The legislation used to protect children's privacy online: is it effective?

So how effective is the law and how does it impact business?

The FTC has handed out millions of dollars in COPPA fines to companies such as Yelp and Path for collecting personal information without parent’s consent, but according to internet lawyer Richard Chapo, there is more it could do.

“The FTC has been criticised repeatedly for not enforcing law,” says Chapo. “It creates an unfair landscape for businesses. Those that comply end up spending a lot of money on the compliance process as well as forgoing quite a few revenue channels compared to those that do not,” he said.

“The FTC averages at about two cases a year where it enforces the law, which is a mockery compared to the hundreds and thousands of websites and apps that have no COPPA compliance.”

FTC expands data protection

However, the FTC recently ruffled some industry feathers by targeting mobile app developers LAI Systems LLC and Retro Dreamer for allegedly collecting unique data linked to children for the purpose of advertising. The allegations, which the app developers agreed to pay a combined $360,000 (£252,000) to resolve, mark the first time that the commission has based an enforcement action solely on a company’s collection and use of “persistent identifiers”, a category of data that was added to the COPPA rule’s definition of personal information in 2013. Persistent identifiers are bits of code such as cookies that can be used to identify a person over time across different websites and apps.

Overall, the prosecutions that have occurred mostly focus on domestic companies but because COPPA extends to foreign websites and online services that collect information from children in the US, it has also sent warnings overseas.

In 2014 the FTC issued a public warning letter to Chinese app developer BabyBus regarding potential violations of COPPA. It made a clear case that BabyBus needed to comply with COPPA because it sells apps through the iTunes and Android app stores which target US consumers. Subsequently all BabyBus apps were pulled by Google from the Android store. The company responded to the FTC’s letter with a statement on its website saying it intended to bring its apps into compliance with US law.

Devastating results

“In these cases the FTC will seek judicial injunctions barring foreign offending companies from accessing consumer markets in the US. It will also likely seek a “till tap” order requiring all companies based in the US that are handling any part of the monetary transaction to transfer the revenues to the FTC instead of the international entity in question. Both are devastating results for the corporate entity,” said Chapo.

Traditionally, most companies focus on COPPA compliance over any laws in the EU member states because enforcement actions in the EU have been considered a remote risk. However, this may soon change. Article 8 of the new General Data Protection Regulation, drafted in January, describes a COPPA-like compliance process but the triggering age for compliance will be “under 16” instead of 13. This higher age limit could radically alter the children’s privacy landscape online as there are millions of teens between the ages of 13 and 16 on social networking sites.

The new law could further complicate business as it allows EU member states to designate an age between 13 and 16 for their specific jurisdictions.

“For compliance for businesses this is a nightmare,” said Chapo. “Within the 28 member states you will have a variety of ages. Unless there is a technology solution that will be able to handle the verifiable process for each stage, small companies will have to go for a higher age.”

Another reason companies struggle with compliance is due to the process of notifying parents and obtaining Verifiable Parental Consent (VPC) - known as “safe harbor” - before the child or parent loses interest, as well as the limited technologies approved by the FTC that help firms to secure this permission.

Dylan Collins, CEO of UK company SuperAwesome, a kid-safe ad platform, believes it’s unrealistic that VPC can be obtained in every scenario and has found a way round it.

“When we set up SuperAwesome one of the big problems was how to do COPPA compliant kid-safe advertising,” said Collins. “The COPPA compliance sector is not just about how you do VPC; it’s not practical to do that for everything, the advertising market wouldn’t work if it was. We built an FTC safe harbor-certified marketing platform that delivers advertising on a content basis rather than a profile basis . Our technology gives advertisers compliance because they are not capturing data from children.”

While children’s privacy laws are being rolled out or tightened around the world, there is a huge area around child online protection that is still not being addressed. To fill the gap, UNICEF, together with the UN’s International Telecommunication Union (ITU), wrote a set of guidelines for industry that integrate child rights, policies on child sexual abuse material and education on children’s safety and their responsible use of the internet (the Child Online Protection Guidelines for Industry).

“COPPA is strictly for commercial sites,” said Marsali Hancock, CEO of iKeepSafe, a safe harbor-approved certifier that tracks internet-connected devices’ effects on children. “They don’t deal with anything outside of how you gather and share data with advertisers and if you have permission or not. They don’t assess whether content is age appropriate either and there is nothing about educating teachers, parents and children about their responsible use of ICT.”

Hancock recommends the Child Online Protection Guidelines for Industry work in parallel with COPPA so child protection and privacy are addressed equally.

Content on this page is paid for and produced to a brief agreed with UNICEF, sponsor of the child rights and business hub