Total Pageviews

Friday, December 21, 2012

Children\'s Online Privacy Rules: Winners and Losers

Now that the Federal Trade Commission has published its updated privacy protections for children online, Facebook may finally open its site to children under 13, industry analysts say.

But those very same new rules, they say, may prompt some small app developers to pull out of the children's market altogether.

The original rules, based on the Children's Online Privacy Protection Act of 1998, or Coppa, required operators of Web sites directed at children under 13 to notify parents and obtain their consent before collecting personal information from children, like their names, addresses and phone numbers.

The revised rules, made public at a press conference in Washington on Wednesday, widen th e list of children's personal information that will require parental permission to collect. It will now include children's photos, videos or voice recordings, the IP addresses of their computers and the locations of their mobile phones. The updated rule also requires social networks, advertising networks and other third parties to get parents' permission before knowingly collecting data from children's sites and apps.

But the rules have radically different implications for big Web sites and small app developers.

Some Silicon Valley executives and their lawyers lobbied for months to try to get the commission to water down some of its proposed rule revisions.

One of the agency's original proposals would have made social networks like Facebook and Twitter liable for collecting information from children's sites or apps, even if the companies had no actual knowledge â€" but just a “reason to know” - that developers had incorporated the social networks' plug- ins into their children's services.

In a meeting with Commissioner Julie Brill in September, Facebook executives including Sheryl Sandberg, the chief operating officer, opposed that requirement.

“Facebook representatives discussed the company's consideration of opening up the social media site to children under the age of 13,” an F.T.C. summary of that meeting said. In connection with that possibility, Facebook executives said they were concerned about the company's “potential liability for data collected by its ‘plug-ins' on other websites - the Facebook representatives pointed out that that it often does not know or have control when developers add the Facebook ‘plug-ins.'”

On that point, at least, Facebook got its way.

The final children's online privacy rule uses an “actual knowledge” standard for collecting informatio n about children. That means social networks and ad networks that collect information from children without knowing that their software is operating on a children's site or app will not be liable.

In an e-mail,  Erin Egan, Facebook's chief privacy officer, wrote:  “We are pleased the Commission clarified the limited circumstances under which providers of social plugins would be subject to Coppa when those plugins are displayed on other websites.”

Other lobbying efforts fared less well.

Representatives of app developers, for example, told federal regulators that thousands of small developers of children's apps had been able to comply with the old rule by choosing not to collect personal information from youngsters. Those app developers, they said, had outsourced the data collection to advertising networks and analytics companies because the apps themselves often did not have the financial or legal resources to handle children's personal information.

The new rule, however, gives children's apps and sites primary responsibility for the ad networks and social networks they incorporate into their services. That means even children's educational apps that do not themselves collect personal information from children will now have to redesign their user interfaces to notify parents of their partners' data collection practices and obtain parents' permission, said Tim Sparapani, the senior adviser for policy and law of the Application Developers Alliance, a trade group.

Because children's apps may incorporate different software from outside sources - for analytics, say, or interactive features - they may also face greater compliance burdens than established children's Web sites with their own resources, he says.

For example, the updated rule permits data collection from children for certain internal operations as long as that information is not used “for any other purpose.”

Support for the internal operations of the website or online service means those activities
necessary to:
(a) maintain or analyze the functioning of the website or online service;
(b) perform network communications;
(c) authenticate users of, or personalize the content on, the website or online service;
(d) serve contextual advertising on the website or online service or cap the frequency
of advertising;
(e) protect the security or integrity of the user, website, or online service;
(f) ensure legal or regulatory compliance; or
(g) fulfill a request of a child as permitted by §§ 312.5(c)(3) and (4);
so long as the information collected for the activities listed in paragraphs (a)-(g) is not used or
disclosed to contact a specific individual, including through behavioral advertising, to amass a
profile on a specific individual, or for any other purpose.

Mr. Sparapani said that app developers who incorporate free software to a nalyze use patterns for their children's apps, for example, will now have to notify their analytics companies that the children's data may not be collected and used for other purposes. And those analytics companies in turn may not want to provide free services if they cannot tap an app's user data for their own purposes. Some advertising networks, he said, could pull out of children's apps for the same reason.

“What you are going to end up doing is choking off the monetary flow that monetizes the app,” Mr. Sparapani said.

He added that the rule's new requirements could push some developers to revise their apps to aim at teenagers - because teenagers' data can be freely collected.

“You can build an app with relatively no regulatory burden or you can build an app with high burdens and strict liability and a lot of monitoring,” he said. “Which one are you going to produce?”