Trade Law Daily is a service of Warren Communications News.
Kids Are Alright

Broad Opposition to FTC’s Proposed COPPA Changes

Advertising, media and technology groups largely objected to the FTC’s proposed changes to the Children’s Online Privacy Protection Act (COPPA) rule, saying (http://xrl.us/bmnbr4) they're committed to protecting the privacy and safety of children, but many of the commission’s proposals go too far. In September, the commission offered more than two dozen changes to the COPPA rule that would impose new requirements on website operators with the aim of protecting children from online threats (WID Sept 16 p1). Among its proposed changes, the FTC sought to expand its governance of personal information, online services, and parental notification requirements relating to children under the age of 13.


The FTC’s proposed changes to the COPPA rule are “very likely to create significant marketplace uncertainty,” Microsoft said (http://xrl.us/bmnbs7). The proposal “would have profound implications for online advertising” because ad networks would either be forced to bear “unnecessary costs” to comply with COPPA’s requirements, or be left with few users to whom targeted ads could be shown. The FTC should provide clear guidance on what specific activities constitute “tracking” before it moves to include screen names, user names and persistent identifiers into the definition of personal information, Microsoft said. “Absent clarification, it is not clear whether there can be any data collection online by ad networks and other third-party online service providers,” something which could discourage websites from offering any online services to children, the company said.

The Interactive Advertising Bureau bemoaned the “negative effects” that the FTC’s proposed changes could have on consumers and online companies and urged the commission to “rethink its approach” (http://xrl.us/bmnbug). The group objected to the FTC’s “burdensome” proposal to expand the COPPA definition of personal information. The proposals are “not warranted, workable or within the commission’s authority” and will burden parents and companies, and potentially reduce children’s access to “safe and engaging” online resources, IAB said. The group encouraged the commission to “reconsider its effort to create unnecessary rules that would undermine existing and effective industry self-regulation.”

Facebook restrained its criticism of the FTC’s proposed rule changes and applauded the agency’s “thoughtful approach” to the COPPA revision process (http://xrl.us/bmnbtb). The company’s delicate approach may stem from its recent settlement with the FTC on allegations that Facebook made deceptive claims about user privacy when it changed the framework of its social network in December 2009 (WID Nov 30 p1). Facebook did, however, ask for more clarification on the privacy responsibilities of third-party operators and asked the commission to exclude social media plugins like the Facebook “like” button from COPPA’s parental consent requirements. Without such exemptions the proposed changes would create “ambiguity” about whether websites and online services can include social media plugins at all, Facebook said.

The MPAA said the proposed changes are “unnecessary” and “exceed the authority granted to the FTC,” in its statement to the commission (http://xrl.us/bmnbsx). The MPAA also objected to the FTC’s proposed expansion of COPPA’s personal information definition because it “needlessly restricts uses of non-personal data that would improve children’s online experience and enhance their privacy.” Including new categories of personal information like screen names, persistent identifiers, photographs, videos and audio files in COPPA’s jurisdiction is “overly broad and inconsistent with the type of information that directly implicates children’s privacy,” MPAA said.

MPAA also urged the FTC not to eliminate its current parental consent system known as “email plus.” Adopted in 1999, the sliding-scale approach requires operators who are collecting personal information for internal use to obtain parental consent through an email and one additional step that verifies the individual is actually the child’s parent. “The FTC should not eliminate email plus absent evidence of its failure and, even more importantly, without a workable plan to replace it,” the MPAA said.

The National Cable and Telecommunications Association opposed the commission’s “sweeping changes,” particularly its proposals to expand the definition of personal information (http://xrl.us/bmnbsr). Such an expansion could “risk disrupting the existing equilibrium by significantly increasing obligations both for parents and for operators of child directed websites.” Furthermore, the FTC’s proposal would “likely have a negative impact” on the amount of child and family directed content available online and could “raise significant technology-related and other implementation issues,” NCTA said.

The National Association of Broadcasters called the agency’s proposal to incorporate interactive television under the rule both “premature” and “over-inclusive,” according to its filing with the agency (http://xrl.us/bmnbsv). “Now is not the time” to include “experimental endeavors” like interactive television under the COPPA rule, NAB said, because “premature government regulation can hinder the development or deployment of useful marketplace applications.” Rather than “casting too wide a net” the FTC should focus on current technologies and services that can “harvest or gather identifiable personal information from children,” the group said.

The Family Online Safety Institute (FOSI) was among the few advocates for the proposed rule changes, saying the increase of “troubling behaviors” like cyberbullying and sexting warrant another look at the 11-year-old rule (http://xrl.us/bmnbth). The group lauded the commission’s preservation and expansion of parental notification and consent requirements, the actual knowledge standard and safe harbor programs. But FOSI warned against the “abrupt elimination” of the email plus system of parental notification and suggested the FTC provide a sunset period to ease websites’ transition to another mechanism.

