Posted on May 9th, 2011 at 1:55 pm by Cari Birkner
A new bi-partisan bill was released in the U.S. House that expands well beyond the 1998 Children’s Online Privacy Protection Act. Aiming to protect the information of those under eighteen, the draft bill seeks to prevent marketers from gathering and storing info on minors without parental consent, in addition to providing parents with a method of removing personal info that’s ‘already out there’. It’s been described as a giant eraser button to get rid of data ‘when technologically feasible’.
The bill specifies that personal information collected on minors cannot be used or shared with third parties for “targeted marketing purposes”. In addition, it requires companies that collect the info to disclose to consumers what type of personal info is being collected and how it’s being used and shared.
Another part of the bill proposes a “Digital Marketing Bill of Rights for Teens” which would limit data collection including geolocation targeting. While there are few who would argue against protecting the privacy of minors, one might respectfully question the potential effectiveness or enforceability of this legislation. Here are a few questions that come to mind:
How will marketers prove the age of online users?
It seems simple enough on the surface. Most lead forms include a ‘Date of Birth’ field already. In this scenario, advertisers could segment the data out based on birth date. However, I’d venture to guess the average teen/child can get around a check box or a DOB field if they truly want to register or view content. The only way to prevent this is at the user level or browser level on a PC or mobile device. The onus of responsibility is ultimately with parents and how heavily they monitor and restrict their child’s online behavior.
What happens to the data once it is collected?
When a minor appears to register or sign up for an offer, marketers should theoretically refrain from targeting that data or tracking the end user behavior. However, the bill doesn’t state specifics on how to implement this across partnerships. Email marketers are required to maintain and share suppression files with partners. Data that comes from minors could be automatically suppressed in a similar way.
Of course, storing and sharing PII and user email addresses leaves room for abuse, unless the data is properly hashed or encrypted. Marketers may be able to securely maintain a universal opt-out file containing the encrypted information of minors and scrub their own lists against it. In addition, LashBack suggests seeding partner lists with underage user profiles to ensure compliance.
Arguably, this is the easiest portion of the legislation from an implementation level, as well as an enforcement perspective. It’s also the least effective in terms of real protection. There have been movements to write privacy policies and terms of service in plain, simple language that end users will understand.
These movements have yet to work because simplifying language leaves room for legal liability. Case in point: the terms of service for Apple iTunes are 56 pages long in an era where few have the attention span to read past Twitter’s 140 characters. Lawyers might read privacy policies. Users don’t.
Can the data be used for targeting on the prospect’s eighteenth birthday?
If marketers maintain do-not-track lists based on age, theoretically, information gathered would no longer be protected from targeting once the user is eighteen. At least with email, addresses don’t expire or change based on age. Records would have to expire from a do-not-track list based on DOB.
Does this thing stand any chance of passing?
The bill is still in the discussion phase, as Congress holds hearings on mobile privacy in the coming weeks. Like many legislative attempts to regulate online activity, ‘Do Not Track’ provokes questions, leaves gray areas when it comes to enforcement, and inspires creativity on the part of marketers.