Two years in the making, the amended rules to the decade-old Children's Online Privacy Protection Act go into effect in July. Privacy advocates said the changes were long overdue in an era of cellphones, tablets, social networking services and online stores with cellphone apps aimed at kids for as little as 99 cents.
Siphoning details of children's personal lives—their physical location, contact information, names of friends and more—from their Internet activities can be highly valuable to advertisers, marketers and data brokers.
The Obama administration has largely refrained from issuing regulations that might stifle growth in the technology industry, one of the U.S. economy's brightest spots. Yet the Federal Trade Commission pressed ahead with the new kids' privacy guidelines despite loud complaints—particularly from small businesses and software apps developers—that the revisions would be too costly to comply with and cause responsible companies to abandon the children's marketplace.
As evidence of online risks, the FTC last week said it was investigating an unspecified number of software developers that may have illegally gathered information without the consent of parents.
Under the changes to the law, known as COPPA, information about children that cannot be collected unless a parent first gives permission now includes the location data that a cellphone generates, as well as photos, videos and audio files containing a human image or voice.
The Congressional Bipartisan Privacy Caucus commended the FTC for writing the new rules. "Keeping kids safe on the Internet is as important as ensuring their safety in schools, in homes, in cars," caucus co-chairman Rep. Edward Markey, D-Mass., said at a Capitol Hill news conference.
Data known as "persistent identifiers," which allow a person to be tracked over time and across websites, are also considered personal data and covered by the rules, the agency said. But parental consent is not required when a website operator collects this data solely to support its internal operations, which can include advertising, site analysis and network communications.
The rules offer several new methods for verifying a parent's consent, including electronically scanned consent forms, video conferencing and email.
The FTC sought to achieve a balance between protecting kids and spurring innovation in the technology industry, said Jon Leibowitz, the agency's chairman.
The final rules expand the definition of a website or online service directed at children to include plug-ins and advertising networks that collect personal information from kids.
But the rules were also tightened in a way favorable to some Internet heavyweights, Google and Apple. Their online apps stores, which dominate the marketplace for mobile applications, won't be held liable for violations because they "merely offer the public access to child-directed apps," the FTC said.
Google and Apple had warned that if the rule were written to include their stores, they would jettison many apps specifically intended for kids. They said that would hurt the nation's classrooms, where new and interactive apps are used by teachers and students.
A Washington trade group that represents independent apps developers criticized the agency for addressing the concerns of large businesses while doing too little for the startups that make educational apps parents and teachers want. The FTC's belief that the apps industry will figure out how to thrive under the new rules is akin to jumping off a cliff then building a parachute, said Morgan Reed, executive director of the Association for Competitive Technology.
"While that may work for big companies, small companies lack the silk and line to build that parachute before they hit the ground," Reed said.
Companies are not excluded from advertising on websites directed at children, allowing business models that rely on advertising to continue, Leibowitz said. But behavioral marketing techniques that target children are prohibited unless a parent agrees. "You may not track children to build massive profiles," he said.
The agency included in the rules new methods for securing verifiable consent after the software industry and Internet companies raised concerns over how to confirm that the permission actually came from a parent. Electronic scans of signed consent forms are acceptable, as is video-teleconferencing between the website operator or online service and the parent, according to the agency.
The FTC also said it is encouraging technology companies to recommend additional verification methods. Leibowitz said he expects that this will "unleash innovation around consent mechanisms."
Emailed consent is also acceptable as long as the business confirms it by sending an email back to the parent or calling or sending a letter. In cases of email confirmation, the information collected can only be used for internal use by that company and not shared with third parties, the agency said.
The FTC's investigation of apps developers came after the agency examined 400 kids' apps that it purchased from Apple's iTunes store and Google's apps store, Google Play. It determined that 60 percent of them transmitted the user's unique device identification to the software maker or, more frequently, to advertising networks and companies that compile, analyze and sell consumer information for marketing campaigns.