Updating Online Privacy Rules for Kids

September 11, 2012

COPPA revisionsThe current framework of rules designed to protect the privacy of children online was established under the Children’s Online Privacy Act of 1998 (COPPA).  The regulations established by the Federal Trade Commission (FTC) under COPPA are currently being revised.  Until September 24, 2012, the FTC is accepting public comments regarding changes it proposes to the COPPA rules (http://ftc.gov/opa/2012/08/coppa2.shtm).

Key aspects of COPPA in its current form are its notice and parental consent components.

Web site operators and other online service providers are currently required to provide notice and obtain parental consent before collecting personally identifiable information from children younger than 13 years of age.

One of the modifications proposed for COPPA would make it clear that the requirements imposed by the rules apply to online advertising networks and the software advertising “plug-ins” now widely used in Web sites and social media communities, such as Facebook through its “like” feature.  As currently drafted, it is not clear that the COPPA regulations apply to online advertising and social media networks.

Another proposed modification to COPPA would include geographic location associated with children as personal information.  Parties who collect geo-location information that enables identification of the location of a specific child would be required to comply with COPPA under the modified rules.

If these modifications to COPPA are enacted, a wider range of service providers will be included within the scope of the rules.  Social media networks, advertising networks, and location tracking system operators, among others, will all be required to provide notice and obtain parental consent before collecting personal information from children under thirteen.

Although the proposed rule changes seem to be substantively appropriate, the overall approach to privacy protection taken by the U.S. government, to date, is ill-conceived.  That approach relies on identification of specific classes of information (information collected from young people, in the case of COPPA) and implementation of protective measures solely for each protected class.

This approach to privacy protection is inadequate and inefficient.

Implementation of privacy protection on a category-by-category basis inevitably leaves gaps in the overall protection.  The system also requires continuous updating and modification as new technologies and new applications for personal information are constantly being introduced, and each of those changes forces re-consideration of the existing privacy protection framework.

COPPA and the proposed modifications are helpful in the effort to provide effective privacy protection.  They are, however, inadequate.

What is needed instead is comprehensive national privacy legislation which would grant all U.S. citizens control over all of their personal information, regardless of the proposed user or use of that information.