Beep! Beep! Make way for a caravan of “COPPA Cassandras.”
The Federal Trade Commission approved a new Children’s Online Privacy Protection Act (COPPA) verification process. And you know what that means: children’s advocacy groups are sounding alarms. What’s the latest COPPA complaint? In short: “Tricky kids are tricky – tricky enough to weasel their way around this photo verification process!”
A 30-Second COPPA Summary
First, let’s quickly review COPPA. Here are the main points:
- At the time of this writing, COPPA is one of the few federal online privacy laws in the United States.
- Its goal is to protect kids aged 12 and under from the evils of the Internet.
- The crux of COPPA is the verification requirement. Parents and guardians must consent before a digital platform or app is allowed to collect information from minors or let them participate on certain websites.
The New COPPA Verification Method: Facial Recognition
Previously, guardians could satisfy the COPPA verification requirement via:
- Credit card authorization;
- Mail in consent;
- Fax in consent;
- Calling an 800 number; or
- Sending an electronic scan.
Now, parents have the option of using the Face Match Verified Photo Identification (FMVPI) method – or in the colloquial parlance of our time, “selfie verification.”
How does it work?
- First, the parent or guardian submits a government issued identification picture (i.e., driver’s license or passport pic).
- Second, the parent or guardian takes a selfie with either a smartphone or webcam and submits it.
- If the two images match, then verification is complete and the biometric data is erased within five minutes.
Naysayers: “COPPA Facial Recognition Method Unsafe Because Today’s Tots Are Tricky.”
COPPA is frequently amended. And every time officials update it, someone voices concern about the change. The Facial recognition verification amendment is no exception; concerned parties have taken to the Internet, flash mobbing a cacophony of caution.
So, what’s the main gripe about the new COPPA verification method? In a phrase: high trickery potential. The anti-FMVPI camp insists that sneaky kids will cajole “willing adults” (i.e., sketchy adults) into posing as their parents or guardians. Other folks opposed to imaging technology verification also argue that today’s wee-ones are more than savvy enough to:
- lift mom’s or dad’s license without mom or dad noticing;
- take a picture of mom or dad with a smartphone or webcam; and
- submit both with neither mom or dad the wiser.
After considering the potential for deceit, regulators felt the concerns were overblown because the system incorporates appropriate safeguards. A proponent of the imaging technology explained that measures are in place to “reasonably [calculate], in light of available technology, to ensure that the person providing consent is the child’s parent.”
Who Needs To Follow COPPA Rules?
Since COPPA’s ascendance into U.S. federal law books, there’s been confusion as to who must follow the rules and who is exempt. And, to be fair, the confusion was understandable; language in the early iterations of the bill was, shall we say, vague.
But these days, edits have been made, and clarifications added. Here’s the COPPA bottom line:
- If your website or app, in any way whatsoever, caters to children aged 12 and under, adhere to COPPA rules – even if you don’t target kids; even if you buried a clause, in the terms, forbidding minors from using the site. If a website or app could be attractive to the kidlings – due to animations or color schemes or topic matter – follow COPPA.
- If you operate or develop an advertising distribution app – or any other type of plugin – you, too, are responsible for following COPPA protocol.
Want to make sure you’re on the right side of the legal COPPA fence? Chat with an attorney who focuses on Internet law. It’ll only cost you a couple of hundred dollars, give you peace of mind, and maybe save you millions of dollars in sanctions.
Consult With A COPPA Lawyer
Are you ready to speak with an experienced COPPA law attorney? If so, get in touch with Aaron Kelly. A top-rated lawyer, Aaron maintains high ratings on AVVO, in addition to a preeminent AV rating. Want to know more about the guy? Click here for his bio.
COPPA violations are expensive. Avoid them. Partner with an experienced COPPA lawyer – one who will work to keep you on FTC’s good side.
UC Berkley researcher, Ashkan Soltani, published findings that ETag – the technology incorporated into KISSmetrics analytics – tracked users regardless of their privacy settings. The report raised eyebrows and caused a minor panic in online business circles — and now there’s an Etag lawsuit.
