Regulations from the late '90s designed to protect children's privacy got an update today for the world of smartphones, apps and browser plugins.
After a two-year review, the Federal Trade Commission has released its updated regulations based on the Children's Online Privacy Protection Act (COPPA), which applies to kids under age 13. The FTC aimed to bring its rules for companies that cater to children online up to date with technology.
In 1998, Apple introduced its first iMac, Google launched its search engine and Congress passed COPPA to protect the privacy of the Internet's youngest users by preventing websites from collecting their personal information without their parents' consent. Since then, social media , smartphones and location-based data have become part of the grade-school lexicon.
The FTC has extended its regulations beyond websites to now also cover mobile devices, apps and browser plug-ins to give parents control over how their children's personal information can be shared and collected. As with websites, parents must now be notified and give their consent before a company can collect personal information about their children.
The FTC also expanded the definition of personal information, which now includes geolocation data , photos, audio files and videos. None of these items (along with text-based data like a child's name, which was already included in the old rule) can be collected by a website or other entity such as an ad network without notifying a parent and getting their consent.
However, this notify-and-consent requirement does not apply to what the FTC calls platforms that include apps for kids, such as Apple's App Store and Google Play. In these cases, the app companies themselves are responsible for getting permission from parents.
Further, personal information now also extends to device-identifying data, such as an IP address sent from a computer and the ID number associated with a mobile phone. The FTC classifies this type of data as "persistent identifiers" subject to the same restrictions as a child's photo.
However, persistent identifiers may be collected by a company as long as they are not tied to the identity of a child, meaning ads can't be shown to an individual because they live in a particular town that happened to be identified using their IP address, for example.
The FTC has also broadened the ways a company can get verifiable parental consent, which include electronic scans of signed parental consent forms and video conferencing . Previously, the FTC allowed a phone call and what it calls "email+," in which an email could constitute consent if it was verified with a phone call or with a follow-up email from the company that was later confirmed by the parent.
While these changes are designed to increase parental control, one change seems at odds with the rest. The update allows children to participate in interactive communities without parental consent, so long as the operators of the service "take reasonable measures to delete all or virtually all children’s personal information before it is made public."
The update will go into effect on July 1, 2013.