USA Law

Children’s Online Privacy Protection Act

Children’s Online Privacy Protection Act in the United States

by Pamela MacLean.

The federal Children’s Online Privacy Protection Act expands its reach.

Using digital cookies, global positioning, and online behavioral advertising, companies can locate children while they use mobile devices, lure them with targeted ads for a nearby ice cream shop, or tempt them to instantly buy a new gaming application. These entities can also track online behavior to build sophisticated user profiles and then sell the information to advertisers in real time.

When Congress gave the Federal Trade Commission (FTC) authority to protect the privacy of children age twelve and younger with the Children’s Online Privacy Protection Act of 1998 (COPPA) (15 U.S.C §§ 6501-6506), Facebook wouldn’t be invented for another six years and the first iPhone sale was nine years away. Times have changed. So on July 1 new FTC regulations will expand the number of website operators and app developers who come under the jurisdiction of COPPA’s requirements for parental notification and consent, and impose limits on retention of a child’s private information. (16 C.F.R., Pt. 312.)

The new rules may address some of the concerns raised by an FTC staff report last year on 400 apps geared toward children: Only 16 percent gave parents a link to their privacy policies prior to downloading, the study found.

Now, for the first time, the FTC has gone beyond protecting the privacy of a child’s name, address, and phone number to safeguard “persistent identifiers” – such as a Web address unique to a computer (known as an Internet Protocol or IP address), a smartphone’s ID, geolocation tracking data, photos, and video and audio of children. The new rules also expand the definition of “websites directed toward children” to include social media plug-ins such as a “like” button on Facebook.

“What they are trying to get at with persistent identifiers is that they really don’t want online behavioral advertising targeted to kids, or the amassing of a child’s activities across websites,” says Julie O’Neill, who specializes in privacy and consumer protection in Morrison & Foerster’s Washington, D.C., office.

Not everyone, however, welcomes this development. Sweeping IP addresses into the definition of personal information “is hugely problematic for information transfer on the Internet,” says Alison Pepper, senior director of public policy for the D.C.-based Interactive Advertising Bureau (IAB).

Including IP addresses as persistent identifiers along with users’ names and addresses “is contrary to what a lot of federal courts are ruling,” she says. The IAB chided the FTC in September that the move oversteps the commission’s statutory authority.

Also unnerving for the gaming and entertainment industry is the expansion of liability for third-party content. Next month, companies that knowingly collect data through a site directed at children will be responsible for making COPPA privacy disclosures and getting parental consent.

But the law is limited. COPPA contains no private right of action, for example, and it does nothing for teens over age twelve.

California, for its part, has an added weapon in its arsenal. The California Online Privacy Protection Act (Cal. Bus. & Prof. Code §§ 22575-22579), passed in 2003, requires companies that collect personal information to display their privacy policies.

Attorney General Kamala Harris has put a high priority on protecting children’s online privacy and says she intends to bring enforcement actions under the federal COPPA. “The statute specifically authorizes a state AG to enforce it,” says Travis LeBlanc, special assistant attorney general and Harris’s top advisor on privacy. “The law will be enforced by the FTC and the California AG. No question about that.”

Cybersecurity Legislation

The United States deals with cybersecurity issues in a number of ways. The Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) provides an avenue of legal redress for federal offenses perpetrated through a computer. The 2003 National Strategy to Secure Cyberspace guides the cybersecurity efforts of the Department of Defense, while the National Information Infrastructure Protection Act of 1996 (Pub. L. No. 104-294, which amended the CFAA) makes denial-of-service attacks illegal and punishable by up to ten years of imprisonment. The Patriot Act (Pub. L, No. 107-56) includes provisions allowing the FBI to investigate cybersecurity offenses and enabling the U.S. attorney general to take legal action.

Resources

See Also

  • Child Protection
  • Childrens Homes
  • Childrens Bureau
  • Constitutional Protection Of The Right To Privacy
  • Online privacy in the Constitution
  • Constitutional Protection Of Civil Liberties

Posted

in

, ,

by

Robert

Tags:

, ,

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *