Late last week, the Federal Trade Commission proposed an overdue update to the Children's Online Privacy Protection Rule that begins to address the industry's transformation.
The update to the rule, enacted in 2000, retains its simple goal: Stall online advertisers from building dossiers on kids, used to peddle them schlock more efficiently, at least until they hit puberty. Like other areas of law, it recognizes children as a special class worthy of special protection.
The FTC clarified that the existing rules, which limit the collection of personal data for children under age 13, apply to Internet use across devices. That includes sites or services accessed over a desktop browser or increasingly popular products like mobile apps. It covers Internet games, social networks, search tools and other applications accessed over a smart phone, tablet, laptop, desktop or devices not yet imagined.
One of the most notable revisions would update the definition of "personal information" to include data derived from tracking cookies and geo-location. That would force some services to secure parental consent before using these technologies to gather information about children.
Web browser cookies are data files that store information to help sites identify a particular computer. They're used to identifying an actual person in the hopes of targeting advertising. Meanwhile, geo-location data track a person's physical location from information collected over mobile devices, through check-in services such as Foursquare or map apps.
"The FTC is on the right track," said U.S. Rep. Jackie Speier, a California Democrat. "They recognize that the technology is advancing quickly and that it's incumbent on regulators to expand the definition of what cannot be collected."
The industry isn't thrilled about the proposals, but neither is it hopping mad. In particular, the usual trade groups were happy that the proposal didn't raise the age covered by the rules to 18, as some hoped for, including Speier.
"We're pleased that the commission correctly took into consideration the technical and legal complexities that would be involved," Stephanie Craig, spokeswoman for the TechAmerica Foundation, said in an email.
The FTC didn't propose changing what's known as the "actual knowledge" standard. That's critical because there are two sets of standards under the rules today. Sites that specifically cater to children must actively assess the age of its users, and often secure parental permission before collecting any data about those under 13. All other sites are only obligated to seek such permission if they receive a specific indication (i.e. "actual knowledge") that a user is below that age. It's kind of a "don't ask, don't tell" standard that prevents the rule from affecting most sites most of the time. And under the proposals, that will continue to be the case.
Still, industry concerns remain about some changes. The Direct Marketing Association criticized a proposal to do away with a "sliding scale" approach that allows companies to use different methods of parental consent based on how they use a child's information. It also raised concerns about defining a device ID (the number that identifies a specific phone or computer) as personal information, noting that multiple people can use a single gadget.
"It would be a disservice to our children -- and the U.S. economy -- if our regulations unnecessarily inhibited growth in new areas such as mobile technology," said Linda Woolley, an executive vice president at the Direct Marketing Association, in a statement.