July 03, 2013, 2:31 PM — This week saw a much-anticipated update to the Children's Online Privacy Protection Act (COPPA). The new rules are designed to keep minors from being the targets of advertisers, but the biggest changes as a result of the new guidelines may be hard for most parents and children to even notice.
The updated COPPA guidelines put companies that market to children online under increased scrutiny, cordoning off a wide range of metadata from advertisers and making companies liable for shoddy privacy practices by their business partners.
The changes stem from a December 2012 FTC update to the rule that was designed to bring COPPA – which became law in 1998 – in line with modern online advertising and data collection practices, said Merton Thompson, a partner in the Privacy and Data Security Practice at Burns & Levinson LLP in Boston.
"If you're, say, Nickelodeon and you have content that is directed at children, you now have to be extra vigilant," Thompson said. That added vigilance includes closer screening of web site visitors to determine if they are under the age of 13 – and thus covered by COPPA – and closer monitoring of how and what data on minors is collected and stored.
Specifically, the new requirements make many types of "metadata" generated in online sessions protected personally identifiable information (PII) under COPPA. That includes so-called "persistent identifiers" like web site cookies and screen names, said Thompson. Online firms also have more explicit guidance on when they must obtain parental consent before collecting data on children, what kinds of data they can collect and the method for obtaining parental consent.
Even more important: companies are now responsible for the compliance of third-party firms with COPPA. That means popular sites that attract a lot of online traffic from the 13-and-under crowd will need to carefully vet third-party ad networks and plugin providers that have a presence on their site, said Thompson.
Firms that operate online have been critical of the new requirements, arguing that they will be difficult and expensive to implement. But Thompson said that the FTC declined to offer businesses an extension to give them more time to comply.
The changes to COPPA also apply to firms that don't explicitly target children 13 years old and younger, but that knowingly collect their information. That includes firms like Google and Facebook, which cater to an older audience, but also count underage users among their population.
Google said that it "put a compliance program in place to help us meet our obligations under the law," according to a statement from a spokeswoman. That includes new tools so Google's publisher partners can designate content as "child directed," allowing Google to disable interest-based advertising and remarketing ads for that content.
In a statement, Facebook said that it "is in the process of updating our terms and policies to reflect the most recent COPPA Rule." The company is encouraging developers to become familiar with new Facebook policies, particularly around social plugins. "We appreciate that the FTC's goal, like ours, is to ensure that children and their parents have the benefit of transparent privacy protections," Facebook said.
But parents who expect to see new barriers to entry for their children may be disappointed, said Thompson of Burns & Levinson.
"I don't think parents will really notice. They may see things like targeted ads change as a result (of COPPA), though contextual ads are still allowed," he said.
The use of social networks by minors has exploded in recent years, even though sites like Facebook and Google – mindful of COPPA's restrictions – prohibit those younger than 13 from establishing accounts. Still, children younger than 13 simply lie when setting up their accounts. Popular sites like Instagram (now owned by Facebook) require little more than a mobile phone and a user name to create a new account and begin networking. In other cases, parents allow their underage children to establish accounts on social networking sites.
The privacy implications are huge. Researchers have shown that social networking sites can readily be used to harvest personal information on users, including their physical location. Social networks have also been caught playing fast and loose with privacy rules. Facebook, for example, acknowledged that it compiles so-called "ghost profiles" of non-users by collecting and correlating information on individuals from its billions of members.