2fyY1Py

Methods used to track users online and beyond
Cookies: Small files placed on a user’s computer system that track and record users’ activities. Some cookies are used
only for internal analytics or functionality (e.g. language preference, payment options), but many sites and platforms
allow third parties such as advertising networks to place tracking cookies to collect information on users, to facilitate
targeted marketing.
Flash cookies: These files are more durable and persist after a browser has been cleared, thus allowing tracking after
users believe they have been deleted.
Zombie cookies: These files are even more durable than flash cookies, as they are re-created after a user has deleted
them, allowing continued tracking.
Device fingerprinting: Users are tracked across the devices they use (e.g. smartphone, tablet, laptop) to integrate
marketing appeals and offers. “Canvas”-based fingerprinting operates with no indication that a user’s system is being
fingerprinted.
Device graphs or social graphs: Individuals’ (and families’) linked devices are identified, or a user’s personal digital
connections are identified.
Geo-location: Users’ exact location is mapped to deliver location-specific ads and promotions.
On-boarding: Combines online with offline data to generate even richer consumer profiles
Collated from references 76, 78–82
The Children’s Online Privacy Protection Act (COPPA) in the USA (78) stipulates that personally identifiable information
may not be collected from children under 13 years without verifiable parental consent and (since 2013) does not allow
tracking across platforms with persistent identifiers, geo-location or behavioural advertising. COPPA applies to companies
operating in the USA or collecting any data within the USA. As many companies internationally have applied this rule, it
appears to have become the de facto international cut-off for online privacy protection. Its aim is to protect children and
empower parents, and it is reported to have halted “some egregious predatory data practices” (95). Nevertheless, COPPA
has substantial gaps, as it leaves children over the age of 13 years vulnerable. The FTC concedes that identifying and
tracking children aged 13 years and over is a concern but continues to permit this. If children under 13 years lie about their
age to access services for older children, which parents frequently assist them in doing (96, 97), or if parents give verifiable
consent for their children’s data to be processed and thus to allow them to receive behavioural advertising, marketers and
digital platforms are permitted to treat children under 13 years online as adults (78). This is a substantial concern: as one
of COPPA’s original authors noted, the parental safeguard it provides is “increasingly ineffective”, as the parents of younger
children “cannot be expected to understand the sophisticated and often opaque operations employed in today’s state-ofthe-art
digital marketplace, or the risks posed by them” (44, p. 780).
Furthermore, even when parents do not agree to the collection of personally identifiable information about their children,
many sites and apps do so all the same. A survey of 1494 websites and apps “targeted at, or popular with children” across
the world in 2015 by the Global Privacy Enforcement Network (98), conducted by 29 data protection authorities, found
that many were not adhering to the COPPA regulations. Two thirds were collecting personal information without offering
children or their parents adequate protective control to limit the use and disclosure of such information or a simple
means of deleting an account permanently. For 40% of sites, the survey raised concern about the nature of the data
being collected. Overall, therefore, COPPA appears to be largely ineffective: parents may agree to the collection of data on
their young children, when giving them permission to play games or join certain sites, without realizing the implications;
adolescents have no protection of any kind, and many sites and apps do not comply with COPPA in any case. Thus, children
10