The Center for Financial Privacy and Human Rights signed on to a coalition letter to the Federal Trade Commission on privacy safeguards in the Children’s Online Privacy Protection Act (COPPA) rule by expanding the definition of personal information, limiting the duration information is retained, and improving the mechanisms for protecting this personal information.
December 22, 2011
Federal Trade Commission
Office of the Secretary
Room H-113 (Annex E)
600 Pennsylvania Avenue, N.W.
Washington, DC 20580
Re: COPPA Rule Review, 16 CFR Part 312, Project No. P-104503
The undersigned privacy and consumer organizations write today to applaud the Federal TradeCommission (FTC) for updating the privacy safeguards in the Children’s Online PrivacyProtection Act (COPPA) rule by expanding the definition of personal information, limiting the duration information is retained, and improving the mechanisms for protecting this personal information. We urge the Commission not only to implement these safeguards as part of any final rulemaking but also to seek opportunities to go beyond young people and push, through Commission reports and use of the Commission’s authority under section 5, to apply these privacy protections to internet users of all ages.
Information collection online has become a robust ecosystem where marketers and others gather,link, and store information on consumers, both children and adults, for a variety of purposes. A detailed picture of consumer habits and behaviors emerges from these efforts. A third partycreates and holds a detailed dossier of an individual consumer’s interests, reading habits, friendsand family, financial status, health information, religious and political affiliation. Such a dossierexists largely outside a consumers control and knowledge.
As the FTC rightly recognizes, two identifiers play a key role in the information collectionprocess. Internet Protocol (IP) information (derived from internet addressing and routinginformation) and persistent cookies (a unique identifier assigned by the website) create a directlink between individuals and their online activities. IP addresses and cookies have the sameutility as a name, postal address or social security number in identifying users. These internet identifiers assist in ascertaining the websites consumers visit, in tracking consumer movementsacross the internet, and in collecting private and often sensitive information such as personalinterests, banks, and online accounts. By recognizing the role that these two identifiers play inidentifying consumers online, the Commission is taking the first step toward allowing consumers to regain control over their online information.
We approve also of the provision in the proposed rule including geo-location information withinthe definition of personal information to be protected. The FTC’s inclusion of geo-location information is an important recognition of the growing breadth and scope of consumer data. Location enabled devices, including cell phones and laptops, and data derived from them, suchas geo-tagged photos and logs of individual movements from location based services, arebecoming ubiquitous. Such devices and data provide not only the ability to identify individualsbut also a wealth of new information about them.
The proposed rule correctly identifies a third area, a data retention standard, which requires broader protections. For the first time the Commission has proposed a COPPA requirement tohold personal information no longer than reasonably necessary to fulfill the purpose for which itwas collected. Deleted information cannot be lost, misused or otherwise harm an individual. This axiomatic fact is why data retention limits are a core privacy value and why it is soimportant that they be part of not only COPPA but any privacy protection regime.
The proposed rule also updates the controls and protections governing consumer personalinformation. The new COPPA safe harbor process would now require any party seeking to use asafe harbor to provide evidence of its ability to enforce compliance, a full text of all compliancerequirements, and the provision of independent compliance audits. Website operators would alsohave to assure consumers that if the operators share information with third parties, the third parties would take reasonable measures to protect the confidentially and security of consumerinformation. Such requirements help assure that any safe harbor provides not just theoreticalprotection for consumers but actual, enforced safeguards for their personal information.
We applaud the Commission for these proposed improvements to COPPA and urge the FTC toinclude them in the final rule and, to the greatest extent possible, expand these protections toevery American.
American Civil Liberties Union
Center For Digital Democracy
Center for Financial Privacy and Human Rights
Common Sense Media
Consumer Federation of America
Electronic Privacy Information Center
Privacy Journal, Robert Ellis Smith, Publisher
Privacy Rights Clearinghouse
Privacy Rights Now Coalition, Remar Sutton, Founder
the FoolProof Initiative
U.S. Public Policy Council of the Association for Computing Machinery (USACM)
World Privacy Forum