New rules aimed at protecting children using the Internet took effect Monday. This update makes the Children's Online Privacy Protection Act (COPPA) more relevant in the social media and mobile phone age, and places some additional burdens on companies that target kids under 13. The rules went live over objections from industry groups which recently requested a postponement.
Websites and phone apps that collect photos or geo-location data from children must now obtain express permission from parents, putting that data in the same category as kids' email or home addresses. The new rules also make firms more responsible for data collection by third parties, a loophole that had been exploited by marketers in the past.
Parents might not notice much change at first. Some apps that kids use might begin requesting parental permissions via emails or other methods, and parents should make sure kids don't circumvent those rules by using fake email address to grant themselves permission.
The Center for Digital Democracy, a privacy advocacy group, hailed the move, saying the law needed to be updated for the age of Big Data.
"Today marks an important moment for parents of children 12 and under," said Jeff Chester, the group’s executive director. "Finally their child's privacy online — whether they use a mobile phone, tablet, gaming device or computer — is protected. The new ... rules put the parent in charge of what data can be collected from their child."
Others worry that the stricter rules will mean some companies will stop making kids' apps and that young tech users will lie their way onto adult services instead of going through the steps needed to get parental permission.
"The Rule may be counterproductive, lessening the quality and scope of content directed specifically to children, which may encourage more children to visit general audience sites," wrote the law firm Hogan Lovells, which specializes in privacy, in a blog post.
Original law passed in 1998
Congress passed the original COPPA law in 1998, long before services like Twitter or Facebook existed, and put the Federal Trade Commission in charge of keeping it current.
Industry groups were sour on the changes from the minute the FTC proposed them last year. The Interactive Advertising Bureau, the U.S. Chamber of Commerce and several other groups made a last-ditch attempt this spring to convince the FTC to postpone implementation of the changes for six months in order to prepare for the update. But in a letter dated May 6, the FTC rejected the request, essentially saying the groups had plenty of time to get ready.
But the FTC signaled that it would go easy on enforcement for awhile.
“We continue to be mindful of the impact of the Rule on businesses. As with all of our enforcement activities, the Commission will exercise prosecutorial discretion in enforcing the Rule, particularly with respect to small businesses that have attempted to comply with the Rule in good faith in the early months," the agency said.
Facebook and children
Kids already have a very complicated relationship with popular sites like Facebook, with various actors playing out an online kabuki dance. Facebook, for example, doesn't allow under 13 kids to use its site, so the firm isn't subject to COPPA restrictions. But millions of kids lie their way onto the social network anyway, and half the parents of 12-year-old kids say their kids use the site.
The new COPPA won't have any real impact on this circumvention, but it might impact third-party developers who target kids on Facebook, said privacy law expert Bradley Shear.
"I believe the updates will require Facebook to become more vigilant about policing the apps they allow on their website. The FTC has fired a warning shot to not only Facebook but to other digital ecosystems that they must do a better job of ensuring that they protect the personal privacy of children," he said. "I think the FTC may start cracking down on digital platforms that are looking the other way regarding the age of its users. "
Facebook told NBC News Monday that it's "in the process of updating our terms and policies" to reflect the new rules. "For our part, we encourage developers to become familiar with our revised policies, particularly around social plugins," a company representative said.
The COPPA update includes other provisions aimed at protecting children, too. Firms are forbidden from using digital identifiers, like cookies, to track kids and to serve them ads based on their behaviors. It also forces firms to delete data they do collect on kids for purely technological reasons as soon as possible.
While the changes might not be enforced immediately, or noticed by users, the Center for Digital Democracy has already begin a public effort to make sure the new rules have some bite. It sent a letter to dozens of partner organizations asking that they police the Web watching for COPPA violations.
"There are a lot of child-directed websites and apps out there, so we are going to need all the help we can get making sure that after July 1, all are following the new children’s privacy rules," the letter says, and includes an email address for notifying the organization and the FTC.
The FTC recently published a frequently-asked-questions primer on the new rules for parents and businesses.