This week, the Federal Trade Commission awarded itself a holiday gift: more regulation of the Internet.
Under the Children’s Online Privacy Protection Act, a 1998 law designed to insulate children from marketing, It Takes a Village-style, the FTC found that it gets to regulate more intensively and confusingly.
The regulation is a mostly unremarkable expansion of authority. Like any political actor would do, the FTC followed the path of least resistance, avoiding raising the hackles of any major player in the marketplace. (Regulation tends to advance the way spilled paint spreads on cobblestone.) Of course, there are few major players in the marketplace because COPPA has increased the cost of serving entertaining and educational content to children since the Internet’s earliest days. The Association for Competitive Technology got it right in a release calling COPPA “improved for big companies, not for education startups.”
One interesting point about the new regulation is not political, though. It’s legal. The agency arguably overstepped the authority Congress gave it.
FTC Commissioner Maureen Ohlhausen explains:
The statute provides, “It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed [by the FTC].” … [T]he amendments add a new proviso to the definition of operator in the COPPA Rule: “Personal information is collected or maintained on behalf of an operator when: (a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such website or online service.” The proposed amendments construe the term “on whose behalf such information is collected and maintained” to reach child-directed websites or services that merely derive from a third-party plug-in some kind of benefit, which may well be unrelated to the collection and use of children’s information (e.g., content, functionality, or advertising revenue).
In other words, if a Web site directed at children uses third-party plug-ins to enhance its functionality, analytical capability, and such, and if the plug-in collects information, then the Web site operator is responsible as if it were collecting the information. The result? Web sites aimed at children will avoid using third-party technology to enhance the experience of kids.
Commissioner Ohlhausen: “I find that this proviso—which would extend COPPA obligations to entities that do not collect personal information from children or have access to or control of such information collected by a third-party—does not comport with the plain meaning of the statutory definition of an operator in COPPA.”