As expected, the Federal Trade Commission today officially proposed its update to the Children's Online Privacy Protection Act. The update brings the law, unchanged since it was passed in 1998, into the 21st century, acknowledging the massive growth of mobile device usage among kids and the data collection that goes along with it.
When COPPA became law, it "was like another era, number 10 pencils ...and yellow legal pads," said Senate Commerce Committee Chairman Jay Rockefeller (D-West Virginia). "We had no idea what the Internet would look like at the time," he added, noting that the original COPPA rule did not anticipate the growth of the mobile marketplace. Mr. Rockefeller introduced FTC Chairman Jon Leibowitz during a press conference this afternoon held in a Senate office building.
The changes would categorize geo-location information, photos and videos as personal information, requiring parental consent before such data are collected on children under age 13. They would also extend COPPA to cover persistent device identifiers such as IP addresses and mobile device IDs that allow companies to track a user across various personal devices. The COPPA changes do not cover mobile app stores.
"Some companies, especially some ad networks, have an insatiable desire to collect information, even from kids," said Mr. Leibowitz.
Mr. Leibowitz, who is expected to step down by early next year, has been instrumental in advancing privacy issues, including development of a Do Not Track standard for browsers, during his tenure. With Do Not Track at a standstill the official COPPA proposal outlining desired changes to the outdated law gives him a feather in his privacy cap. The FTC yesterday announced it has issued orders to nine data broker firms asking them to provide information on their data collection practices.
The FTC also is investigating companies that may be in violation of COPPA, though the agency has not revealed further details.
The COPPA amendments prevent companies from using plug-ins to collect personal information on kids without parental consent and in some cases require third-parties to comply with the law. They would also enhance the FTC's oversight of self-regulatory programs afforded safe harbor under the law. The amendments also provided a variety of acceptable ways to offer notice and garner consent from parents, and give stakeholders a 120-day notice and comment period to seek approval for specific consent methods. Violators of COPPA are subject to a $16,000 fine.
The press conference was a who's-who of privacy on Capitol Hill. Mr. Leibowitz was accompanied by Members of key Congressional Committees dealing with privacy issues in the House and Senate. Mr. Rockefeller and Senate Commerce Committee Member Sen. Mark Pryor (D-Arkansas) joined Rep. Joe Barton (R-Texas) and Rep. Ed Markey, D-Massachusetts.
It's no coincidence that three of them have introduced privacy bills. Mr. Rockefeller proposed his Do-Not-Track Online Act in 2011 while Mr. Markey and Mr. Barton - co-chairs of the House Privacy Caucus - co-sponsored their Do Not Track Kids Act that same year. Mr. Markey today said the bill has 50 co-sponsors though no movement on the bill is expected before year's end.
The Do Not Track Kids bill mirrors the mission of the FTC's COPPA changes. It would prohibit websites or mobile app operators from compiling or disclosing kids' personal data to third parties for targeted marketing purposes. Like many pending privacy bills it would let the FTC craft regulations requiring notice when apps or sites collect location data.
Mr. Rockefeller has also introduced legislation that would enable the National Academy of Sciences "to investigate the impact of violent video games and other content on children's well-being," according to a press release.
The COPPA changes come as government increases pressure on mobile app providers. An FTC study published earlier this month found that only 20% of 400 mobile apps aimed at children included any privacy disclosures before or after downloads.
Last week a bill sponsored by Sen. Al Franken, D-Minn. that would require companies to obtain consent before collecting or sharing a user's mobile-location information passed through committee. The Commerce Department has also met recently to develop a standard for mobile-app privacy notifications.