes also closed what the FTC calls a "loophole" allowing third-party plug-ins to collect children's information without parental consent.
The new rules also strengthened data security protections by requiring that covered website operators and online service providers take reasonable steps to release children's personal information only to companies that are capable of keeping it secure and confidential.
COPPA allows civil penalties of up to US$16,000 per violation.
Privacy advocates praised the new rules.
"In essence, children ... are the only group of U.S. consumers who have at least some protections against the onslaught of digital marketing," Jeffrey Chester, executive director of the Center for Digital Democracy, said in an email. "As you know, junk food marketers are in the forefront of targeting kids and teens with powerful online campaigns."
Chester's group plans to "monitor the market very closely" for compliance, with the focus on large digital services such as Disney and the Cartoon Network, he said. The CDD has also published a parent's guide to the COPPA rules.
At Reed's ACT, the trade group is working with a group called Moms With Apps to help app developers adopt privacy practices and comply with the new COPPA rules. The ACT/Moms with Apps Know What's Inside campaign, launched Monday, will allow app developers to display a privacy seal if they comply with recommended best practices.
A big remaining question is whether parents will use the tools they're given to protect their children's privacy, Reed said. More parental education is needed, and some parents need to take a more active role in managing their children's data, he said.
"What are we going to do on the parent education side?" Reed said. "Ultimately, no matter how sleek or clever or awesome the tools we make are, if parents don't understand them or use them, they will fail."