With Fed Child Rules Moving In-Store Via Mobile, How Will You Know Who's A Child?

As federal authorities are preparing in 2013 to significantly update the the Children’s Online Privacy Protection Act (COPPA), one likely area will involve taking jurisdiction over all mobile interactions, including those in-store. This will finally address what had been a retail marketing loophole, where tracking nine-year-olds online is prohibited but the identical conduct in a store's aisles is permitted.

This puts retailers in an awkward position. As malls and stores track mobile device activity, retailers will likely have no idea the age of the shoppers associated with phones and tablets unless they ask—which is exactly what COPPA is intended to prevent.

The prospect of such an in-store child CRM program was raised last month at a financial analyst meeting by the CEO of JCPenney, whose people quickly backpedaled from the idea. Although mobile restrictions would certainly not close this loophole, much of the youth CRM and related marketing efforts do involve quite a bit of mobile.

This came up as the U.S. Federal Trade Commission (FTC) released a report on Monday (Dec. 10) that found many child-focused applications that said they had no ads, interactive features and pledged to not share the child's information with third-parties without parental consent, you guessed it, often did all three.

"Many of the apps shared certain information—such as device ID, geolocation, or phone number—with third parties without disclosing that fact to parents," the report said.

One of the problems that laws have had with technology restrictions is that lawmakers—and sometimes even regulators—are often behind the curve. How would it be classified, for example, when a mobile phone is not using the Internet? Perhaps it's communicating solely through a retailer's Wi-Fi, restricted to that store's LAN. Would that change matters?

Let's take it one step further. What if the phone is in airplane mode and has Wi-Fi disconnected? And what if the phone is being used as a beacon, as a customer identifier, in some other way? Perhaps an app is listening for an audio signal sent from store music speakers, as Macy's has done. Or what if the app uses store-and-forward to capture information without connecting to any wireless source, as ShopKick has done?

One of the impressive things about federal consumer protections—especially for children—is that enforcement is rarely based directly on what was done, but a side issue. A site that steals shoppers' money wouldn't be charged with theft, but instead with deceptive trade practices because the site's operators didn't inform shoppers that they were thieves.The rules allowing FTC prosecutions for unfair or deceptive trade practices allow for a wide range of infractions, not dissimilar to how the FBI will use postal fraud, racketeering or tax evasion to pursue organized crime assassins.

Deceptive trade practices rules "always provide that baseline level of protection," said Manas Mohapatra, the FTC's director of mobile policy within its mobile technology unit. It's necessary because the United States doesn't have many direct privacy laws. "The fact is that there is no general baseline privacy legislation" that Congress has ever approved, Mohapatra said.

COPPA's protections are for children younger then 13. Some vendors have made a habit of tracking purchases and online activities of children much younger than that, but they're not supposed to record the data. Many still do, though, although it's typically done in aggregate for distribution to clients and third-parties. Some have even raised the possibility of selling that information individually once the children "age out" to 13 because they are no longer protected. That way, retailers and manufacturers could have full preference histories of these new teen-age shoppers.

The changes to the law will likely include a blanket declaration that any "geolocation data constitutes personal information" along with a phone's unique identifiers, Mohapatra said. As marketers are unlikely to come out and say that a shopper's movements are being tracked, that's how the feds plan on making their civil charges, based less on the tracking and more on the fact that the tracking wasn't disclosed.

"It will really all depend on the promises made to the consumers," he said.

These changes will put retailers in an awkward position. Clearly, the advice would be to not track children and especially those younger than 13, but that may be a lot more difficult to do in practice. As malls and stores track mobile device activity, it will be common to have no idea the age of the shoppers associated with those devices.

To make matters more complicated, younger and younger kids are being given smartphones and other mobile devices. The days when a seven-year-old walking around a mall with his own iPad would be absurd are gone. (As a parent, I can still consider it absurd, but absurd is not a synonym for rare.)

In effect, retailers may be tracking children without any awareness that they are tracking children. In federal civil cases, mens rea—the so-called criminal intent—is often not needed. If a retailer engages in a prohibited act, it will be of little defense help that the retailer didn't know it at the time.

Ironically, one way to deal with this is to ask shoppers how old they are, which is precisely the kind of personal data collection that these programs are designed to discourage. If no information about age is gathered, the only safe route is to halt any mobile tracking—which is clearly not going to happen.