Law in the Internet Society
Children's Online Privacy Protection Act (COPPA): Well Intentioned, Poorly Executed

Parameters of the Law

On December 20th the federal government imposed significant changes to the decade old Children's Online Privacy Protection Act, also known as COPPA. The law, which was initially passed in 1998 in response to growing concerns about the dissemination of children's personal information over the Internet, prohibits websites from collecting personal information from children under the age of 13 without verifiable parental consent. The most recent revisions widen the list of children’s personal information requiring parental consent to include children’s photos, videos, voice recordings, computer IP addresses and mobile phone locations. Parental consent is not required when a website operator collects this data solely to support its internal operations, including advertising, site analysis and network communications; however, behavioral marketing techniques specifically targeting children are prohibited. Under COPPA verified parental consent cannot be obtained ex post, it must be obtained from a parent or guardian prior to information collection after the parent has reviewed the website’s privacy policy. Consent can be granted through digital signatures, a signed form returned by mail or fax, the use of a credit card, email, video teleconferencing, or telephonically.

As revised, COPPA uses an “actual knowledge” standard for websites that collect information about children. Children’s apps and sites have primary responsibility for the ad networks and social networks they incorporate into their services, thus relieving social networks and ad networks that collect information from children without knowing that their software is operating on a children’s site or app from liability. If, however, a third party vendor or site does have the requisite “actual knowledge” that it is being used on a first-party web provider targeted at gathering the personal information of children it will be found liable under the law.

Deficiencies of the Law

In theory, COPPA aims to protect children by giving parents some form of control over their children's personal information on the Internet; however, in practice, these regulations appear to be fundamentally flawed. As a result, I don’t believe the law, as enacted, is sound and should be repealed.

One of the greatest issues I have with COPPA is the ambiguity of the “directed at children” terminology. The newest amendments to the law emphasize the overly broad “look and feel” test over the operator’s own intent to target its site primarily to children. As a result, COPPA stands to encompass a dangerously large number of youth and general audience websites. Because the look-and-feel test is inherently subjective, it will be impossible for operators of sites on the cusp of regulation to know with certainty how their sites will measure up until an enforcement action has been leveled against them, and may be forced to take unnecessary expensive cautionary measures or preempt their operations altogether. Although the FTC states that it does not employ this standard with the intention of expanding the reach of sites covered under COPPA, but rather to “create a new compliance option for a subset of websites and online services already considered directed to children under the law's totality of the circumstances standard” its imposition of COPPA obligations on “sites or services that target children only as a secondary audience or to a lesser degree” only suggests the opposite.

Yet another major issue I have with COPPA is its use of the “actual knowledge” standard as it applies to third-party ad and social networks. This standard, while more reasonable than the earlier proposed “know or reason to know” standard, is not without flaw as it, too, is extremely vague and may not provide the kind of clarity intended. Unless a first-party operator explicitly communicates the fact that it is directing itself at children, it will be difficult for a third party network or platform to ascertain the nature of the service provider as there are no clear guidelines for what level of information will suffice. The ambiguity of this standard is highly problematic, as it will undermine the very foundation on which the relationships between first party sites and third party sites are built on, as third parties will be increasingly hesitant to contract with first party sites out of fear of being held liable. Because the Federal Trade Commission states that “does not rule out that an accumulation of other facts would be sufficient to establish actual knowledge”, the very “actual knowledge” standard requiring the direct obtaining of specific fact on which COPPA rests spears to be little more than a farce.

Another issue I have with COPPA is the arbitrary age at which the line for protection is drawn. COPPA only shields children under the age of 13 from web activity targeted at gathering their personal data, as they viewed as being less conscionable and more susceptible. While this may be true, COPPA fails to recognize that those between the ages of 13 and 17 are still minors under the law and thus unable to grant the consent without a parent or guardian. This coupled with the fact that information regarding teenagers between the ages of 13 to 17 is arguably more valuable to app and web developers than those under the age of 13 because they have greater purchasing power, suggests that the class of persons that most need the protection afforded by COPPA are without defense.

Perhaps my greatest concern with COPPA is that the law will stifle innovation by small web app developers. Because the amended law has very different implications for large Internet titans such as Apple and Google and small app developers, which fall outside regulation, and small web app developers, which fall squarely within the ambit of regulation, small app developers may be prompted to pull out of the children’s app market altogether. Although the parameters of COPPA were tightened in more ways than one, the new restrictions were not to the detriment of all web providers. Because the rules were altered in a manner that favors major Internet titans such as Apple and Google, as their online apps stores, which dominate the marketplace for mobile applications, will not be held liable for violations since they “merely offer the public access to child-directed apps” those providers who arguably need less protection are granted the greatest protection from the law and up and coming app developers are left to fend for themselves against this potentially crippling piece of legislation.

I don't know why we're making such a fuss about this. Web services should not be structured to collect data from children. Nothing prevents me from developing wonderful web services for children, and collecting personal data from them shouldn't happen. All of this hand-wringing results from feeling very deeply the concerns of those who want to data-mine children but don't want to fall within the statute, or who want to data-mine other people and might wind up victimizing children by mistake.

Web services should not be devised to destroy privacy for their users. Then the assumption of the essay doesn't have to concern us much.

If, however, we wanted to worry about the woes of the data-miners, it should occur to them that they could do what the pornographers do, and make every effort to exclude children. Of course, they don't want to exclude children. So back to square one again.

And then there's, for example, the Wikipedia. One of the most important of all web services for children, that doesn't collect data of any kind from or invade the privacy of its users. Hmm.

-- LeliseGobena - 28 Dec 2012



Webs Webs

r3 - 23 Aug 2014 - 19:33:50 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM