The Federal Trade Commission has recommended that ad
networks be subject to the Children's Online Privacy Protection Act when they
are collecting personal information through a child-directed website.
That is one of the steps it is taking to toughen online
protections related to the use or disclosure of children's personal
information, according to proposed revisions it put out for comment Wednesday.
The revisions in the definitions of "operator" and
"website" directed to children will clarify their application to
third parties, including ad networks and plugins that collect personal info
through child-directed sites or services.
The FTC proposes to include within the definition of covered
operator one whose site integrates services from others that collect personal
info. The FTC also specifies that persistent identifiers -- cookies, IP
addresses -- will be considered personal information "where it can be used
to recognize a user over time, or across different sites or services, or where
it is used for purposes other than support for internal operations."
The FTC also will change the definition of "support for
internal operations" to clarify that "site maintenance and analysis,
performing network communications, use of persistent identifiers for
authenticating users, maintaining user preferences, serving contextual
advertisements, and protecting against fraud and theft will not be considered
collection of 'personal information' as long as the information collected is
not used or disclosed to contact a specific individual, including through the
use of behaviorally-targeted advertising, or for any other purpose."
The definition of "website" would also be modified
"Clarify that a plugin or ad network is covered by the
Rule when it knows or has reason to know that it is collecting personal
information through a child-directed website or online service;
"Address the reality that some websites that contain
child-oriented content are appealing to both young children and others,
including parents. Under the current Rule, these sites must treat all visitors
as under 13 years of age. The proposed definition would allow these mixed
audience websites to age-screen all visitors in order to provide COPPA's
protections only to users under age 13; and,
"Clarify that those child-directed sites or services
that knowingly target children under 13 as their primary audience or whose
overall content is likely to attract children under age 13 as their primary
audience must still treat all users as children."
The FTC proposed changes to COPPA in September 2011,
including expanding the definition of personal information to include
identifiers, and received 350 comments. But some of the changes are new, so
Wednesday's proposals will also be put out for comment.
Jeff Chester, executive director of the Center for Digital
Democracy, was already commenting, and the assessment was positive.
"Today, the FTC took a giant step to protect children's
privacy by proposing that the online data broker industry be required to comply
with the Children's Online Privacy Protection Act (COPPA)," said Chester.
"Children -- like adults -- confront a pervasive data collection and
targeting system made up of ad networks, data exchanges, and other digital
marketing companies able to target anyone in real-time. The FTC's
proposal ensures that parents will have control over how information can be
collected from their children via mobile phones, online games and when they use
computers. In addition, the commission will also rein in the data brokers
targeting kids who use social media, so-called 'plugins,' to gather information
on a child and their friends."