Saturday, September 29, 2012

Interpreting COPPA and Children's Privacy - A Step Too Far?

The main thrust of the Children's Online Privacy Protection Act (COPPA) was to limit Web site operators from collecting personal information from children without the express permission of their parents. The FTC (Federal Trade Commission), which oversees COPPA compliance, recently started considering expanding COPPA coverage and reach by broadening definitions of "personal information," "knowingly collecting," and website "operator." While COPPA explicitly gives the FTC the ability to define, or re-define, those terms, the proposed expansions are substantial, and would significantly expand both the activities covered and the online sites and services covered. While a number of children's and privacy advocacy groups fully support efforts to protect children's privacy, a number of industry groups have legitimate concerns that some of the proposed expansions could have significant unintended effects for all Internet users. The Interactive Advertising Bureau (IAB), for example, indicated in formal comments to the FTC that enforcement of the expanded definitions (as formally proposed) could "restrict children’s access to online resources by undermining the prevailing business model" and "pose technical challenges to the effective functioning of the online ecosystem."
So what are the issues, and what's really at stake?

"Operators" - or who does COPPA apply to? 
The statutory language of COPPA defined operators essentially as commercial website operators who collect personal information from users, where the website is either directed towards kids or is a general interest site that knowingly collects personal information from children under the age of 13. The current proposals would add to that group third-party services such as social media plug-ins, ad networks, online gaming, and mobile apps. In proposing the expansion, the FTC provided this rationale -
"The Commission now believes that the most effective way to implement the intent of Congress is to hold both the child-directed site or service and the information-collecting site or service responsible as covered co-operators... (A)n operator of a child-directed site or service that chooses to integrate into its site or service other services that collect personal information from its visitors should be considered a covered operator... Although the child-directed site or service does not own, control, or have access to the information collected, the personal information is collected on its behalf."
While the intent may be to assure that sites don't avoid protecting kids' privacy by farming data collection to a third party, it's difficult to frame regulatory language that would differentiate websites that use third parties to collect personal information, and/or benefit from collected user information, from websites that have no interest in, or use for, user data yet link to services and sites that do. The proposed expansion would also make third party operators who collect user information liable for COPPA compliance if any affiliated or networked website is directed towards children, regardless of whether the "third party operator" has any interest in, or intent to, collect user information from children. If the implementing language is too broad, it could have the effect of making every website or online service provider legally liable for the content focus and user data collection practices of every website or online service they are linked to, or interact with. Given the nature of the internet, holding publishers liable for the COPPA compliance of affiliated services or linked sites and services would likely create a logistical nightmare of previewing and vetting of content, focus, and any user data collection practices. In their formal comments on the proposed changes, the Interactive Advertising Bureau (IAB) claimed that they could "pose technical challenges to the effective functioning of the online ecosystem," particularly for website operators or online publishers who aren't commercial and have no interest in, or use for, user data.

"Knowingly collecting," or what evidence of intent or purpose is required?
The FTC is also proposing to expand the standard of intent, shifting from applying to operators who knowingly collect kids' personal information to applying when operators might have "reason to know" that personal information is being collected from, or content is directed towards, children under the age of 13.
In regulatory and legal circles, reason-to-know is widely acknowledged as a broader, looser standard than actual knowledge of actions or behaviors. The FTC, as noted in the quote above, sees their mandated purpose as protecting children's privacy by requiring parental consent to collect personal information from kids, even if it is not knowingly and intentionally collected. The reason-to-know standard would extend COPPA to at least some incidental collection of covered user data, but not the absolute coverage that many advocacy groups have called for. They would prefer to see that privacy coverage and requirements for parental consent for data collection from kids be universal, to assure that no personal information is ever collected from children under thirteen without explicit parental consent.
Implementing a vaguer and looser standard can be problematic - "knowingly" is a clear and precise standard, even if it can be difficult to prove. "Reason-to-know" is not precise, but has been interpreted in other settings as existing when an individual could reasonably expect something is probable - in this setting, would not be surprised if a third party operator collected personal user information or directed content or services to kids. Still, there's a lot of imprecision and uncertainty left - for example, should a blogger targeting seniors that links to an online social gaming app be expected to know what user information the app collects, or whether children under 13 are playing that social game app?
And if combined with an expansion of the definition of operators to second and third parties, the costs of compliance are spread to those who are only peripherally involved with children or collection of user data.

