The U.S. Federal Trade Commission issued updated rules on Wednesday that will ban online advertisers from tracking the online behavior of children without explicit consent from their parents.
In a press conference in Washington D.C, FTC Chairman Jon Leibowitz announced new guidelines for implementing the Children’s Online Privacy Protection Act (COPPA). Among other things, the changes expand the list of information that cannot be collected from children without parental consent to include photographs, videos and audio recordings of children and geo-location information.
“Unless you get parental consent, you may not track children and use their information to build massive profiles of online behavior,” said FTC Chairman Leibowitz.
The new rules are a major revision to the COPPA rule, which was first passed in 1998. The law is a kind of privacy Bill of Rights and applies to children 13 years old and younger.
Speaking at a press conference on Wednesday afternoon, Rep. Ed Markey (D-MA), one of the original authors of COPPA, said that the law was written in an era “before Facebook,” and that the advent of social networking and powerful mobile devices necessitated an update to the rules.
“These devices are personal computers in your pocket. People know where you are. So we have to protect children and make sure that information can’t be used,” said Rep. Ed Market (D-MA).
The new rules bar advertisers from collecting geo-location information from kids, strengthen security requirements for kids’ data and close a loophole that allowed third parties to collect personal information from kids using plug-ins to kid directed mobile- applications and web sites. The update also extend COPPA to clearly cover persistent cookies that can track users across multiple web sites and third parties that contract with website operators.
At a press conference, senior Congressional backers cited last week’s tragic shooting in Newtown, Connecticut, in trumpeting a law that protects children online.
“What happens in Connecticut shows how physically vulnerable children are,” said Rep. Joe Barton (R-TX). “Today is all about how vulnerable children are in cyberspace.”
“As we continue to mourn as a nation, we honor a rule that was put on the books to protect child safety and give parents the tools to protect them,” said Rep. Markey.
COPPA is the main instrument for protecting child online privacy, but it is limited in scope. A draft bill in the House of Representatives would expand COPPA to cover children 15 and under, rather than 12 and under. But Leibowitz and others note that it covers only a sliver of all the Web sites and online services available to children.
Among other things, the new law doesn’t explicitly cover mobile application stores (or “app stores”) because children are not the primary audience of such sites. Also, the bill’s definition of “collection” in regard to personal information had to be changed to allow for activity in interactive online communities that children use. Such collection is possible, but site owners must not retain any information on children longer than is “reasonably necessary” and protect against unauthorized access or use while the information is being disposed of.
The bill faced opposition from technology firms and online advertisers, who worried that it would impose technical restrictions that would hamper innovation and growth. Speaking on Wednesday, Leibowitz rejected that charge.
“Advertisers can still advertise on sites that cater to children. The only limit is on behavioral advertising,” he said.
The update to COPPA is part of a larger push by the FTC to strengthen online privacy protections. In November, a federal judge in San Francisco formally approved a $22.5 million settlement between the U.S. Federal Trade Commission (FTC) and Google for that company’s practice of misleading users of the Safari web browser about how it would track their movements online.
The agency has also pressured firms like Google and Facebook to be more transparent in telling their users how and when they are tracking their activities online. In September, Facebook agreed to stop using facial recognition technology to track users. A similar complaint has been lodged with the FTC. At the same time, the EU is weighing revisions to its Data Protection rules that would strengthen protections for individuals living in EU countries.