App developers and other companies that have knowingly collected geolocation data from children under 13 without obtaining parental consent must do so “immediately,” the Federal Trade Commission said on Thursday.
That mandate was included in the FTC's long-awaited answers to frequently asked questions about new children's privacy rules, slated to take effect on July 1.
The updated Children's Online Privacy Protection Act regulations, announced late last year, impose a host of new restrictions on ad networks, app developers and other Web services companies. Among others, those companies can no longer knowingly collect IP addresses, screen names, geolocation data or photos of children under 13 without their parents' permission. Ad networks and other companies also can no longer draw on data stored in persistent cookies or mobile device identifiers for online behavioral advertising -- broadly defined as delivering ads to people based on activity across sites or apps -- directed at children under 13, without parental permission.
The frequently asked-questions posted on Thursday are not new rules in themselves, but the document provides critical insight into how the agency thinks the regulations should be interpreted, says attorney Gregory Boyd, chairman of the interactive entertainment group at Frankfurt Kurnit Klein & Selz. “The FTC is putting meat on the bones of the rules,” he says. He adds that the guidance is “one of the first lines of interpretation for people who have to work with this day to day.”
In its frequently asked questions, the agency addressed how companies should handle data that was collected from children before the new rules take effect. The FTC says companies need not destroy photos of children collected previously, but also recommends that companies either stop using the photos or obtain parental consent.
The FTC also says that companies can retain children's screen names that were collected in the past, but must obtain parental consent before associating new information with the name. As for information stored in cookies, ad networks and other companies can retain data collected in the past, but can't associate any new data with the cookies absent parental consent.
Geolocation data appears to be the only category of information for which app developers and other companies must obtain retroactive consent. The agency now says that companies always needed parental consent to collect geolocation data, because the prior regulations required consent for any information precise enough to identify names of a street and city or town. “Therefore, operators are required to obtain parental consent prior to collecting such geolocation information, regardless of when such data is collected,” the FTC says in the FAQs.
Some app developers probably will be surprised to learn that the FTC considered geolocation data “personal information” in the past. It wasn't immediately clear on Thursday how app developers should proceed if they're unable to obtain retroactive parental consent.
The frequently asked questions come several days after the Direct Marketing Association, Interactive Advertising Bureau, Application Developers Alliance and other groups asked the FTC to delay the start date of the new rules until next year. Among other reasons, the organizations said that the FTC hadn't yet posted the frequently asked questions.
But privacy advocates say there's no reason for an extension, especially now that the FTC has released the question-and-answer guide. “Parents should soon feel assured that their child will be better protected whether they are using a computer, mobile phone or gaming device. The FTC should apply the new guidelines this July as planned, and reject calls from marketers that they be allowed to continue their data practices which threaten children's privacy,” says Jeff Chester, executive director of the Center for Digital Democracy.
Thursday's guidance reiterates that the new rules prohibit ad networks from engaging in online behavioral advertising on sites or services aimed at children under 13. Among the questions addressed on Thursday was whether ad networks could use persistent identifiers, like cookies, to knowingly send behaviorally targeted ads to children under 13.
The FTC said the answer was no. The agency added that the new rules allow companies to use persistent cookies in order to personalize content -- such as by remembering users' “game scores, or character choices in virtual worlds” -- but not for purposes of personalizing ads based on users' activity across sites or apps.
The frequently asked questions also suggest that online services aimed at children reexamine their privacy policies, says attorney Linda Goldstein, chair of the advertising, marketing and media division at Manatt, Phelps & Phillips. “The message here is that privacy policies should be streamlined, need to have all the information, and can't have promotional material mixed in,” she says. “That's a call to action to the industry to go back and revisit privacy policies.”
The FTC specifies that links to privacy policies must be “clear and prominent,” meaning that the link can't be “in small print at the bottom of the home page,” or “indistinguishable from a number of other, adjacent links.”