What’s Different About ETag Tracking
Online tracking has been around for a long time. What’s changed is how it’s done. ETag technology is a new, powerful Internet tracking alternative. What makes them different than past techniques is their ability to trail people without the use of HTTP cookies.
Moreover, ETags have unique regenerative properties. Info is stored in a user’s browser cache, so even if cookies are deleted, the data can be recreated using ETag information. The ultimate annoyance for privacy stalwarts, the only way to escape the watchful “eye” of an ETag is to clear your cache between each website visit.
The Online Privacy Implications of ETags
Cross-site user identification is possible with ETag technology. When using ETags, user123 is identified in the system as user123, no matter the site. So, a KISSmetric-enabled website could, theoretically, share information about user123 with other KISSmetric-enabled websites. This type of cross-company information exchange is expressly prohibited by Internet standards, which state that two unrelated websites cannot share common identifiers.
That being said, when dealing with technology, the answers aren’t always cut and dry. Moreover, just because a certain technology has certain capabilities doesn’t mean they’re always used.
For example, KISSmetric uses the same URL for all clients; this is to mitigate bandwidth resources and speed-up user performance; as a result, their system returned “the same anonymous identifier” across multiple websites. But, said identifiers were instantly “translated into unique identifiers for each customer.” Moreover, KISSmetric took the extra step of segregating customers’ data into separate databases.
Technologically savvy? Yes. Illegal? No.
The ETag Lawsuit Violations
Suspiciously, the day Ashkan Soltani published his paper was the same day a class action lawsuit against KISSmetrics was filed in California. Scott Kamber – a lawyer who relied on another Soltani paper in 2010 while trying to prosecute sites that used “Flash cookies” – is representing Joseph Garvey and Stacey Tsan, the two consumers claiming injury as a result of KISSmetric’s use of ETag technology.
The lawsuit claims KISSmetric violated the Video Protection Privacy Act in addition to several California online privacy laws. The plaintiffs also claim to have proof that data was shared with third parties. Yet, they refuse to produce said evidence.
Since news hit of the ETag lawsuit, KISSmetric has been an open book and sternly denies the allegations. They’ve also pledged to cooperate with any and all authorities on the matter.
In response to the lawsuit, KISSmetric immediately addressed the issues at hand and worked overtime to remove any processes which could be misinterpreted. They also installed rigorous “do not track” provisions.
Technology is a good thing. Advancements in the field help our economy and overall quality of life. Before filing a tech-related lawsuit, it’s important to thoroughly assess the technology in question. because many times — like in this Etag lawsuit — the claims are wildly far-reaching and only serve to impede progress; not protect the citizenry.
The Internet had us at hello; we haven’t been able to quit it. Yes, we know that potential danger lurks behind every click; yet, the pull of online sales, anonymous gossip, and easy money keeps us digitally tethered. Some might argue that we’ve collectively swallowed the proverbial “blue pill.”
But at what cost, now that the average consumer doesn’t leave home without 2 or 3 wired devices?
We’re Paranoid about Protecting Our Online Privacy, But Not Enough to Give-Up Google
A recent poll conducted by USA TODAY and Gallup showed that 70% of Facebook and 52% of Google users are concerned about Internet privacy. Consumer Watchdog’s 2010 survey was even more convincing. When asked: “Is it important to have more online privacy laws that protect your personal information?” 90% of respondents answered “Yes!” Out of the Watchdog respondents, 86% said they favored a single-click “make me anonymous button” on browsers like Google, Safari, and Chrome.
Are We Paranoid Enough? Recent Privacy Breaches Raise Cause for Great Online Privacy Concerns
“Consumers generally do not understand who has access to their data and for what purpose,” cautioned Ryan Calo, director of Stanford University’s Consumer Privacy Project. And he’s right. Chances are you’d be shocked to learn how many data-workers have had access to your name, e-mail, address, and even credit card information. Even more ominous is the amount of hackers who now have access to that information illegally.
