Getting COPPA Right with a New Directed at Children Signal
One of the most important provisions of the updated Children’s Online Privacy Protection Act (COPPA) rule that took effect yesterday is the extension of child privacy protection to behavioral advertising, the practice of tracking users across online sites and services to tailor advertising. The Future of Privacy Forum supported the Federal Trade Commission’s move to restrict behavioral ads for children and we are pleased to see many companies working hard to come into compliance.
However, when the FTC focused on behavioral ads, it drew its rulemaking scope widely, capturing almost all forms of tracking across sites other than a set of limited “internal operations purposes”. Third party code providers, such as analytics companies, ad networks, or social plug-in providers, are deemed to have “actual knowledge” they are dealing with children if the first party site has effectively communicated its online status to the third party or if a “representative of the online service recognizes the child directed nature of the site.”
This last provision is challenging, since many third party code providers distribute their code freely to millions of web developers, with no way to assess whether they are being used by services directed at children. Does an email from anyone in the world to an employee of a social network put the company on notice that it is dealing with a child directed site? How should an ad network know if a “representative” of its service has recognized the child directed nature of an app? Some apps are obviously directed at children, but for others the legal analysis is quite fact specific. Given the strict liability standard under COPPA, all third parties that distribute code widely are facing a substantial and amorphous risk. We trust that the FTC staff will be reasonable in their enforcement efforts, but more certainty in this area would help ensure compliance from web publishers and third parties.
One way to help provide certainty is to develop a technical method for child directed sites to communicate their status to third parties. FTC Chief Technologist Steve Bellovin proposed a promising model several months ago, calling for a special site flag to be passed between companies that would indicate the child directed status of a site. FPF has been working with a number of stakeholders to refine a technical proposal that could help standardize this type of communication, effectively creating a limited “Do Not Track for Kids” signal.
In this direction, we are pleased to note that a number of companies have started rolling out technical flag options for sites directed at children to use. Facebook just released a new kid_directed_site parameter, which sites can use to let Facebook know that they are directed towards the under-13 set. Google’s AdMob mobile ad network SDK now includes a new setting called tag_for_child_directed_treatment, which allows mobile apps to indicate they want their content treated as child directed for ad requests. The Rubicon Project emailed its clients advising them to use a new site naming convention, “[Site Name] – Children’s Site”, which publishers should insert in their ad tags. And Twitter just advised sites directed to children that they must use the data-dnt parameter, which Twitter provides for sites that wish to opt their users out of tailored content and suggestions.
For many companies, creating such a flag will be far more complex. Tags will need to be created by complex content management systems for sites that dynamically assemble pages. For companies that operate ad networks or exchanges, flags will need to be reliably passed from one ad network to another; sites or networks that don’t pass site data will need to develop a means to generate a flag. But the effort to implement this flag could be an effective way to both protect children and ensure compliance.
The FTC could play a key role here to encourage this new technical method of COPPA compliance, if it recognized that services designating a primary technical method for sites to communicate their status or to restrict data use should not be deemed to have gained actual knowledge via alternate means. To be clear, services that get this flag are now on the hook for full COPPA compliance, as are their child directed site partners. By sending or distributing the flag, companies are distributing and expanding a significant legal compliance obligation and accepting the risk of substantial penalties. By choosing to use this flag, they should have certainty that they will not be held responsible for being attributed knowledge in an uncertain manner.
Much criticism of the COPPA rule has focused on the compliance burden it imposes on small companies and start-up app developers. By looking to technology for a solution, the FTC and industry could turn a legal burden into an effective, no-cost and widely distributed method to advance children’s privacy.