FTC Provides Limited “Safe Harbor” for Users of a “Do Not Track for Kids” Flag

The new Children’s Online Privacy Protection Act (COPPA) rule that went into effect earlier this month restricts almost all forms of tracking across child-directed sites other than for a set of limited “internal operations purposes.”  Child-directed sites are now strictly liable for any third party tracking on their sites that do not meet COPPA’s limited exceptions, unless they obtain verified parental consent.

Third party code providers, such as analytics companies, ad networks, or social plug-in providers, can also be liable under the new COPPA rule if they have “actual knowledge” they are dealing with children – that is, if the first party site has effectively communicated its online status to the third party or if a “representative of the online service recognizes the child directed nature of the site.”  Yet for many third party code providers, who distribute their code freely to millions of web developers, there is no way to assess whether they are being used by services directed at children.

Earlier this month, the Future of Privacy Forum (FPF) announced its support for a model proposed by FTC Chief Technologist Steve Bellovin calling for a special “flag” to be passed between companies that would indicate the child directed status of a site.  FPF has been working with a number of stakeholders to refine a technical proposal that could help standardize this type of communication, effectively creating a limited “Do Not Track for Kids” signal.  We have urged the FTC to provide a “safe harbor” for users of this flag in order to provide more certainty in this area and to help ensure compliance from web publishers and third parties.

Last week, the FTC released updated FAQs to help businesses comply with the COPPA rule.  These FAQs include a provision recognizing the COPPA flag as a viable tool for compliance; the FAQ sets forth a technical system for a site to affirmatively certify whether it is “child-directed” or “not child-directed.”  According to the FAQs, companies may rely on a signal that a site is “not child-directed,” but “only if first parties affirmatively signal that their sites or services are ‘not child-directed.’”  Companies cannot set this option for their clients as a default, if they wish to limit their liability. The FTC is requiring a “forced choice” or a “double flag” process, rather than the single flag that Bellovin proposed and that FPF championed.

We are pleased that the FTC recognized the COPPA flag as an effective way to both protect children and ensure that companies meet their obligations.  Technology can offer a meaningful, low-cost solution that can be widely implemented across industry to encourage compliance.

The new FAQs describe stringent requirements that must be met for a COPPA signal that companies “may ordinarily rely on.”  Our view is that this FTC language creates a safe harbor of sorts, providing protection for companies worried that they will be arbitrarily imputed actual knowledge.

While the FTC’s version of the flag will work for some companies, it will not be practical for many others.  And for those who it will work, it will likely be feasible for their new clients only, because retroactively forcing many thousands of current clients to make a forced choice or be terminated is not realistic.

A number of leading companies, including Facebook, AdMob, Twitter, The Rubicon Project, and Yahoo!, began to roll out a single flag option to their clients even before the FTC released its new FAQs.  We believe this single “Do Not Track for Kids” option still has value even though it may not meet the FTC standard for a safe harbor.  The FTC has reiterated that “actual knowledge” requires a fact-specific inquiry.  As a practical matter, companies that send and receive a COPPA flag as part of their compliance efforts are demonstrating a good-faith attempt to meet their obligations under the new COPPA rule.  Those who implement such technology as part of a broader compliance strategy will be in a far better position should the FTC come calling than those who do not.

The next step for companies is to standardize a format for the COPPA flag signal so that it can more easily be passed along from company to company.  If you are interested in learning more about the FPF’s efforts to standardize this Do Not Track for Kids signal, please email [email protected].

 

 

NTIA User Interface Mockups

“I am pleased to support the NTIA Short Form Notice Code of Conduct,” said Jules Polonetsky, Executive Director of the Future of Privacy Forum. “A ‘food label’ type approach to a privacy notice will give consumers a standardized way to get key privacy information at a glance and will help consumers better understand how apps collect and share data.”

The sample notices below show examples of implementations of the short notice developed by a number of the multi-stakeholders. We expect that consumer testing will lead to even better versions that will deliver easy to use information to consumers.

Example 1:  Data Use Highlighted

Example 2:  Data Used on Top & Data Not Used on Bottom

Example 3:  “YES/NO” Highlighted Accordion

Example 4:  Categories Separated (Long List)

Example 5:  Categories Separated (Short List)

Click to download a compilation of all five user interface designs.

Please also check out the short form notice example from the Association of Competitive Technology, which demonstrates  another clear way that apps can implement the code in an easy-to-use manner!

