...we are concerned that the updated definition of when a website is “directed to children” could expand COPPA's reach to general audience sites and confuse website owners as to whether these new rules apply to them. This uncertainty will likely prompt more sites to take advantage of the Commission’s new age-screening safe harbor, which could lead to many more sites demanding age or identifying information from all users before allowing access. Requiring age verification from every user runs counter to the First Amendment right to access information anonymously and increases the collection of potentially sensitive information generally. The new rule's uncertainty is magnified for third party plug-in operators, who may now be liable for the decisions of publishers to embed their plug-in on sites directed to children

To start, by deeming persistent identifiers as personal information per se, the FTC's new rule runs contrary to established U.S. privacy law: federal courts have unanimously decided that IP addresses do not allow the contacting of a specific individual.

Further, as Commissioner Ohlhausen's dissent notes, the COPPA statute does not allow the FTC to impose liability on sites that do not collect children's information merely because the operator may somehow benefit from an ad network or plug-in operator collecting information—provided the third party neither targets children nor shares information with the site operator.

If a third party becomes liable once a single employee "recognizes the child-directed nature" of a website—whatever that means—COPPA will become the worst kind of notice-and-takedown system: Would a single complaint—or tweet—from a parent or activist group create "knowledge?" Faced with the impossible task of predicting how the FTC might characterize each of the millions of sites on which ads or plug-ins might appear, operators will have to try to block advertising or plug-ins on sites that appears to be child-oriented. If they can't do that effectively, this potential liability may effectively kill behavioral advertising on any site that can't prove it isn't child-oriented—in other words, on small sites.

Thus, COPPA will now impact adult sites, denying publishers revenue and adult users the functionality that is increasingly provided by embeds. Thus, the FTC invites not only a statutory challenge but also a constitutional challenge similar to that which led the Child Online Protection Act (COPA) to be struck down.

Yesterday, the U.S. Federal Trade Commission (the FTC) promulgated new rules (effectively July 1, 2013) interpreting the Children’s Online Privacy Protection Act (COPPA), and the new rules are a real mess. They are riddled with innumerable ambiguities and questionable policy choices, and I could spend a decade or two trying to figure out how the new rules apply to different factual situations.

The FTC wanted to crack down on these COPPA workarounds, but in typical FTC fashion, it did so in a ham-fisted and marble-mouthed way.