Revisiting the Children’s Online Privacy Protection Act
March 25, 2013
Last December, the Federal Trade Commission (FTC) announced the results of its two-year review of the Children’s Online Privacy Protections Act (COPPA), including a series of amendments and rule changes aimed at updating the Act in light of recent technological and social developments. This was the first time COPPA had been revised since it was first introduced in 1998, and given all the new devices, industry practices and trends in children’s online behaviour (including social networking) that have emerged over the past fourteen years, an update was, in many ways, long overdue. After two years of gathering input from industry members, hosting a review roundtable in June 2010, and soliciting public comments (70 of which were ultimately filed, many by members of the media and web industries), the changes were not introduced without their share of controversy and a fair amount of debate. A key example of the former was Commissioner Ohlhausen’s well documented vote against the amendment, and the inclusion of a published statement of dissent that appears alongside the updates on the FTC website. Nonetheless, FTC Chairman Jon Leibowitz has stated that, “I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities.”
To give a bit of background for anyone unfamiliar with the act, the COPPA Rule came into effect in 1998 when Congress first passed the Children’s Online Privacy Protection Act. The Rule requires that operators of websites or online services directed to or knowingly used by children under the age of 13 years follow a number of special steps aimed at protecting children’s privacy, specifically around how children’s “personal information” (name, address, email, etc.) is handled. For instance, a child’s personal information must never be made publically available, which means that their name, address and such can’t appear anywhere on the site. The operator must notify the parents of the child’s use of the site and secure the parent’s verifiable consent before collecting, using, or disclosing any of the child’s personal information. They also have to keep that information secure once collecting, provide details to parents about the type of information collected upon request, and refrain from making disclosure of excessive amounts of personal information a condition for participation. The FTC is also in charge of enforcing compliance, and failure to follow the COPPA rule can result in law enforcement actions and fines of up to $11,000 per violation.
While COPPA was originally envisioned as a way to prevent direct marketers from soliciting and exploiting children’s personal information, it has since evolved into a much more complex piece of legislation (see Montgomery, 2007). Some scholars argue, for instance, that the Rule has had a number of unintended consequences, including closing off vast swaths of the Internet from younger children, as banning users under the age of 13 can be perceived as easier and more cost effective than attempting to tackle COPPA compliance. For instance, social networking forums that allow younger children have to take a number of additional steps to make sure the users themselves follow COPPA rules. Since COPPA prohibits the public display of children’s personal information, any chat functions or user postings have to be heavily monitored or designed to filter out any information that could potentially be linked back to the child’s location or identity. This in turn raises important questions about the extent to which kids’ freedom of speech is being curbed in the process.
Other scholars and critics have argued that the Rules’ definition of what counts as “personal” information is too narrow, while others have argued that the requirements for parental consent are problematic (either too stringent or not adequately enforced). Debates around how information is shared with third parties also erupted over the years, as information flows and embedded apps became increasingly prevalent. And, as time wore on, critics from both sides of these debates began to question whether a Rule written in the late 1990s—the early years of the Internet, before smart phones and Facebook—could remain relevant in the face of so many new technologies, trends and social norms.
While the new amendments don’t address all of these criticisms, they do address quite a few. They include:
- Expanding the list of protected personal information to include geolocation information, photos and videos;
- Offering operators a streamlined, voluntary and transparent approval process for securing parental consent;
- Closing one of the previous loopholes that had emerged that allowed child-directed apps and websites to permit third parties to collect personal information from children (e.g. through plug-ins) without parental notice and consent (in some cases requiring that the third parties also comply with COPPA);
- Extending protection to cover “persistent identifiers” which can be used to recognize a specific user over time and across different websites (e.g. IP addresses, mobile device IDs);
- Strengthening the protection of data once it’s been collected, how it’s shared and with whom;
- Requiring that operators adopt reasonable procedures for both retaining and deleting data;
- Strengthening the FTC’s oversight of self-regulatory safe harbor programs.
Arguably, the most significant changes are those aimed at bringing the Act up to date. In particular, expanding the Rule’s purview to include pictures and check-ins fills an important gap—one that was only becoming more noticeable as using smart phones and posting pictures to social networking forums become increasingly popular online activities among users in general (even though there is currently little research on how prevalent such activities actually are among kids under the age of 13). Another key innovation is the inclusion of persistent identifiers, which are becoming increasingly prevalent and significance with the emergence of apps and how mainstream advanced data analysis software has become.
On the other hand, the amendments don’t (and perhaps can’t) address issues of access. It is quite possible that sites and operators will continue banning kids instead of attempting COPPA compliance, while sites that do allow kids will opt to place heavy restrictions on their interactions to prevent them from divulging personal info. Related to this is the growing awareness of parents and operators that kids don’t always follow the rules when it comes to age restrictions and bans. For example, we’ve all seen the many news stories about younger kids using Facebook. Simon Milner, director of policy for Facebook UK and Ireland, was recently quoted in The Guardian saying:
“I am very well aware of the research that a lot of 11 and 12-year-olds and younger have Facebook accounts and lie about their age [during the online signup process] … and that in some cases parents actively help.”
While it is still too soon to see what affect the COPPA amendments will have on the children’s digital landscape, there is much to suggest that there are new debates and tensions ahead, as norms continue to shift (e.g. with some parents actively helping their children to bypass age restrictions) and kids participating in more and more aspects of online life. A key thing to remember as we move forward, however, is that despite its critics and limitations, COPPA continues to serve as a rare, globally significant, and widely respected prototype in children’s privacy protection.
Sara M. Grimes is Assistant Professor at the Faculty of Information, and Associate Director of the Semaphore Lab, both at the University of Toronto. She teaches and researches in children’s media and literature, digital games, social media and play. Sara’s current research explores the legal and cultural dimensions of children’s user-generated content within networked games. She recently co-authored Kids Online with Dr. Deborah Fields, a report produced for the Joan Ganz Cooney Center examining the current literature on kids and social networking forums that identifies key areas for future research and dialogue.