Comments of the Privacy Rights Clearinghouse
Federal Trade Commission
COPPA Rule Review, 16 CFR Part 312
Project No. P-104503
Submitted December 23, 2011
I. “Personal Information”
II. Definition of “Collects or Collection”
III. Confidentiality, Security and Integrity of Personal Information Collected from Children
IV. Data Retention and Deletion Requirements
V. Conclusion
The Privacy Rights Clearinghouse (PRC) appreciates the opportunity to comment on the Federal Trade Commission’s (Commission) proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule). As a nonprofit consumer privacy education and advocacy organization, the PRC is pleased with the Commission’s proposed rule updates.
Since the COPPA Rule was implemented in 2000, the ways in which individuals access and utilize the Internet have significantly changed. Consumers of all ages can, at any time, interact online with companies and one another with portable devices like smartphones and tablets. As individuals conduct more of their lives online, companies are increasingly able to collect robust and detailed information. When compiled, this information becomes both valuable and subject to many uses and potential abuses.
The PRC believes that, with its proposed changes to the COPPA Rule, the Commission has taken an important step towards enabling parents to exercise choice over their children’s online interactions. We encourage the FTC to adopt the proposed changes in the final rule to promote transparency and responsible information handling practices. In particular, the PRC supports the Commission’s proposal expanding the definition of “personal information”; including passive tracking in the definition of “collects or collection”; enhancing the confidentiality, security, and integrity of personal information disclosed to third parties; and limiting data retention.
I. “Personal Information”
The COPPA Rule requires covered operators to obtain parental consent prior to collecting a child’s personal information. The Commission proposes expanding the definition of “personal information” to include screen/user names, persistent identifiers, photographs, videos, audio files, and geolocation information. These additions address many significant changes in the online landscape that have taken place since the COPPA Rule’s implementation.
Screen names and user names can often reveal the identity of a person independent of any outside information. Persistent identifiers can be used to track and compile information on individual devices that are often used by one person or a few individuals. As facial recognition advances, photos and videos have the potential to be analyzed and used to target and potentially identify individuals. Photos and videos may also reveal an individual’s location through geotagging. Finally, if collected and compiled, geolocation information can reveal information as detailed as someone’s daily routine and place of residence.
As the Commission notes, data may easily be combined to create very detailed profiles on individuals and their online habits. As devices become increasingly personal and specific to one user (as is the case with smartphones and tablets), accurate tracking and targeting become easier. This is true for children, teens, and adults alike. While the PRC considers such information to be “personal information” regardless of a consumer’s age, the PRC is confident that expanding the current definition will allow parents more meaningful control and choice surrounding the collection and use of their children’s information.
II. Definition of “Collects or Collection”
The Commission should adopt its proposed change to the definition of “collects or collection” to include all passive tracking regardless of the technology used. In general, consumers are not given sufficient notice and choice regarding how and for what purposes personal data is collected and used by sites and third parties. This is especially true for online tracking and behavioral advertising, and is further complicated on mobile devices that have small screens. The PRC believes that by including passive tracking in the definition of “collects or collection” a site or service will have added incentive to provide parents with adequate notice of data collection practices.
III. Confidentiality, Security and Integrity of Personal Information Collected from Children
The current COPPA Rule requires operators to disclose in their privacy policies whether third parties have agreed to maintain the confidentiality, security, and integrity of personal information the operator discloses. Under the proposed changes, operators would be required to take reasonable measures to ensure the confidentiality, security, and integrity of personal information disclosed to third parties. The PRC supports the proposed revision as it would enhance consumer trust and reduce the likelihood that data will be mishandled when disclosed to an outside party.
IV. Data Retention and Deletion Requirements
Data minimization is integral to responsible information handling. It is important to collect only the minimum amount of information necessary, use the information only for stated purposes, and retain information only as long as needed. The PRC therefore fully supports the Commission’s proposal to require operators to retain children’s information no longer than is reasonably necessary to fulfill the stated purpose and take reasonable precautions when deleting the information.
We encourage the Commission to include the proposed changes in the final rule and believe that doing so will help ensure that children’s personal information is not saved and used retroactively for initially unstated purposes. Deleting unnecessary data also minimizes the impact of data breaches. The PRC has been tracking data breaches since 2005, and we have observed a noticeable difference in the effects of data breaches. The results vary from the risk of data subjects being vulnerable to phishing attacks to identity theft or the release of sensitive medical information. Data breaches are not only harmful to those whose information is breached, but they are also exceedingly expensive for the companies maintaining the data. Accordingly, we suggest that the Commission lay out appropriate time frames for data retention and deletion.
V. Conclusion
The PRC is pleased with the Commission’s initiative to update the COPPA Rule. We believe that all individuals deserve as much control as is feasible over the collection and use of their personal information. The Commission’s proposed changes offer a mechanism for parents to exercise such control over their children’s information. The PRC therefore urges the Commission to incorporate the changes, especially those mentioned above, into the final rule.
Once the changes are implemented, we encourage the FTC to continue to enforce COPPA consistently and to offer guidance on how covered operators may comply while simultaneously providing consumers with clear, conspicuous, and readable policies.
Respectfully submitted,
Beth Givens, Director
Meghan Bohn, Staff Attorney
Privacy Rights Clearinghouse