The Federal Trade Commission (FTC) is asking educators and others to comment on its implementation and subsequent enforcement of the Child Online Privacy Protection Act (COPPA), the law that requires internet operators to get parental consent before collecting personal information from web surfers under age 13.
COPPA applies to individually identifiable information about a child that is collected online, such as full name, home address, eMail address, telephone number, or any other information that would allow someone to identify or contact the child, according to the FTC. The FTC regulation pertaining to the law also covers other types of information, including hobbies, interests, and information collected through cookies or other online tracking mechanisms–when tied to individually identifiable information.
The FTC is trying to determine whether to retain the rule as is, modify it, or eliminate it altogether and is asking for public comment on current practices for collecting and disclosing children’s information; opinions regarding children’s ability to access information online; and the operation of web sites that specifically target children.
The announcement comes because many web sites have been slow to meet COPPA’s guidelines–and schools continue to question what justifies legal consent under the law.
The review is part of an FTC procedure that requires the agency to revaluate the rule five years after its initial implementation. The commission says it plans to share the comments it receives with members of Congress in efforts to reform the law.
Since its inception in 2000, COPPA reportedly has created headaches for online content providers seeking to collect children’s personal information for marketing and other purposes. The rule also has created some confusion in schools, where administrators have questioned what authority educational institutions have to grant permission for accessing online content when students are in their care.
To address these challenges, some of the nation’s largest online content providers have developed tools intended to streamline the compliance process.
Some services, including Kids Passport from Microsoft Corp., try to collect personal information in a way that allows parents to manage their child’s online portfolio from one centralized location.
An extension of Microsoft’s “Passport” technology, Kids Passport is an online service that lets users create a single profile–including user name, password, and other information–that can be used on all participating web sites. Rather than complete hundreds of individual registrations, kids use Passport to log on to any number of sites without constantly having to repeat the registration process.
When a child tries to sign on to a web site that requires personally identifying information, the child can ask a parent or guardian for permission by sending an electronic request through Kids Passport. The parent or guardian reviews the request and can grant a specific level of consent or can deny consent altogether.
Originally, the product was billed as a way to keep children safe online while easing the administrative burden associated with COPPA. But Microsoft was forced to change its stance on the product after an internet watchdog group complained that it misrepresented itself to parents by leading them to believe that all of the sites featured as part of the Passport program were designed specifically for children.
Microsoft later admitted that many of the participating sites, including MSN Calendar, MSN Chat, and its free Hotmail eMail service, were, in fact, general-interest sites, saying it could not guarantee that children visiting these sites would not be asked to give away the types of personally identifiable information protected under COPPA (see “Microsoft to make ‘Kids Passport’ more parent-friendly).
Congress also has sought ways to make COPPA compliance more manageable. Under the Dot-Kids Implementation and Efficiency Act of 2002, lawmakers sought to carve out some child-friendly territory within America’s “.us” internet domain, where children under the age of 13 could work, play, and surf without being subjected to online marketing or inappropriate content such as pornography, gambling, and other adult fare.
But despite nearly four years of promotion, the Dot-Kids project has managed to recruit only a handful of participating web sites, according to NeuStar Inc., the internet security firm hired to oversee the program for the federal government.
Still, most educators say COPPA is necessary to help guard students against questionable and sometimes dangerous solicitations.
“In any mandate, there is paperwork and confusion in the beginning,” asserted Sandra Becker, technology director for the 4,300-student Governor Mifflin School District in Shillington, Pa. “We need COPPA or something similar to keep things safer.”
Although teaching online safety and promoting awareness among students is critical, Becker said, the internet still can be a dangerous place, even for savvy web-surfers. And the risks are even more serious for students, especially children in the lower grades.
“Our children know how to access web sites of all types. Third-grade students may have skills to get to places and to provide information,” she said. What’s troubling is that younger internet users don’t fully understand the consequences attached to giving away personal information.
The FTC also is seeking comments on several related issues.
The agency wants to know whether the criteria it uses for identifying web sites directed to children is adequate or should be modified. Currently, FTC officials look at factors such as the overall subject matter of the site, any visual or audio content, the age of models depicted, language used, and the target audience of advertising or marketing materials.
The FTC also seeks comment on the “actual knowledge” provision of the law. According to FTC officials, the rule applies to web site operators who seek to verify a child’s age before granting access to the site’s content. Despite the extra hurdles users must go through to access content, critics question whether asking students for their age or date of birth is enough to keep them from accessing questionable sites. In many cases, critics argue, all a child must do to circumvent these security measures is click the “back” button on their web browser and enter a different date of birth.
The FTC wishes to determine whether the term “actual knowledge” is sufficiently clear and whether some web site operators use the screens as a means of encouraging children to double-back and change their age.
Other issues under review include the use of credit card numbers as verifiable parental consent. Child safety experts have begun to question the use of credit cards–long a preferred method of consent to access online pornography and other adult-oriented content–as a means of proving one’s adulthood. These days, they say, credit card companies are marketing to younger audiences, making it difficult to use valid card numbers as a protective barrier in the online world.
The FTC also seeks comment on the COPPA “safe harbor” program, a provision that enables organizations to submit guidelines their web sites can follow to be deemed compliant under the law. To date, the commission has approved four safe-harbor programs, and the agency is interested in feedback on the effectiveness of these types of initiatives.
Lastly, the FTC seeks additional comment on COPPA’s sliding-scale mechanism for obtaining verifiable parental consent.
Under the current law, web site owners and online service providers that collect children’s personal information solely for internal use can obtain parental consent by sending an eMail message to the parent and by taking at least one additional step to make sure the person providing the consent has the legal right to do so.
It’s a bit trickier for operators seeking to disclose children’s information publicly or to third parties. These types of web sites must employ more reliable methods of obtaining parental consent, such as using a “print-and-send” consent form; a credit card transaction; a toll-free telephone number staffed by trained personnel; a digital certificate using “public key” technology; or an eMail message with a password or PIN obtained by one of the above methods.
The commission adopted the sliding-scale approach for parental consent when it issued its original rule in 1999. At that time, the agency anticipated that more sophisticated, reliable, and cost-efficient technology for obtaining parental consent would soon become available, so the sliding-scale approach was set to expire in 2002.
In 2002, the agency extended the sliding-scale approach until April 21, 2005, because such technology was still not available.
To be considered, all comments must be received by June 27.
Federal Trade Commission
FTC Seeks Comment on Children’s Online Privacy Rule