Today the Federal Trade Commission Chairman Jon Leibowitz announced final amendments to the Children’s Online Privacy Protection Rule. The following statement can be attributed to TechFreedom President Berin Szoka:
The FTC deserves credit for heeding concerns raised about those proposed changes that were removed from the final rule. But serious concerns remain. To start, by deeming persistent identifiers as personal information per se, the FTC's new rule runs contrary to established U.S. privacy law: federal courts have unanimously decided that IP addresses do not allow the contacting of a specific individual.
Further, as Commissioner Ohlhausen's dissent notes, the COPPA statute does not allow the FTC to impose liability on sites that do not collect children's information merely because the operator may somehow benefit from an ad network or plug-in operator collecting information—provided the third party neither targets children nor shares information with the site operator.
If a third party becomes liable once a single employee "recognizes the child-directed nature" of a website—whatever that means—COPPA will become the worst kind of notice-and-takedown system: Would a single complaint—or tweet—from a parent or activist group create "knowledge?" Faced with the impossible task of predicting how the FTC might characterize each of the millions of sites on which ads or plug-ins might appear, operators will have to try to block advertising or plug-ins on sites that appears to be child-oriented. If they can't do that effectively, this potential liability may effectively kill behavioral advertising on any site that can't prove it isn't child-oriented—in other words, on small sites.
Thus, COPPA will now impact adult sites, denying publishers revenue and adult users the functionality that is increasingly provided by embeds. Thus, the FTC invites not only a statutory challenge but also a constitutional challenge similar to that which led the Child Online Protection Act (COPA) to be struck down.
Finally, if operators of kids' sites are liable for data collection by third parties they "allow" on their sites, some will simply block their users from embedding third-party content when they post on the site—say, embedding a YouTube video in an online forum. The problem is that such videos may collect an IP address to show a behaviorally targeted ad, but site operators have no way of controlling what embedded content does—except to block embeds altogether. Crippling the functionality of kids' sites in this way will drive more kids to lie about their age to use more functional general-audience sites. This will harm kids' media and frustrate COPPA's core goal: parental empowerment.