Thoughts on Latest FTC COPPA Rule Revisions & Online Child Safety / Privacy

by on August 9, 2012 · 6 comments

It was my honor today to be a panelist at a Hill event on “Apps, Ads, Kids & COPPA: Implications of the FTC’s Additional Proposed Revisions,” which was co-sponsored by the Family Online Safety Institute and the Association for Competitive Technology. It was a free-wheeling discussion, but I prepared some talking points for the event that I thought I would share here for anyone interested in my views about the Federal Trade Commission’s latest proposed revisions to the Children’s Online Privacy Protection Act (COPPA).


The Commission deserves credit for very wisely ignoring calls by some to extend the coverage of COPPA’s regulatory provisions from children under 13 all the way up to teens up to 18.

  • that would have been a constitutional and technical enforcement nightmare. But the FTC realized that long ago and abandoned any thought of doing that. So that is a huge win since we won’t be revisiting the COPA age verification wars.
  • That being said, each tweak or expansion of COPPA, the FTC opens the door a bit wider to a discussion of some sort age verification or age stratification scheme for the Internet.
  • And we know from recent AG activity (recall old MySpace age verification battle) and Hill activity (i.e. Markey-Barton bill) that there remains an appetite for doing something more to age-segment Internet populations

But challenging compliance issues remain with expanded COPPA regulations.

  • How do third parties accurately determine whether a site where they place a cookie or serve an ad is “directed at children” or “likely to attract an audience that included a disproportionately large percentage of children under age 13”
  • Let’s be clear about what is happening here:  = the redefinition of terms we see the agency undertaking here will result in an expansion of liability via regulatory relabeling
  • there certainly is an incremental benefit associated with tweaks to the COPPA rule that strengthen its privacy protections, but it is equally true that there are corresponding incremental costs…

With each tweak or expansion of COPPA, the FTC potentially increased regulatory compliance costs, which could impact market structure, innovation, and consumers options and costs.

  • FTC estimates that approximately 85-90% of operators potentially subject to the COPPA rule qualify as small entities; up from prior estimate of 80%.
  • “Rule may entail some added cost burden to operators, including those that qualify as small entities.” (p. 28) Specifically, “operators will each spend approximately 60 hours” complying with the disclosure requirements of the rule (p. 32), although the agency doesn’t offer much of any explanation for how it came up with that number and, despite hearing from several  commenters that compliance hours were being underestimated by the agency, the FTC says it won’t revise that estimate upward.
  • Regardless, the agency at least acknowledges that a real burden exists and, if it is true that these burdens will expand because of the latest revisions to the rule, then competition and innovation could suffer
  • We should want to foster an online ecosystem where small entrepreneurs can thrive and compete against giants like Disney and Viacom
  • They can comply with these expanded regulatory compliance costs, but not everyone else can, esp. to the little guys
  • Which means fewer options for both parents and kids
  • Or, it could also mean that we start seeing prices go up where none currently exist.

Still not clear to me what the actual harm is here that we are trying to address, nor is it clear to me how these new rules really do much on the ground to make kids safer online.

  • Parental notification is not the end of the online safety story.
  • Indeed, when it comes to online safety, it is not what happens before kids get in the door that counts, it’s what happens after kids get inside that really matters.

The Constructive Alternative: Education, Self-Regulation, Codes of Conduct & Best Practices

  • When sites create digital communities and invite kids in, I think we can all agree that we want them to be well-lit online neighborhoods where they can interact safely
  • A major recent report on parental attitudes about COPPA revealed that what the vast majority of parents want—and this certainly includes me—is helpful tips and advice about what sort of sites and services are appropriate for their kids at a particular age.
  • And parents also want some assurances that those online communities take some simple, common sensical steps to keep their digital worlds and applications safe.
  • This is why the ongoing dialog about best practices for these sites is so important. Specifically, what is most needed are:
    • Smart ground rules for acceptable behavior;
    • Clear standards for what will not be tolerated; and,
    • Limitations on certain types of functionality and data collection.
  • Ex: Everloop’s “3 Cs of Conduct”
    • “BE COOL: Everloop is a safe, fun place for everyone…so no swearing, cheating, bullying or general bad behavior allowed. If you do any of that, we might have to boot you from the loop.”
    • “BE CLEAN: Everloop is not about drugs, alcohol, sex, race or any inappropriate stuff like that. We will block offensive posts.”
    • “BE CONFIDENTIAL: Play safe on Everloop — don’t share your real name, address, phone number, email or passwords with anybody.”
  • Ex: Club Penguin = limits functionality within a well-protected walled garden; with outstanding moderation
  • But let’s be clear: Even with those sorts of sensible ground rules and best practices in place, a lot of kid-oriented sites and apps are still going collect some data and serve up some ads.
  • I know many of you have heard me say it a million times before and are probably getting a little tired of it, but I am going to go ahead and say it again (and with passion): There really is no free lunch! Trade-offs are inescapable in these matters.
  • Perhaps in a perfect world we’d have:
    • An infinite number of highly innovative sites
    • That never collected any data or served any ads
    • But yet were still free of charge to parents and kids
  • But that is pure fantasy-land talk.
  • Yet, what I fear most about the constant expansion of the COPPA regulatory regime is that some people get caught up in that sort of a fairytale and ask us to pretend that no such trade-offs exist.  In other words, some seem to believe that we can have something for nothing.
  • Before we go further with more extensive Internet regulation, therefore, I hope we think hard about those trade-offs and about the more constructive steps we might take to encourage education, self-regulation, and best practices for sites that cater to kids and not get caught up in a technopanic about the supposed threat of kids seeing a few ads and having a little data collected about them.
  • Because, in most cases, those fears are being greatly overblown while the wondrous benefits we currently enjoy thanks to advertising are being greatly discounted or ignored.

Previous post:

Next post: