Here's a primer on the Federal Trade Commission's authority over the privacy and safety of children online, and the origins of the Children's Online Privacy Protection Act, or COPPA.
The adoption of COPPA was in direct response to the lack of industry compliance with the law as articulated by the FTC in the KidsCom/Center for Media Education letter.
In June 1998, the FTC presented its Privacy Online Report to Congress, documenting the online collection of personal information from children. The FTC rearticulated its prior concerns that collection of personal information from a child under the age of 13 without informed parental consent would be a deceptive trade practice. The FTC reported to Congress that even in chat rooms, children innocently and without request may reveal where they live or go to school or their real E-mail addresses.
The FTC informed Congress that parents need to understand the risks and consent to any such collection and disclosure of personal information. Congress apparently agreed, and wasted no time in acting on the FTC's report. Within months COPPA was law.
In May 1996, the Center for Media Education, a consumer-watchdog group, filed a petition with the FTC requesting the FTC investigate KidsCom and bring an enforcement action against it. The center asserted that KidsCom's data-collection practices violated section 5 of the FTC act's "anti-deception" laws in two ways. First, KidsCom collected information from children without accurately disclosing the purpose, and, second, KidsCom failed to disclose that it was paid to endorse certain products.
In July 1997, the FTC issued its findings in a letter ("KidsCom letter"). The FTC determined that KidsCom's disclosure was "likely" inadequate and misleading, but declined to take any punitive action against KidsCom since it had already changed its data-collection practices and cooperated in the FTC investigation. In issuing this ruling, the FTC for the first time publicly announced its guidelines for data collection from children on the Internet.
The FTC discovered that KidsCom was sharing information collected from children at its site with third parties. However, this information was provided to third parties only in an anonymous, aggregate form--for example, all 10-year old boys from New York preferred baseball over football, rather than Joey Smith from Queens prefers baseball over football. Relying on section 5 of the FTC Act, which prohibits unfair and deceptive practices in, or affecting, commerce, the FTC stated its first principle relating to data collection from children online: "It's a deceptive practice to represent that a Web site is collecting personally identifiable information from a child for a particular purpose (e.g., to earn points to redeem a premium), when the information will also be used for another purpose which parents would find material, in the absence of a clear and prominent disclosure to that effect."
The FTC articulated its second principle that, when collecting personally identifiable information, "adequate notice" of such practices must be given to a parent because of a child's limited ability to understand the disclosure. "Adequate notice" requires disclosure of: (1) who is collecting the personally identifiable information; (2) what information is being used and for what purpose it's being used; (3) whether it will be disclosed to third parties, and if so, to whom and in what form; and (4) how parents can prevent the "retention, use, or disclosure" of that information.
The third principle is more vague, as it deals generally with safety. The FTC has had broad regulatory powers when dealing with safety issues, under its unfairness authority in section 5. Under section 5, a practice is unfair if it causes or is likely to cause substantial injury to consumers which isn't reasonably avoidable and isn't outweighed by countervailing benefits to consumers or competition. In its KidsCom letter, the FTC articulated its "unfairness" test for Internet child safety, noting that the disclosure of children's personal information to third parties is of particular concern, and parents must be given adequate notice of such use and the opportunity to deny their consent to it.
In its fourth and final principle, the FTC criticized KidsCom's endorsement practices as misleading and deceptive. KidsCom had "New Product" areas, where products were reviewed and endorsed. What it hadn't disclosed was the fact that, in exchange for an endorsement, product manufacturers had to contribute at least $1,000 worth of product, which was used for premiums and prize redemptions. The passing-off of an advertisement as an independent review or endorsement is a deceptive practice under section 5 of the FTC Act. KidsCom failed to clearly and conspicuously disclose that the product information was solicited from manufacturers and printed in exchange for in-kind payment.
Following the issuance of the KidsCom/Center for Media Education letter, the FTC broadened its principles to include offline consent for children age 12 and under any time their personal information may be shared online, in chat rooms or similar third-party communications, and before any site collects and stores their personal information, even an E-mail address.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.