This is page 2 of:
New Child Protection Rules Create A Retail Catch-22
The FTC offered this clarification, with the intent of making the rules easier for retailers: “No parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service’s internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. Without parental consent, such information may never be used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.”
That was helpful as a clarification, until the end, when it added “or for any other purpose.” Retail analytics today use IP addresses and other related data for a wide range of functions, and that list is likely to expand in the near future. Again, if the government wants to impose restrictions on traffic associated with a younger person, sites need a way to determine that.
As a practical matter, asking the shopper is the only viable approach, despite the fact that it’s about as reliable an age-verification mechanism as a cocktail waitress asking someone who looks 17 but claims to be 21, “Really? Are you sure?”
How is a site supposed to get parental consent, assuming it opts to find out if anyone will fess up to being under-age? The FTC proposes a wide range of options (“electronic scans of signed parental consent forms, video-conferencing, use of government-issued identification”), but one of the choices is to have retailers leverage existing online payment systems.
This raises more issues. Aside from the fact that PCI assessors (not to mention Visa, MasterCard, American Express and other card brands) won’t be too thrilled about sites asking for full payment-card data for something other than processing a legitimate charge. And to then retain that data? For an agency that is trying to strengthen shopper privacy, the FTC sure has a funny way of going about it.
Beyond the PCI-related issues, how about accidental security issues? Giving full credentials to a retail site is just begging for an accidental charge. It’s unclear why a shopper would want to do that, and it’s even less clear why a retailer would embrace such a practice.
This is unwise even in a more narrow scenario. Let’s say that payment cards are used to authenticate parents or guardians (for the purpose of allowing tracking data to be stored for their child) only when the parent happens to be making a legitimate purchase on the site anyway. (“Hey, parents! Today’s KMart Special: Give us permission to use your kid’s Web activity history and we’ll give you 40 percent off the plush stuffed animal of your choice. Click here to approve both.”)
Even in that situation, it’s still using payment data for something beyond payment, which is a truly bad idea.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
