As innovation moves into the future at warp speed, the U.S. government has struggled to keep its own rules and regulations up to date with current technology. So when Congress and the Federal Trade Commission set out to do just that with a landmark children's online privacy law, it's no surprise that they may have fallen short of the mark. Already.
At issue is the Children's Online Privacy Protection Act of 1998, known as COPPA, a law that requires websites that specifically cater to children to obtain parental consent before gathering personal information about the kids. Until the new proposed amendments were announced on Wednesday, COPPA did not take into account new technologies like social networks and mobile apps that children might be using. The new amendments still need to be signed into law, but they're finalized as far as the FTC is concerned.
Insert Loopholes Here
This was not an easy revision, and indeed, the final proposed amendments to COPPA reflect a lot of compromises. For example, while individual apps will still be responsible for obtaining parental consent, Google and Apple will be off the hook for hosting and selling such apps in their respective app stores.
Facebook also avoided regulations that would have restricted under-13 users from joining the site. The amendment's language specifies that no consent is needed if acquired data is used only "for the sole purpose of supporting the website or online service's internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications."
Since this advertising can be contextual, and not behavioral, in nature, it clears the way for Facebook and other networks to bring in younger members, because adhering to COPPA rules is a whole lot easier.
The big players got what they lobbied for, which might make a lot of parents nervous for that reason alone. By dancing around the intent of online privacy for children, major software companies have washed their hands of real responsibility when dealing with young online visitors. Their motto seems to be: Leave it to the third-party vendors to comply.
And under the new rules, it will be the third-party vendors who will have to figure out what needs to be done and how to do it. When information like geo-location and behavior has to have consent, it puts a serious burden on those vendors. Don't look to the FTC, which will enforce these new rules, for much guidance either. In Wednesday's press conference, FTC Chairman Jon Leibowitz all but said that it would be up to the technology sector to figure out how to make compliance work.
"That's like telling someone to jump off a cliff and having them build a parachute on the way down," chided Morgan Reed, Executive Director for the Association for Competitive Technology.
Control Versus Consent
Reed acknowledged that Congress, the FTC and all the industry players in this discussion, including the smaller software companies his organization represents, are doing their best to protect children. But he clearly sees some shortcomings with the new set of rules, particularly when it comes to smaller software development shops.
Many times app developers may not even realize they may be subject to the new COPPA rules. Even the simple collection of analytics could fall within the new guidelines, putting developers at risk of breaking the rules if they aren't paying attention.
"A lot of these developers feel like they're not violating privacy rules, but by actual design, they may be," Reed said.
There is also the problem of the new COPPA rules already being behind the times. Many of the new regulations, which are focused on parental consent, completely miss the fact that many mobile platforms already have granulated controls that can enable parents to manage their child's privacy beyond the level of the COPAA amendments.
Controls such as location blocking and privacy management accomplish the same goals as the COPPA rules, Reed explained, thus outdating COPPA's scope. Even the language of COPPA itself is dated, calling for parent consent notification procedures that use what could be considered archaic technology, including fax transmissions.
"We need to make sure what is already happening with mobile technology will count under these rules," Reed said. "We need to put this new technology on a par with the fax machine."
Image courtesy of Shutterstock.