Take the question of what, under the children's privacy law, amounts to personal information. The FTC's updated rule would include "persistent identifiers" such as data in cookies - the small digital records websites store on users' computers - if they are employed "to recognize a user over time, or across different websites or online services." Also included would be locational data of the kind collected by mobile phones.
Jeffrey Chester, a privacy advocate and early champion of the 1998 law, says broadening that single definition could dramatically shift the landscape facing online behavioral marketers, who rely on cookies, geolocation data, and similar identifiers to track consumers' habits and deliver targeted advertising and personalized offers.
COPPA itself bars websites from collecting personal information about preteens without their parents' consent. But the law and the FTC's original rules focused on traditional conceptions of the term - names, addresses, and the like. No one fully anticipated the rich but supposedly anonymous profiles of individuals - child or adult - that behavioral marketers would learn to amass.
Chester, who expects the final rules later this month, says marketers and data miners consistently downplay the significance of the data they collect and use.
"What they've been saying is this, 'Look, it's just a number in a file. We know you go to website X and like to buy Y,' " he says. "That facade will officially crumble in two weeks if the FTC has the courage to declare cookies and other identifiers as personal information."
Not surprisingly, the behavioral marketing industry and its allies have been fighting back hard, with arguments that already hint at court challenges if the FTC doesn't back down.
"COPPA does not provide the statutory authority to expand the definition of 'personal information' to include clickstream data," the Interactive Advertising Bureau says. The group argues that such identifiers "permit the delivery of content and advertising to a device, not to an identified individual." Since a device can be used by more than one person, it says, the data can't be "personal information."
Anyone who has noticed online behavioral marketing knows why this is such a major point of friction. As the Internet has evolved, marketers have developed a dramatically different model for advertising - one that largely replaces mass marketing with individual offers.
It's also, to be sure, a moving target. Though most consumers may be content with ads that seem to follow them from site to site based on their searches and Web habits, there has been enough pushback from privacy advocates that browser makers have made it easier to bar some kinds of tracking.
For instance, though critics question their effectiveness, all the major browsers now include a "do not track" option, which the FTC first urged in 2010. To the chagrin of online marketers, Microsoft set "do not track" as the default option on the latest version of its Internet Explorer browser.
But tracking and data mining - including of the vast stores of information that give rise to the term "big data" - aren't going away. In the last year, the number of data collections on the average Web page increased from 10 per page to 50, according to Krux, a company that helps websites manage and monetize data.
Do children deserve special protection? Given their cognitive limitations, that's a no-brainer to COPPA supporters such as Kathryn Montgomery, an American University media researcher who pushed for the law with Chester, her husband.
But like him, she says the fight over COPPA is "arguing around the edges."
"I'm an adult, and I don't want some of this stuff," she says. "We ought to have a system in place that gives privacy protections for everybody."
Contact Jeff Gelles at 215-854-2776 or email@example.com.