Web sites and mobile apps will have to get parental permission to collect photos, videos and a wide array of other information that children expose online under federal guidelines released Wednesday.
The Federal Trade Commission’s update to child online privacy laws comes after a two-year debate over how far the government should go to protect the privacy of children 12 and younger without curbing the practices of a thriving Web economy that relies on data for advertising.
Media and Silicon Valley giants such as Facebook and Disney have fought plans that they say would be difficult to implement and would stifle innovation. The FTC’s chairman and public interest groups have said an explosion of tracking tools and the swift adoption of smartphones and tablets in homes and schools have rendered the 1998 Children’s Online Privacy Protection Act too weak.
The revisions, the FTC said, seek to clarify that much of today’s most popular uses of the Web should be more closely guarded when done by children.
“The commission takes seriously its mandate to protect children’s online privacy in this ever-changing technological landscape,” FTC Chairman Jon Leibowitz said. “We think these rules are balanced and very, very strong.”
The amendments require companies to get permission from parents to collect a child’s photographs, videos and geolocational information — all content that social media, online games and mobile devices have made easy to share.
Companies such as Google and Viacom must also have a parent’s consent before using tracking tools, such as cookies, that use IP addresses and mobile device IDs to follow a child’s Web activity across multiple apps and sites. Amassing that data could help a marketing company stitch together detailed profiles of children to be used to deliver tailored advertisements, a practice that should be spared on children, some privacy groups say.
Sorting out the layers of responsibility for companies that share information with each other proved especially difficult. Originally, the FTC proposed that apps such as Facebook, Twitter and Google be broadly liable for the practices of their thousands of partner sites across the Web.
With the “like” function, blue Twitter bird and Google Plus social networking button plastered all over the online world, those companies argued, they often are unaware when their partner sites collect and share data about children.
“We struggled with this at the commission,” Leibowitz said in a news conference Wednesday.
In the end, the FTC decided that those companies would be liable only when they have “actual knowledge” that their partner sites are collecting information about children.
App stores such as Apple’s iTunes and Google Play won’t be liable for the child privacy practices of its hundreds of thousands of apps, the FTC said.
Leibowitz said violators of the rules will be subject to fines as high as $16,000 per incident.
“Parents, not social networks or marketers, will remain the gatekeepers when it comes to their children’s privacy not only online but also on phones,” said Jim Steyer, chief executive of the child media advocacy group Common Sense Media.
Others said the updates were too heavy-handed and might define a kid-oriented site too broadly. Angry Birds, for example, is a game that is largely popular among adults but is animated and may appear to be aimed at children.
Lynette Mattke, the developer of Rockville-based PicPocket Books, fears heavy legal costs from the rules. Mattke estimates she would have to spend as much as $10,000 to draw up privacy policies and put in place a system to verify the age of users and gain a parent’s permission. She would like to collect information about children to personalize her app so users can create logs and reading goals. But she has decided against that in light of the rules.
“Ironically, the public library is able to get more data about children than I can at this point,” she said.
Federal officials say the mobile apps space in particular has been a Wild West, where hundreds of apps aimed at children collected personal information and shared it with ad networks without informing parents, according to a study released last week by the FTC.
“We applaud the FTC for its rigorous and comprehensive review of the [Children’s Online Privacy Protection Act] rules and for bringing them up to date with industry changes,” said Kathryn Montgomery, a communications professor at American University and a leading advocate of the updates. “However, the commission will need to engage in ongoing monitoring efforts, as well as strong enforcement actions, if the implementation of these rules is to be effective in the long run.”
Sign up today to receive #thecircuit, a daily roundup of the latest tech policy news from Washington and how it is shaping business, entertainment and science.