FTC Privacy Veteran Molly Crawford Joins Future of Privacy Forum as Policy Director

Washington, DC, July 23, 2013   The Future of Privacy Forum (FPF), a  Washington, DC-based think tank advancing responsible data use and consumer privacy, today announced that former Federal Trade Commission staffer Molly Crawford has joined FPF as its first Policy Director.  In her new role, Ms. Crawford will be expanding and coordinating FPF’s focus on cutting-edge privacy issues.  Ms. Crawford will report to FPF Executive Director Jules Polonetsky.

Ms. Crawford brings to FPF her eight years of experience as a senior attorney in the FTC Division of Privacy and Identity Protection within the Bureau of Consumer Protection.  In that role, Ms. Crawford focused on privacy, data security, and technology matters, leading investigations into companies’ privacy and data security practices.  She developed particular expertise in the areas of mobile privacy, data brokers, and online tracking.  Ms. Crawford also was detailed by the FTC to the US Senate Committee on Commerce, Science, and Transportation, where she served as Counsel advising senators and their staff on privacy and privacy legislation.

FPF Founder and Co-Chair Christopher Wolf commented on Ms. Crawford’s arrival as the group’s first Policy Director by saying “I cannot imagine anyone better qualified than Molly Crawford to help lead the Future of Privacy Forum to the next level of constructive engagement on the knotty privacy issues facing consumers and businesses today.   We are honored and delighted that she chose FPF as her new professional home.”

FPF’s Executive Director and Co-Chair, Jules Polonetsky said, “Molly is a terrific addition to the FPF team and her great depth in privacy law and best practices will help us advance responsible data use.”

Commenting on her new appointment, Molly Crawford said: “Having dealt with the Future of Privacy Forum during my years at the FTC, I know it to be the most effective group at bringing practical and reasonable solutions to the privacy challenges posed by new technologies.  I am thrilled to join Jules and Chris, as well as Senior Fellows Mary Culnan, Peter Swire and Omer Tene, and the Junior Fellows, in working to advance FPF’s privacy-advancing mission.”

If you are interested in learning more about Future of Privacy Forum, please email [email protected] or call 202-642-9142.

The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.

The Ethics of Student Privacy: Building Trust for Ed Tech

Read FPF’s paper on ethics and trust in the ed tech environment, but Jules Polonetsky and Omer Tene, as published in the International Review of Information Ethics, Vol. 21 (07/2014).

July 16, 2013 – Companies To Develop Privacy Standards For Tracking Brick-And-Mortar MediaPost News

FPF begins work with technology companies, privacy advocates, and regulators to develop a code of conduct aimed at protecting consumers’ privacy. 

 

FPF Announces New Group to Develop Best Practices for Retail Location Analytics Companies

The Future of Privacy Forum Announces New Group to Develop Best Practices for Retail Location Analytics Companies 

First Step for Shaping Privacy Principles for Technologies Aiming to Improve the In-Store Shopping Experience

Date: July 16, 2013

WASHINGTON, D.C. – The Future of Privacy Forum (FPF) today announced that it is working with a group of leading technology companies to develop best practices for retail location analytics. The companies, including Euclid, WirelessWERX, Mexia Interactive and ShopperTrak, provide solutions to retailers to develop aggregate reports used to reduce waiting times at check-out, to optimize store layouts and to understand consumer shopping patterns.  The reports are generated by recognizing the Wi-Fi or Bluetooth MAC addresses of cellphones as they interact with store Wi-Fi networks.

FPF’s goal is to make sure these technologies are subject to privacy controls and are used responsibly to improve the consumer shopping experience.

“Companies need to ensure they have data protection standards in place to de-identify data, to provide consumers with effective choices to not be tracked and to explain to consumers the purposes for which data is being used,” said Jules Polonetsky, Director of the Future of Privacy Forum.  “By being transparent about what is going on, location companies and retailers can make sure shoppers understand the benefit of the bargain.

“New technologies are helping retailers better understand what customers want and make shopping more convenient for everyone,” said Will Smith, co-founder and CEO, Euclid. “Privacy has always been a priority as we’ve designed and built our services, and we are excited to work with FPF to develop best practices for the retail analytics industry.”

