The Federal Trade Commission (FTC) released proposed amendments to the Children's Online Privacy Protection Rule last week, winning approval from privacy advocates but raising concern among members of the advertising industry.
The rule implements the Children's Online Privacy Protection Act (COPPA) and requires that operators of websites and other online services directed to children under the age of 13 obtain verifiable consent from parents before collecting, using, or disclosing information from children under 13. The rule's requirements also extend to operators of websites and other online services that have actual knowledge that they are collecting personal information from children under 13.
The FTC proposes modifications to the rule in five areas: definitions, parental notice, parental consent mechanisms, confidentiality and security, and the role of self-regulatory safe harbor programs.
The FTC proposes updating the definition of "personal information" so that operators would have to obtain parental consent before collecting location information or using cookies to build a profile about a child and monitor the child's online activities for purposes of behavioral advertising. Proposed revisions to the definition would also cover facial recognition technology. The FTC also proposes modification of the definition of "collection" so that children can participate in interactive communities without parental consent so long as the operators delete the children's information.
With regard to notice and consent, the FTC proposes to streamline and clarify the notice operators must provide to parents before collecting children's personal information and to provide additional methods through which operators can obtain parental consent—for example, through electronic scans of signed forms, video conferencing, and use of government-issued IDs. The FTC proposes eliminating the two-step verification method known as "e-mail plus" as a way to obtain consent.
To better protect children's personal information, the FTC proposes adding a requirement that operators ensure that third parties with which they share personal information have in place reasonable procedures to protect it, keep it only as long as is reasonably necessary, and then properly delete it.
Finally, the FTC proposes requiring self-regulatory safe harbor programs (such as the Children's Advertising Review Unit and TRUSTe) to audit their members annually and periodically report audit results to the FTC.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, told The New York Times that "he was especially heartened that the rules addressed new technology that allows for location-tracking and facial recognition." Meanwhile, the Direct Marketing Association released a statement on its Web site that the existing rule plays "an important role in providing protections to children in the online environment and does not require many of the changes proposed by the FTC."
The public comment period on the proposed rule changes will be open until November 28.