Just in time for Christmas, the Federal Trade Commission (FTC) issued its final rule on the Children’s Online Privacy Protection Act (COPPA). The final rule isn’t terrible, but it’s not something we were looking for.
Let’s start with the disturbing parts of the rule.
First is the expansion of who is covered by COPPA. Prior to the new rule, COPPA covered only child-directed websites. But now, web plugins, like YouTube videos, may find themselves subject to COPPA restrictions, liability, and enforcement actions. This will stifle innovation by plugin providers and raise costs for child-directed sites.
So how does this play out in the real world? Right now, PinewoodDerby.org (a site directed to Cub Scouts) has YouTube videos embedded on its site. If one of YouTube’s employees knows that PinewoodDerby.org is for Cub Scouts, YouTube (and its parent company Google) becomes covered by COPPA. So when a Cub Scout views one of the site’s YouTube videos and the child’s IP address is collected without parental permission, YouTube will have violated COPPA.
The FTC knows the harm to child-directed sites from its new COPPA rule — “The Commission also appreciates the potential for discouraging dynamic child-directed content.”
So how does YouTube avoid being covered by the new COPPA rules? It could ask every employee to create a list of child-directed websites and then somehow block those sites from using the YouTube plugin.
YouTube could also ask child-directed sites to self-identify in the referrer header — an idea the FTC suggested just yesterday. But what happens if a child-directed site fails to self-identify? YouTube is still covered by COPPA if an employee (especially a former Cub Scout) recognizes that a pinewood derby website is most definitely directed to kids.
Second, the FTC appears unconcerned about the cost its new regulations would impose on child-directed sites. The FTC estimates nearly $17,000 in new costs for a website to comply with the new COPPA rules. That’s a chunk of change for a child-directed website that is just scraping by. The FTC acknowledged as much in its rule explanation — “The Commission also appreciates the potential for discouraging dynamic child-directed content.”
Finally, the FTC now says that any persistent identifier is “personal information.” Although a computer may have multiple users, or an IP address may be shared by dozens of devices on a network, the FTC now says the IP address identifies a specific individual. This creates a dangerous precedent: expect the FTC to similarly limit the use of persistent identifiers for interest-based advertising to adults, too. And it’s those interest-based ads that pay for all our free online content and services.
That’s some of the bad, but the rule isn’t as bad as we feared. That’s partly because the FTC accepted some of the changes requested by businesses and trade groups like NetChoice.
For instance, the new rule allows unified sites to share parental consent info instead of requiring each site to obtain its own consent. So a child visiting Nickelodeon.com could use the same user ID and associated parental consent for the related website NickJr.com.
Also, the FTC recognized our concern that COPPA exceptions must evolve along with new technologies and services. By creating a mechanism for businesses to request new “support for internal operation” exceptions, websites can continue experimenting with new services directed to kids.
We’ll continue to review the COPPA rule and expected clarifications from the FTC. While the new rules were not as bad as we feared, Chairman Leibowitz shouldn’t be surprised that we left him no cookies or milk on Christmas morning.