* Proposal updates rule proposed in September
* Websites, apps, data brokers would all be under rule
* Family websites would be allowed to collect data on adults
By Jasmin Melvin
WASHINGTON, Aug 1 U.S. regulators proposed a
revised rule on Wednesday to protect children's privacy online,
aimed at boosting privacy safeguards on mobile devices and
ensuring that websites and third-party data brokers get parental
permission before they collect children's data.
The Federal Trade Commission would make websites, mobile
apps and data brokers all responsible for data collected about
children by third parties like data brokers, strengthening a
proposed update of its Children's Online Privacy Protection Rule
that it had released last September.
Previously it was unclear who had responsibility for third
"The commission did not foresee how easy and commonplace it
would become for child-directed sites and services to integrate
social networking and other personal information collection
features into the content offered to their users, without
maintaining ownership, control or access to the personal data,"
the commission said in its proposed rule.
The proposal also specifies that family websites, which are
websites aimed at children and adults, would be allowed to
screen users to determine their ages and only provide
protection to children under age 13.
Currently, all visitors to the websites must be treated as
if they are under age 13.
A privacy expert said the rule proposal could expand the
reach of the Children's Online Privacy Protection Act (COPPA).
Any website directed at children that adds social networking
plug-ins like Facebook Inc's "like" feature or that works
with a third-party ad network to generate revenue could be held
liable, under the proposal, if that data collection occurs
without parental consent, said David Jacobs, consumer protection
fellow at the Electronic Privacy Information Center.
"That's a good development," Jacobs said.
The FTC said ad networks and plug-ins would not have to
probe or monitor whether their services were used on
child-directed services, but if they have a "reason to know"
then they could not ignore that information and would need to
comply with COPPA.
"Before you could turn a little bit of a blind eye (to
children on websites like Facebook) but if this rule is adopted
as proposed it will be significantly harder to do that," said a
privacy attorney who spoke anonymously to protect business
Facebook, which one study found has 7.5 million children as
members even though it bans the 12-and-under set, said it was
reviewing the FTC's proposal.
"While Facebook's policies prohibit children under the age
of 13 from signing up for our service, we are committed to
improving protections for all young people online and helping
them benefit from new services and technologies," said Andrew
Noyes, the company's public policy communications manager.
The FTC's proposal updates the definition of "personal
information" to require parental permission before identifiers
like IP addresses, that can be used to recognize a user over
time or across different sites or services, could be collected
while children surf the Internet.
Data-collecting tracking cookies placed on a computer were
added to the definition of "personal information" last September
since they can be used to identify the computer's user.
The proposal is open for comment until Sept. 10. The
commission will then come out with a final rule, perhaps by the
end of the year.
The COPPA law requires that website and online service
operators obtain verifiable consent from parents before
collecting, using or disclosing personal information of children
The FTC's rule implementing COPPA became effective in 2000.
After an FTC rule is approved, companies may be vulnerable
to expensive class action lawsuits, said legal information
technology expert Daren Orzechowski from the law firm White and
"Any time you pass a new law or regulation you have to look
at how the class action bar will take advantage of that," he
Lawmakers and privacy advocates have argued that tech
companies are generally not doing enough to safeguard their
The FTC and White House unveiled earlier in the year privacy
frameworks that would give all Internet users, not just those
under 13, greater control over how their personal data is
collected, shared and used by advertisers and tech companies.
Those frameworks rely heavily on voluntary commitments by
Internet companies and advertisers.