Take, for example, two recent corporate privacy breaches: Google’s Wi-Spy Scandal and Sony’s PlayStation Network debacle.
Google’s Online Privacy Problem
In 2010, Stephen Conroy, Australian Minister for Communications, declared that Google’s Street View project constituted the “largest privacy breach in the history across western democracies”.
What did Google do that raised the ire of overseas governments?
In some people’s eyes, Google spied on millions of people using unsecured wireless networks — and then saved all the illegally collected data. Like a child getting caught with their hand in the cookie jar, when first confronted, Google feigned ignorance, but eventually had to admit wrongdoing. Google swears, though, that any personal data was “inadvertently” captured and never analyzed.
The FTC opened an investigation into the matter, but mysteriously dropped the charges in the fall of 2010 with little fanfare or media coverage.
Sony’s Privacy Problems
Sony was the latest mega-corp to drop the privacy ball. Another security breach of portentous proportions, hackers compromised the emails, addresses, login names and, possibly, credit card numbers of over 70 million PlayStation Network users . PSN has been up-and-down in the weeks following the cyber attack, and the only politician that seems to be genuinely worried is Saturday Night Live alumnus, Al Franken.
Computer viruses are more than just annoying pranks; they’re privacy attacks that could render you impecunious.
UPDATE June 2014: We published this article in 2011. As of 2014, a universal online privacy law has yet to be passed.
Election season is once again upon us. Politicians are perfecting their stump speeches; focus groups are forming; pollsters are plotting; and staffers are polishing platforms which appeal to the greatest common denominator. So, it’s no surprise that privacy — a long-held ideal touted by the left, right, and middle — is taking center, talking-point stage.
Since February, no less than 7 elected representatives have submitted Internet privacy bills for review. Will one of them finally pass? After all, federal representatives has been trying to pass a universal privacy bill for nearly 15 years. They have yet to succeed.
Congressional Legislation Proposals
Reps. Ed Markey (D – MA) and Joe Barton (R – TX) are the latest congressional, bi-partisan duo to introduce an Internet privacy bill. Specific to issues surrounding the online collection of children’s data, Markey’s and Barton’s “Do Not Track Kids Act of 2011” goes much further than the extant “Children’s Online Privacy Protection Act of 1998” (COPPA).
In February, Reps. Jackie Speier (D – CA.) and Bobby Rush (D-IL.) each introduced digital privacy proposals. Speier’s “Do Not Track Me Online Act of 2011” exempted government agencies and companies with less than 15,000 customers. Rush’s bill re-introduced his 2009 online privacy act. Unlike Speier’s proposal, Rush’s doesn’t include specific language about a do-not-track mechanism (largely because that terminology didn’t exist when he drafted the bill in 2009), but it does require companies to get consent from users if collected data is shared with third parties.
Senatorial Online Privacy Legislation Proposals
Sens. John Kerry (D – MA.) and John McCain (R – AZ.) are co-sponsors of the popular “Commercial Privacy Bill of Rights”. Their proposal doesn’t specifically mention a do not track option, but it does address issues of data collection and pushes for stricter online security regulations. Sen. John D. Rockefeller’s (D – WV) “Do Not Track Online Act of 2011” is the most popular among privacy and consumer advocacy groups. “[The bill provides] crucial civil liberties protection for the 21st century,” explained Chris Calabrese, legislative counsel for the ACLU, when commenting on Rockefeller’s implicit do not track provision.
If Republicans and Democrats see Eye to Eye, Who’s in the Anti-Privacy Camp?
Evidenced by the number of bi-partisan online privacy proposals, Republicans and Democrats have obviously reached a workable consensus when it comes to protecting personally identifiable information. So the question remains: who is against passing stricter, universal online privacy laws? The answer lies in who benefits from collecting data about your lifestyle – marketing executives and online advertisers.
Companies that have goods and services to sell are actively lobbying for an end to the Government’s online privacy debate. Due to the ubiquitous nature of the Internet, behavioral targeting has become big business and online advertisers don’t want anybody messing with their revenue stream. Annually, billions of dollars are spent on targeted marketing campaigns – nearly all of which make use of personally identifiable data collected online.
