The FTC has release another wave of regulations that aim to stymie online advertisers’ ability to create a compelling experience for children. By expanding COPPA (Children’s Online Privacy Protection Act) to include limitations driven by persistent cookies, mobile device identifiers, IP addresses and geolocation data, the FTC has added a thick layer of ambiguity to an already poorly defined regulatory framework.
The first problem is that the regulatory parameters they’ve chosen such as cookies, device identifiers, etc. don’t identify a person, they identify a device. You can claim the device is tied to the person; sometimes yes, but more often no. Simplest example? We have multiple iPhones, iPad, Macs and PCs at our home, and everyone uses whichever one happens to be closest. Any device identifier or cookie data is going to reflect device use across a very diverse set of demographics (me, my wife, and my son), so claiming that device specific technology will tell the network exactly what I’m up to is an inherently flawed approach.
The second problem, which the FTC and the Privatistas over at the Center for Digital Democracy still don’t seem to understand, is that Behavioral Targeting is a science done at an aggregated level. Most of this technology is not about going after a very specific person (child or otherwise), its about targeting cohorts of common interest in order to minimize spam and create a compelling experience.
The notion of greedy advertisers drooling over kids as they traverse a network is the core driving element of what the CDD harps on, and is completely off point. Aggregate data in terms of how apps are being used is critical to developing a product roadmap that maps to market requirements, and anonymized cookies are designed to do exactly that.
The third issue is defining the scope of what is gathered and what is done with it. The idea of capturing my child’s name and location does make me feel incredibly uncomfortable, but that is an extreme of what this technology can deliver, and it is up to industry groups such as the IAB to self-police to the point that this sort of thing doesn’t happen. Or they can continue to play the defensive role (which they seem to be good at) and watch the scope of their capabilities continue to shrink.