New Child Protection Rules Create A Retail Catch-22

Written by Evan Schuman
January 2nd, 2013

A few days before Christmas, the U.S. Federal Trade Commission (FTC) approved major changes to its online child protection rules, including adding geolocation data, IP address and mobile device ID to the information that can’t be recorded from a site visitor who is younger than 13 years old.

The problem for retail chains is the vagueness of definitions for sites aimed at children. Is the toy section of such a site? What about games at Then there’s the Catch-22 of asking ages online. If you ask, you’ll be required to segregate the data from anyone in that age group and handle it—no pun intended—with kid gloves. (No pun intended. That was a play on words, not a pun.) And if you don’t ask, you have the perfect defense that you didn’t knowingly collect data from under-age shoppers without parental consent. Did the FTC really intend to encourage what Legal Columnist Mark Rasch calls the Sgt. Schultz Defense?

The changes would also make photos, video and audio related to children younger than 13 no longer collectable without parental consent, according to the Children’s Online Privacy Protection Act (COPPA). Indeed, all COPPA restrictions speak to parental consent. If the site gets that consent (and how it gets that consent is even more complicated), then it has carte blanche to store that information for under-age shoppers and use it as it sees fit. The changes also, in the words of the FTC, “closed a loophole” that permitted third parties to collect that child’s information on retailers’ behalf.

Concerns about how COPPA impacts retailers that are not primarily focused on children younger than 13 is nothing new. And updating rules to acknowledge 21st Century technology is a move to be applauded. But the restrictions on mobile tracking, and especially IP addresses, is potentially problematic.

FTC Chairman Jon Leibowitz’s comments about the rule changes make it clear that the FTC is envisioning CRM profiles, in addition to standard Web analysis tools that aggregate all information about site visitors and can often identify many of them.

“We also extend the rule to cover persistent identifiers like IP addresses and mobile device IDs, which could be used to build massive profiles of children by behavioral marketers,” Leibowitz said. “The only limit we place is on behavioral advertising and, in this regard, our rule is simple, effective, and straightforward: until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising purposes. Period.”

The term “behavioral advertising purposes” is interesting. Is it strictly limited to a traditional ad on a site for something else, such as an ad for a toy truck on a comedy TV show’s Web site? Or would it include’s description of a product it’s selling right there on the site?

As a practical matter, how is a site to differentiate a young person’s IP address?


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.