Comments Before the Federal Trade Commission Regarding the Children's Online Privacy Protection Rule
Contents
Evaluating Proposed Changes to the COPPA Rule. 2
Audience Composition Analysis 3
Introduction and Summary
The Information Technology and Innovation Foundation (ITIF) is pleased to submit these comments in response to the Federal Trade Commission’s (FTC) request for public comment concerning the Children’s Online Privacy Protection (COPPA) Rule.[1] ITIF is a nonprofit, non-partisan public policy think tank based in Washington, D.C., committed to articulating and advancing pro-productivity, pro-innovation, and pro-technology public policy agendas around the world that spur growth, prosperity, and progress.
Some of the FTC’s proposed changes would go beyond COPPA’s scope of protecting children’s individually identifying information, such as limiting the collection of persistent identifiers for contextual advertising and adding all forms of biometric identifiers to the definition of personal information. These proposed changes would come with high costs, in the form of direct compliance costs and “hidden” costs such as lower productivity and less innovation, for little benefit.[2] Additionally, the FTC’s proposal to require operators to obtain separate verifiable parental consent for disclosure of a child’s personal information to third parties may also impose an unnecessary burden on both parents and businesses.
Despite these flaws, aspects of the FTC’s proposed rulemaking would be beneficial for the U.S. digital economy. Above all, the FTC’s affirmation of COPPA’s actual knowledge standard is crucial to ensure operators can continue to comply in good faith with COPPA’s requirements and protect children without significantly increasing compliance costs and potentially resorting to measures that could undermine the privacy or security of their users.[3] Meanwhile, allowing operators to conduct an analysis of their audience composition to avoid classification as a child-directed online service would not only benefit those operators, but incentivize more online services to analyze their audience and provide the FTC with this information, which could inform future rulemaking.
Evaluating Proposed Changes to the COPPA Rule
Biometric Identifiers
5. The Commission proposes adding biometric identifiers such as fingerprints, retina and iris patterns, a DNA sequence, and data derived from voice data, gait data, or facial data to the definition of “personal information.” Should the Commission consider including any additional biometric identifier examples to this definition? Are there exceptions to the Rule's requirements that the Commission should consider applying to biometric data, such as exceptions for biometric data that has been promptly deleted?
The FTC’s definition of biometric identifiers is overly broad, including information that is not individually identifying. Multiple states have passed privacy legislation that protect biometric data, but limit their definitions to biometric data that identifies a specific individual. Unlike the FTC’s definition, these definitions do not include photographs or video or audio recordings of an individual or health information already covered under the Health Insurance Portability and Accountability Act (HIPAA).[4] Creating a materially different definition of biometric identifiers for the COPPA Rule would needlessly complicate the United States’ already complex regulatory environment. This would create confusion for consumers and impose multiple, duplicative compliance costs on businesses, to the detriment of the digital economy.[5]
Additionally, by including information that is not individually identifying, the FTC’s definition of biometric identifiers goes beyond COPPA’s definition of personal information as “individually identifiable information about an individual collected online.”[6] The FTC should instead limit its definition to the well-established, industry-supported definition most state privacy laws use to define biometric information, which would protect children’s individually identifiable biometric data.
Contextual Advertising
10. Operators can collect persistent identifiers for contextual advertising purposes without parental consent so long as they do not also collect other personal information. Given the sophistication of contextual advertising today, including that personal information collected from users may be used to enable companies to target even contextual advertising to some extent, should the Commission consider changes to the Rule's treatment of contextual advertising?
Contextual advertising is very different from targeted advertising, though both are key aspects of the digital economy. Targeted or personalized advertising target users based on individual characteristics, such as showing an advertisement for a university to local young adults, or past online behaviors, such as showing ads for a university to users who visited a fan site for one of the school’s sports teams. In contrast, contextual advertising place ads alongside content or search results related to the product or service being advertised.[7] For example, the same university might advertise on college prep websites or in search results about student loans.
These different forms of advertising carry different privacy implications. Targeted advertising relies on the collection of users’ personal information, whereas contextual advertising only requires information about the webpages on which ads appear. While it is possible to infer certain information about users based on the webpages they visit, this information alone could not individually identify each user. As operators would need to obtain parental consent to collect additional personal information, collecting persistent identifiers for contextual advertising purposes does not violate children’s privacy.
