Privacy Rule to Protect the Young

Week of 10/1 On-Call

Authors: Divya Anand, Wendy Xue, Sayantan Mukhopadhyay, Charles Wang, Jiun-Tang Huang

The New York Times article “U.S. Is Tightening Web Privacy Rule to Shield Young” reports that federal regulators are about to make big moves to protect children online. Children’s advocates claim that major corporations, app developers and data miners appear to be collecting information about the online activities of millions of young Internet users without their parents’ awareness. We study this issue by listing and discussing three questions with reference to the week-6 readings of IS205, centering on privacy and consumer protection approaches.

Are the companies following deceptive practices?

In considering whether the HappyMeal.com site is being deceptive, there are two main points we need to consider: (i) the perspective of ‘reasonableness’ and (ii) ‘materiality’, in terms of whether it affects a consumer’s decision to use the product or service.

We know that McDonald’s does not ask for parental consent when it asks children to fill in email IDs. The greatest point of concern here is that children are providing the email IDs of their friends, which means many of the email addresses were obtained without any form of consent from their owners. A lack of parental consent is a violation of the COPPA (Children’s Online Privacy Protection Act of 1998) guideline, which requires operators of children’s web sites to obtain parental consent before they collect personal information from children under 13. It is reasonable for children to believe that what they enter on a children’s website has no further implications. Children use the McDonald’s site to share their friends’ emails because they believe that this is how they share their online creations with friends. They have no access to privacy statements, nor do they know what will be done with the information they provide. If parents knew what McDonald’s was doing, they would definitely not want their children to access the McDonald’s website. However, due to a lack of information, parents could not prevent their children from visiting the site. Hence the second condition for deceptive practice is also fulfilled.

Given the two arguments above, it is clear that McDonald’s is being deceptive. In the FTC’s complaint against Google, we saw how the FTC determined that Google’s practice was deceptive because the company publicized Gmail users’ private information on Google Buzz without the users’ consent and did not disclose the privacy policy clearly and conspicuously. Similarly, McDonald’s did not disclose the fact that it requested children’s email IDs and used that information for other purposes, which included subscribing kids to a mailing list.

When dealing with children who definitely do not understand the implications of their online actions, the FTC has to step in to ensure that parental expectations of their children’s online privacy are not ignored.

Are the companies following unfair practices?

We may also argue that the steps taken by McDonald’s and some other companies to collect personal information about children under thirteen, without the consent of their parents, constitute an unfair action. Children are most likely not able to make informed decisions about the products and services they choose.

When Happymeal.com collects children’s email IDs, it is impossible for children to be fully aware of, let alone understand, the fact that email IDs are used for tracking their online footprint and could expose them to targeted marketing campaigns. They are also unaware that the information could be accessed publicly, thereby potentially exposing them to pedophiles. For example, a photo uploaded to Happymeal.com could give away information about where they live, how old they are, or which school they attend. Publicizing this type of information exposes these children and their families to possible crime near their geo-locations. The potential for physical harm to the children is rather high.

Apart from asking the children for their own details, Happymeal.com asked the children to give away information about their peers. This is highly unfair because children may not have the ability to comprehend the impact of breaching the privacy of their social group. On top of that, again, no parental consent was requested!

Are consents from children meaningful at all?

When parental permission is not required for older children, it is questionable whether the consent they give to privacy disclosures is meaningful. In the FTC’s complaint against Sears Holdings Management Corp regarding Sears’ online tracking software, the FTC argued that even when there is a clear and comprehensive privacy disclosure, like the one Sears had, consumers could still misunderstand the extent of the online activities being tracked by Sears. Therefore, the FTC deemed Sears’ practice deceptive. As of today, many popular websites for children, such as Disney.go.com, use tracking technologies to analyze children’s browsing behaviors. In light of the Sears example, if we assume privacy statements from the children’s websites are disclosed to children, we must question how many of them will actually be able to understand the terms and conditions, and how many of them will understand the implications of their activities being tracked. Additionally, children are more prone to give consent easily and carelessly if there are incentives, such as money or store credit, for signing up for a service using their email addresses. It is troubling to think that some companies may exploit this attribute and obtain private information from children for deceptive purposes.

Conclusion

In dealing with companies that breached consumers’ privacy, such as in the case where Facebook released users’ private information to third-party applications, as well as in the case where Google publicized Gmail users’ information on Google Buzz without the users’ consent, the FTC often ordered the companies to: (1) designate an employee to oversee the implementation of a privacy protection program; (2) conduct periodic risk assessments for privacy breaches; (3) explicitly and conspicuously ask for users’ consent before using covered information for purposes other than the purpose originally stated. In the case where children are the users, the FTC should scrutinize companies and ensure that children’s online privacy is protected, likely with even stricter processes and procedures.