Online companies can’t collect photos, videos or location data from children without a parent’s permission, under expanded privacy rules adopted by the U.S. Federal Trade Commission.
The new regulations, the result of a two-year review process, revise the FTC’s standards for enforcing a 1998 child- privacy law and create new boundaries for the activities of websites and online services operated by companies such as Walt Disney Co. and Facebook Inc.
“The commission takes seriously its mandate to protect children’s online privacy in this ever-changing technological landscape,” FTC Chairman Jon Leibowitz said yesterday in a news release. The changes “strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities.”
The 1998 Children’s Online Privacy Protection Act requires operators of websites directed at children under 13 to give notice to parents and obtain their consent before collecting, using or disclosing children’s personal information. Changing technologies, such as the use of mobile devices and social networking, prompted the revisions, the FTC said.
“The new rules should help ensure that companies targeting children throughout the rapidly expanding digital media landscape will be required to engage in fair marketing and data collection practices,” Kathryn Montgomery, a communication professor at American University, said in an e-mail. The FTC will have to monitor companies and take action against violators for the rules to be effective, she said.
The new rules require parental consent for collecting Internet Protocol addresses and mobile-device IDs that recognize users over time and across multiple websites. They also close a loophole through which websites and applications directed at children could let outside services gather information without parental notice and consent, the FTC said.
Those outside services include so-called plug-ins, such as Facebook “Like” buttons on other companies’ websites, or advertising networks. The agency said that the new rules apply to services that have “actual knowledge” they are collecting information through a children’s website or app.
“While we’re still reviewing the FTC’s final rule, we are pleased the commission clarified the limited circumstances under which providers of social plug-ins would be subject to COPPA when those plug-ins are displayed on other websites,” Erin Egan, Facebook’s chief privacy officer, said in an e-mail.
Disney looks “forward to working with the FTC as we implement the new rules and continue to offer innovative and entertaining services for kids and families,” according to an e-mailed statement from Zenia Mucha, a company spokeswoman.
The new rules don’t extend to “platforms” such as Apple Inc.’s Apple App Store and Google Inc.’s Google Play, which offer access to children’s apps.
The rules are written in a way that could expand child- privacy obligations to websites aimed at general audiences of all ages and may “confuse website owners as to whether these new rules apply to them,” the Washington-based Center for Democracy & Technology said in a statement e-mailed by spokesman Brock Meeks.
Uncertainty could prompt more websites to demand a user’s age, a practice that “runs counter to the First Amendment right to access information anonymously and increases the collection of potentially sensitive information generally,” according the group, which received funding last year from technology companies including Facebook and Google.
Senator Jay Rockefeller, a West Virginia Democrat who is chairman of the Senate Commerce Committee, said in an e-mailed statement that the FTC action reflects “common-sense updates” to the child-privacy rules “that better reflect the realities of the current online world.”
The new rules take effect July 1.