Children and Digital Advertising Collection Practices: FTC to issue new COPPA Rules

Does your website have a Facebook “Like” button? Is your website, mobile site or mobile app directed at adults but attracts children under age 13?  Pull out your pens.  The Wall Street Journal reports that today FTC is expected to issue new rules proposed last fall to protect children online and on mobile devices. The new rules take effect following  a 30 day comment period.  Take a minute to compare your website audience and information collection practices to the disclosures made in your website terms of use and privacy policy. There are often gaps and mismatches in even the most well meaning policies.  For example, a “Like” button on your website collects and reports a stream of data about your visitors to Facebook — whether they “Like” your website or not.  Is that what your privacy policy discloses?

How about children? How often have you seen kids using tablets and smartphones while their parents are busy? How many younger ‘tweens have their own smartphones? Many children, even very young ones are quite adept with mobile devices.  My secretary’s almost-two-old grandchild already knows how to find her favorite app on her mom’s iPhone.  Since 2000, the FTC rules issued as a result of COPPA, the Children’s Online Privacy Protection Act, have required website operators to obtain verifiable parental permission PRIOR to interacting with users under age 13.   Does your website privacy policy currently address the requirements of COPPA? Many sites claim to be solely targeted to adults but adolescents frequently use websites that only target adults and it is not sufficient to simply post a disclaimer and turn a blind eye to underage users.  Facebook, the prototypical adult site populated by teens, paid a $3 million fine to the FTC and is scrambling to address privacy protections for younger teens.

COPPA’s rules, however, have not kept pace with technological changes in digital advertising and mobile devices. The FTC is moving to catch up. Most websites, kid friendly or not, will need to make changes and work with vendors to ensure that their online marketing and data collection practices and policies are also compliant with COPPA’s changes.

Proposed changes include redefining “personal information” to include geolocation information and persistent tracking cookies used not for website functions but for behavioral advertising. Another change certain to be ‘Liked” by Facebook will be to redefine “collection” so that children may participate in interactive communities without parental consent, if all or virtually all of a child’s personal information is deleted before it is made public.

Other changes proposed include:

  • requiring notices to parents be made in “real time”;
  • stricter verification procedures for parental consents; and
  • requiring website operators to ensure that service providers and third-parties, such as ad networks, who collect children’s personal information (PI) take reasonable procedures to: protect children’s PI; retain children’s PI only as is reasonably necessary; and dispose of children’s PI in a manner that ensures that the PI is properly deleted and prevent unauthorized access during disposal.

You have 30 days to comment and comply — better get busy!