Editor's note: This article appeared in the October 22, 2012, edition of Quirk's e-newsletter.  

 

Recent estimates have placed children's buying power and purchase influence in the tens of billions of dollars. Given that number, it's no surprise that many marketers and advertisers are clamoring for their piece of the pie. However, with rapid technological advancements in online marketing via targeted advertising and behavioral profiling, watchdog groups have voiced concerns about protecting children from invasive marketing practices and shielding them from the data-gathering techniques that allow marketers to profile and target users on the Web.

 

Leading the charge in defense of a child's right to privacy online is the U.S. government, as the Federal Trade Commission (FTC) has proposed changes to its Children's Online Privacy Protection Act that "could greatly increase the need for children's sites to obtain parental permission for some practices that are now popular - like using cookies to track users' activities around the Web over time," according to Natasha Singer's September 27th article, "U.S. Is Tightening Web Privacy Rule to Shield Young," in The New York Times.

 

These new developments have the potential to be game-changers for marketers trying to reach the 13-and-under crowd. To better understand the implications of the FTC's proposed action, we spoke with Ray Everett, director of privacy services, at Keynote, a San Mateo, Calif., online monitoring software company.

 

What do you foresee the rule changes being? How big of a change will they be?

 

To start, the Federal Trade Commission issued the rules that they're talking about now originally back in 2000. They issued these rules implementing the Children's Online Privacy Protection Act and it marked a big change for how Web sites dealt with online interactions with children. It really changed the way that the industry approached information-gathering from children and created requirements around building outreach and communication to parents to get verifiable consent from parents for the gathering of information from children. This proposed change, while it's still in a proposal stage, has been highlighted by the FTC as being something that they're quite seriously considering and it would essentially extend the permission requirements beyond just the Web site publishers to the ad networks that display targeted advertising on kid-oriented Web sites.

 

This would be a dramatic and potentially devastating change for those behavioral targeting networks that have built up profiles of children. These advertising networks typically place their ads on multiple Web sites and then, using cookies, can track the interactions of Web site visitors across those and within those sites. So for example, you can begin to build a database of information about what types of interactions certain users have with the site - things that they're interested in, games that they've played, people they've communicated with, et cetera. And while Web site operators have, for more than a decade, been required to get parental consent to collect and utilize that information for marketing purposes, the advertisers appearing on those Web sites or using similar tracking and targeting techniques to target advertisements to children across the Web have not previously had to consider getting consent or consider limiting their tracking in the absence of consent.

 

So by firing this shot across the bow of the industry, the FTC has made it quite clear that they are concerned that advertising networks are building detailed knowledge about users in ways that previously only Web site publishers had been. And the FTC is looking at treating those ad networks just the same as publishers because their impact on children's privacy is very similar.

 

How should companies that market to kids react to or prepare for the changes?

 

For Web site publishers, they operated over the last decade with different permission levels required for different types of data-gathering. For example, many children's Web sites gather no personally-identifiable information from children and that creates the least regulatory burden for them. Essentially, if you're not collecting any personally-identifiable information from children you're not required to obtain consent. For those Web sites that have more complex interactions, say more social networking-type capabilities, as children get deeper into the site they have increased requirements around notifying parents and obtaining consent before accessing certain features.

 

That kind of approach is probably how a lot of behavioral ad targeting is going to have to operate. For example, for ads appearing on pages of a site that are available to a general audience without any more information being gathered - that is, very anonymous levels of data - the requirements for consent would be likely reduced and therefore advertisers would not be required to obtain consent. As you push deeper into a site, you might have heightened levels of tracking and data-gathering and cross-matching of the data with other data sources to build a more detailed behavioral profile for a particular visitor. In those cases, you would expect to have some sort of heightened permission requirements and consent mechanism for that to occur.

 

In many cases, Web sites have taken various approaches to getting this consent and have developed layers of interaction that are triggered by the consent requirements and the amount of consent that they can get. The advertisers appearing on those pages could essentially piggyback on those capabilities for obtaining consent. It's just adding a layer of complexity that, previously, advertisers have not had to deal with. But it's already something that publishers are familiar with so piggybacking on it may not be as onerous as it could be.

 

How can the consent obtained be verified beyond the typical method of "Please enter your birthdate," which has no safeguard in place?

 

This has been an ongoing problem since the beginning of the Children's Online Privacy Protection Act back in the late '90s. How do you obtain consent? How do you verify that consent is actually a parent or guardian? And how do you deal with the problem of precocious children who will quickly learn how to put in a fake age or set up a separate e-mail account that they can pretend to be their own parent through? These sorts of challenges have faced the industry since the outset and every site has approached these questions differently. In many cases, they will have systems in place where they require some sort of credit card that must be entered - not to pay for something but to verify that you indeed have a credit card. The assumption is that a 10-year-old child might not have access to a credit card so a parent providing a credit card number that can be checked as accurate would be a good test. Although, the credit card companies really hate being the keeper of age verification. They don't like the idea of that and have said, essentially, don't pin that responsibility on their industry.

 

There have been other approaches and efforts. For example, there are some companies that allow parents to create profiles and then to give children codes and things like that that they can plug into the Web sites to confirm that they've given some sort of consent. Or they'll have a system whereby e-mail addresses get registered as belonging to children and correlated with the parent's address. Different systems have been developed - some more successful than others, some more convoluted than others. But at the end of the day, it's very difficult for a Web site publisher to have 100-percent certainty that the person visiting their site is not under the age of 13 and that they aren't engaged in some sort of deception around their age or level of consent from a parent.

