FTC Said Closer to Improving COPPA as Comment Deadline Nears
The FTC review of the Children’s Online Privacy Protection Act (COPPA) could pioneer efforts to develop privacy frameworks in other areas, and it could set an example for other countries to follow, some privacy advocates said Wednesday at the Family Online Safety Institute conference in Washington. The FTC proposed several changes regarding personal information and geolocation information as they relate to kids. Comments on the rulemaking are due Nov. 28.
The FTC proposed that persistent identifiers, like cookies and Universal Device ID, should be included in the definition of personal information, said Mamie Kresses, FTC senior attorney in the division of advertising practices. “We want to capture the use of persistent identifiers where they're used to track a child online across multiple sites and services for purposes other than for support for the internal operations of the site or service.” The review also addresses the use of screen names. In some instances, screen names “have the capability of being used as an instant messaging identifier and they are portable,” she said. The FTC views this use as outside of the structure or function of the site itself, she added.
Some of the proposals may have to be tweaked after they're adopted, said Jules Polonetsky, Future of Privacy Forum director and former AOL chief privacy officer. Kids are coming up with their own mechanisms to get on sites, he said. “We don’t yet see any of the platforms or networks having figured out what that ‘kid strategy’ is.” Organizations need to take a “privacy by design” and risk-based approach when forming their privacy programs, said Brendon Lynch, Microsoft chief privacy officer. During development they should think about possible abuses of those products and services and “put measures in place to mitigate those risks.”
Sites should include more information about their practices in direct notices to parents, Kresses said. The current rule says the notice can provide a link to the site’s larger privacy policy. The FTC proposes that sites provide more detailed, complete information to parents the first time their child wants to access a site, she said.
As the European Union reviews its data protection directive, portions of COPPA can be a guide, said Justin Weiss, Yahoo international privacy and policy senior director. Historically, there hasn’t been legislation targeted at children’s privacy, he said. COPPA’s application solely to children under 13 could guide the EU in its effort, he said. In the EU, it’s recognized that “children have not necessarily been identified as a sensitive category of data.” The EU also is considering the concept of the “right to be forgotten,” Weiss said: “In the age of social networking … there’s the sense that there could be an intersection between that concept … for children and the concept of data protection,” he said. Weiss cautioned the FTC to be thoughtful in its changes and recognize that “there are rights that we want to preserve,” like free speech.
Polonetsky commended the FTC for maintaining the age threshold of kids at under 13. The commission recognized that moving it up would have created a constitutional challenge with teens hanging out on sites where adults are, he said. Raising the age would create a bar that blocks adults from accessing sites, he added.