IAB warns against FTC rules that could harm Children's Online Access

The Interactive Advertising Bureau (IAB) this week raised concerns about proposed changes to the Federal Trade Commission's (FTC) Children's Online Privacy Protection Rule (COPPA).

The trade association believes these changes could lead to services and content becoming inaccessible to children, while also undermining essential fraud protection activities.

Key Arguments from the IAB

• "Actual Knowledge" is Key: IAB supports the FTC's stance that websites and services should only be responsible for collecting age information if they have "actual knowledge" that they are dealing with children. Imposing a broader expectation could incentivize companies to collect more information than necessary, which is counterproductive for protecting children's privacy.
• Biometric Data Overreach: IAB argues the FTC's plan to include vast categories of biometric data (like derived voice, gait, and facial data) in its definition of "personal information" exceeds the agency's authority. This move would also create inconsistencies with state laws and could lead to the collection of even more sensitive data.
• Screen Names and Avatars: IAB believes the FTC plan to treat screen names and avatars as inherently identifying information would force many online services to either stop serving children or collect even more personal information from them to comply with the law.
• Internal Operations at Risk: The IAB argues the FTC's proposal could undermine the long-standing "internal operations" exception in COPPA. This exception allows companies to collect limited data for essential functions like fraud prevention and improving the user experience.

What's at Stake

The FTC aims to modernize COPPA to address privacy concerns in the ever-evolving digital landscape. However, the IAB fears that the proposed changes are too broad. Critically, they contend that some of the new rules will ultimately do more harm than good:

• Reduced Content for Children: Services might stop catering to children if compliance becomes too difficult, leading to reduced online options.
• Privacy Paradox: To comply, companies might need to collect more sensitive information from both children and parents to verify age.
• Safety Concerns: Limitations on data collection could hinder important fraud protection and safety measures that benefit all users, including children.

COPPA

COPPA stands for the Children's Online Privacy Protection Act. It's a US federal law designed specifically to protect the online privacy of children under the age of 13.

COPPA was enacted in 1998 and came into effect in April 2000. It has been amended over the years to keep pace with evolving technologies.

The Federal Trade Commission (FTC) is the primary agency responsible for enforcing COPPA.

Operators of websites and online services directed to children under 13, or those who knowingly collect personal information from children under 13, are directly responsible for complying with COPPA regulations.

COPPA requires operators to:

• Provide clear and comprehensive privacy notices: Explain what information they collect from children, how it's used, and with whom it might be shared.
• Obtain verifiable parental consent: Get permission from a child's parent before collecting, using, or disclosing certain types of personal information.
• Implement reasonable security measures: Protect the confidentiality, security, and integrity of children's personal information.
• Allow parents to review and control their child's information: Provide parents with access to their child's personal information, the ability to correct it, and the option to revoke consent for future collection.

COPPA exists to address these core concerns:

• Children's Limited Understanding: Young children might not fully grasp the implications of sharing personal information online. COPPA gives parents control in making those decisions.
• Data Collection and Tracking: Websites and services often collect extensive data for commercial purposes. COPPA limits the types of personal information that can be collected from children and how that data is used.
• Targeted Marketing: COPPA aims to shield children from manipulative or unsuitable marketing practices that may take advantage of their vulnerabilities.