The House Subcommittee on Commerce, Manufacturing and Trade held a hearing this morning on "Protecting Children's Privacy in an Electronic World" to discuss new changes proposed by the Federal Trade Commission (FTC) to the Children's Online Privacy Protection Act (COPPA).
COPPA applies to: (1) operators of commercial websites or online services "directed to children" under 13 that collect personal information from children; and (2) operators of general audience sites that knowingly collect personal information from children under 13.
The FTC thankfully did not propose a key change demanded by many activists - the raising of the age threshold from under 13 to under 18. The FTC suggests that the requirements would be less effective for minors 13 or older. Moreover, the constitutional concerns about free speech rights remain the same as they did when COPPA was first written.
- Clarifying the definition of “online service” as any services that are available over the Internet, or that connect to the Internet or a Wide Area Network. This is because there has been confusion about whether COPPA applies to mobile devices.
- Expanding the definition of "personal information" to include: “screen or user names”; “persistent identifiers”; photos, videos, and audio to the extent that the file contains the child’s image or voice; and geolocation information.
- Clarifying that "online contact information" includes all identifiers that permit directly contacying a minor online.
- Adding several more factors to the test of whether a website is "directed" to minors, including musical content that is kids-oriented, the presence of kid celebrities, and using celebrities that appeal to minors.
- Streamlining the required privacy notices on websites, but expanding the requirements for direct privacy notices to parents.
- Changing the ways that parents can provide (and websites/services can verify) parental consent, such as allowing for checking of government-issued identification and forms that can be scanned and sent.
- Eliminating the "email plus" method of parental consent verification, which has allowed websites/services that collect personal information for internal uses only to obtain consent through an email to the parent, coupled with an extra confirmation step.
- Requiring "reasonable measures" from websites/services to ensure that any service provider or third party receiving minor's personal information takes similar steps to protect the information's privacy, integrity and security.
- Adding a new requirement that websites/services only retain data for as long as reasonably necessary to fulfill the purpose for which it was collected.
MRA's proposed best practices for survey research have long included a flexible application of the COPPA principles to research interactions with anyone under the age of majority, whether online or off.
The FTC is accepting comments on the proposed rule changes until November 28. MRA will be filing comments on behalf of the research profession, but we need your input. Please contact MRA Director of Government Affairs Howard Fienberg.