The U.S. Federal Trade Commission (FTC) is proposing new rules under the Children’s Online Privacy Protection Act (COPPA). The current COPPA Rules date to 1999, long before the proliferation of advertising networks and plug-ins.
Given the fluid nature of the Canada-U.S. border when it comes to e-commerce activities, Canadian companies should pay attention to the proposed rule changes. The FTC is seeking comments until September 10, 2012. [UPDATE: The deadline for comments has been extended to September 24, 2012.]
Key amendments involve changes to the definition of “personal information”, “website or online service directed to children” and “operator”.
The definition of “personal information” would expressly include persistent identifiers. These are identifiers that can be used to recognize a user over different websites or online services, provided that it is used for functions other than the internal operations of the website or online services. This could include Cookies, Internet Protocol addresses, Media Access Control addresses, or any Unique Device Identifier. This is a very interesting amendment that could begin to decouple our understanding of what “personal information” is and focus the policy conversation more properly on the limits of surveillance.
Website or Online Service Directed to Children
The FTC proposes amending the definition of “website or online service directed to children” to include any operator who “knows or has reason to know” that it is collecting personal information from children. The FTC does not believe that this requires ad networks or the suppliers of plug-ins to monitor or to investigate websites and online services. However, the FTC states that this will prevent willful blindness to credible information that their services are being used in respect of children.
The FTC proposes amendments to the definition of “operator” to make the owner of the website or online service responsible for the activities of the network advertiser or plug-in. The rationale for this amendment is that even though the owner of the website or online service may not have direct access to the personal information collected by the third-party advertising network or plug-in, it is benefiting from that collection because those third-party services provide content, functionality or advertising revenue. Accordingly, these activities should be treated as being integrated with the website or online services being directed to children. The FTC considers the operator of the website or online service to be in the best position to control what advertising networks and plug-ins are integrated into its website or online service and to give notice and obtain appropriate consent.