The Children’s Online Privacy Protection Act (COPPA) is aimed at “prohibit(ing) certain unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children on the Internet.” (FTCa) The Children’s Online Privacy Protection Rule (COPPR), an implementation of the COPPA, was actually issued by the Federal Trade Commission (FTC) on November 3, 1999 according to the Commission’s mandated review of the Rule which was completed March 15, 2006. (FTCa) The COPPR is fundamentally a means to shield “young children (who) may not understand the safety and privacy issues created by the online collection of personal information, and are therefore particularly vulnerable.” (FTCd)
The COPPR requires web operators to adhere to certain practices as outlined in the previous paper. However, the COPPR does allow exceptions that allow children to continue communicating online. Children may continue “1. to ask questions via email without any parental involvement: 2. to sign up for an ongoing newsletter as long as the parent is notified and can cancel it; and, 3. to engage (in) activities the FTC finds necessary.” (CDTa, 2006) For example, operators may not be required to obtain parental consent for the collection of children’s email addresses when kids enter contests, get homework help, or use electronic postcards. While the FTC does continue to monitor sites, they also provide a guide to assist operators in complying with the Rule. (How to Comply With The children’s Online Privacy Protection Rule) (FTCe) Note: A survey by the FTC in 2002 showed a trend of increased compliance by operators regarding the general requirements of the COPPA. (EPIC)
As noted above, the COPPR required a review five years after its implementation. As part of that process in April 2005 the Federal Trade Commission solicited public comments on the implementation of the COPPR. Several organizations and individuals responded. (http://www.ftc.gov.os/comments/COPPArulereview/index.htm) During its review, the FTC took these comments into consideration, revisited the legislation itself, and examined the costs and benefits of its mandates. Finally, in March of 2006 the FTC announced its decision to “retain the Rule without modification.” (FTCa)
It is interesting to note that while the Commission received 25 separate comments with regard to the COPPR itself, it also received 91 comments with regard to “the Rule’s sliding scale approach to obtaining verifiable parental consent.” (FTCa) The sliding scale, that allows less stringent parameters for parental compliance from operators who collect information for their own use from children, was also extended with the FTC’s March 2006 decision.
Safe Harbors
Granting safe harbor status to web site operators is a means of encouraging industry self-regulation with regard to information gathered from children. The first safe harbor was granted to CARU; they were followed by ESRB, TRUSTe and PRIVO, Inc. TRUSTe is a good example of how safe harbors are operated. (See links below for further information on these safe harbors.)
“Cookies/Web Bugs”
Even though computer systems, at home,
school, and elsewhere, can be configured to reject cookies, there are still
concerns about how information from children, and others, may be
harvested. In February of 2000, Senator Robert Torricelli (D- NJ)
introduced a bill to limited the use of cookies. More recently, the European Union has asked
its member nations to adopt regulations that set “strict rules for installing
Internet ‘cookies’.” (AP 2004) These
attempts at regulating the use of ‘cookies’ reflect the growing concern with
regard to public surveillance over the Internet.
Chat Rooms, Instant Messaging, & eMail
If a web site has a chat option, and it is determined to be a
child oriented site, the operator (according to the COPPR) can delete
children’s personal information from the child’s messages and “from the site’s
records, prior to posting, or” get the parent’s permission by the Rule’s
accepted means. (FTCa) As noted previously,
children are allowed to participate in email interactions seeking answers to
questions, without parental consent.
The difficulty is in determining if the participant in the chat,
email, IM, or on a site that would collect personal information is actually a
child. Under the COPPA operators are
charged with the responsibility of employing a “reliable method for determining
the age of the websites’ users.” (EPIC)
This can prove problematic.
According to EPIC, children can manipulate information that will allow
them access to a site from which personal information may be gathered. Additionally EPIC notes that web sites may
just change their sites to avoid content that would otherwise classify it as
child oriented.
Conclusion
As the COPPR was retained without revision it appears that the FTC
is satisfied with the status quo regarding children’s privacy online. What is difficult to ascertain is to what
extent web site operators are willing to go to entice children to submit
personal information by skirting the COPPR.
By tweaking their web sites a little, for example by eliminating cartoon
characters, operators may be able to argue that their sites are not child
oriented. Of course, it is a bit more
complex than this but the concern remains that savvy operators will know how to
follow the letter of the law, rather than the spirit of the law.
It is certainly in the FTC’s favor that they have allowed the
industry a self-policing body in the form of safe harbors. These safe harbors provide operators with an
opportunity to garner parent trust through these affiliations. However, as many children are quite computer
literate in the 21st century it cannot be assumed that these safe
harbors, and the COPPR itself, will protect a naïve child. Parents and teachers need to remain vigilant
despite supposed protections. In
addition, the FTC must be pro-active in monitoring current and future online
trends as well as anticipating potentially problematic developments to ensure
our nation’s children receive protection online, as they should
Sources:
Associated Press. “EU orders legislation on spam, cookies.” April 2004. USA today.
Center for Democracy & Technology (CDTa). June 2006. “Analysis of Rules Implementing the Children’s Online Privacy Protection Act.” Retrieved June 3, 2006 at http://www.cdt.org/privacy/cdtanalysisofftc.shtml
Electronic Privacy Information Center (EPIC). April 2003. “The Children’s Online Privacy Protection Act (COPPA)”. Retrieved June 9, 2006 at http://www.epic.org/privacy/kids/
Federal Trade Commission. (FTC) March 2006. “Children’s Online Privacy Protection Rule.” Retrieved June 3, 2006 at http://www.ftc.gov/os/2006/03/P054505COPPARuleRetention.pdf
Federal Trade Commission.(FTCb) Nov 1999. “Children’s Online Privacy Protection Rules; Final Rule.” Retrieved June 3, 2006 at
http://www.ftc.gov/os/1999/10/64fr59888.htm.
Federal Trade Commission. (FTCc) Feb 2004. “The Children’s Online Privacy Protection Rule: Not Just for Kids’ Sites.” Retrieved June 2, 2006 at
http://www.ftc.gov/bcp/conline/pubs/alerts/coppabizalrt.htm
Federal Trade Commission. (FTCd) “Frequently Asked Questions about the Children’s Online Privacy Protection Rule: Volume 1.” Retrieved June 3, 2006 at http://www.ftc.gov/privacy/coppafaqs.htm
Federal Trade Commission. (FTCe) “How to Comply with Children’s Online Privacy Protection Act.” Retrieved June 2, 2006 at http://www.coppa.org/comply.htm
Longley, Robert. U.S. Gov Info/Resources. Feb. 2000. “Internet Privacy Bill Would Control ‘Cookies’.” Retrieved June 3, 2006 at http://usgovinfo.about.com/library/news/aa021100a.htm
Links:
CARU http://www.caru.org/
ESRB http://www.esrb.org/about/privacy_statement.jsp
PRIVO, Inc. http://www.privo.com/
TRUSTe http://www.truste.com