Beep! Beep! Make way for a caravan of “COPPA Cassandras.”
The Federal Trade Commission approved a new Children’s Online Privacy Protection Act (COPPA) verification process. And you know what that means: children’s advocacy groups are sounding alarms. What’s the latest COPPA complaint? In short: “Tricky kids are tricky – tricky enough to weasel their way around this photo verification process!”
A 30-Second COPPA Summary
First, let’s quickly review COPPA. Here are the main points:
- At the time of this writing, COPPA is one of the few federal online privacy laws in the United States.
- Its goal is to protect kids aged 12 and under from the evils of the Internet.
- The crux of COPPA is the verification requirement. Parents and guardians must consent before a digital platform or app is allowed to collect information from minors or let them participate on certain websites.
The New COPPA Verification Method: Facial Recognition
Previously, guardians could satisfy the COPPA verification requirement via:
- Credit card authorization;
- Mail in consent;
- Fax in consent;
- Calling an 800 number; or
- Sending an electronic scan.
Now, parents have the option of using the Face Match Verified Photo Identification (FMVPI) method – or in the colloquial parlance of our time, “selfie verification.”
How does it work?
- First, the parent or guardian submits a government issued identification picture (i.e., driver’s license or passport pic).
- Second, the parent or guardian takes a selfie with either a smartphone or webcam and submits it.
- If the two images match, then verification is complete and the biometric data is erased within five minutes.
Naysayers: “COPPA Facial Recognition Method Unsafe Because Today’s Tots Are Tricky.”
COPPA is frequently amended. And every time officials update it, someone voices concern about the change. The Facial recognition verification amendment is no exception; concerned parties have taken to the Internet, flash mobbing a cacophony of caution.
So, what’s the main gripe about the new COPPA verification method? In a phrase: high trickery potential. The anti-FMVPI camp insists that sneaky kids will cajole “willing adults” (i.e., sketchy adults) into posing as their parents or guardians. Other folks opposed to imaging technology verification also argue that today’s wee-ones are more than savvy enough to:
- lift mom’s or dad’s license without mom or dad noticing;
- take a picture of mom or dad with a smartphone or webcam; and
- submit both with neither mom or dad the wiser.
After considering the potential for deceit, regulators felt the concerns were overblown because the system incorporates appropriate safeguards. A proponent of the imaging technology explained that measures are in place to “reasonably [calculate], in light of available technology, to ensure that the person providing consent is the child’s parent.”
Who Needs To Follow COPPA Rules?
Since COPPA’s ascendance into U.S. federal law books, there’s been confusion as to who must follow the rules and who is exempt. And, to be fair, the confusion was understandable; language in the early iterations of the bill was, shall we say, vague.
But these days, edits have been made, and clarifications added. Here’s the COPPA bottom line:
- If your website or app, in any way whatsoever, caters to children aged 12 and under, adhere to COPPA rules – even if you don’t target kids; even if you buried a clause, in the terms, forbidding minors from using the site. If a website or app could be attractive to the kidlings – due to animations or color schemes or topic matter – follow COPPA.
- If you operate or develop an advertising distribution app – or any other type of plugin – you, too, are responsible for following COPPA protocol.
Want to make sure you’re on the right side of the legal COPPA fence? Chat with an attorney who focuses on Internet law. It’ll only cost you a couple of hundred dollars, give you peace of mind, and maybe save you millions of dollars in sanctions.
Consult With A COPPA Lawyer
Are you ready to speak with an experienced COPPA law attorney? If so, get in touch with Aaron Kelly. A top-rated lawyer, Aaron maintains high ratings on AVVO, in addition to a preeminent AV rating. Want to know more about the guy? Click here for his bio.
COPPA violations are expensive. Avoid them. Partner with an experienced COPPA lawyer – one who will work to keep you on FTC’s good side.
UC Berkley researcher, Ashkan Soltani, published findings that ETag – the technology incorporated into KISSmetrics analytics – tracked users regardless of their privacy settings. The report raised eyebrows and caused a minor panic in online business circles — and now there’s an Etag lawsuit.
What’s Different About ETag Tracking
Online tracking has been around for a long time. What’s changed is how it’s done. ETag technology is a new, powerful Internet tracking alternative. What makes them different than past techniques is their ability to trail people without the use of HTTP cookies.