FOSI commended the agency for its increased vigilance on behalf of children and the aggressive approach it has taken towards companies that violate the COPPA rule. In May, the FTC agreed to its largest COPPA settlement ever, a $3 million civil penalty against Playdom, an online developer of multi-player games, which it alleged had illegally collected and disclosed personal information from thousands of children without parental consent (WID May 13 p8). The FTC also agreed to hefty settlements against the owners of skidekids.com, a social networking site for children (WID Nov 9 p4) and W3 Innovations, a mobile applications developer (WID Aug 16 p6), for unlawfully collecting children’s information without obtaining their parents’ prior consent. Such enforcement actions “send a clear message not just to the violator, but to the entire online community about the importance of obtaining parental consent before obtaining personal information from kids,” the group said.

The Center for Democracy and Technology (CDT) said some of the proposed changes “raise significant technical and implementation questions that the commission must address” (http://xrl.us/bmnbun). The commission needs to make it “crystal clear” that a government-issued ID should not be used as online identification for non-governmental websites, CDT said. “The commission needs to be careful to ensure that, by allowing the use of government IDs for identity verification purposes in the COPPA context, it is not encouraging practices that reduce consumers’ sensitivity to security risk.”

NetChoice had several recommendations around some of the definitions included in the proposed changes and the identifiers that constitute personal information (http://xrl.us/bmnbu5). Screen names, user names or identifiers “used to link a child’s activities across sites” should not be included in the definition of personal information, NetChoice said. The proposed changes around adding user names to the definition “would decrease website services to children and might actually increase the collection of information about children.” The commission shouldn’t require parental consent “when there is passive tracking of children but no collection of personal information,” NetChoice added. Passive, anonymous tracking allows for “more appropriate content for children since it helps sites to better monetize their ad-supported content.”

The potential scope of the personal information definition is extremely broad, Visa said (http://xrl.us/bmnbu7). It covers many business practices that, “while not strictly necessary to maintain the internal function of the website or online service are nonetheless generally expected by consumers and, moreover, privacy neutral.” To avoid the risk of chilling legitimate, privacy-neutral internal business practices, the commission should revise the rule “to directly address the specific conduct that raises privacy concerns,” Visa said. Also, including precise geolocation within the definition “could have the unintended consequence of providing less, not greater, protection to children’s privacy,” the company added.

The Direct Marketing Association highlighted many proposals as areas that could discourage providers from developing and providing “interactive offerings to children online” (http://xrl.us/bmnbu9). A broad reading of the online service term “presents practical implementation challenges,” the sliding scale approach to obtaining verifiable parental consent should be preserved, and including “passive tracking” within the term “collection” has negative implications “for website and online service operations.”

The Electronic Privacy Information Center supported the changes and made suggestions for improvements. The FTC should define the key terms “Internet” and “website located on the Internet” and “extend the rule to cover text messaging services” (http://xrl.us/bmnbvd), it said. Because “online” means “connected to a network or available from a network,” an online service can include text messages that are not Internet-based, it said.

The commission should take some factors into consideration when assessing “whether consumers may be harmed if businesses require parents to submit government issued identification over the Internet,” the Antitrust Law Section of the American Bar Association said in its comments (http://xrl.us/bmnbvh). Consumers may be reluctant to provide government issued identifiers online “even in situations in which representations are made that the information will not be maintained or recorded.” The FTC also should consider that transmitting truncated government identification numbers “may not be expressly required, by statute, to be encrypted,” it said. Therefore, the proposal may “lead to such information being sent in a form in which it could be intercepted by an unauthorized third party.”

The Entertainment Software Rating Board said it mostly supported changes the FTC proposed. But ESRB said it was “concerned” about the “mandate” for “a minimum level of annual member auditing by safe harbor programs.” While the safe harbors “have similar guidelines, each is a unique entity, offering different services and focusing on different market segments,” ESRB said (http://xrl.us/bmnb7o). The proposed changes would encourage all safe harbors “to default to this minimum auditing standard where, in some situations, a greater frequency of auditing” by the safe harbor “may be appropriate,” it said. “As an alternative,” it suggested that the auditing provisions of the rule “require consideration of the types of businesses or industries the safe harbor services and the specific nature of their activities.”

If a safe harbor services more than one industry, the oversight in which it engages “should factor in a specific industry’s needs, which may be different than that of another industry,” ESRB said. As an example, it said, ESRB members receive detailed quarterly compliance reports, which allow for “issues and problems” to be “spotted -- and corrected -- in a timely fashion, reducing a company’s risk for violating state and federal laws, including COPPA.” It recognized that quarterly monitoring “may not be necessary or appropriate for all operators” working with safe harbors. But ESRB said it believes “the minimum auditing standards now being proposed by the FTC can and should encourage appreciation of the wide-ranging nature and differing needs of various industries, and encourage safe harbors to structure their auditing plans accordingly.”