 

Ultimately, it's the responsibility of a Web site publisher to take reasonable steps to implement a consent-management program and to be aware of the risks and potential shortcuts or tricks that their system might be susceptible to. They will need to have in place some method of verifying or auditing their own compliance activities so they have a reasonable basis on which to tell regulators, "We've made our best efforts." Part of those efforts are audits, monitoring their systems and being aware of the kinds of relationships they have with their data vendors and advertisers so they know that all parts of their ecosystem are moving in lockstep with their stated privacy promises.

 

Do you suspect that violations occur by accident or is it another example of technology racing ahead of government's ability to regulate?

 

I've seen very few Web sites that really actively go out looking to violate the law. I think it's really that opportunities arise, business models appear and organizations move quickly to take advantage of market opportunities without fully realizing the legal consequences of some of the approaches they take. There is also, in some cases, maybe not the greatest appreciation for how vigorous the Federal Trade Commission can be in enforcing these rules.

 

The assumption is that Web sites will fix these problems as they go and as they grow. And as these sites enjoy explosive growth in their particular market segments, sometimes their efforts at crossing the Ts and dotting the Is don't always keep pace with the growth that they see. I feel like, in many respects, the Web sites get ahead of themselves and get into trouble more quickly and more deeply than they realize. Having worked with a lot of startups over the last decade or so, I've seen many situations where people are just trying to create sites or develop services that are taking advantage of a market opportunity and they move very quickly and figure that they will clean up the mess as they go. Quite often, they can't do that before they're held accountable.

 

I think the FTC has undertaken this process of rule-making in a very deliberate and open fashion, in which they have given ample opportunity for the industry to provide feedback and to point out pitfalls and downsides to certain regulatory approaches. They have tried to craft solutions that reasonable Web site publishers can comply with. There are some times when technology outpaces the word or the letter of the regulation but in my experience, the Federal Trade Commission has always built enough wiggle room into the regulations that they can adapt to new situations and interpret them in new ways. The FTC does have a history of expanding its reach slowly so we tend to see more violations or problems before it adjusts its rules to adapt, rather than overshooting the mark and in some way artificially constraining the market. I think in this case it's not so much regulation can't keep up, it's that the FTC has done a pretty good job over the years of creating rules that don't overreach. But when they do reach, it's on the basis of a lot of thought, input and feedback from the industry.

 

How will the FTC continue to define a "Web site or online service directed to children?" Will the targeting data still be collected on children surfing adult sites?

 

The regulations are pretty broadly written, such that there's room for the Federal Trade Commission to make individual judgments on organizations as to whether they would be deemed to be targeted to children. There are certain audience percentages but also components that are factored into an assessment of whether it's a child-oriented site based upon the content, the language and what a reasonable person would feel as to whether it was targeted toward children.

 

There's very much a you-know-it-when-you-see-it component but the FTC has given a number of guidelines and there are some great resources on the FTC Web site that help determine if you are likely to be deemed a child-oriented site. Ultimately, it comes down to whether you have knowledge, or should have knowledge, that the folks coming to your site are falling into that category of 13 and under.

 

How can advertisers still reach children and provide them with relevant content without violating the laws?

 

That's going to be the major question that the industry's going to have to answer if these rules are put in place. There are a number of different approaches that behavioral targeters have taken over the years to be able to identify and reach out to certain audiences and those techniques can be adapted, essentially, to scenarios where you're restricted in the amount of information you can gather. The ad industry has been able to target based upon incomplete information and sometimes that incomplete information has been because it wasn't available. In this case, you might see a situation in which the information is available but you're specifically choosing not to use it because you lack permission.

 

While you may have access to certain targeting information, Web sites may be required not to utilize the information because they don't have the appropriate levels of consent so they'll fall back on the tried-and-true approaches of data interpretation and interpolation of interests or target audiences based upon what information is available. They will focus their behavioral targeting on what information they can actually use and will have to make choices about what they want to use to maintain compliance.

 

What is a good mind-set to have as a brand manager or marketer working with children going forward?

 

The best mind-set is how to engage both children and their parents in a way that encourages parents to participate in the process of their children's interactions online and thereby be available to give consent. A lot of these problems go away when you have marketing efforts that make consent a moot issue because the parents are deeply involved and engaged and excited about their children's participation. You think of circumstances in which the parent is engaged, it's not going to be difficult to get consent if the parents is enthused about their child's interaction with something.

 

As a whole, do you feel like we are becoming more or less private as a society? On the one hand, we want data security. On the other, people are sharing more and more personal information via social media than ever before. How are marketers - and the FTC - supposed to reconcile that?

 

That's been the paradox of consumer privacy since the earliest days in which Internet privacy became a concern. People have seen the benefits and opportunities created by better ad targeting and better personalization. If you think to how people react offline as well, people want the benefits of personalization and processes that are more frictionless because information is shared freely. For example, people may be creeped out by the idea of someone following them around but are equally as incensed if they don't get their bonus points or frequent flier miles automatically, without lifting a finger.

 

So the paradox here has been recognized and continues to frustrate, in that the opportunities to share more information are constantly increasing and the benefits from sharing that information are real and tangible and create incredible market opportunities. At the same time, the moment someone oversteps those bounds, the backlash and the complaints about invasion of privacy can be equally devastating to a brand or marketing effort. It's a constant push and pull that requires marketers and brand managers to be extremely vigilant about what they're doing and how consumers might perceive those efforts. Key to that is to keep a very watchful eye on one's own marketing activities and the activities of marketing partners and advertising partners so that those expectations of consumers can be properly set and measured against the real experiences of those consumers.