Moreover, ETags have unique regenerative properties. Info is stored in a user’s browser cache, so even if cookies are deleted, the data can be recreated using ETag information. The ultimate annoyance for privacy stalwarts, the only way to escape the watchful “eye” of an ETag is to clear your cache between each website visit.
The Online Privacy Implications of ETags
Cross-site user identification is possible with ETag technology. When using ETags, user123 is identified in the system as user123, no matter the site. So, a KISSmetric-enabled website could, theoretically, share information about user123 with other KISSmetric-enabled websites. This type of cross-company information exchange is expressly prohibited by Internet standards, which state that two unrelated websites cannot share common identifiers.
That being said, when dealing with technology, the answers aren’t always cut and dry. Moreover, just because a certain technology has certain capabilities doesn’t mean they’re always used.
For example, KISSmetric uses the same URL for all clients; this is to mitigate bandwidth resources and speed-up user performance; as a result, their system returned “the same anonymous identifier” across multiple websites. But, said identifiers were instantly “translated into unique identifiers for each customer.” Moreover, KISSmetric took the extra step of segregating customers’ data into separate databases.
Technologically savvy? Yes. Illegal? No.
The ETag Lawsuit Violations
Suspiciously, the day Ashkan Soltani published his paper was the same day a class action lawsuit against KISSmetrics was filed in California. Scott Kamber – a lawyer who relied on another Soltani paper in 2010 while trying to prosecute sites that used “Flash cookies” – is representing Joseph Garvey and Stacey Tsan, the two consumers claiming injury as a result of KISSmetric’s use of ETag technology.
The lawsuit claims KISSmetric violated the Video Protection Privacy Act in addition to several California online privacy laws. The plaintiffs also claim to have proof that data was shared with third parties. Yet, they refuse to produce said evidence.
Since news hit of the ETag lawsuit, KISSmetric has been an open book and sternly denies the allegations. They’ve also pledged to cooperate with any and all authorities on the matter.
In response to the lawsuit, KISSmetric immediately addressed the issues at hand and worked overtime to remove any processes which could be misinterpreted. They also installed rigorous “do not track” provisions.
Technology is a good thing. Advancements in the field help our economy and overall quality of life. Before filing a tech-related lawsuit, it’s important to thoroughly assess the technology in question. because many times — like in this Etag lawsuit — the claims are wildly far-reaching and only serve to impede progress; not protect the citizenry.
Yes, we know there is potential danger lurking behind every click of the mouse; yet, the pull of online sales, anonymous gossiping, and easy money keeps us coming back. We’re plugged in to the Internet like Neo to the Matrix.
But at what cost?
Remember back when “Blackberry-addict” first entered our lexicon? It almost seems quaint, since now the average consumer has between 2 to 3 electronic devices on their person at any given time. Today, we’ve got our tablet PCs, smartphones and e-readers…oh my!
We’re Paranoid about Protecting Our Online Privacy, But Not Enough to Give-Up Google
A recent poll conducted by USA TODAY and Gallup showed that 70% of Facebook and 52% of Google users are concerned about Internet privacy. Even more convincing was Consumer Watchdog’s 2010 survey. When asked the question, “Is it important to have more online privacy laws that protect your personal information?” 90% of respondents answered, “Yes!” Out of the Watchdog respondents, 86% said they favored a single-click “make me anonymous button” on browsers like Google, Safari and Chrome.
That being said, Google and Facebook have grown exponentially over the last several years. So while we’re collectively skeptical, there’s just something about search engines and social networking that has us hooked.
Are We Not Paranoid Enough? Recent Privacy Breaches Raise Cause for Great Online Privacy Concerns
“Consumers generally do not understand who has access to their data and for what purpose,” cautioned Ryan Calo, director of Stanford University’s Consumer Privacy Project. And he’s right. Chances are you’d be shocked to learn how many data-workers have had access to your name, e-mail, address and even credit card information. Even more ominous is the amount of hackers who now have access to that information illegally.
Take, for example, two recent corporate privacy breaches: Google’s latest foot-bullet dubbed the Wi-Spy Scandal and Sony’s PlayStation Network debacle.
Google’s Online Privacy Problem
In 2010, Stephen Conroy, Australian Minister for Communications, declared that Google’s Street View project constituted the “largest privacy breach in the history across western democracies”.
What did Google do that raised the ire of governments across the globe?
