Modified online children's privacy rules take effect in US

Some websites and app developers are uncertain how to comply with the revised regulations

Some websites and mobile app developers are confused about how to comply with revised rules governing the online collection of personal information from children that took effect in the U.S. Monday, critics said.

The U.S. Federal Trade Commission, under updated regulations for the Children's Online Privacy Protection Act (COPPA), is restricting targeted advertising aimed at children and requiring that websites and mobile apps take extra care when handling children's cookies, geolocation information, photos and other identifying information.

The FTC last updated the FAQ about complying with the new rule just weeks ago, said Morgan Reed, executive director of the Association for Competitive Technology (ACT), a trade group that represents mobile app developers. App developers continue to have questions about how to comply with the revised rules, he said.

"How do we make the goals of COPPA function in a technological world where a parent might hand their tablet computer from the front seat of the car to the back seat of the car?" Reed said. "How does the developer know when he has to change behavior ... when that tablet goes over the divider?"

The FTC seems to be updating the FAQ "willy-nilly," added John Feldman, a technology-focused lawyer at law firm Reed Smith. In some cases, the FAQ seems to add requirements that weren't in the rule the FTC approved in December, he said.

The FTC didn't immediately respond to a request for comment on the criticisms of the new rules.

Online businesses should focus on the big-picture issues with the new regulations, which limit the online tracking of children and eliminate targeted advertising aimed at them without parental consent, Feldman said.

Still, Feldman believes the FTC will give some companies time to work out compliance issues. "Those who are seeking to comply and are making bona fide efforts in that regard -- and can demonstrate that through documentation of modified procedures and monitoring practices -- will probably get more latitude for an extended timeline than those who are simply wringing their hands," he said.

COPPA, passed in 1998, requires that websites and online services that are either directed at children under 13 or have actual knowledge that they are collecting personal information from children under 13 give notice to parents and get their consent before collecting, using or disclosing that information.

The revised rules define cookies, geolocation information, photos, videos, audio recordings, IP addresses and mobile device IDs as personal information that websites and service providers must get parental consent to collect. The changes also closed what the FTC calls a "loophole" allowing third-party plug-ins to collect children's information without parental consent.

The new rules also strengthened data security protections by requiring that covered website operators and online service providers take reasonable steps to release children's personal information only to companies that are capable of keeping it secure and confidential.

COPPA allows civil penalties of up to US$16,000 per violation.

Privacy advocates praised the new rules.

"In essence, children ... are the only group of U.S. consumers who have at least some protections against the onslaught of digital marketing," Jeffrey Chester, executive director of the Center for Digital Democracy, said in an email. "As you know, junk food marketers are in the forefront of targeting kids and teens with powerful online campaigns."

Chester's group plans to "monitor the market very closely" for compliance, with the focus on large digital services such as Disney and the Cartoon Network, he said. The CDD has also published a parent's guide to the COPPA rules.

Reed's ACT is working with a group called Moms With Apps to help app developers adopt privacy practices and comply with the new COPPA rules. The ACT/Moms With Apps Know What's Inside campaign, launched Monday, will allow app developers to display a privacy seal if they comply with recommended best practices.

A big remaining question is whether parents will use the tools they're given to protect their children's privacy, Reed said. More parental education is needed, and some parents need to take a more active role in managing their children's data, he said.

"What are we going to do on the parent education side?" Reed said. "Ultimately, no matter how sleek or clever or awesome the tools we make are, if parents don't understand them or use them, they will fail."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
