Collecting kids' data online is a sticky problem for Internet companies, which are required to obtain consent from parents first. One company is trying to make the process easier, thanks to a $3.2 million federal grant -- but children's privacy watchdogs say kids' data shouldn't be turned over at all.
For online companies and services, getting parental consent to collect data from kids under 13 isn't just good practice. It's the law. Congress passed the Children’s Online Privacy Protection Act (COPPA) in 2001, and the Federal Trade Commission updated those rules last summer. In short: Kids under 13 can't grant permission for companies to collect their information. If you run a site or other online service that wants to collect personal information from a child under 13 -- or you own a site aimed at children -- you need parental consent before taking any data.
The rules apply to lots of personal information you might expect, like a child's full name or an email address. But they also cover other data, such as IP addresses or website tracking cookies, that can be used to identify a user over time and across the Web.
Protecting children's privacy is a worthy goal, but it's currently a complex process for both parents and companies.
Privacy Vaults Online, known as Privo, wants to fix that with a single system that does two things: verify parents' identities for companies looking to get consent for children's data, and create a one-stop shop where parents can review those companies' requests.
Privo received the grant last fall and announced its plan this week, which includes partnering with Verizon for identity confirmation and other technical needs.
"Basically, even if you're just trying to send the kid a newsletter, you might need to tell Mom," said Privo CEO Denise Tayloe. "It can get really complicated and confusing, and we're trying to streamline that process."
But critics of the COPPA expansion say the updated rules go too far. Groups including the Interactive Advertising Board have denounced the changes.
Still, Internet companies have to follow the rules as they stand, and obtaining parental consent -- plus making sure it's really Mom providing it -- can be tough, especially for small companies that don't have the staff or the time required to track parents down.
How Privo will work
Let's say lil' Johnny is trying to sign up for a blogging service that works with Privo, and he tells the company honestly that he's under 13. The blog then asks Johnny for contact information for his parents.
From there, the blog service can go to Privo with that contact information to make sure it is indeed for Johnny's parent -- not, say, Johnny himself.
"The way it’s worked in the past has been convoluted -- each company using their own process to send parents a bunch of emails or phone calls," said Pete Graham, senior identity strategist of Verizon's enterprise solutions team.
By the end of the year Privo wants to include one million people in its system, which it's calling the "Minors Trust Framework." By 2015, the goal is a whopping 10 million. Privo isn't the only one tackling COPPA compliance, however: Companies including Imperium, iVeriFly and KidSAFE have also developed their own programs to verify parents and/or certify companies.
Tayloe, who co-founded Privo in 2001 just as COPPA became law, hopes the streamlined system will encourage more parents to learn more about what their kids are sharing with companies.
"As of now, a lot of parents buy into the fib -- they say, 'Just tell them you're 15 so I don't have to deal with it,'" Tayloe said.
'We shouldn't make it easier' for companies to market to kids
Josh Golin, the associate director of advocacy group Campaign for Commercial-Free Children, said children shouldn't be handing over their data at all.
"Anything that increases the chance of using personally identifiable information to market to children is not a good thing, period," Golin said. "Children are so susceptible to marketing, and we shouldn't make it easier for companies to target them in that way."
Tayloe insists that Privo puts both companies and parents who want to sign up through a careful vetting process.
"If it's really just about using the services, why do [companies] need any data at all from children?" Golin said. "They want to collect it for marketing."
And if a service really needs personal data in order to work, Golin said, "there's no reason they can't wait to sign up the child until age 13."
"There's no reason to simply shut out everyone younger than 13," Tayloe said. "I believe if you engage the parents appropriately and allow them to step in, it can work for everyone involved."