Changes to the U.S. children’s online privacy rules proposed by the Federal Trade Commission would require parental consent for behavioral advertising. The FTC yesterday published possible alterations to the 2000 Children’s Online Privacy Protection Act, noting that it decided to expedite a review of the law.
According to the proposal, “the new language would require parental notification and consent prior to the collection of persistent identifiers where they are used for purposes such as amassing data on a child’s online activities or behaviorally targeting advertising to the child.”
The requirement would apply to ad networks or even analytics services that track young users online.
The Direct Marketing Association, a leader of the online ad industry’s Digital Advertising Alliance, a self-regulatory program for the behavioral ad industry, was quick to oppose the proposals, stating in a press release that the rule “does not require many of the changes proposed by the FTC.”
The FTC also suggested an addition to the current rules which would stipulate that persistent identifiers should include cookie-based consumer information, IP addresses, or “an identifier that links the activities of a child across different websites or online services.” The agency would also include unique device identifiers in its definition, noting, “operators now have a better ability to link a particular individual to a particular computing device.”
Regarding the suggested changes to the definition of persistent identifiers, the DMA stated, “DMA strongly believes that such a definition should include only information that in fact permits the direct communication with a specific, identifiable person – not a device that could be used by multiple people, including children under 13 or adults.
The FTC stressed that because more and more kids have their own computers and phones, rather than using shared family devices, that argument no longer holds water.
Safe Harbor through self-regulatory programs is covered in the proposal, though the FTC suggested increased oversight of such programs and member company practices. In particular, the agency wants to require that self-regulatory programs audit member compliance with COPPA rules every 18 months and report disciplinary action taken against members.
“The Commission believes that instituting a periodic reporting requirement, in addition to retaining the right to access program records, will better ensure that all safe harbor programs maintain sufficient records and that the Commission is routinely apprised of key information about approved safe harbor programs and their members.”
Of note was the FTC’s decision to revisit the COPPA rules years before its next scheduled review in 2017. The rules originated in 2000.
The commission is accepting written comments in response to the proposals through November 28, 2011.