New Rules: Privacy on the forefront for Internet companies
By Christopher J. Librandi
Over the past several years, flurries of Internet-based companies have emerged despite little capital, gaining important footholds in the marketplace because of advertising.
The opportunity is seemingly there for the taking: Allow advertisers to publish on your new website or mobile application and earn a small commission based on resulting click-throughs and sales. Simple? Not quite.
For these ads to be effective they need to be adequately “targeted.” An ad for a dollhouse, for example, is more effective when placed within a children”™s app than, say, an automobile website. It will be even more effective if it can target users that previously purchased dolls. To get that information, your advertising partners may collect information from your users, creating a valuable profile: User ID 12345 visited 20 websites related to dolls this week and lives in Westport, Conn.
This targeted advertising is widespread in the Internet marketplace today, but recent changes to the Federal Trade Commission”™s (FTC) Children”™s Online Privacy Protection Act (COPPA) should give you pause if your website or app is attracting children under age 13.
The revised rules are effective July 1, making the developer/operator of a website, mobile app or other online service responsible when collecting or allowing third parties ”“ like advertisers ”“ to collect personal information from users under age 13, even if the primary target is a more general audience.
Under the new rules, “personal information” now includes information that advertising networks crave: IP addresses, device serial numbers, screen names, geo-location information and more.
If a website, app or online service is directed toward children under 13 ”“ or if you know personal information is being collected from children under 13 ”“ you must comply with the new rules. That includes having a compliant privacy policy and obtaining parental consent before collecting personal information from the child.
These obligations are serious, as are the consequences for noncompliance. Operators may be liable for civil penalties of up to $16,000 per violation. The FTC recently obtained an $800,000 settlement from the social networking app “Path,” which had been charged with illegally collecting personal information from children without parental consent.
For any Internet company, therefore, the following immediate actions are necessary:
- Consider whether any users, intentionally or not, will be under age 13.
- Consider what personal information your advertising partners plan to collect from users under age 13.
- Consider asking users to identify their age before using a service. If the intended audience is teenagers but there is a concern that some children under 13 also may use it, set up an age-gate to limit access to teenagers. You are entitled to rely on the ages your users provide.
- If necessary, carefully design a process for obtaining parental consent. Do not rely on your users”™ entering an ID and password (i.e. an iTunes password to download an app) as evidence of parental consent. This may be a common practice, but it is not compliant with the new rules. For example, if a child”™s personal information may be disclosed to a third party, a signed consent from the parent may be appropriate. A toll-free number for the parent to provide consent also may be the right route. If the child”™s personal information will be kept internally, parental consent can be obtained by email.
- Draft a privacy policy for the website that clearly explains what information will be collected from users, how it will be used and by whom, and the process by which parents can review, delete or stop collection of the child”™s personal information. It will almost certainly not be adequate to simply copy and paste another company”™s privacy policy.
No doubt, complying with the new federal rules can be expensive and time consuming. But it is absolutely essential, especially for small businesses that rely on third party partners ”“ and for whom a stiff penalty could be financially devastating.
Christopher J. Librandi is an attorney with the Westport-based law firm Levett Rockwood P.C. He can be reached at (203) 222-0885.