WASHINGTON — Unbeknownst to the lucky children who unwrapped tablets or smartphones this holiday season, new rules issued in Washington to protect their privacy on those devices could have profound implications for the future of the Internet and mobile apps.
The Federal Trade Commission recently updated the 14-year-old Children’s Online Privacy Protection Act rule, or COPPA, to cover smartphones and social media. The revised rule expands the list of “personal information” that cannot be collected from children under 13 without parental consent to include location, photographs and videos. It forbids child-directed apps and websites to track children’s activities on the Internet or to pass their data on to other companies without their parents’ knowledge. Third-party operators also will be liable for information gathered from child-oriented sites.
Privacy advocates say the changes set the stage for adult consumers to demand the same kind of privacy protection themselves.
The tech industry, which lobbied against the changes, warns that over-regulation of data collection will stifle innovation, increase costs for consumers, and put some app developers and websites out of business.
One trade group, the Interactive Advertising Bureau, published a cartoon that depicts Santa wielding a mallet labeled “NEW REGS” to smash children’s tablets and smartphones. The distraught youngsters clutch their broken devices and wail as a grinning elf offers them a box of safety goggles. “Don’t let the FTC steal Christmas,” the caption reads.
“We suspect this will dramatically diminish the number and kind of new education tools which are built for kids,” said Tim Sparapani, vice president for law policy and government relations with Application Developers Alliance, an industry association. “We were in the midst of an incredible innovative cycle which had great potential for advancing educational apps for free or nearly free. . . . The FTC’s actions threaten to grind that to a halt.”
Companies will have to hire lawyers and designers and build specially designed servers in order to comply with the new regulations, Sparapani said. “That might be the difference between you staying in business and thriving and hiring new people and closing up shop.”
Online advertising models rely on data culled from browser cookies, IP addresses and click histories to provide targeted ads to consumers based on their location, past purchases, web-surfing habits and other details.
A report issued earlier this month by the FTC found that many mobile apps for children collect personal information without letting parents know who has access to the data or how it will be used.
Almost 60 percent of the apps reviewed by FTC staff transmitted data from a child’s device back to the app developer or to an advertising network, analytics company or other third party. Using information from multiple apps, the third parties could develop detailed profiles of children based on their behavior in the apps, the report stated.
This practice of digital profiling is at the heart of an ongoing battle in Washington over whether data mining should be regulated by the government, and if so, how.
Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., introduced a bill in 2011 that would task the FTC with creating a “Do Not Track” option online, a concept modeled on the agency’s Do Not Call registry, which allows consumers to opt out of phone calls from telemarketers. Consumers would have to give explicit permission for their personal information to be used by websites or apps for targeted ads.
The legislation stalled in Congress, but the Obama administration and FTC officials are pushing for the industry to establish a voluntary “Do Not Track” standard.
It’s part of a growing focus on privacy at the FTC, which this year reached settlements with Internet giants Google and Facebook for privacy violations and opened an inquiry into data brokerage firms that collect, analyze and sell consumers’ personal information.
“We have taken a step back to look at how we’re approaching privacy, whether it makes sense with the types of technologies and different business models that are out there,” said Peder Magee, senior staff attorney for the FTC.
With the revised rule, the FTC broke new ground by defining data such as IP addresses and mobile device IDs as private information, said Daniel Castro, senior analyst at the Information Technology & Innovation Foundation, a Washington-based think tank. The agency also put limits on targeted advertising, and made it less attractive for third parties to do business with app and website developers, Castro said.
He’s concerned that COPPA rules could “leak out” of the children’s environment and impact other websites.
“Right now, many websites ‘embed’ content, but if third parties are concerned about liability, they may impose restrictions on which websites can embed their tools,” Castro said. “If it is more difficult to embed third-party content, some websites may just not do this, which would be a loss for everyone.”
But consumer groups aren’t buying the argument that more regulation means less quality content online.
“If the industry wants to build a robust and long-term marketplace among families, they have to respect privacy and build trust,” said Jim Steyer, CEO of the nonprofit Common Sense Media. “Privacy is a fundamental right.”