New online privacy rules went into effect yesterday, July 1, for children under the age of 13. The rules are part of the Children's Online Privacy Protection Act (COPPA) enacted in 1998. The COPPA rules include personal information elements such as the child's full name, home address, email address, telephone number, or any other information that would allow someone to identify or contact the child.
About the new rules effective July 1, the U.S. Federal Trade Commission (FTC) provided these guidelines for website, mobile app, online chat, and Internet-connected video game operators that target children under age 13 or know that children of that age use their service:
2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
4. Provide parents access to their child's personal information to review and/or have the information deleted;
5. Give parents the opportunity to prevent further use or online collection of a child's personal information;
6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use."
Operators Requirements with the new rule for website and mobile app operators:
"If [website and mobile operators] have collected geolocation information and have not obtained parental consent, you must do so immediately... If [website and mobile operators] have collected photos or videos containing a child’s image or audio files with a child’s voice from a child prior to the effective date of the amended Rule, you do not need to obtain parental consent... However, as a best practice, staff recommends that entities either discontinue the use or disclosure of such information after the effective date of the amended Rule or, if possible, obtain parental consent... Under the amended Rule, a screen or user name is personal information where it functions in the same manner as online contact information, which includes not only an email address, but any other “substantially similar identifier that permits direct contact with a person online” ... Persistent identifiers were covered by the original Rule only where they were combined with individually identifiable information. Under the amended Rule, a persistent identifier is covered where it can be used to recognize a user over time and across different Web sites or online services... the operator is required to obtain prior parental consent unless such collection falls under an exception, such as for support for the internal operations of the Web site or online service."
The new rule is a step in the right direction. Now, parents have a clearer idea about what to look for and when they should give/deny consent at websites and mobile apps their children use or are considering. Also, parents now have a clearer idea of the personal information collected where they should be able to give/deny consent:
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different Web sites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
Of course, these added consumer protections can be rendered useless by parents that overshare on social networking websites with photos, videos, and/or messages about their minor children (under age 13). Remember, what you share is only as private as the weakest security settings by any of your friends you are connected to. Better to not share much about your minor children. Better to disable geolocation features on your mobile device for videos and photos.
There is a long history of repeated abuse of consumers' sensitive personal information by companies using zombie cookies, Flash cookies, zombie e-tags, search hijacking, and leaky apps on mobile devices. In an ideal world, COPPA rules would not stop at age 13, but extend to age 18, the usual age of majority. It would have been better if the amended COPPA rules explicitly mentioned facial recognition and metadata tracking with videos/photos.