COPPA

On November 19, 2014, the Federal Trade Commission announced that it is seeking public comment on a second proposed verifiable parental consent method by AgeCheq, an online privacy protection service. The Children’s Online Privacy Protection Act (COPPA) requires children and family-friendly website operators and app developers to (1) post privacy policies and (2) notify and obtain verifiable consent from parents prior to collecting, using, or disclosing personal information from children under the age of 13.

There are considerable challenges to obtaining verifiable consent from parents in real time, particularly for use of online services by children. The rule lays out a number of acceptable methods for gaining verifiable parental consent and includes a provision allowing parties to submit new consent methods to the FTC for approval. AgeCheq’s new proposal eliminates the need for paper signatures by providing a digitally signed parental declaration authenticated by a verification code on the parent’s mobile device.


Keeping your Facebook images private is a confounding problem. Ask Mark Zuckerberg’s sister Randi, who couldn’t make sense of FB’s privacy settings. Kashmir Hill, a privacy commentator at Forbes, posted a funny analysis of the Zuckerberg predicament and easy-to-follow directions on how to adjust your settings to keep family photos more private. The settings are easy once you know where to look. User posting behavior sometimes doesn’t match user privacy concerns.

Regarding content posted online as public is best, no matter what the privacy policy says. Social media and other interactive businesses struggle to keep their policies (and practices) current and reflective of how technology actually uses data to provide services online. Users who follow the steps in Kashmir Hill’s article and think before posting private content will have fewer social media privacy concerns.

Websites should consider treating children as an attractive nuisance. Even consider putting up fences to keep them out. 

The FTC is monitoring many websites that attract children (even unintentionally) for COPPA violations. The Children’s Online Privacy Protection Act, COPPA, requires websites to obtain verifiable parental consent before collecting personal information from kids under age 13. Sites that are “directed” to such children must also disclose to parents what they collect about their children, how they use the information and what they disclose to third parties. If the websites do not comply with COPPA, the Federal Trade Commission may investigate and impose fines and consent orders to curb websites’ tracking of children under 13.

Many website policies include a disclaimer that the website is “NOT directed” to children under age 13 and prohibit access by children under 13 or limit it to use under direct parental supervision. Unfortunately, these policies will not limit the liability of a website operator if it knows kids under 13 are providing personal information to its website. Then, the website is likely to be considered to be directed to such children. If a website operator knows that kids are attracted to its website, then the website must comply with COPPA as if the website is intentionally directed to children under 13.

Artist Arena manages fan sites for Justin Bieber, Rihanna and Selena Gomez (among others), which together collected personal information from more than 25,000 children under the age of 13 without seeking verifiable parental consent. Artist Arena’s fan sites were intentionally directed to ‘tweens as the target audience of the celebrities featured on its fan sites and had COPPA policies, but failed to actually notify the parents and obtain their permission before collecting info from their children. Artist Arena settled with the FTC, agreeing to pay a cool million dollars, enter into a consent decree against future COPPA violations, and destroy all data it unlawfully collected from children.

The take-away?

Kids are adept at learning new technology and have unfettered access to smartphones, tablets and desktop computers. So, it goes without saying that many registration schemes aimed at preventing kids from accessing an attractive website are quickly overcome. A policy prohibiting use by children is definitely not sufficient. Operators of interactive websites (sites with blogs, forums, comment and sharing features) can’t ignore kids under 13 who are using the site. Their data stream will likely “rat them (and the operator) out.” With notice of kids, the operator must either block access or adopt a COPPA policy and enforce it. Get the COPPA FAQs here.

As for Bieberfever.com? Users who admit to being age 13 or younger are persistently blocked from registering:

We are sorry, but you can not register at this time.

Hat/Tip to Sharon Snyder for sending me this Washington Post article about Artist Arena’s woes.

@FTC: Google pays $22M for (unintentional) misrepresentation of privacy practices - no intent required

The FTC hosted a super fascinating Twitter “conversation” following its announcement of the $22 million settlement with Google over its privacy violation in overriding the Safari browser’s privacy settings without notifying users. FTC Department of Enforcement staffers exchanged tweets with a few privacy-focused Twitter users. Many tweets focused on whether Google intentionally deceived users as to its privacy practices, or if the privacy breach was an accident. Other tweets keyed in on how Google’s fine was calculated, and asked when the FTC first learned of Google’s secret Safari tracking. The FTC responded that Google’s intent is irrelevant to the question of whether there are misrepresentations in privacy policies. This reflects FTC precedent. One FTC tweet reflected cynicism that the tech giant is unable to control its privacy practices, saying “unintentional is Google’s story.”

The takeaway is that overpromising protection of personal data in a privacy policy is a bad idea. Even accidental violations of a privacy policy are actionable. Too many unforeseeable risks are posed by collecting and sharing user data (from hackers to a lack of coordination with technology partners) to make such promises. Ask Twitter about its own FTC settlement. Expectations (of both consumers and regulators) about the content of privacy policies have changed. Most websites need new policies that contemplate the changes to COPPA, increased expectations for privacy disclosures for mobile devices and protection of offline data. Website operators must understand how their technology uses the website’s customer data. Details about how both personally identifiable and non-personally identifiable information is collected, shared and protected should be disclosed.

Tweeps who engaged with the FTC last week might wonder how their tweets are being used. The FTC’s privacy practices are disclosed in the FTC’s Privacy Impact Assessment and a chart showing how user information is collected when interacting with the FTC.

Does your website have a Facebook “Like” button? Is your website, mobile site or mobile app directed at adults but attracts children under age 13? Pull out your pens. The Wall Street Journal reports that today the FTC is expected to issue new rules proposed last fall to protect children online and on mobile devices. The new rules take effect following a 30-day comment period. Take a minute to compare your website audience and information collection practices to the disclosures made in your website terms of use and privacy policy. There are often gaps and mismatches in even the most well-meaning policies. For example, a “Like” button on your website collects and reports a stream of data about your visitors to Facebook, whether they “Like” your website or not. Is that what your privacy policy discloses?

How about children? How often have you seen kids using tablets and smartphones while their parents are busy? How many younger ‘tweens have their own smartphones? Many children, even very young ones, are quite adept with mobile devices. My secretary’s almost-two-year-old grandchild already knows how (more…)