New Child Protection Rules Create A Retail Catch-22

A few days before Christmas, the U.S. Federal Trade Commission (FTC) approved major changes to its online child protection rules, including adding geolocation data, IP address and mobile device ID to the information that can't be recorded from a site visitor who is younger than 13 years old.

The problem for retail chains is the vagueness of definitions for sites aimed at children. Is the toy section of such a site? What about games at Then there's the Catch-22 of asking ages online. If you ask, you'll be required to segregate the data from anyone in that age group and handle it—no pun intended—with kid gloves. (No pun intended. That was a play on words, not a pun.) And if you don't ask, you have the perfect defense that you didn't knowingly collect data from under-age shoppers without parental consent. Did the FTC really intend to encourage what Legal Columnist Mark Rasch calls the Sgt. Schultz Defense?

The changes would also make photos, video and audio related to children younger than 13 no longer collectable without parental consent, according to the Children’s Online Privacy Protection Act (COPPA). Indeed, all COPPA restrictions speak to parental consent. If the site gets that consent (and how it gets that consent is even more complicated), then it has carte blanche to store that information for under-age shoppers and use it as it sees fit. The changes also, in the words of the FTC, "closed a loophole" that permitted third parties to collect that child's information on retailers' behalf.

Concerns about how COPPA impacts retailers that are not primarily focused on children younger than 13 is nothing new. And updating rules to acknowledge 21st Century technology is a move to be applauded. But the restrictions on mobile tracking, and especially IP addresses, is potentially problematic.

FTC Chairman Jon Leibowitz's comments about the rule changes make it clear that the FTC is envisioning CRM profiles, in addition to standard Web analysis tools that aggregate all information about site visitors and can often identify many of them.

"We also extend the rule to cover persistent identifiers like IP addresses and mobile device IDs, which could be used to build massive profiles of children by behavioral marketers," Leibowitz said. "The only limit we place is on behavioral advertising and, in this regard, our rule is simple, effective, and straightforward: until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising purposes. Period."

The term "behavioral advertising purposes" is interesting. Is it strictly limited to a traditional ad on a site for something else, such as an ad for a toy truck on a comedy TV show's Web site? Or would it include's description of a product it's selling right there on the site?

As a practical matter, how is a site to differentiate a young person's IP address?The FTC offered this clarification, with the intent of making the rules easier for retailers: "No parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service's internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis, and network communications. Without parental consent, such information may never be used or disclosed to contact a specific individual, including through behavioral advertising, to amass a profile on a specific individual, or for any other purpose."

That was helpful as a clarification, until the end, when it added "or for any other purpose." Retail analytics today use IP addresses and other related data for a wide range of functions, and that list is likely to expand in the near future. Again, if the government wants to impose restrictions on traffic associated with a younger person, sites need a way to determine that.

As a practical matter, asking the shopper is the only viable approach, despite the fact that it's about as reliable an age-verification mechanism as a cocktail waitress asking someone who looks 17 but claims to be 21, "Really? Are you sure?"

How is a site supposed to get parental consent, assuming it opts to find out if anyone will fess up to being under-age? The FTC proposes a wide range of options ("electronic scans of signed parental consent forms, video-conferencing, use of government-issued identification"), but one of the choices is to have retailers leverage existing online payment systems.

This raises more issues. Aside from the fact that PCI assessors (not to mention Visa, MasterCard, American Express and other card brands) won't be too thrilled about sites asking for full payment-card data for something other than processing a legitimate charge. And to then retain that data? For an agency that is trying to strengthen shopper privacy, the FTC sure has a funny way of going about it.

Beyond the PCI-related issues, how about accidental security issues? Giving full credentials to a retail site is just begging for an accidental charge. It's unclear why a shopper would want to do that, and it's even less clear why a retailer would embrace such a practice.

This is unwise even in a more narrow scenario. Let's say that payment cards are used to authenticate parents or guardians (for the purpose of allowing tracking data to be stored for their child) only when the parent happens to be making a legitimate purchase on the site anyway. ("Hey, parents! Today's KMart Special: Give us permission to use your kid's Web activity history and we'll give you 40 percent off the plush stuffed animal of your choice. Click here to approve both.")

Even in that situation, it's still using payment data for something beyond payment, which is a truly bad idea.