This week, the Federal Trade Commission awarded itself a holiday gift: more regulation of the Internet.
Under the Children's Online Privacy Protection Act, a 1998 law designed to insulate children from marketing, It Takes a Village-style, the FTC found that it gets to regulate more intensively and confusingly.
The regulation is a mostly unremarkable expansion of authority. Like any political actor would do, the FTC followed the path of least resistance, avoiding raising the hackles of any major player in the marketplace. (Regulation tends to advance the way spilled paint spreads on cobblestone.) Of course, there are few major players in the marketplace because COPPA has increased the cost of serving entertaining and educational content to children since the Internet's earliest days. The Association for Competitive Technology got it right in a release calling COPPA "improved for big companies, not for education startups."
One interesting point about the new regulation is not political, though. It's legal. The agency arguably overstepped the authority Congress gave it.
FTC Commissioner Maureen Ohlhausen explains:
The statute provides, "It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed [by the FTC]." ... [T]he amendments add a new proviso to the definition of operator in the COPPA Rule: "Personal information is collected or maintained on behalf of an operator when: (a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such website or online service." The proposed amendments construe the term "on whose behalf such information is collected and maintained" to reach child-directed websites or services that merely derive from a third-party plug-in some kind of benefit, which may well be unrelated to the collection and use of children's information (e.g., content, functionality, or advertising revenue).
In other words, if a Web site directed at children uses third-party plug-ins to enhance its functionality, analytical capability, and such, and if the plug-in collects information, then the Web site operator is responsible as if it were collecting the information. The result? Web sites aimed at children will avoid using third-party technology to enhance the experience of kids.
Commissioner Ohlhausen: "I find that this proviso—which would extend COPPA obligations to entities that do not collect personal information from children or have access to or control of such information collected by a third-party—does not comport with the plain meaning of the statutory definition of an operator in COPPA."
In a case called Chevron v. NRDC, the Supreme Court said that administrative agencies are entitled to a certain amount of deference when they interpret the statutes they are charged with enforcing. The FTC would certainly argue that the language is ambiguous and that it should get to decide the meaning. But what ambiguity in the definition of web site "operator" allows operators to be liable under COPPA for the data collection of others?
For the record, here's the entire definition:
The term "operator"--
(A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce--
(i) among the several States or with 1 or more foreign nations;
(ii) in any territory of the United States or in the District of Columbia, or between any such territory and--
(I) another such territory; or
(II) any State or foreign nation; or
(iii) between the District of Columbia and any State, territory, or foreign nation; but
(B) does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45).
Congress wrote a law about Web sites. The workings of the Web/Internet ecosystem have changed, and the FTC now wants to stretch the law so as to continue hampering children's access to entertaining and educational content, in the name of "privacy."
Sterling Internet law professor Eric Goldman calls the new rules "a big mess." Part of the reason is because of Chevron, which undercuts the rule of law by letting agencies adopt strained interpretations of their statutes. Maybe a challenge to the new COPPA rules will rein in the FTC and Chevron. A Cato brief to the Supreme Court in City of Arlington v. FCC, filed last month, argues for limits on deference to administrative agencies.