“Our emerging industry has focused on building innovative analytics products that help our retail partners compete more effectively and deliver better value and service to consumers, while always protecting their anonymity and privacy.  By proactively establishing these standards of conduct, we hope to demonstrate our continued commitment both as a company and as an industry to adhere to the highest standards of consumer privacy and protection,” said Jim Riesenbach, CEO, WirelessWERX.  

“ShopperTrak is working with FPF because we believe in individuals’ rights to privacy.  ShopperTrak’s wireless solution only stores anonymous data and enables consumers to opt-out of any tracking whatsoever, should they so desire,” said Christopher Ainsley, CEO ShopperTrak.

Working together with retailers and the in-store location technology companies, FPF will seek to input from a range of stakeholders and will release a proposed code of conduct by November 2013.

If you are interested in learning more about the project, please email [email protected].

For any questions, or to schedule an interview, please contact Heather Federman at [email protected].

The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.

Getting COPPA Right with a New Directed at Children Signal

One of the most important provisions of the updated Children’s Online Privacy Protection Act (COPPA) rule that took effect yesterday is the extension of child privacy protection to behavioral advertising, the practice of tracking users across online sites and services to tailor advertising. The Future of Privacy Forum supported the Federal Trade Commission’s move to restrict behavioral ads for children and we are pleased to see many companies working hard to come into compliance.

However, when the FTC focused on behavioral ads, they drew their rulemaking scope widely, capturing almost all forms of tracking across sites other than a set of limited “internal operations purposes”.  Third party code providers, such as analytics companies, ad networks, or social plug-in providers are deemed to have “actual knowledge”  they are dealing with children if the first party site has effectively communicated its online status to the third party or if a “representative of the online service recognizes the child directed nature of the site.”

This last provision is challenging, since many third party code providers distribute their code freely to millions of web developers, with no way to assess whether they are being used by services directed at children.  Does an email from anyone in the world to an employee of a social network put the company on notice that it is dealing with a child directed site?  How should an ad network know if a “representative” of its service has recognized the child directed nature of an app?  Some apps are obviously directed at children, but for others the legal analysis is quite fact specific.  Given the strict liability standard under COPPA, all third parties that distribute code widely are facing a substantial and amorphous risk.  We trust that the FTC staff will be reasonable in their enforcement efforts, but more certainty in this area would help ensure compliance from web publishers and third parties.

One way to help provide certainty is to develop a technical method for child directed sites to communicate their status to third parties.  FTC Chief Technologist Steve Bellovin proposed a promising model several months ago, calling for a special site flag to be passed between companies that would indicate the child directed status of a site.  FPF has been working with a number of stakeholders to refine a technical proposal that could help standardize this type of communication, effectively creating a limited “Do Not Track for Kids” signal.

In this direction, we are pleased to note that a number of companies have started rolling out technical flag options for sites directed at children to use.  Facebook just released a new kid_directed_site parameter, which sites can use to let Facebook know that they are directed towards the under-13 set.  Google’s AdMob mobile ad network SDK now includes a new setting called tag_for_child_ directed_ treatment, which allows mobile apps to indicate they want their content treated as child directed for ad requests.  The Rubicon Project emailed its clients advising them to use a new site naming convention “[Site Name] – Children’s Site, which publishers should insert in their ad tags.  And Twitter just advised sites directed to children that they must use the data-dnt parameter, which Twitter provides for sites that wish to opt-out their users from tailored content and suggestions.

For many companies, creating such a flag will be far more complex.  Tags will need to be created by complex content management systems for sites that dynamically assemble pages. For companies that operate ad networks or exchanges, flags will need to be reliably passed from one ad network to another; sites or networks that don’t pass site data will need to develop a means to generate a flag. But the effort to implement this flag could be an effective way to both protect children and ensure compliance.

The FTC could play a key role here to encourage this new technical method of COPPA compliance, if it recognized that services designating a primary technical method for sites to communicate their status or to restrict data use should not be deemed to have gained actual knowledge via alternate means.  To be clear, services that get this flag are now on the hook for full COPPA compliance, as are their child directed site partners.  By sending or distributing the flag, companies are distributing and expanding a significant legal compliance obligation and accepting the risk of substantial penalties.  By choosing to use this flag, they should be have certainty that they will not held responsible for being attributed knowledge in an uncertain manner.

Much criticism of the COPPA rule has focused on the compliance burden it poses on small companies and start-up app developers. By looking to technology for a solution, the FTC and industry could turn a legal burden into an effective, no cost and widely distributed method to advance children’s privacy.