The Federal Trade Commission on Wednesday expanded children's privacy rules by prohibiting online ad networks from using anonymous cookies to collect data from visitors to sites directed to children younger than 13.
The new rules, which effectively ban the use of behavioral targeting techniques on sites directed to young children, are part of the FTC's long-awaited update to the Childrens' Online Privacy Protection Act.
That law bans Web site operators from knowingly collecting personal data from children under 13 without their parents' consent, but tasks the FTC with defining terms like "personal information" and "web site operator."
The FTC's final regulations broaden the definition of personal information to include data used by ad networks to create behavioral profiles, including persistent cookies and mobile device identifiers. The definition also now includes IP addresses, geolocation data and photos of children.
In another expansion, the FTC also said that "Web site operators" include not only publishers, but also third parties like ad networks and services with social plug-ins.
The parental consent rules only apply at Web sites directed to children under 13, or if ad networks and other third parties know that they're collecting information from children. In that respect, the final rules significantly scaled back from an earlier proposal that would have banned ad networks and other third parties from collecting data when they had "reason to know" that users were under 13.
Some lawyers say that the retreat from the "reason to know" standard is good news for online companies. "The rules are not as broad as they previously pondered," says Greg Boyd, a Frankfurt Kurnit Klein & Selz partner who represents interactive entertainment and new media clients.
At the same time, the rules also appear to impose new policing requirements on publishers of childrens' sites, which now must prevent third parties from dropping cookies or collecting other data without parents' permission. "All of the kids' sites are now going to have to spend more time, energy and money in taking appropriate steps to monitor and oversee and audit and ensure against third-party misbehavior," says attorney John Feldman, a Reed Smith partner who focuses on advertising and consumer protection law at the firm Reed Smith.
FTC Chairman Jon Leibowitz said on Wednesday that the new regulations "close a loophole" that allowed companies to collect data from children through plug-ins. "Advertisers and even advertising networks can continue to advertise on sites directed to children," Leibowitz said. He added that the only limit the FTC has placed on advertisers and networks is that they can't engage in online behavioral advertising. "Unless and until you get parental consent, you may not build massive profiles," he said.
The regulations specify that ad networks and other companies can continue to collect data from child-directed sites, as long as the information is used for matters like contextual advertising, frequency capping, and site analysis.
The FTC also specified that platforms like Google Play and the App Store are not liable if they offer child-directed apps that violate the new rules. Leibowitz said that those app stores aren't covered because they're not aimed at children, but at a general audience.
Commissioner Maureen Ohlhausen dissented from the new rules. She objected to the portion of the regulations that would impose liability on publishers when third parties collect data from the publishers' sites.
Industry groups like the Interactive Advertising Bureau had opposed the changes. They said the FTC wasn't empowered to define personal information as cookies, arguing that cookies identify devices, not individual users.
But a coalition of watchdogs and privacy groups, including the Center for Digital Democracy, urged the FTC to ban behavioral targeting of children. Jeff Chester, executive director of the organization, praised the updates. “We are especially gratified that this decision puts to rest the longstanding and disingenuous claims by the digital marketing industry that cookies and other persistent identifiers are not personally identifiable information," he stated.