US boosts child online privacy law, but Facebook gets off the hook

US federal regulators have tightened legislation designed to safeguard children’s online privacy. The new laws are designed to give parents more control over what types of data is collected online, and reflect the growing importance and spread of smartphone technology. However, Facebook, one of the biggest online advertisers around, appears to have lobbied its way out of responsibility.

The new regulations cover a number of innovations such as voice recognition technology, GPS and targeted online advertising. The 1998 Children’s Online Privacy Protection Act remains in place, requiring companies to obtain parental permission before sharing or collecting any personal data from under 13 year olds.

The new rules basically expand the types of data to include location, photos and video and expand the list of service types that the act covers. They also dictate a new and “streamlined” approval process for getting parental consent and close a loophole that allowed child-focused apps and sites to permit third parties to collect personal information without consent. Third party ad companies must also comply with the new rules.

“The Commission takes seriously its mandate to protect children’s online privacy in this ever-changing technological landscape,” said FTC Chairman Jon Leibowitz. “I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities.”

Third party consent

However the FTC’s own opinion on its new child protection rules doesn’t quite match up to the reality of the new laws. Due to heavy lobbying from the likes of Facebook, Disney and other companies with a vested interest in preventing data protection controls, the FTCs regulations have been watered down.

The FTC originally wanted to pin the responsibility of seeking this consent with the services themselves, rather than third parties, such as ad networks and tracking companies. However, after successful lobbying by Facebook and Verizon among others, such services will only be liable if it can be proved they have “actual knowledge” of third party sites collecting information on children. Furthermore, app stores, such as Google Play and the iOS App Store will not be liable for the child protection practices of any apps sold.

Facebook’s escape

While the above amendments are somewhat understandable, Facebook in particular appears to have been given a convenient loophole by the FTC to continue marketing at children without any parental consent. As The Atlantic points out, the new rules plainly state that no parental permission is needed “for the sole purpose of supporting the website or online service’s internal operations, such as contextual advertising, frequency capping, legal compliance, site analysis and network communications.”

For Facebook “contextual advertising” is basically ads that are tailored to users based on what shows-up in your News Feed. So if you post a status update about Rhianna or Lady Gaga, you may get an ad for the relevant pop star’s Facebook page. This is essentially giving the Facebook the ability to create ad profiles on children through the backdoor. Of course, Facebook knows exactly what it’s doing here, as back in September it specifically requested the FTC omit so called “internal advertising” from its new rules.

“The Commission should make that understanding explicit in the COPPA Rule by expressly including first-party advertising under the “internal operations” rubric,” said Facebook. This clarification further supports the balance created between the Significant demand for free, advertising-supported services, and the expected tailoring of those services.”

So all it takes is a bit of lobbying power to escape FTC regulations. Facebook is one of the biggest and fastest growing advertising networks out there and is becoming increasingly embedded in the very mobile technology the FTC wants better regulated - so it seems hamfisted to create a bunch of new laws that largely ignores it. If parents want to opt their kids out of Facebook ads, they’ll probably need to opt out of Facebook altogether.

Comments icon
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to
Tags: Privacy

Most people don't need a commercial VPN to work from home securely

Posted on April 7, 2020 by Nick Pestell

Many small businesses and their employees are concerned about the security of their data whilst working from home during the coronavirus pandemic. We see a lot of confusion surrounding this topic, even from fairly technical folk and there is unfortunately a lot of misinformation being spread by commercial VPN providers themselves.

You can't always get what you want: the eternal conflict between lawful access and privacy

Posted on April 19, 2018 by mirimir

In late March, the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) took effect. And predictably, the US Supreme Court just dismissed United States v. Microsoft Corp. In that case, Microsoft was fighting a subpoena for data stored in an Irish data center.

Protect yourself today and get peace of mind

Shut out hackers, identity thieves and the global government surveillance apparatus — every time you go online.