DC is looking to expand the rules that protect kids online, which sounds good. Problem is, they’re targeting any app that can’t guarantee a kid-free audience, which is not good at all.
Upcoming: “The Future of the COPPA Rule: An FTC Workshop”
The Federal Trade Commission (“FTC”) will host a public workshop on October 7, 2019 called “The Future of the COPPA Rule: An FTC Workshop” to explore whether to update the Children’s Online Privacy Protection Act (COPPA). The FTC is additionally seeking request for public comments on COPPA, due October 23, 2019.
But what is COPPA?
If you or your company build kids apps, you already know the ins and outs of COPPA and what developers must do to limit the data they collect from kids and how they can use it. For those that don’t direct their apps to kids, it may be time to study-up.
COPPA was passed by the U.S. Congress in 1998 and took effect in April 2000. It was intended to give parents and guardians more control over what data websites can collect about their children. COPPA imposes specific requirements on operators of websites or online services directed to children under 13 years of age. Additionally, it imposes requirements on operators of any websites or online services that know that they are collecting personal information online from a child under age 13 – whether they intended that or not.
The FTC typically reviews rules every ten years to ensure that they have kept up with changes in the marketplace, technology, and business models. The last COPPA Rule review ended in 2013, however the Commission is conducting a supplemental review. Questions have arisen regarding its application to the educational technology sector, voice-enabled connected devices, and general audience platforms that host third-party child-directed content.
COPPA was expanded in 2013 as children’s use of technology increased and changed. This expansion accounted for prevalent social media, mobile device, and application use. This expansion widened the definition of what constitutes a child’s personal information. This included persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings. The FTC is exploring the possibility of another COPPA revision this year, “in light of evolving business practices in the online children’s marketplace, including the increased use of Internet of Things devices, social media, educational technology, and general audience platforms hosting third-party child-directed content.”
On Capitol Hill, the Family Online Safety Institute is convening with FTC officials and U.S. Senator Ed Markey (D-MA) and his staff. On the table for discussion are proposed bills, one known as COPPA 2.0 — a bill that expands COPPA protections by content and age breadth, the CAMRA Act — a bill funding research to determine how technology affects kids, and a soon-to-be introduced bill on Kids Internet Design and Safety (“KIDS Act”) that seeks to “regulate online features designed to keep kids glued to screens, marketing that pressures children into spending, and violent, sexually explicit and inappropriate content.”
But why should I care?
The Developers Alliance continues to support the goal of protecting children by ensuring that their information is respected and handled with the utmost care. Despite good intentions, however, certain provisions in COPPA — and certain reforms of COPPA — go too far and make it a challenge for developers to continue to build our modern society and drive our economy.
Today, in order for parents to give proper consent for their children’s data to be shared, companies must comply with onerous COPPA rules that are challenging to implement. The rule for a “Website or Online Service Directed to Children” specifically is pretty broad. The current proposal triggers extensive COPPA-compliance obligations on children-directed apps and websites that explicitly do not collect or utilize children’s information. Thus, the rule arguably lumps websites and online services that have content directed at children with those that are actually using their data — and then making them both subject to the higher (and costlier) COPPA compliance standard.
Additionally, the “Reason to Know” standard in the Act is so vague that it potentially imposes COPPA liability on general audience apps and platforms. It essentially requires app owners to separate out general consumer data from that of children consumers. Put simply — an app with adult-only content is going to have to jump through fewer regulatory hoops and shell out less money for compliance than say, Words With Friends (or another app that your kids MAY use). The standard unfairly imposes COPPA liability merely because those apps inadvertently received children’s data from their app ecosystem partners. The cost to an app publisher of auditing its partners (such as those in advertising and analytics) dwarfs the resulting benefit to children, because an app that inadvertently receives the children’s information is not exploiting it in harmful ways.
That being said, any changes in the rule mean potential changes to the way developers must handle data and apps geared towards children. And if Congress’ COPPA 2.0 bill goes through, there would be lots of additional changes to implement — and not just for “children,” as his bill overhauls who COPPA applies to as well. If passed, the COPPA 2.0 legislation would strengthen “privacy protections specifically for children and minors by:
Prohibiting Internet companies from collecting personal and location information from anyone under 13 without parental consent, and from anyone 13 to 15 years old without the user’s consent
Banning targeted advertising directed at children
Expanding COPPA’s ‘Actual knowledge’ standard to a ‘constructive knowledge’ standard for the definition of covered operators
Requiring online companies to explain the types of personal information collected, how that in
formation is used and disclosed, and the policies for collection of personal information
Prohibiting the sale of internet connected devices targeted towards children and minors unless they meet robust cyber security standards
Requiring manufacturers of connected devices targeted to children and minors to prominently display on their packaging a privacy dashboard detailing how sensitive information is collected, transmitted, retained, used, and protected.”
Simply put, the proposed legislation, if passed, is going to give developers and tech companies as a whole quite a headache while figuring out the practical impacts to their business.
Developers will of course rise to the occasion and find a way to work with whatever the FTC or Congress throw at them, however with COPPA having been in force in its current form for the last 5-ish years, a change in the rule in any capacity would force reevaluation of what applies and to whom. For developers to implement new standards with a revised bill it would require legal/regulatory guidance and a possible change in business strategy. Our kids are definitely worth protecting, but it won’t be painless for developers and some services will likely buckle under the new burden. The question is: has Washington got the balance right?
Developers Alliance will be in attendance for the workshop at the FTC on October 7th. We are hopeful that the FTC invites voices from the developer community to be part of the conversation at this workshop and strongly considers the submitted industry comments in this rule revision. Additionally, the Developers Alliance intends to submit a reply to the request for public comments. As the process continues we will follow the rulemaking closely.
If you or your company is impacted by COPPA or any of its rule revisions, or would like to offer insight on your experiences with this rule or the issues covered in it, please do not hesitate to reach out to our Policy & Developer Relations Manager Sarah Richard using the form below.