Simply Security - News, Views, and Opinions from Trend Micro

Posted on August 10th, 2012 in Government Policy by Simply Security | 2 Comments | Tags: Government Policy

Mobile devices are adding new urgency to children's data privacy debates.

The Children's Online Privacy Protection Act (COPPA) came into effect in April 2000, bringing a new sense of order and security to the way personal information of youth under the age of 13 was collected online. To ensure this legislation remains relevant in an era of expanded mobile Internet access and online behavioral advertising, the Federal Trade Commission (FTC) has released a new set of proposed amendments.

The first significant revisions to the legislation came in September 2011 as the FTC looked to expand and clarify terms such as "personal information" and "collection" and implement new parental notice and consent mechanisms.

"In this era of rapid technological change, kids are often tech savvy but judgment poor," FTC chairman Jon Leibowitz said at the time. "We want to ensure that the COPPA Rule is effective in helping parents protect their children online."

With the rate of web innovation only accelerating in the interim, the FTC is once again stepping in to introduce additional modifications to the legislation's language. This month, Leibowitz's team is taking aim at the definitions of "operator" and "website or online service directed to children." Most notably, the new proposals clarify how third-party advertising networks and software plug-ins factor into the data protection equation.

According to the Washington Post, one of the main developments bringing these issues to a head has been the popularity of mobile gaming. The content is naturally appealing to children, and these applications have also drawn the interest of social media sites such as Facebook and Twitter. The trouble is, the in-game plug-ins designed by these third parties rarely have their data security credentials vetted by the application developers.

In response, the FTC now hopes to bring external ad network and plug-in operators under the jurisdiction of COPPA and hold original content providers accountable for the actions of these business partners.

"Given these changes in technology, the commission now believes that an operator of a child-directed site or service that chooses to integrate into its site or service other services that collect personal information from its visitors should be considered a covered operator under the rule," the new amendment states.

Enabling parents

The primary controversy surrounding third-party services is not that they are collecting data, but how and when they are obtaining it. Original COPPA statutes have required websites producing child-oriented content to get parental consent before gathering the names and email addresses of users under the age of 13. But according to the Wall Street Journal, application developers and web marketers have been finding ways to circumvent these rules in recent years.

For instance, many smartphone games now connect to social communities. So to upload their latest high scores to online leaderboards, all kids have to do is provide some basic information and agree to privacy terms and conditions with a few taps on their mobile touchscreens.

"Now everybody's got a computer in their pocket," Mary Engle, head of the FTC's advertising practices division, told the Journal.

To address this potential data privacy vulnerability, the FTC is proposing that any third-party service provider attaching its software to a website or application designed for children must now explicitly obtain parental consent before collecting user information. Additionally, both website owners and their service providers will be held accountable for ensuring this practice is followed.

Although there has been some pushback from the online industry, it is important to remember that the statutes will not affect data that is collected to support the internal operation of a website. Additionally, websites that attract a mixed demographic will no longer have to treat all users as if they are children and can instead set up screening mechanism to determine user age and govern the data they supply accordingly.

Data Security News from SimplySecurity.com by Trend Micro