2010 Children's Online Privacy Protection Act Rule Review
Today's web practices suggest that something is wrong with the current framework. It also reveals marketplace practices inconsistent with stated privacy promises. To shift the trends here, the Federal Trade Commission should advance several changes as part of its review of the COPPA Rule. • In its current form, COPPA is not protecting children’s privacy. Children are still creating accounts on social networking sites without first obtaining their parent’s consent. They simply lie about their age. We need to shift the paradigm. Congress should revise COPPA to impose stronger restrictions on how website operators use child data, and place less emphasis on notice and parental consent. • The Commission should require commercial website operators to make reasonable efforts to determine if a child is registering online, taking into consideration available technology. Too many operators turn a blind eye when child users falsify age information, and few face legal risk for deploying this passive approach. • The Commission should regularly audit COPPA Safe Harbor programs to enhance industry compliance. It is unclear if the Commission has ever leveraged its legal right to inspect records of Safe Harbor programs. • The Commission should adopt data breach notification rules for child data. Commercial website operators should notify parents whenever the confidentiality, security, and integrity of personal information about child users is compromised. Without it, parents can’t take steps to protect their children. • The Commission should develop a model COPPA privacy form to make disclosures to parents more readable and understandable. The Commission has already implemented similar tools for financial institutions, and adopting them to COPPA is achievable. • Teens today are migrating away from traditional desktop web models with hand-held mobile platforms, and this technology should be developed to behave responsibly with child users. • The Rule’s definition of “personal information” doesn’t need to be expanded. In fact, as technology advances, the line between personal information and non-personally identifiable information continues to diminish. What we need are better controls on how child information is used, secured, and shared. • Updating the COPPA Rule to allow operators to leverage mobile text messaging to obtain verifiable parental consent for uses other than the “disclosures” defined by 16 C.F.R. § 312.2 is appropriate.