New Child Protection Rules Create A Retail Catch-22
Written by Evan SchumanA few days before Christmas, the U.S. Federal Trade Commission (FTC) approved major changes to its online child protection rules, including adding geolocation data, IP address and mobile device ID to the information that can’t be recorded from a site visitor who is younger than 13 years old.
The problem for retail chains is the vagueness of definitions for sites aimed at children. Is the toy section of Walmart.com such a site? What about games at McDonalds.com? Then there’s the Catch-22 of asking ages online. If you ask, you’ll be required to segregate the data from anyone in that age group and handle it—no pun intended—with kid gloves. (No pun intended. That was a play on words, not a pun.) And if you don’t ask, you have the perfect defense that you didn’t knowingly collect data from under-age shoppers without parental consent. Did the FTC really intend to encourage what Legal Columnist Mark Rasch calls the Sgt. Schultz Defense?
The changes would also make photos, video and audio related to children younger than 13 no longer collectable without parental consent, according to the Children’s Online Privacy Protection Act (COPPA). Indeed, all COPPA restrictions speak to parental consent. If the site gets that consent (and how it gets that consent is even more complicated), then it has carte blanche to store that information for under-age shoppers and use it as it sees fit. The changes also, in the words of the FTC, “closed a loophole” that permitted third parties to collect that child’s information on retailers’ behalf.
Concerns about how COPPA impacts retailers that are not primarily focused on children younger than 13 is nothing new. And updating rules to acknowledge 21st Century technology is a move to be applauded. But the restrictions on mobile tracking, and especially IP addresses, is potentially problematic.
FTC Chairman Jon Leibowitz’s comments about the rule changes make it clear that the FTC is envisioning CRM profiles, in addition to standard Web analysis tools that aggregate all information about site visitors and can often identify many of them.
“We also extend the rule to cover persistent identifiers like IP addresses and mobile device IDs, which could be used to build massive profiles of children by behavioral marketers,” Leibowitz said. “The only limit we place is on behavioral advertising and, in this regard, our rule is simple, effective, and straightforward: until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising purposes. Period.”
The term “behavioral advertising purposes” is interesting. Is it strictly limited to a traditional ad on a site for something else, such as an ad for a toy truck on a comedy TV show’s Web site? Or would it include Target.com’s description of a product it’s selling right there on the site?
As a practical matter, how is a site to differentiate a young person’s IP address?
Pages: 1 2
Leave a Reply
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Starbucks isn't going to replace their existing enterprise POS system with apps that have 1 percent of the functionality, control and reporting that they need to run their business. Likewise, I'm not going to replace my BMW with a free skateboard, just because both technically enable me to get from A to B.
-Gavin Phillips