In some people’s eyes, Google spied on millions of people using unsecured wireless networks – and then saved all the illegal data that was collected. Like a child getting caught with their hand in the cookie jar, when first confronted, Google feigned ignorance, but eventually had to admit wrongdoing. Google, though, swears that any personal data was collected “inadvertently” and never looked at.
The FTC opened an investigation into the matter, but mysteriously dropped the charges in the fall of 2010. There was little fanfare or coverage of the event.
Sony’s Privacy Problems
The latest mega-corp to drop the privacy ball was Sony. Another security breach of portentous proportions, the emails, addresses, login names and, possibly, credit card numbers of over 70 million PlayStation Network users was compromised. An ingenious hacker lurking in the ether of the Internet got their hands on all of it. PSN has been up-and-down in the weeks following the cyber attack, and the only politician that seems to be genuinely worried is Saturday Night Live alumnus, Al Franken.
Computer viruses are more than just annoying pranks; they’re privacy attacks that could render you impecunious. Only time will tell what direction the government decides to take.
Election season is once again upon us and politicians are in the process of perfecting their talking-points. Focus groups are being formed, polls are being plotted, and staffers are polishing platforms which appeal to the greatest common denominator.
Therefore, it’s no surprise that privacy — a long-held national ideal touted by the left, right and middle — is shaping up to be a hot issue this election cycle.
Since February, no less than 7 elected representatives have submitted Internet privacy bills for review. Which makes you kinda wonder: is anyone on Capitol Hill working on anything else!? Slightly more alarming: the Federal Government has been trying to pass a universal privacy bill for nearly 15 years and has yet to succeed. At this rate, by the time an act is passed, technology advancements will render the regulations useless.
Congressional Legislation Proposals
Reps. Ed Markey (D – MA.) and Joe Barton (R – TX.) are the latest congressional, bi-partisan duo to introduce an Internet privacy bill. Specific to issues surrounding the online collection of children’s data, Markey’s and Barton’s “Do Not Track Kids Act of 2011” goes much further than the already existent “Children’s Online Privacy Protection Act of 1998” (COPPA).
In February, Reps. Jackie Speier (D – CA.) and Bobby Rush (D-IL.) each introduced digital privacy proposals. Speier’s “Do Not Track Me Online Act of 2011” exempted government agencies and companies with less than 15,000 customers. Rush’s bill was a re-introduction of his 2009 online privacy act. Unlike Speier’s proposal, Rush’s does not include specific language about a do-not-track mechanism (largely because that terminology didn’t exist when he drafted the bill in 2009), but it does require companies to get consent from users if collected data is shared with a 3rd party.
Senatorial Online Privacy Legislation Proposals
Sens. John Kerry (D – MA.) and John McCain (R – AZ.) are co-sponsors of the popular “Commercial Privacy Bill of Rights”. Their proposal doesn’t specifically mention a do not track option, but it does address issues of data collection and pushes for stricter online security regulations. Sen. John D. Rockefeller’s (D – WV) “Do Not Track Online Act of 2011” is the most popular among privacy and consumer advocacy groups. “[The bill provides] crucial civil liberties protection for the 21st century,” explained Chris Calabrese, legislative counsel for the ACLU, when commenting on Rockefeller’s implicit do not track provision.
If Republicans and Democrats see Eye to Eye, Who’s in the Anti-Privacy Camp?
Evidenced by the number of bi-partisan online privacy proposals, Republicans and Democrats have obviously reached a workable consensus when it comes to protecting personally identifiable information. So the question remains: who is against passing stricter, universal online privacy laws? The answer lies in who benefits from collecting data about your lifestyle – marketing executives and online advertisers.
Companies that have goods and services to sell are actively lobbying for an end to the Government’s online privacy debate. Due to the ubiquitous nature of the Internet, behavioral targeting has become big business and online advertisers don’t want anybody messing with their revenue stream. Annually, billions of dollars are spent on targeted marketing campaigns – nearly all of which make use of personally identifiable data collected online.
Time will tell if we see a universal online privacy bill passed in the upcoming months; but if not, it certainly can’t be blamed on a lack of options!
Sharing Individual Electronic Data Isn’t Always Bad
The sharing of statistical data is a legitimate activity. It allows health care professionals to track the spread of contagious diseases and research the effectiveness of medical treatments. Public planners and developers use shared statistical data to track population trends and predict future infrastructure needs. Marketing and design professionals use shared statistical data to determine product demographics and predict which products require increased production.