Furthermore, creating additional barriers to contextual advertising on top of COPPA’s existing restrictions on targeted advertising would have a chilling effect on innovation in the digital economy, particularly for child-friendly online services. Limiting the use of persistent identifiers would make it hard for businesses using contextual advertising to limit how many times they show an ad to the same user, thereby reducing ad effectiveness and their willingness to pay for contextual ads. Advertising is an important source of revenue for many online services, particularly those that offer their services to users for free. Alternative revenue streams require online services to charge their users either a flat fee or subscription to use the service. This would have the greatest impact on low-income households, potentially depriving children in these households from access to educational and entertaining online resources.[8]
Audience Composition Analysis
11. With regard to the definition of “website or online service directed to children,” the Commission would like to obtain additional comment on whether it should provide an exemption for operators from being deemed a child-directed website or online service if such operators undertake an analysis of their audience composition and determine no more than a specific percentage of its users are likely to be children under 13.
Allowing operators to avoid identification as a child-directed online service would provide a net benefit for operators, users, and the FTC. The benefit to operators is self-evident, as these operators of online services with a small percentage of users under 13 would not have to adhere to unnecessary requirements and thus lower their compliance costs. These savings could instead go toward innovative new features and services that users would benefit from. Adult users would also benefit if operators of online services with a small percentage of users under 13 had the freedom to further tailor their services to the users that make up the vast majority of their audience. Finally, as operators who choose to conduct audience composition analyses and submit their results to the FTC, the FTC would gain greater insight into those online services’ audiences that may inform future rulemaking.
Separate Parental Consent
14. To effectuate §312.5(a)(2), which requires operators to give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of the child's personal information to third parties, the Commission proposes requiring operators to obtain separate verifiable parental consent prior to disclosing a child's personal information, unless such disclosure is integral to the nature of the website or online service. Should the Commission implement such a requirement? Should the consent mechanism for disclosure be offered at a different time and/or place than the mechanism for the underlying collection and use? Is the exception for disclosures that are integral to the nature of the website or online service clear, or should the Commission clarify which disclosures are integral? Should the Rule require operators to state which disclosures are integral to the nature of website or online service?
The FTC’s proposal to require operators to obtain separate verifiable parental consent for the collection and use of children’s personal information and the disclosure of that information to third parties lacks enough detail to determine whether such a requirement would increase or decrease the burden of compliance on operators of online services. On the one hand, such a provision may lead to increased opportunities for data collection with consent, as some parents may agree to allow online services to collect their children’s personal information so long as it is not shared with third parties. However, if the process of obtaining separate consent is overly burdensome on either operators or parents, this provision would create more unnecessary friction for both parties. The FTC should further elaborate on this proposed change and seek additional comment.
Conclusion
Protecting children’s privacy online is an important goal, especially given the continued lack of comprehensive federal privacy regulation in the United States. With a few minor changes to proposed provisions related to biometric identifiers, contextual advertising, and separate parental consent, the FTC’s updates to the COPPA rule would improve protections for children while ensuring operators of online services do not face overly burdensome requirements that would also affect their users.
Thank you for your consideration.
Endnotes
[1]. “Children’s Online Privacy Protection Rule,” Federal Trade Commission, January 11, 2024, https://www.federalregister.gov/documents/2024/01/11/2023-28569/childrens-online-privacy-protection-rule.
[2]. Ashley Johnson and Daniel Castro, “Maintaining a Light-Touch Approach to Data Protection in the United States” (ITIF, August 2022), https://itif.org/publications/2022/08/08/maintaining-a-light-touch-approach-to-data-protection-in-the-united-states/.
[3]. Ashley Johnson, “Updated Children’s Safety Bills Still Contain Serious Flaws,” ITIF, March 6, 2024, https://itif.org/publications/2024/03/06/updated-childrens-safety-bills-still-contain-serious-flaws/.
[4]. See, for example, the Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Montana Consumer Data Privacy Act, New Jersey Data Protection Act, Oregon Consumer Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act.
[5]. Ashley Johnson, “How Congress Can Foster a Digital Single Market in America” (ITIF, February 2024), https://itif.org/publications/2024/02/20/how-congress-can-foster-a-digital-single-market-in-america/.
[6]. 15 U.S.C. § 6501.
[7]. “ITIF Technology Explainer: How Do Online Ads Work?” (ITIF, November 2021), https://itif.org/publications/2021/11/02/itif-technology-explainer-how-do-online-ads-work/.
[8]. Ashley Johnson, “Comments to the NTIA Regarding Privacy, Equity, and Civil Rights” (ITIF, March 2023), https://itif.org/publications/2023/03/06/comments-to-the-ntia-regarding-privacy-equity-and-civil-rights/.
