New federal legislation aims to stop the digital exploitation of children

The Forbidding Advertisement Through Child Exploitation Act (FACE Act) of 2013 was introduced in Congress on July 10, 2013 by U.S. Congressman John J. Duncan, Jr. (R-Tenn.) to help protect the  personal privacy of children and teens.  The official title as introduced states, "[t]o prohibit providers of social media services from using self-images uploaded by minors for commercial purposes."

The FACE Act states, "(a) provider of a social media service may not intentionally or knowingly use for a commercial purpose a self image uploaded to such a service by a minor." The Act empowers the FTC to promulgate regulations under section 553 of title 5 of the United States Code to implement the Act.  This aspect of the legislation is extremely important because it appears to provide the FTC the flexibility to create regulations that will enable it to account for changes in technology.    

To be effective, legislation should have adequate enforcement mechanisms.  This bill appears to enable not only the FTC, but also state attorney generals and/or state officials and/or state agencies to enforce the Act.  According to the bill, a "state may enforce the act by bringing a civil action to: enjoin such act or practice; enforce compliance with such section or such regulation; obtain damages, restitution, or other such compensation on behalf of residents of the State; or obtain such other legal and equitable relief as the court may consider to be appropriate."

The Act specifically states that it would not preempt states or political subdivisions of a state from enacting a law that provides minors greater personal privacy protection.  At first glance, this appears to provide the potential to create burdensome regulations on cloud providers and their clients; however, cloud computing vendors have been able to flourish despite being required to adhere to different privacy laws in each state.  For example, at least 46 states, including the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have data breach notification statutes. 

According to a GigaOM's article about Gartner's Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q12 Update that was released earlier this year, "the U.S. is predicted to remain number one in overall cloud services deployment-by a wide margin-into 2016."  Therefore, despite almost every state in the U.S. enacting their own data breach notification statutes (whose provisions may vary widely state by state) cloud computing providers have still been able to offer to clients compliant cost effective solutions.

While the FTC's recent updates to the Children's Online Privacy Protection Act provide our children more privacy protections, state attorney generals along with state officials or agencies may be in a better position to protect the digital privacy of our children.  For example, while multiple EU data protection authorities are pursuing enforcement actions against Google because of its March 1, 2012 privacy policy change; so far the FTC has declined to do so. 

In contrast, the National Association of Attorney Generals sent a letter (signed by 36 state attorney generals) in 2012 expressing their concern about Google's privacy policy change. Last month, 23 state attorney generals signed onto a follow up letter that stated, "[w]e are still greatly concerned about the way Google collects consumer information" and "[w]e also think more needs to be done to enable consumers to review and delete data that has been collected about them from specific Google products."    

In addition to the actions spearheaded by the National Association of Attorney Generals, California's Attorney General Kamala Harris has been active regarding protecting those who utilize mobile apps.  Her office's recent report on mobile apps "provides guidance on developing strong privacy practices."  Attorney General Harris also created the Privacy Enforcement and Protection Unit to enforce federal and state privacy laws.  Other states, such as Massachusetts, have introduced legislation (H 331) that would ban cloud computing service providers who contract with K-12 schools from processing student data for commercial purposes.

Even though some state attorney generals and state lawmakers around the country are working to protect the digital privacy of our children, more tools are needed to ensure that our children are not exploited.  The FACE Act's introduction is important because it demonstrates that legislators realize that enacting stronger digital privacy laws is not only best for society, but that it will resonate with voters on election day.  

While it may take several legislative sessions for the FACE Act to move forward due to the acrimony on Capitol Hill, it demonstrates that lawmakers still believe we have an expectation of privacy in the Digital Age.  It would not surprise me if the FACE Act's introduction encourages state lawmakers to introduce similar bills in their respective legislatures around the country.  Therefore, it is imperative that the cloud computing industry work with stakeholders to ensure that our children's personal digital data is not utilized for commercial purposes. 

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.