If you have an internet-using child under 13 in your home, chances are they've come to you saying something like, "Can you please check your email? I can't use [insert website name here] until you respond to your email! Pleeeeeeeese!"
When that happens, you are experiencing COPPA: the Children's Online Privacy Protection Act. Originally passed by Congress in 1998 and rolled out in 2000, COPPA was designed to protect the privacy of children in the new world of the internet. It focused primarily on regulating the information website operators could gather, use, and share about kids—especially for purposes of marketing—and set up requirements for parental consent. The goal of COPPA was to provide boundaries while encouraging self-regulation of a new industry.
But think about how much has changed since COPPA's implementation. That was before Twitter, Facebook, and Youtube. Before Flicker, Pinterest, LinkedIn and Wordpress. Before PopTropica and Club Penguin. Even before MySpace and Friendster. People still considered AOL, CompuServe, and Yahoo! pretty cool.
More importantly, the technologies of online marketing and data collection were still in their infancy. Back then, pop-up ads were cutting edge marketing and kid's names and birthdays were considered highly-sensitive data. Now, click and view tracking can gather photos, videos, audio of kids as well as geolocation and interaction history without a user even knowing. This data can be connected across sites using persistent identifiers. Marketers have become experts at using big data—the billions of tiny footprints of data about you and others that cover webspace—to tailor powerful sales messages at you. Modern internet marketing is based on building profiles by tracking you through webspace.
And your kids.
Which is why the Federal Trade Commission is updating the COPPA rules, effective July 1. There a quite a few changes and lots of details (as we would expect from federal regulations). But it seems to me that most notable items are:
Expansion of the definition of "personal information" to include photos, video, and audio that might include kids as well as geolocation data.
Privacy policies and parental consent notices must be easy to read, "to-the-point," and "just in time", giving parents what they need to know when they need to know it in a clear form. The rule also expands the means for parental consent to include an array of things beyond email response, including scans of consent forms, videoconferencing, or non-credit card based payment systems.
Expansion of the definition of "website or online service directed to children". Back in 2000, a website was a website. Now, a website may contain hundreds of pieces of media, widgets, plug-ins, and ads that are inserted into the page space by third parties contracted by the site's operators. In the previous rules, these entities were not covered under COPPA. With the revision, they will be if they know kids will be using their technologies on child directed sites.
Expansion of the things that need consent before using personal data, even internal to a site. As the FTC puts it, while sites can collect personal information without consent for internal operations like "contextual advertising [based on the information on a page], frequency capping, legal compliance, site analysis, and network communications. ...operators may not, without parental consent, use or disclose information collected to contact a specific person, including through behavioral advertising [based on information a user has encountered across different sites at different times], to amass a profile on that person or for any other purpose." Along with this, the rules note that persistent identifiers that enable connecting data across time or sites must be disclosed if they are used for anything other than just internal operations of the site or service. So, using information without consent to tweak experience on a site at a given time is ok, but drawing on information that is gleaned by following a kid over time or around the internet, not so much.
Of course, not everyone is happy about the update. Ultimately, the rules will make marketing to children more difficult, so revenue will be lost. Bloomberg Law notes one lawyer as saying that "The FTC chairman has 'made it clear that [the amended COPPA Rule] is the death knell of OBA [online behavioral advertising] directed to children.'" Because FTC is charged with prosecuting violations, there is a good deal at stake in not complying. Knowing the revision was on the horizon, a number of trade and marketing groups, as well as some application and interactive advertising developers groups, asked that the deadline be extended until the start of 2014, citing technical challenges and ambiguities in the legislation. Facebook and Twitter both opposed the expansion, noting that they don't know which children's sites use their plugins. At the same time, 19 consumer protection and digital privacy groups spoke out in favor of keeping the deadline in place. Ultimately the FTC decided to keep the July deadline in place.
There is no doubt that—at least in the short term—the new rules will offer challenges to marketers and programmers. Yet, these challenges seem to me to be worth it if we are to enable our children to take advantage of all the riches the web has to offer without being transformed into tools for other people's gain. Advertising certainly has its place in the healthy functioning of a society. The Vatican, for instance, describes this thoroughly in the document Ethics in Advertising. Yet, advertising falls short when it fails to uphold the dignity of the human person along the way. In advertising, this means always enabling people to make rational and informed decisions about their purchases in a context of human freedom. But, as Cardinal Foley put it:
Much advertising directed at children apparently tries to exploit their credulity and suggestibility, in the hope that they will put pressure on their parents to buy products of no real benefit to them. Advertising like this offends against the dignity and rights of both children and parents; it intrudes upon the parent-child relationship and seeks to manipulate it to its own base ends. (Paragraph 16)
By reducing the availability and use of children's personal data online, the FTC makes it harder to engage in the worst kinds of manipulation.
At least until the technology evolves again.
• • •
If you'd like more information, check out the Federal Trade Commission's press release "FTC Strengthens Kids’ Privacy, Gives Parents Greater Control Over Their Information By Amending Children’s Online Privacy Protection Rule" or the detailed material in the Federal Trade Commission "Complying with COPPA: Frequently Asked Questions." For the amended rule itself, see www.gpo.gov/fdsys/pkg/FR-2013-01-17/pdf/2012-31341.pdf.
Jim Caccamo, PhD is a former programmer and sound engineer who teaches Christian social ethics at Saint Joseph's University in Philadelphia. He specializes in media and technology ethics. When he's not teaching, you may find him blogging about tech ethics at RewiringVirtue.com.