New online child protection rules issued by the FTC just before Christmas left many retailers scratching their heads. According to the FTC, retailers can no longer record geolocation data, IP addresses and mobile device IDs from site visitors under the age of 13 without parental consent. But how does one get parental consent? And how do you define a site aimed at children?
Obviously, the devil's in the details, but the details can be a devil to unscramble. Retailers know that for many sites, it’s difficult to delineate age groups. There’s also the problem of asking for the age of site visitors. Retailers who don’t ask can say they didn’t knowingly collect data from under-age shoppers without parental consent.
Then there’s the Children’s Online Privacy Protection Act (COPPA), which prohibits the collection of photos, video and audio related to children younger than 13 without parental consent. But if the site secures parental consent (a complex procedure), it can store and use this sensitive data any way it wants to.
FTC Chairman Jon Leibowitz recently expressed concerns over retailers building CRM profiles using Web analysis tools. “We also extend the rule to cover persistent identifiers like IP addresses and mobile device IDs, which could be used to build massive profiles of children by behavioral marketers,” said Leibowitz. “The only limit we place is on behavioral advertising and, in this regard, our rule is simple, effective, and straightforward: until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising purposes. Period.”
The term “behavioral advertising purposes” leaves room for various interpretations. And can a site really determine a child’s age based on their IP address? In attempting to clarify its stance, the FTC sought to simplify things by saying, “No parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service’s internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. Without parental consent, such information may never be used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose.”
The parental consent issue still looms large and unresolved. FTC proposals vary widely—everything from electronic scans of signed parental consent forms to video-conferencing and even government-issued identification. Another option is to have retailers use existing online payment systems to secure this data. But Visa, MasterCard, American Express and others will be reluctant to go this route in an era of increased shopper privacy.
Retailers who still have questions about the Children's Online Privacy Protection Rule can get some answers by visiting the FTC FAQ site. Clearly, the new rules beg for specifics and clarification. Until then, retailers will have to tread carefully when marketing to younger online customers.
Image courtesy of Stuart Miles/FreeDigitalPhotos.net