On November 19, 2014, the Federal Trade Commission announced that it is seeking public comment on a second proposed verifiable parental consent method by AgeCheq, an online privacy protection service. The Children’s Online Privacy Protection Act (COPPA) requires children and family-friendly website operators and app developers to (1) post privacy policies and (2) notify and obtain verifiable consent from parents prior to collecting, using, or disclosing personal information from children under the age of 13.
There are considerable challenges to obtaining verifiable consent from parents in real time–particularly for use of online services by children. The rule lays out a number of acceptable methods for gaining verifiable parental consent and includes a provision allowing parties to submit new consent methods to the FTC for approval. Age Cheq’s new proposal eliminates the need for paper signatures by providing a digitally signed parental declaration authenticated by a verification code on the parent’s mobile device.
Keeping your Facebook images private is a confounding problem. Ask Mark Zuckerberg’s sister Randi who couldn’t make sense of FB’s privacy settings. Kashmir Hill, a privacy commentator at Forbes posted a funny analysis of the Zuckerberg predicament and easy to follow directions on how to adjust your settings to keep family photos more private. The settings are easy once you know where to look. User posting behavior sometimes doesn’t match with User privacy concerns.
Websites should consider treating children as an attractive nuisance. Even consider putting up fences to keep them out.
The FTC is monitoring many websites that attract children (even unintentionally) for COPPA violations. The Children’s Online Privacy Protection Act, COPPA, requires websites to obtain verifiable parental consent before collecting personal information from kids under age 13. Sites that are “directed” to such children must also disclose to parents what it collects about their children, how it uses the information and what it discloses to third parties. If the websites do not comply with COPPA the Federal Trade Commission may investigate, and impose fines and consent orders to curb websites’ tracking of children under 13.
Many website policies include a disclaimer that the website is “NOT directed” to children under age 13 and prohibit or limit access by children under 13 only with direct parental supervision. Unfortunately, these policies will not limit the liability of a website operator if it knows kids under 13 are providing personal information to its website. Then, the website is likely to be considered to be directed to such children. If a website operator knows that kids are attracted to its website, then the website must comply with COPPA as if it the website is intentionally directed to children under 13.
Artist Arena manages fan sites for Justin Bieber, Rhiannon and Selena Gomez (among others) together collected personal information from more than 25,000 children under the age of 13 without seeking verifiable parental consent. Artist Arena’s fansites were intentionally directed to ‘tweens as the target audience of the celebrities featured on its fan sites and had COPPA policies, but failed to actually notify the parents and obtain their permission before collecting info from their children. Artist Arena settled with the FTC, agreeing to pay a cool million dollars, enter into a consent decree against future COPPA violations, and destroy all data it unlawfully collected from children.
Kids are adept at learning new technology and have unfettered access to smartphones, tablets and desktop computers. So, it goes without saying that many registration schemes aimed at preventing kids from accessing an attractive website are quickly overcome. A policy prohibiting use by children is definitely not sufficient. Operators of interactive websites (sites with blogs, forums, comment and sharing features) can’t ignore kids under 13 who are using the site . Their data stream will likely “rat them (and the operator) out.” With notice of kids, the operator must either block access or adopt a COPPA policy and enforce it. Get the COPPA FAQ’s here.
As for Beiberfever.com? Users who admit to being age 13 or younger are persistently blocked from registering:
We are sorry, but you can not register at this time.
Hat/Tip to Sharon Snyder for sending me this Washington Post article about Artist Arena’s woes.
The FTC hosted a super fascinating Twitter “conversation” following its announcement of the $22 million settlement with Google over its privacy violation in overriding the Safari browser’s privacy settings without notifying users. FTC Department of Enforcement staffers exchanged tweets with a few privacy-focused Twitter users. Many tweets focused on whether Google intentionally deceived users as to its privacy practices, or if the privacy breach was an accident. Other tweets keyed in on how Google’s fine was calculated, and asked when the FTC first learned of Google’s secret Safari tracking. The FTC responded that Goggle’s intent is irrelevant to the question of whether there are misrepresentations in privacy policies. This reflects FTC precededent. One FTC tweet reflected cynicism that the tech giant is unable to control its privacy practices, saying “unintentional is Google’s story.”
Tweeps who engaged with the FTC last week might wonder how their tweets are being used. The FTC’s privacy preactices are disclosed in the FTC’s Privacy Impact Assessment and chart showing how user information is collected when interacting with the FTC.
How about children? How often have you seen kids using tablets and smartphones while their parents are busy? How many younger ‘tweens have their own smartphones? Many children, even very young ones are quite adept with mobile devices. My secretary’s almost-two-old grandchild already knows how (more…)