• by Wendy Davis  @wendyndavis, September 15, 2011

The Federal Trade Commission on Thursday proposed that companies be prohibited from using behavioral targeting techniques on children under 13 without their parents' permission.

The FTC issued its recommendation as part of its long-awaited proposed update to regulations implementing the Children's Online Privacy Protection Act. That law, which went into effect more than 10 years ago, bans Web site operators from knowingly collecting "personal information" from children, but empowers the FTC to define the term.

Currently, names, email addresses, street addresses and phone numbers are all considered personal information. In its proposal, the FTC said the definition of personal information should be expanded to include any "unique identifier" -- including tracking cookies, device serial numbers and, in some cases, IP addresses.

"Developments in technology in the intervening 12 years since the COPPA Rule was issued, and the resulting implications for consumer privacy, have led to a widespread reexamination of the concept of "personal information" and of the types of information COPPA should cover," the FTC said in its report.

Specifically, the FTC proposes defining personal information as "an identifier that links the activities of a child across different Web sites or online services."

At the same time, the FTC declined to propose some changes that could have dramatically affected a host of services, including social networking sites. The FTC's proposed regulations continue to provide that only operators who actually know that users are under 13 (or operators of sites geared just to young kids) need to obtain parental consent.

The commission specifically rejected a proposal that sites with reason to suspect that users are under 13 should be required to get parents' consent. That means that services like Facebook, which says it requires users to be older than 12, can continue to collect information from young users who have lied about their age.

Jeffrey Greenbaum, an advertising lawyer with Frankfurt Kurnit Klein & Selz, says the FTC's approach shows restraint, despite the new ban on targeting kids. "The FTC took a reasoned approach here," says Greenbaum, who spoke last year at a commission roundtable about COPPA. "I went into the hearing very concerned that the FTC was going to put handcuffs on technology that's evolving at a rapid pace."

But some ad groups indicated they are concerned about the proposals. Interactive Advertising Bureau general counsel Mike Zaneis said through a spokesperson that the group has questions about how to implement a rule applying COPPA to "anonymous" devices.

The Direct Marketing Association also took issue with including device identifiers in the definition of personal information. "The DMA strongly believes that such a definition should include only information that in fact permits the direct communication with a specific, identifiable person -- not a device that could be used by multiple people, including children under 13 or adults," the group stated.

The FTC said in the report that one reason for including device identifiers is because Web users are more likely to access the Internet from handheld devices like tablets or smartphones, rather than shared computers. "With this change in computing use, operators now have a better ability to link a particular individual to a particular computing device," the report states.

Another controversial portion of the report deals with methods for obtaining parental consent. The FTC proposed doing away with "email plus," which allowed sites to send emails to parents and ask them to take one other step, such as providing a ZIP code. The FTC said it had received critical comments pointing out that site operators obtain the email addresses from children and have no way of knowing whether the addresses really belong to their parents.

In its place, the FTC suggested mechanisms like signed consent forms or collection of government-issued identification from parents. That latter proposal drew a rebuke from the digital rights group Center for Democracy & Technology. "This method for verification could create serious chilling effects on parents' willingness to consent to their child's use of a website and raises privacy concerns for parents without securing a greater level of certainty in parental consent," Emma Llansó, CDT Policy Counsel, said in a statement.

Lawmakers, including Sen. Jay Rockefeller (D-W.Va.) and Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas), praised the FTC's report overall, as did consumer advocates. "This is a major victory for a broad coalition of groups concerned about children's privacy," said Jeffrey Chester, executive director of the Center for Digital Democracy.

The FTC will accept comments on the proposals through Nov. 28.