Today the FTC released their proposed changes to the Children’s Online Privacy Protection Act.
- “updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising.”
- “modifying the definition of “collection” so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.”
- “adding new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done….and eliminating the less-reliable method of parental consent, known as “e-mail plus.” (side note – this does not affect using email plus as a safety best practice, which is what most sites do.)
- “establishing a voluntary 180-day notice and comment process whereby parties may seek Commission approval of a particular consent mechanism.”
- “proposes adding a requirement that operators ensure that any service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it, that operators retain the information for only as long as is reasonably necessary, and that they properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.” (what to do with those pesky support tickets!)
We at Metaverse are in the process of reviewing the 122 page document and will be submitting comments prior to the November 28, 2011 deadline. Please drop me a line if you have any thoughts.