Here in the US, the FTC is proposing changes to the Children’s Online Privacy Protection Act (COPPA). They recognize (correctly) that changes in data collection methods, as well as technological advancements including geolocation, smartphones, behavioral ad targeting and social networking, make it necessary to revise the rules for kids under the age of 13.
So what do the new rules include?
- Redefining “Online Services:” When COPPA was enacted in 1998, “online services” referred to websites. Now it includes mobile apps “that allow children to play network-connected games, engage in social networking activities, purchase goods or services online… or interact with other content or services.”
- Redefining “Personal Information:” Also called “personally identifiable information” or PII, this included stuff like full name, email address, street address, phone number. It now includes geolocation data and online tracking mechanisms used for behavioral targeting.
- New parental consent rules: Instead of referring parents to an online privacy policy, online services must provide “just-in-time” notification, which means that parents are informed at the time of sign-up what the privacy provisions are (i.e., text in an email instead of just a link).
- Added flexibility for online services: Kids under 13 can now participate in interactive communities without parental consent as long as the site takes “reasonable measures to delete all or virtually all children’s personal information before it is made public.”
Ok, sounds good.
Wait. “Reasonable measures?”
If you scan the new rules, you’ll see the word “reasonable” everywhere:
“The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”
“Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance”
“An operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives notice of the operator’s practices with regard to the collection, use, and/or disclosure of the child’s personal information”
“If the operator has not obtained parental consent after a reasonable time from the date of the information collection, the operator must delete such information from its records” (Emphasis mine)
What does “reasonable” mean here? And who gets to define it? Parents? Kids? Lawyers? The FTC? The “operators?”
Until there’s a common definition of “reasonable” for these new rules, we’re still caught between the Scylla of unscrupulous advertisers and the Charybdis of controlling family activists.
What do you think?
“Reasonable Measures:” COPPA Comes of Age
One Response to ““Reasonable Measures:” COPPA Comes of Age”
Chiara
It sounds like they are trying not to paint themselves into a corner again, and in doing so are going to leave things wide open to abuse. It doesn’t feel right to specify in an act like this that x must happen within 48 hours or some such. And yet, by not being explicit it’s left gray and wiggly and, well, scary.
As a designer/creator of a system, I want the flexibility to establish the nitty gritty details in the way that makes the most sense for my users, in my context.
As someone who cares about the safety of children, I want it to be clear so that no one can write the rules in the ways that only protect their ignoble practices.