PII Concerns Have People Wondering If We Need An Electronic Data Privacy Law
Sometimes statistical data also contains personal identifiable information — which has raised electronic data privacy law questions and concerns. In some cases, digital personal identification is valid and even desired. For example, shopping or dining preferences allow specific offers or coupons to be directed to consumers likely to value and act on them. Such advertisements are especially effective when sent to a phone when the individual is at or near the establishment.
Personal Electronic Data Use & Collection Can Be Very Concerning (Think: Insurance Companies With Too Much Information, Employers Judging You On Your “College Years”)
Insurance Companies Can Do Damage With Too Much Info
Insurance companies might use healthcare records to avoid issuing policies to individuals with potentially costly conditions or certain genetic profiles. Many times this data consists of information the insurers are not otherwise permitted to obtain prior to making policy decisions.
Finance Records and Personal Responsibility
Financial records, credit scores and court records are already used to screen potential employees; companies evaluate individuals based upon that information and decide whether or not to extend employment offers. Individuals know this, and are expected to take responsibility.
Employers Access to Social Media Profiles
These days, a growing trend is for employers to search social media forums such as Facebook or Twitter and to obtain information that has not traditionally been associated with employment concerns. Postings made years ago or under unusual circumstances may suddenly be taken out of context and used as a basis for denying employment opportunities. Postings hinting at ethnicity or sexual preference may be covertly used as a basis for illegal discrimination or preferential treatment by employers.
Get In Touch With A Lawyer Who Understands Data Privacy Law
It is tempting to say that individuals are responsible for their own actions and subsequent ramifications. However, situations are not always clear cut. Individuals mature and change as they grow-up, and postings made as a twenty-something may not reflect the character of the person at thirty-something.
If you’re a business in need of an electronic data privacy legal audit, or you’re a person who has been unfairly treated due to potential unfair access to your personal data, get in touch today. Our law firm handles all manners of Internet law issues, including information security cases.
For more information about electronic data privacy, contact an experienced Internet law attorney.
Online privacy is the U.S. Government’s issue du jour. In recent months, several legislators have submitted bi-partisan proposals — each endeavoring to establish a federal online privacy law. But while politicians are exhibiting a united front, technology corporations are lobbying hard to squash universal privacy initiatives, citing unnecessary costs and bureaucratic red-tape.
The latest elected official to tackle online privacy is West Virginia Senator Jay Rockefeller. On May 9th, to the praise of privacy and consumer advocate groups, Rockefeller released his Do Not Track Act of 2011. Earnest in his pursuit, the senator also sent a stern letter to Google and Apple questioning the respective companies’ mobile application security and privacy procedures. Last week, at a Senate hearing, the mega-tech corporations presented their answers.
Apple’s Response to Senate’s Mobile Privacy Concerns: We Remove Apps Quickly & Don’t Collect Information From Kids
Representing Apple was vice president Catherine Novelli. Resolute in her defense of approved iPhone and iPad applications, Novelli indicated that any information Apple collects through mobile applications is anonymous and in no way tied to an individual. In addition, she explained that if a breach is discovered, developers have 24 hours to correct the mistake; if a solution is not found, the buggy application is removed from Apple’s online and offline stores. In response to specific questions about the security of children’s information, Novelli testified that Apple does not knowingly collect data on those 13 and younger.
Google’s Response to Senate’s Mobile Privacy Concerns: Expunged Data & Effective Parental Controls
Director of public policy, Alan Davidson, represented Google on the panel. In response to inquiries, Davidson testified that his company obtains user consent from phone and tablet users before any Android data tracking applications are activated. Similar to Novelli, the Google executive also insisted that identity tags are expunged from collected data and therefore “not tied or traceable to a specific user.” Davidson went on to address Rockefeller’s concern about children’s privacy by explaining that developers are required to give their applications maturity ratings, which can then be monitored using built-in parental controls.
As our communication devices become more portable and powerful, the potential for application development is limitless. As Sen. Rockefeller opined in the May 19th hearing, “The devices are not really phones-they’re miniature computers.” We’d be remiss, out of fear, to demur from using many of these technology breakthroughs; but, we must exercise caution when deciding which platforms and programs to use. And it’s in each of our interests to educate ourselves on the most effective personal security measures available.