After publishing a study last week showing serious breaches of children's digital privacy, the Federal Trade Commission has adopted final amendments to regulations under the Children's Online Privacy Protection Act, or COPPA.
The revised COPPA Rule aims to strengthen children's privacy protections and give parents greater control over the personal information that Web sites and online services can collect from children under 13.
In 2010, the FTC launched a review to make sure that the COPPA Rule keeps up with evolving technology and changes in the way children use and access the Internet, including the increased use of mobile devices and social networking. In the wake of that review, COPPA is getting stronger.
"The commission takes seriously its mandate to protect children's online privacy in this ever-changing technological landscape," said FTC Chairman Jon Leibowitz. "I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children's online activities."
Amending the Rule
The final amendments modify the list of "personal information" that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos. The new amendments also offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent.
Other amendments close a loophole that allowed child-directed apps and Web sites to permit third parties to collect personal information from children through plug-ins without parental notice and consent, require that covered Web site operators adopt reasonable procedures for data retention and deletion, and strengthen the FTC's oversight of self-regulatory safe harbor programs.
What's more, the definition of "collection of personal information" has been changed so that operators may allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete all or virtually all children's personal information before it is made public.
Breaking the Rule
The COPPA Rule was mandated when Congress passed the Children's Online Privacy Protection Act of 1998. COPPA also prohibits online services from conditioning children's participation in activities on the collection of more personal information than is reasonably necessary for them to participate. The rule contains a "safe harbor" provision that allows industry groups or others to seek FTC approval of self-regulatory guidelines.
And that's the problem. It's a rule, Rob Enderle, principal analyst at the Enderle Group, told us. He said stricter guidelines are a step in the right direction, but since online services make money selling this information, the FTC's move probably isn't strong enough to be fully effective.
"The problem is they are working against the financial interests of the companies that are doing this. When you are working against the financial interests, really the only way to stop the behavior is to make it uneconomic to continue the behavior," Enderle said. "The FTC has still fallen short of that. So while it certainly is a step in the right direction, until they really make it unprofitable to share this information I think you are going to find online services will still do it."