Senator Ed Markey (D-Mass.) has introduced a bill to amend the Children’s Online Privacy Protection Act of 1998 to “extend, enhance, and revise the provisions relating to the collection, use and disclosure of personal information of children, to establish certain other protections for personal information of children and minors, and for other purposes.” In the Findings included in the Bill, the proponents note that a Wall Street Journal study (2010) found that websites directed to children and teens were more likely to use cookies and other tracking tools than sites directed to a general audience. The legislation is aimed at prohibiting “operators” (including mobile apps) from collecting personal information, including location data, from children ages fifteen and younger without that person’s permission (guardian permission already required under COPPA for minors 12 and under).
A Republican sponsor, Rep. Joe Barton (R-Tex.) says that “It is important that our teenagers receive protections. They are prone to mistakes; we need to make sure those mistakes aren’t exploited online.”
http://www.markey.senate.gov/documents/2013-11-14_Markey_DNTK.pd
Meanwhile, California also just passed the online “eraser” law. California SB 568 requires “the operator of an Internet Web site, online service, online application, or mobile application to permit a minor who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted”. The law kicks in on January 1st. It also prohibits websites from targeting minors with products like e-cigarettes and tattoos.
Despite the DNTK proposal, it remains that state legislatures and attorneys general continue to take the lead in privacy legislation and enforcement. See, http://www.nytimes.com/2013/10/31/technology/no-us-action-so-states-move-on-privacy-law.html
See also, State AGs Chuckle at Idea of Federal Breach Law: https://www.privacyassociation.org/publications/amidst_u.s._govt_shutdown_state_ags_chuckle_at_idea_of_federal_breach_law
And, in other California news, California also enacted AB370, its own “Do Not Track” law. The legislation requires owners of commercial websites and online service providers (again, “operators”) to conspicuously post a privacy policy, which policy must disclose the categories of personally identifiable information the operator collects and with whom the operator shares such information. The law also addresses Do-Not-Track (“DNT”) signals sent from browsers, in that it requires operators of websites and online services to notify users about how they handle DNT signals.
“Operators” include website operators, and per the CA AG, that would be software operators and mobile apps that transmit and collect PII online. The law does not prohibit commercial websites or online services from tracking and gathering personal information from its users – just addresses notice policies and procedures. In that regard it does not prompt an “opt in” option on the operator’s website or app – which would require a consumer/customer to affirmatively allow the operator to share PII. It is an update to CalOPPA (“California Online Privacy Protection Act of 2003”).
http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB370
And see also: The FTC has denied an application seeking approval of a proposed verifiable parental consent method submitted by AssertID, Inc., under COPPA.
In a letter to AssertID, the Commission noted that the company’s proposal failed to provide sufficient evidence that its method would meet the requirements set out under the rule. Specifically, the Commission noted that there was not yet adequate research or market testing to show the effectiveness of the AssertID “social-graph verification” method.
cyberpeg'd 