Citing concerns that children are being increasingly tracked and targeted by online services and advertisers, the Federal Trade Commission on Wednesday announced a major update of rules that limit what information can be collected when kids under 13 visit websites or use mobile apps.
But the agency stopped short of enacting some changes that were fiercely opposed by Silicon Valley companies like Apple (AAPL), Facebook and Google (GOOG), which argued it would be unfair and impractical to make them responsible for other companies’ apps and websites that primarily serve young kids.
Even with those compromises, the new rules will force many online services to significantly change the way they operate, by requiring them to obtain a parent’s permission before collecting some of the information that increasingly serves as valuable currency in the Internet industry — such as GPS location data and browsing histories, which can be used to deliver the personalized ads that fuel many online businesses.
The rules mean that “parents — not social networkers or marketers — will remain the gatekeepers when it comes to their children’s privacy not only online, but also on phones,” said James Steyer of the nonprofit group Common Sense Media, who argues that parents have the right to shield their children from personalized commercial messages.
Speaking at a Washington, D.C., news conference, federal officials said the new regulations, which take effect July 1, are needed to protect kids in an era when youngsters use smartphones and tablets to access all kinds of Internet games and services. Parents and privacy groups praised the action as a long-overdue update to rules enacted 12 years ago, when Internet browsing involved relatively simple websites viewed on desktop computers.
But some industry groups complained the changes will make it more difficult for smaller, independent developers to create new apps for kids. And big Internet companies cautiously welcomed some of the changes but said they are still trying to determine how the rules will affect their business.
“We’re initially concerned” that the rules “will not be workable because they fail to account for the technical realities of the Internet,” said a statement by the Internet Association, a Washington trade group that represents Google, Facebook and other major online companies.
The new rules expand a 1998 federal law known as the Children’s Online Privacy Protection Act, or COPPA, which required website operators to obtain parental consent before collecting identifying information such as names, phone numbers or addresses of children under 13.
The commission is now extending those rules to mobile apps, while adding children’s photos, videos and location information to the list of data that can’t be collected without a parent’s consent. The FTC is also requiring parents’ consent when children’s apps or websites use “persistent identifiers,” such as cookies, that can track a child’s online history and preferences even without knowing her name, if that tracking is used to deliver ads based on the child’s online activity.
The rules give online businesses several options for obtaining a parent’s consent. Companies can hold a video conference call, require a valid credit card account or accept a signed permission form that has been scanned and submitted online.
East Bay parent Mike Katz-Lacabe said he welcomed the new rules, saying they sound “better than what we have now.” The San Leandro father of two under-13 daughters said he tries to adjust his computer to minimize tracking by cookies, but added that it’s difficult to control where a child goes online.
The FTC will also require children’s websites or apps to get parents’ consent if they use software “plug-ins” that collect personal data from users, even if the programs come from third-party companies. Such programs might include advertising, embedded videos or links to social networking sites — such as Facebook’s “Like” button — which may track or share information about a viewer’s browsing habits.
Developers and online ad companies, including Google, opposed that move.
“I’m afraid that, quite frankly, the FTC will be pushing people out of that market because of this,” said Tim Sparapani of the Application Developers Alliance, who added that many small and independent developers use third-party plug-ins — even if they don’t use any of the data that’s collected — and don’t have the resources to obtain parents’ permission.
In a partial victory for some Silicon Valley firms, the agency ultimately decided that the third-party companies, including Facebook and Google, were not liable for getting consent, unless they have “actual knowledge” that a website or app is primarily serving kids under 13.
In another concession, the FTC dropped a proposal that would have held online app stores, such as the Google Play or Apple iTunes markets, liable for getting parents’ consent to any data collection by children’s apps.
But watchdog groups said they will continue pressing Google and Apple to adopt tighter controls on the apps they distribute. “They need to do more,” said Steyer at Common Sense Media.
Apple did not respond to a request for comment, while a Google spokeswoman declined to comment except for a brief statement that said the company is evaluating the new rules.
Protecting kids online:
These are among the Federal Trade Commission’s legal changes taking effect July 1 to give parents more control over the information gathered online from children under 13.
- Adds geolocation information, photos, videos and voice recordings to the types of personal information that can’t be collected by children’s websites or apps unless they have obtained a parent’s consent.
- Also adds “persistent identifiers” to that list, including so-called cookies or other digital code that track users across different websites or apps, even without knowing the individual’s name.
- Requires parental consent when children’s websites or services use “plug-ins” or embedded programs created by third-parties, if those programs collect personal information from kids.
- Strengthens requirements that website operators and online service providers take reasonable steps to release children’s personal information only to companies that can keep it secure and confidential.
FTC