"Personal information," or just how personal does information need to be?
To a very large extent, the Internet, mobile, and social media systems run on user data, because sending and receiving information requires some kind of address. Data transfers online need IP addresses; mobile communications require unique identifiers for devices or users; and social media need to know where to send whatever stuff we share with friends and followers. The original statutory language of COPPA used older offline definitions widely used in privacy contexts - names, street addresses, social security numbers, phone numbers; and added email addresses as a nod to the online context. But in an ever-evolving online ecosystem, these aren't our only addresses, or unique identifiers. If the concern about collecting personal information is that whatever other information or behaviors are being collected can be directly linked to a specific individual, then the FTC really does need to look at what it defines as personal information.
Last year, the FTC proposed expanding the definition of "personal information" to include any "unique identifier" that could be used to link a child's activities on multiple sites. The proposal identified a few examples of unique identifiers - IP addresses, device serial numbers, tracking cookies. The online world is replete with unique identifiers; as are the worlds of mobile devices, wireless services, mobile phones, and social media. As I said earlier, they all need addresses - and addresses that aren't relatively unique identifiers aren't that useful. Are the FTC's examples appropriate?
In one sense, clearly not. As the IAB pointed out, the problem with the listed identifiers is that they aren't necessarily user-specific - they are primarily device identifiers. If there are, or may be, multiple users, that can decouple these unique identifiers from a unique person. (We've gone through this with IP addresses, which were initially permanently assigned to a device. When the number of devices exploded, and Internet Service Providers noted they weren't always on, they switched to dynamic IP addressing, where the unique address is assigned when the device is actively connected, but tossed back into the ISP's pool of IP addresses when the device is disconnected, to be assigned to another device when it actively connects. To uniquely link an IP address with a specific computer, you now need both the dynamic IP address and the time.) "The proposed new unique identifiers permit the delivery of content and advertising to a device, not to an identified individual," the IAB argues.
In addition, device identifiers are largely automatically generated and provided with online activities without user input or direct authorization. This creates a variety of potential issues - Are dynamic IP addresses new unique identifiers that require user or parental validation of permission to use? Would COPPA be invoked if several distinct online services share a common password/login (linking across sites)? Would Internet-connected devices need to be child-proofed in the absence of parental consent to collecting device identifiers? How might this impact "TV Everywhere" implementation, which needs unique identifiers not only as device address, but for validation of eligibility to receive specific content? How might that affect the potential distribution of children's programming, or educational content or games? There's a real conflict between the need for tracking use and validating eligibility through the use of unique identifiers and tracking user behaviors and the primary funding mechanisms for websites and online services (advertising and subscriptions). Defining unique identifiers poorly or inappropriately would create significant compliance costs that could only be avoided by prohibiting children's access and use. In such a case, the IAB expressed concern that it could "restrict children’s access to online resources by undermining the prevailing business model."
A closer look at the FTC's proposals and supporting arguments suggests that their real concern was the potential use of behavioral advertising techniques on children under 13. The FTC did include a specific proposal for a ban on using behavioral targeting techniques on young children without their parents' permission. But the courts can be reluctant to apply content-related bans without specific evidence of harm. That could explain the FTC's choice of specific unique identifiers and emphasis on linking behaviors and information across sites - their list mirrors what is needed for behavioral advertising to occur. Thus, the FTC may have felt that expanding the definition of "personal information" in that specific direction could be a backdoor means to limit behavioral advertising to kids. The problem here is that these same elements are also at the heart of a great many other online services and activities, so this expansion would have unintended (I hope) negative consequences in many other areas. Particularly if the expansion of "personal information" to include a range of other "unique identifiers" and the idea of "persistent identifiers" defined as identifiers shared across sites or services, gets carried through to other privacy regulation.
Including device registration numbers as "personal information" could really impact the rapidly expanding growth of mobile services, as apps and services would need to find other means to identify and validate devices and uses. The whole foundation of social media and interconnected sites and services is similarly built on the availability of "persistent identifiers."

A Step Too Far?
The FTC clearly has the authority to consider redefining these key aspects of COPPA, and strong arguments can be made that it needs to, considering how the online world has changed in the last decade. (Not to mention the pressures being applied by a variety of advocacy and industry groups). The most immediate need is for the FTC to seriously consider expanding the definition of "personal identifiers." The original statutory examples are mostly borrowed from regulatory language applying to analogue and physical concerns. The language, for the most part, is far too narrow to reflect data or information that can identify individuals in an online world filled with myriad "unique identifiers" that could easily be used to link individuals with the information they provide and the actions they take online. But you can't ban or limit the use of all unique identifiers without crippling the Internet, or an increasing number of media devices and services - or banning their use by the people whose privacy you're trying to protect. Redefining "personal information" needs to be approached with a surgeon's scalpel rather than a blunderbuss, as any change is likely to have widespread and profound implications.
In any consideration of expanding the kinds of identifiers to be included in a definition of "personal information," the FTC (and regulators generally) shouldn't pick them because they might achieve a specific policy goal. Even if they do, they'll also impact any other uses that rely on or utilize that specific type of identifier. Regulators need to consider the other implications and effects of proposed regulatory changes before redefining things - otherwise someone's likely to wonder why it didn't do what it was supposed to, and/or how to fix the mess it's created somewhere else.

Sources - FTC Proposes New Curbs On Collecting Data From Children, OnlineMediaDaily
IAB: Proposed Children's Privacy Rules Undermine Business Model,  OnlineMediaDaily
FTC,  Proposed Rules Changes for Children's Online Privacy Protection Rule
FTC's COPPA website
