But those assurances failed to win over software developers who said the cost of complying with the new regulations and the risk of violating them will cause many responsible businesses to abandon the children's marketplace.
Information about children that cannot be collected unless a parent first gives permission now includes the location data that a cellphone generates, as well as photos, videos, and audio files containing a human image or voice, according to the rules announced Wednesday. Data known as "persistent identifiers" that allow a person to be tracked over time and across various websites are also considered personal data and covered by the rules, the agency said.
The rules offer several new methods for verifying a parent's consent, including electronically scanned consent forms, video conferencing and email.
The rules issued by the Federal Trade Commission ensure that a 14-year-old law, the Children's Online Privacy Protection Act, keeps pace with evolving technology, including cellphones, tablets, software apps, and social networking sites, the agency's chairman, Jon Leibowitz, said at a Capitol Hill press conference.
The agency tried to achieve a balance between protecting kids and ensuring that a key sector of the U.S. economy keeps growing, Leibowitz said.
Liability for violations of the rules won't extend to Google, Apple and other companies that operate online stores offering public access to kids' apps, the FTC said. Google and Apple had warned that if the rule were written to include their stores, they would exclude many apps specifically intended for kids. That would hurt the nation's classrooms, where new and interactive apps are used by teachers and students, Apple said.
But the Application Developers Alliance, an industry association in Washington, said the rules leave the app industry, which is made up primarily of small businesses, liable for violations. The risk may drive entrepreneurs out of the children's app marketplace, said Jon Potter, the alliance's president.
Companies are not excluded from advertising on websites directed at children, allowing business models that rely on advertising to continue, Leibowitz said. But behavioral marketing techniques that target children are prohibited unless a parent agrees to them. "You may not track children to build massive profiles," he said.
The law was passed more than a decade ago, when no one could have anticipated what the Internet would look like or how adults and children would conduct their affairs online, said Senate Commerce Committee Chairman John Rockefeller, D-W.Va. The changes, which the FTC has been developing for the last two years, are long overdue, he said.
Public interest groups hailed the changes. The rules "will provide a stern reminder to companies and developers that they need to do more to build a trustworthy online space for kids and families," said James Steyer, chief executive officer of Common Sense Media, a nonprofit group in San Francisco that studies children's use of technology.
Release of the rules comes a week after the FTC disclosed that it was investigating an unspecified number of app developers that may have violated the law by gathering information from kids without their parents' consent. The agency examined 400 kids' apps that it purchased from the online stores operated by Google and Apple. It determined that 60 percent of them transmitted the user's unique device identification to the software company or, more frequently, to advertising networks and companies that compile, analyze and sell consumer information for marketing campaigns.
The agency included in the rules new methods for securing verifiable consent after the software industry and Internet companies raised concerns over how to confirm that the permission actually came from a parent. Electronic scans of signed consent forms are acceptable, as is video-teleconferencing between the website operator or online service and the parent, according to the agency.
The FTC also said it is encouraging technology companies to recommend additional verification methods. Leibowitz said he expects that this will "unleash innovation around consent mechanisms."
Emailed consent is also acceptable as long as the business confirms it by sending an email back to the parent, or calling or sending a letter. In cases of email confirmation, the information collected can be used only internally by that company and not shared with third parties, the agency said.