How will the new US rules affect children online privacy?

This post discusses the recently amended Children’s Online Privacy Protection Act, and highlights its likely impact on the Caribbean.

Earlier this week, the United States Government approved amendments to the Children’s Online Privacy Protection Act with the aim of increasing the protection of children online, and making the provisions more relevant to evolving technology and user behaviour. Industry analysts generally agree that the amendments strengthen the legislation and address some longstanding loopholes. This post highlights the key amendments that have been made, and discusses their implications in general, and specifically to the Caribbean.

Children’s Online Privacy Protection Act: then and now

The Children’s Online Privacy Protection Act (COPPA) is geared towards protecting the privacy of children under the age of 13 years when using the Internet. Initially enacted in 1998 and implemented through the Federal Trade Commission, the legislation sets out rules with respect to the online collection of personal information of children. In a press release issued by the FTC on 19 December 2012, it highlighted the approved amendments:

• modify the list of “personal information”  that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;

• offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;

• close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;

• extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;

• extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;

• strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;

• require that covered website operators adopt reasonable procedures for data retention and deletion; and

• strengthen the FTC’s oversight of self-regulatory safe harbor programs.

Implications of amendments

In addition to improving children’s privacy online, the approved amendments seek to broaden the scope of oversight given by remaining relevant to technological advances and the way in which children currently use and access the Internet, e.g. via portable devices and social networking.  In recent years, the FTC has been tracking the extent to which applications adhere to the specified practices with regard to products targeted at children, which may have been an impetus for the legislative review.

For example, earlier this month, the FTC published the findings of a survey conducted on privacy disclosures and practices with respect to mobile apps offered to children. The report, Mobile Apps for Kids: Disclosure Still Not Making the Grade, indicated, among other things, that

• Parents are not being provided with information about what data an app collects, who will have access to that data, and how it will be used.  Only 20 percent of the apps staff reviewed disclosed any information about the app’s privacy practices.

• Many apps (nearly 60 percent of the apps surveyed) are transmitting information from a user’s device back to the app developer or, more commonly, to an advertising network, analytics company, or other third party. … (Source: FTC)

These findings are consistent with earlier surveys conducted by the FTC. More importantly, they could offer justification for the nature of the approved amendments, which ultimately clarify and strengthen the COPPA rules.

How will the Caribbean be affected?

To varying degrees, Caribbean parents may benefit from the amendments to COPPA, since a considerable portion of the websites and applications that we use are hosted in the United States. However, two provisos ought to be considered:

• US rules need not apply outside of the US. Although websites and applications might be prohibited from collecting geo-location data, the online storefront or website may collect such information when engaging with the parents, or as a condition of downloading certain programmes or applications, which also ought to be done under parental supervision. Hence it is entirely possible that for websites and applications that are being used outside of the United States, the COPPA rules, particularly the amendments, do not have to be enforced. As a result, children in the Caribbean may find their personal information, including geographic location and online habits, can being harvested and disclosed to developers, advertisers and other third parties.
• Caribbean developers need to adhere to COPPA. The FTC and COPPA require all websites and applications that are being targeted towards children in the United States aged 12 years and under, be they US-based or originating overseas, to adhere to COPPA. Caribbean developers tend to create applications and websites primarily for regional users, but the longer-term viability of their products may require them to be promoted internationally. Hence for those in the Caribbean who are creating programmes or websites that might be targeted at children generally (regardless of location), it may become necessary to pay particular attention to the extent to which they comply with the COPPA rules to avoid contravening United States law.