TrustArc Blog

On the Future of Protecting Children’s Privacy Online

June 04, 2010

Maureen Cooney
Chief Privacy Officer
Vice President for Public Policy


This past Wednesday I participated as a panelist at the Federal Trade Commission (FTC) roundtable held in Washington, D.C. titled “Protecting Kids’ Privacy Online: Reviewing the COPPA rule”. Audio and video from the roundtable is available here. The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, regulates the online collection and use of personal information gathered from children younger than 13 years of age. It was ground breaking legislation in the 1990s, quickly agreed to by a cross-section of stakeholders, as was the COPPA rule, to protect children and family privacy. Today, it continues to be a model looked to across the globe.

The FTC’s roundtable this week begins an ongoing dialogue about whether the COPPA rule enforcing the Act needs to be updated, including the frequency of such reviews. The FTC’s current inquiry addresses new and rapidly changing technological developments and data collections and uses that may have attendant privacy risks for children. Specifically, the roundtable investigated:

-Whether the existing rule should be applied to emerging media such as mobile devices, interactive television, and interactive gaming
-Potential expansions of the rule to cover more items of information that might be collected from children as ‘personal information’, and
-Parental verification and monitoring methods used by Web site operators.

Participants agreed that the inquiry is necessary and some changes or clarifications could be helpful. At the same time, much credit was given to the flexibility of the statue and the rule to cover many emerging technology issues and data uses.

Here are my takeaways from the roundtable:

1) The FTC already has great adaptability under COPPA and its enforcement rules to address new technology developments and their privacy implications for children under 13 years of age.

2) The “Actual Knowledge” standard remains workable. Companies can draw inferences about whether children are on a site now by reviewing online behavior data and postings on their sites that can, indeed, create actual knowledge. Complaints from parents or others to a website publisher in and of themselves may not create actual knowledge, although the fruits of an investigation driven by the complaints can provide that knowledge.

3) On COPPA’s definition of ‘personal information’ — panelists argued that IP addresses alone should not be considered personal information for purposes of COPPA compliance, because it would be too broad of a reach. IP addresses tied with other data types could be personal information and could be covered by existing sections of the Act and the FTC’s COPPA rule. This includes behavioral, location, and certain ‘anonymous’ data. However, more research is necessary about actual use of technologies to collect data online and the use of such data to potentially contact specific individual children today, trends, and consideration of frameworks for providing additional guidance or interpretations under the existing rule or for determining how to classify additional data points as ‘personal information as innovation continues in online services.

4) On the provision of “verifiable parental consent” – panelists agreed that while it is awkward, the email-plus option is today the most workable and most widely used method of parental consent (accounts for perhaps 80 percent of consent events). Some panelists argued for alternative consent methods, such as cell phone confirmations or SMS text confirmations (as a email plus option). Further, many panelists addressed the need to explore identity verification systems that encourage timely and efficient parental participation and honesty by kids.

5) Exceptions to “verifiable parental consent”— panelists noted that white lists and some blacklists appear to work well on chat and other user-generated content services as an acceptable screening. However, the exceptions may see excessive use, such as the exception allowing multiple contacts of a child, which is used for online newsletters and updates on products and services and increasingly to advertise to children.

The FTC has more research to do to explore thoroughly the uses of new technology by children, actual activities and trends online, and how to best protect children’s privacy while encouraging creative use. Public comments may be submitted through June 30 to the FTC here.