The new, revised COPPA
The US Federal Trade Commission’s revisions to the COPPA Rule, announced today (12/19/12), are aimed at syncing up a rule mandated by a 1998 law with today’s technology and with “the way children use the Internet, mobile devices and social networking,” the FTC says in its press release. For example, the personal information that services cannot collect from children under 13 without parental consent now includes photos, videos and geolocation information; the FTC will have a “streamlined, voluntary and transparent” process for approval of new ways children’s sites can obtain parental consent; and the COPPA Rule now rules out the use of “persistent identifiers” like cookies that would allow businesses to send kids behavioral ads based on their online activities.
In addition to “personal information,” the FTC also updated a number of other terms. For example, “operator” now means a kids’ site or service that integrates third-party services “such as plug-ins or advertising networks” that collect personal information from its visitors – not app stores like Apple’s or Google Play that just offer children’s apps. So an “operator” like Facebook or Apple’s App Store “will only be responsible if they have ‘actual knowledge’ that an … app is not complying,” the Los Angeles Times reports.
Also, “collection of personal information” no longer includes information children themselves post as a form of participation in “interactive communities” (e.g. online games) – sites and services don’t have to obtain parental consent as long as they “take reasonable measures to delete all or virtually all children’s personal information before it is made public.”
Collaborative regulatory power needed
From that last point, you can see that sites and services will be struggling for some time to understand the exact meaning of some of these revisions and how they apply to the user-driven content on their services. Both the confusion and some of the updates could either chill innovation (by increasing startup costs) or help shutter small businesses serving children. For example, in its coverage of the revisions, the Washington Post cited the view of a developer of children’s book apps. The developer “fears heavy legal costs that she estimates could be as high as $10,000 [because] she would like to collect information about children to personalize her app so that users can create logs and reading goals.” This indicates confusion because the FTC states that “no parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting … internal operations.” Collecting information for the sole purpose of enhancing a user’s experience – by allowing them to create “reading goals” in a book app – would probably be seen by the FTC as perfectly compliant, as an “internal operation.”
So as I watched the new rule’s unveiling live-streamed from Capitol Hill today, I noted two things:
- The pressure on regulators to keep up with new media and technologies and…
- A lack of understanding of how the “user-driven” aspect of new media and technologies changes the regulatory equation.
The former aggravates the latter. Until governments stop trying to apply regulation to the conditions of the former (mass) media environment, in which professionally produced media was published or broadcast to people who merely consumed it, they will not fully protect “consumers,” who are now producers and participants every bit as much as consumers and whose media is the content of their lives. Under these conditions, self-regulation (personal as well as corporate) becomes as essential to “consumer” protection as the government kind, and regulatory power is increasingly distributed and shared among users, media companies, and government (see this in my post about the unintended consequences of COPPA last summer). Regulation in today’s media environment is necessarily a collaboration, and effective consumer protection under these new conditions requires a lot more consumer education not only about the importance of self-regulation but also about not having a false sense of security about regulation!
Obtaining your consent
The new COPPA Rule will also change the ways you can give your consent to children’s sites and services. New methods include “electronic scans of signed parental consent forms; video-conferencing [sounds like you could have a Skype chat with a kids' Web site or app company]; use of government-issued identification [a scan of your driver's license, perhaps]; and alternative payment systems, such as debit cards and electronic payment systems, provided they meet certain criteria,” according to the FTC. How do you feel about giving consent in these ways? Please feel free to comment below!
The new rule goes into effect next July 1, CNN reports.
- A study released late last month from New York University found that COPPA has likely increased minors’ risk online – see this.
- A study released last year about how, despite COPPA, a large proportion of US parents of children under 13 help their kids set up accounts in social network sites.
- ConnectSafely.org submitted a comment to the FTC about the proposed revisions this past September.
- In 2010, a task force I co-chaired sent Congress our report “Youth Safety on a Living Internet” – here’s a post about why we chose that title.
- A year before that, my ConnectSafely.org co-director and I published a document entitled “Online Safety 3.0: Empowering and Protecting Youth,” explaining why youth agency (and not treating youth or adult users only as potential victims) is essential to their protection.