* Proposal updates rule proposed in September
* Websites, apps, data brokers would all be under rule
* Family websites would be allowed to collect data on adults
By Jasmin Melvin
WASHINGTON, Aug 1 U.S. regulators proposed a revised rule on Wednesday to protect children's privacy online, aimed at boosting privacy safeguards on mobile devices and ensuring that websites and third-party data brokers get parental permission before they collect children's data.
The Federal Trade Commission would make websites, mobile apps and data brokers all responsible for data collected about children by third parties like data brokers, strengthening a proposed update of its Children's Online Privacy Protection Rule that it had released last September.
Previously it was unclear who had responsibility for third party collection.
"The commission did not foresee how easy and commonplace it would become for child-directed sites and services to integrate social networking and other personal information collection features into the content offered to their users, without maintaining ownership, control or access to the personal data," the commission said in its proposed rule.
The proposal also specifies that family websites, which are websites aimed at children and adults, would be allowed to screen users to determine their ages and only provide protection to children under age 13.
Currently, all visitors to the websites must be treated as if they are under age 13.
A privacy expert said the rule proposal could expand the reach of the Children's Online Privacy Protection Act (COPPA).
Any website directed at children that adds social networking plug-ins like Facebook Inc's "like" feature or that works with a third-party ad network to generate revenue could be held liable, under the proposal, if that data collection occurs without parental consent, said David Jacobs, consumer protection fellow at the Electronic Privacy Information Center.
"That's a good development," Jacobs said.
The FTC said ad networks and plug-ins would not have to probe or monitor whether their services were used on child-directed services, but if they have a "reason to know" then they could not ignore that information and would need to comply with COPPA.
"Before you could turn a little bit of a blind eye (to children on websites like Facebook) but if this rule is adopted as proposed it will be significantly harder to do that," said a privacy attorney who spoke anonymously to protect business relationships.
Facebook, which one study found has 7.5 million children as members even though it bans the 12-and-under set, said it was reviewing the FTC's proposal.
"While Facebook's policies prohibit children under the age of 13 from signing up for our service, we are committed to improving protections for all young people online and helping them benefit from new services and technologies," said Andrew Noyes, the company's public policy communications manager.
The FTC's proposal updates the definition of "personal information" to require parental permission before identifiers like IP addresses, that can be used to recognize a user over time or across different sites or services, could be collected while children surf the Internet.
Data-collecting tracking cookies placed on a computer were added to the definition of "personal information" last September since they can be used to identify the computer's user.
The proposal is open for comment until Sept. 10. The commission will then come out with a final rule, perhaps by the end of the year.
The COPPA law requires that website and online service operators obtain verifiable consent from parents before collecting, using or disclosing personal information of children under 13.
The FTC's rule implementing COPPA became effective in 2000.
After an FTC rule is approved, companies may be vulnerable to expensive class action lawsuits, said legal information technology expert Daren Orzechowski from the law firm White and Case, LLP.
"Any time you pass a new law or regulation you have to look at how the class action bar will take advantage of that," he said.
Lawmakers and privacy advocates have argued that tech companies are generally not doing enough to safeguard their customers' privacy.
The FTC and White House unveiled earlier in the year privacy frameworks that would give all Internet users, not just those under 13, greater control over how their personal data is collected, shared and used by advertisers and tech companies.
Those frameworks rely heavily on voluntary commitments by Internet companies and advertisers.