Broad Opposition Seen to FTC’s Proposed COPPA Changes

In September, the commission offered more than two dozen changes to the COPPA rule that would impose new requirements on website operators with the aim of protecting children from online threats. Among its proposed changes, the FTC sought to expand its governance of personal information, online services, and parental notification requirements relating to children under the age of 13.

The FTC’s proposed changes to the COPPA rule are “very likely to create significant marketplace uncertainty,” Microsoft said (http://xrl.us/bmnbs7). The proposal “would have profound implications for online advertising” because ad networks would either be forced to bear “unnecessary costs” to comply with COPPA’s requirements, or be left with few users to whom targeted ads could be shown. The FTC should provide clear guidance on what specific activities constitute “tracking” before it moves to include screen names, user names and persistent identifiers into the definition of personal information, Microsoft said. “Absent clarification, it is not clear whether there can be any data collection online by ad networks and other third-party online service providers,” something which could discourage websites from offering any online services to children, the company said.

The Entertainment Software Rating Board said it mostly supports the FTC’s proposed changes. But ESRB said it was “concerned” about the “mandate” for “a minimum level of annual member auditing by safe harbor programs.” While the safe harbors “have similar guidelines, each is a unique entity, offering different services and focusing on different market segments,” ESRB said. The proposed changes would encourage all safe harbors “to default to this minimum auditing standard where, in some situations, a greater frequency of auditing” by the safe harbor “may be appropriate,” it said. “As an alternative,” it suggested that the auditing provisions of the rule “require consideration of the types of businesses or industries the safe harbor services and the specific nature of their activities."

If a safe harbor services more than one industry, the oversight in which it engages “should factor in a specific industry’s needs, which may be different than that of another industry,” ESRB said. As an example, it said, ESRB members receive detailed quarterly compliance reports, which allow for “issues and problems” to be “spotted -- and corrected -- in a timely fashion, reducing a company’s risk for violating state and federal laws, including COPPA.” It recognized that quarterly monitoring “may not be necessary or appropriate for all operators” working with safe harbors. But ESRB said it believes “the minimum auditing standards now being proposed by the FTC can and should encourage appreciation of the wide-ranging nature and differing needs of various industries, and encourage safe harbors to structure their auditing plans accordingly.”

The Interactive Advertising Bureau bemoaned the “negative effects” that the FTC’s proposed changes could have on consumers and online companies and urged the commission to “rethink its approach” (http://xrl.us/bmnbug). The group objected to the FTC’s “burdensome” proposal to expand the COPPA definition of personal information. The proposals are “not warranted, workable or within the commission’s authority” and will burden parents and companies, and potentially reduce children’s access to “safe and engaging” online resources, IAB said. The group encouraged the commission to “reconsider its effort to create unnecessary rules that would undermine existing and effective industry self-regulation.”

Facebook restrained its criticism of the FTC’s proposed rule changes and applauded the agency’s “thoughtful approach” to the COPPA revision process (http://xrl.us/bmnbtb). The company’s delicate approach may stem from its recent settlement with the FTC on allegations that Facebook made deceptive claims about user privacy when it changed the framework of its social network in December 2009. Facebook did, however, ask for more clarification on the privacy responsibilities of third-party operators and asked the commission to exclude social media plugins like the Facebook “like” button from COPPA’s parental consent requirements. Without such exemptions the proposed changes would create “ambiguity” about whether websites and online services can include social media plugins at all, Facebook said.

The MPAA said the proposed changes are “unnecessary” and “exceed the authority granted to the FTC,” in its statement to the commission (http://xrl.us/bmnbsx). The MPAA also objected to the FTC’s proposed expansion of COPPA’s personal information definition because it “needlessly restricts uses of non-personal data that would improve children’s online experience and enhance their privacy.” Including new categories of personal information like screen names, persistent identifiers, photographs, videos and audio files in COPPA’s jurisdiction is “overly broad and inconsistent with the type of information that directly implicates children’s privacy,” MPAA said.

MPAA also urged the FTC not to eliminate its current parental consent system known as “email plus.” Adopted in 1999, the sliding-scale approach requires operators who are collecting personal information for internal use to obtain parental consent through an email and one additional step that verifies the individual is actually the child’s parent. “The FTC should not eliminate email plus absent evidence of its failure and, even more importantly, without a workable plan to replace it,” the MPAA said.

NCTA opposed the commission’s “sweeping changes,” particularly its proposals to expand the definition of personal information (http://xrl.us/bmnbsr). Such an expansion could “risk disrupting the existing equilibrium by significantly increasing obligations both for parents and for operators of child directed websites.” Furthermore, the FTC’s proposal would “likely have a negative impact” on the amount of child and family directed content available online and could “raise significant technology-related and other implementation issues,” NCTA said.

NAB called the agency’s proposal to incorporate interactive television under the rule both “premature” and “over-inclusive,” according to its filing with the agency (http://xrl.us/bmnbsv). “Now is not the time” to include “experimental endeavors” like interactive television under the COPPA rule, NAB said, because “premature government regulation can hinder the development or deployment of useful marketplace applications.” Rather than “casting too wide a net” the FTC should focus on current technologies and services that can “harvest or gather identifiable personal information from children,” the group said.

The Family Online Safety Institute (FOSI) was among the few advocates for the proposed rule changes, saying the increase of “troubling behaviors” like cyberbullying and sexting warrant another look at the 11-year-old rule (http://xrl.us/bmnbth). The group lauded the commission’s preservation and expansion of parental notification and consent requirements, the actual knowledge standard and safe harbor programs. But FOSI warned against the “abrupt elimination” of the email plus system of parental notification and suggested the FTC provide a sunset period to ease websites’ transition to another mechanism.

FOSI commended the agency for its increased vigilance on behalf of children and the aggressive approach it has taken towards companies that violate the COPPA rule. In May, the FTC agreed to its largest COPPA settlement ever, a $3 million civil penalty against Playdom, an online developer of multi-player games which it alleged had illegally collected and disclosed without parental consent personal information from thousands of children (CED May 13 p11). The FTC also agreed to hefty settlements against the owners of skidekids.com, a social networking site for children and W3 Innovations, a mobile applications developer, for unlawfully collecting children’s information without obtaining their parents’ prior consent. Such enforcement actions “send a clear message not just to the violator, but to the entire online community about the importance of obtaining parental consent before obtaining personal information from kids,” the group said.

The Center for Democracy and Technology said some of the proposed changes “raise significant technical and implementation questions that the commission must address” (http://xrl.us/bmnbun). The commission needs to make it “crystal clear” that a government-issued ID should not be used as online identification for non-governmental websites, the center said. “The commission needs to be careful to ensure that, by allowing the use of government IDs for identity verification purposes in the COPPA context, it is not encouraging practices that reduce consumers’ sensitivity to security risk.”