New Child Protection Rules Create A Retail Catch-22
Written by Evan SchumanA few days before Christmas, the U.S. Federal Trade Commission (FTC) approved major changes to its online child protection rules, including adding geolocation data, IP address and mobile device ID to the information that can’t be recorded from a site visitor who is younger than 13 years old.
The problem for retail chains is the vagueness of definitions for sites aimed at children. Is the toy section of Walmart.com such a site? What about games at McDonalds.com? Then there’s the Catch-22 of asking ages online. If you ask, you’ll be required to segregate the data from anyone in that age group and handle it—no pun intended—with kid gloves. (No pun intended. That was a play on words, not a pun.) And if you don’t ask, you have the perfect defense that you didn’t knowingly collect data from under-age shoppers without parental consent. Did the FTC really intend to encourage what Legal Columnist Mark Rasch calls the Sgt. Schultz Defense?
The changes would also make photos, video and audio related to children younger than 13 no longer collectable without parental consent, according to the Children’s Online Privacy Protection Act (COPPA). Indeed, all COPPA restrictions speak to parental consent. If the site gets that consent (and how it gets that consent is even more complicated), then it has carte blanche to store that information for under-age shoppers and use it as it sees fit. The changes also, in the words of the FTC, “closed a loophole” that permitted third parties to collect that child’s information on retailers’ behalf.
Concerns about how COPPA impacts retailers that are not primarily focused on children younger than 13 is nothing new. And updating rules to acknowledge 21st Century technology is a move to be applauded. But the restrictions on mobile tracking, and especially IP addresses, is potentially problematic.
FTC Chairman Jon Leibowitz’s comments about the rule changes make it clear that the FTC is envisioning CRM profiles, in addition to standard Web analysis tools that aggregate all information about site visitors and can often identify many of them.
“We also extend the rule to cover persistent identifiers like IP addresses and mobile device IDs, which could be used to build massive profiles of children by behavioral marketers,” Leibowitz said. “The only limit we place is on behavioral advertising and, in this regard, our rule is simple, effective, and straightforward: until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising purposes. Period.”
The term “behavioral advertising purposes” is interesting. Is it strictly limited to a traditional ad on a site for something else, such as an ad for a toy truck on a comedy TV show’s Web site? Or would it include Target.com’s description of a product it’s selling right there on the site?
As a practical matter, how is a site to differentiate a young person’s IP address?
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