Time will tell if we see a universal online privacy bill passed in the upcoming months; but if not, it certainly can’t be blamed on a lack of options!
Sharing Individual Electronic Data Isn’t Always Bad
Sharing statistical data is a legitimate activity. It allows health care professionals to track contagious diseases and research medicinal effectiveness. Public planners and developers use shared statistical data to track population trends and predict future infrastructure needs. Marketing and design professionals use it to determine product demographics and production schedules.
Do We Need An Electronic Data Privacy Law?
Statistical data frequently contains identifying information — raising data privacy concerns. In some cases, digital personalization is desired. For example, shopping or dining preferences allow specific offers or coupons to be directed at consumers likely to value and act on them. But other times, too much data in the hands of the wrong party can be dangerous.
Potential Data Privacy Threat: Insurance Companies
Often, digital data carries information that insurers are not supposed to know prior to making policy decisions. That means it’s possible for insurance companies to inappropriately use healthcare records to deny coverage for individuals with certain genetic profiles. A slippery slope indeed.
Potential Data Privacy Threat: Job Interviews
These days, employers scour job candidates’ social media. Postings made years ago or under unusual circumstances may knock an applicant out of the running. Plus, clues about ethnicity, age, or sexual preference — garnered from profile data — may also be used to discriminate.
Get In Touch With A Lawyer Who Understands Data Privacy Law
If you’re a business in need of a data privacy legal audit, or you’re a person who’s been unfairly treated due to potential inappropriate access to your personal data, get in touch today. Our law firm handles all manners of Internet law issues, including information security cases.
For more information about electronic data privacy, contact an experienced Internet law attorney.
Online privacy is the U.S. Government’s issue du jour. In recent months, several legislators have submitted bi-partisan proposals endeavoring to establish a federal online privacy law. But while politicians are exhibiting a united front, technology corporations are lobbying to squash universal privacy initiatives, citing unnecessary costs and bureaucratic red-tape.
The latest elected official to tackle online privacy is West Virginia Senator Jay Rockefeller. On May 9th, to the praise of privacy and consumer advocate groups, Rockefeller released his Do Not Track Act of 2011. Earnest in his pursuit, the senator also sent a stern letter to Google and Apple questioning the respective companies’ mobile application security and privacy procedures. Last week, at a Senate hearing, the mega-tech corporations presented their answers.
Apple’s Response to Senate’s Mobile Privacy Concerns: We Remove Apps Quickly & Don’t Collect Information From Kids
Representing Apple was vice president Catherine Novelli. Resolute in her defense of approved iPhone and iPad applications, Novelli indicated that any information Apple collects through mobile applications is anonymous and in no way tied to an individual.
Additionally, she explained that if a breach is discovered, developers have 24 hours to correct the mistake; if a solution isn’t found, the buggy application is removed from Apple’s online and offline stores.
In response to specific questions about the security of children’s information, Novelli testified that Apple does not knowingly collect data on those 13 and younger.
Google’s Response to Senate’s Mobile Privacy Concerns: Expunged Data & Effective Parental Controls
Director of public policy, Alan Davidson, represented Google on the panel. In response to inquiries, Davidson testified that his company obtains consent from phone and tablet users before any Android data tracking applications are activated. Similar to Novelli, the Google executive also insisted that identity tags are expunged from collected data and therefore “not tied or traceable to a specific user.”
Davidson went on to address Rockefeller’s concern about children’s privacy by explaining that developers are required to give their applications maturity ratings, which can then be monitored using built-in parental controls.
As our communication devices become more portable and powerful, the potential for application development is limitless. As Sen. Rockefeller opined in the May 19th hearing, “The devices are not really phones-they’re miniature computers.” We’d be remiss to demur from using technology breakthroughs; but, we must exercise caution when deciding which platforms and programs to use. And it’s in each of our interests to educate ourselves on the most effective personal security measures available.