New Do-Not-Track Bills Target Online Behavioral Marketing and Mobile Apps
Two new “do-not-track” privacy bills would impose new restraints on online tracking, behavioral marketing, and the use of mobile application and geolocation data. Rep. Markey introduced his discussion draft with his co-chairman of the House privacy caucus, Rep. Barton. Their “Do Not Track Kids Online” bill would build on the current Child Online Privacy Protection Act (COPPA), which requires parental consent for collecting and using personal information online from children under 13.
Using the political hook of protecting children, the bill proposes to convert COPPA into a framework extending to online and mobile apps, and to tracking and marketing to all those under 18—in the process imposing age verification requirements and other processes that may redefine the apps and mobile experience for all users. Sen. Rockefeller’s version, the “Do Not Track Online Act of 2011,” would simply grant the Federal Trade Commission (FTC) the power to define and adopt the comprehensive do-not-track regime the FTC recommended in December 2010 (which we discussed in detail earlier).
Markey/Barton “Do Not Track Kids Act of 2011”
Since 1998, COPPA has required commercial websites and online services to obtain parental consent when collecting personal information online from children under 13 if the sites or services are “directed at” children or the operators have “actual knowledge” that the user is under 13. Rep. Markey’s bill uses this as the hook for dramatically expanding the reach and effect of COPPA.
- COPPA’s basic parental consent requirements remain for sites and services directed at children under 13, but would be expanded to cover commercial online apps and mobile apps directed to children, and would increase requirements for notice and security. It is left to the FTC to define what makes services or apps “directed to” children.
- COPPA’s current reach to include email addresses as personal information would be further expanded to cover any identifier (such as an IP address) that can reach a device. This lays the groundwork for other privacy requirements applicable to behavioral marketing.
- The bill would prohibit websites, online services, online apps and mobile apps from compiling, using or sharing personal information on users under 18 for targeted marketing if the site, service or app is “directed at” those under 18 or the operator has “actual knowledge” that the user is under 18. As drafted, there is no exception for opt-in consent. Details are left to the FTC. It is likely that the more age-verification constraints are placed on what would otherwise be anonymous browsing by teens and adults, the more such rules will face the kinds of free speech attacks that caused the earlier Communications Decency Act to fail in the courts.
- The bill would require websites, online services, online apps and mobile apps to obtain opt-in for the collection, use and disclosure of “geolocation” information on users under 18. Prior verifiable parental consent would be required on behalf of a child. Exceptions and safe harbors from federal and state claims are provided for the needs of law enforcement.
- With respect to minors, the bill requires operators to adopt and implement a “Digital Marketing Bill of Rights for Teens” that incorporates the Commerce Department’s “Fair Information Practices Principles” of transparency, individual consent, rights of access and correction, purpose specification and use limitations, data minimization with retention limits, accuracy and security, accountability, training, and auditing. We previously detailed the Commerce Report here.
- Going beyond the Commerce Report, the bill would require operators to implement (to the extent “technologically feasible”) an erase “button” that wipes out all content about a child or minor that is publicly available on an operator’s website, service or application.
Rockefeller’s “Do-Not-Track Online Act of 2011”
Sen. Rockefeller’s bill (S.913) only provides a general framework for a “do-not-track” mechanism for commercial and noncommercial online and mobile services, directing the FTC to promulgate rules in a year and report back to Congress after a year of operation. The bill anticipates that a provider may collect and use personal information as necessary to provide a service requested by the individual if the information is anonymized or deleted after the service is rendered. Additionally, a provider may collect and use personal information if the individual is given “clear, conspicuous, and accurate notice” and provides his or her affirmative consent to such collection and use. The FTC is constrained only by directives to take into consideration factors such as the technical feasibility and costs of implementing such a mechanism, what mechanisms exist today, and “whether and how” anonymous information may be used.
Enforcement
Both bills look to the FTC as the primary enforcement agency, with the Markey bill explicitly removing the FTC’s current exception for telecommunications carriers. State Attorneys General may also prosecute unless the FTC is pursuing relief. No private right of action is provided under the bills, but they are largely silent on preempting any other causes of action, with small exceptions for disclosures to law enforcement and some minor reiteration in the Markey bill that current CPNI and cable privacy rules will be trumped by do-not-track rules. Both bills permit recovery of damages, restitution and other compensation by the state Attorneys General. The Rockefeller bill also includes civil penalties capped at $16,000 per day and $15 million in total, whereas the Markey bill includes no such caps. Under the Markey bill, other federal agencies would still be entitled to enforce COPPA with respect to their regulated companies, such as federal banking agencies with respect to depository institutions.