Thursday, July 12, 2012

Proposed Amendments to the Protection of Privacy Law (1981)

Amendments to the Protection of Privacy Law (1981) have been proposed in the Knesset.

The new amendments will provide that:

  • acts done by parents or guardians that would otherwise be a breach of the privacy of a child will not be considered a breach if done for the benefit of the child;
  • "child" shall be defined as one up to and including 13 years of age;
  • someone who purposely breaches the privacy of a minor can be punished by up to 7 years in jail;
  • a person requesting information  from a child for inclusion in a database must first receive the consent of the child's parent or guardian;
  • direct mail may not be sent to a child without prior permission from a parent or guardian;
  • requesting information from a child or sending him direct mail without prior consent from a parent or guardian is punishable by up to 3 years in jail.
And an amendment to the Consumer Protection Law (1981) would prevent anyone from exploiting the age of a counterparty to a transaction.

I must say, I think the proposed jail terms seem a bit excessive especially when according to the notes to the proposed amendment convictions under the law do not require a showing of intent or negligence.


It is interesting that "child" is defined as up to and including 13 years old. First, that is the age of adulthood for boys in Jewish law. Second, Facebook does not allow anyone under the age of 13 to create an account but 13-year-olds are permitted. So under this law, Israeli teens will have a one year waiting period until they are Facebook legal.

The notes to the proposed amendment say that it is meant to be similar to the American Children's Online Privacy Protection Act (COPPA) which applies to the online collection of personal information from children under 13. The FTC is responsible for enforcing COPPA and has issued guidelines to help website operators understand their duties.


Verifying ages is a difficult problem for internet sites, see the recent NY Times article here:
The consensus is that the most effective solution for now is not the technologies, but good old-fashioned education and parental vigilance.“Sequestering age levels will never be the solution online — it’s hard enough to do it in the so-called real world — and there will always be a work-around,” said Anne Collier, who served on the 2008 task force and runs NetFamilyNews. “Really, the single most important thing we can do is to educate parents and young people about what is happening online.”
Another sticky problem seems to be how to obtain parental consent. The older (but still current) version of the FTC Rules (16 CFR 312.5) says: 
(b) Mechanisms for verifiable parental consent. (1) An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.

(2) Methods to obtain verifiable parental consent that satisfy the requirements of this paragraph include: providing a consent form to be signed by the parent and returned to the operator by postal mail or facsimile; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key technology; and using e-mail accompanied by a PIN or password obtained through one of the verification methods listed in this paragraph. Provided that: Until the Commission otherwise determines, methods to obtain verifiable parental consent for uses of information other than the “disclosures” defined by §312.2 may also include use of e-mail coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include: sending a confirmatory e-mail to the parent following receipt of consent; or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call. Operators who use such methods must provide notice that the parent can revoke any consent given in response to the earlier e-mail.

The 2011 suggested amendments to the rules include the following major changes:

Definitions

The COPPA Rule requires covered operators to obtain parental consent before collecting personal information from children. The FTC proposes updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising. In addition, the Commission proposes modifying the definition of “collection” so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.

Parental Notice

The proposed amendments also seek to streamline and clarify the direct notice that operators must give parents prior to collecting children’s personal information. The proposed revisions are intended to ensure that key information will be presented to parents in a succinct “just-in-time” notice, and not just in a privacy policy.

Parental Consent Mechanisms

The FTC also proposes adding new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done. These supplement the nonexclusive list of methods already set forth in the Rule.

The FTC proposes eliminating the less-reliable method of parental consent, known as “e-mail plus,” which is available to operators that collect personal information only for internal use. This method currently allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.
To encourage the development of new consent methods, the Commission proposes establishing a voluntary 180-day notice and comment process whereby parties may seek Commission approval of a particular consent mechanism. In addition, the Commission proposes permitting operators participating in a Commission approved safe-harbor program to use a method permitted by that program.

There is some debate as to the efficacy of such age restriction laws (see article here) and as one article points out there are some unintended consequences:
First, because children lie about their age, these sites still collect data about children under 13 that COPPA would otherwise prohibit without explicit parental consent. Second, rather than providing parents with additional mechanisms to engage with sites honestly and negotiate the proper bounds of data collection about their children, parents are often actively helping their children deceive the sites in order to achieve access to the opportunities they desire. Were parents and their children able to gain access honestly, the site providers might well present them with child–appropriate experiences and information designed to enhance safety, provide for better privacy protections, and encourage parent–child discussions of online safety. With deception being the only means of access, these possibilities for discussion, collaboration and learning are hindered. Finally, such a high incidence of parent–supported ToS circumvention results in a normalization of the practice of violating online rules. This results in a worst–case scenario where none of COPPA’s public policy goals for mediating children’s interactions with these Web sites are met.


There are a couple of articles related to US cases involving children and terms of service agreements on Eric Goldman's Technology and Marketing Blog, see here and here.



Note: This is a law proposed by two Knesset members, Zev Bilski and Yariv Levine. My sources tell me that private bills have a very poor chance of being passed.



No comments:

Post a Comment

Disclaimer

This blog is for information purposes only; it is not a source for legal advice. We do not accept any liability to any person who does rely on the content of this website.