Thoughts on Latest FTC COPPA Rule Revisions & Online Child Safety / Privacy

by on August 9, 2012 · 6 comments

It was my honor today to be a panelist at a Hill event on “Apps, Ads, Kids & COPPA: Implications of the FTC’s Additional Proposed Revisions,” which was co-sponsored by the Family Online Safety Institute and the Association for Competitive Technology. It was a free-wheeling discussion, but I prepared some talking points for the event that I thought I would share here for anyone interested in my views about the Federal Trade Commission’s latest proposed revisions to the Children’s Online Privacy Protection Act (COPPA).


The Commission deserves credit for very wisely ignoring calls by some to extend the coverage of COPPA’s regulatory provisions from children under 13 all the way up to teens up to 18.

  • That would have been a constitutional and technical enforcement nightmare. But the FTC realized that long ago and abandoned any thought of doing that. So that is a huge win since we won’t be revisiting the COPA age verification wars.
  • That being said, with each tweak or expansion of COPPA, the FTC opens the door a bit wider to a discussion of some sort of age verification or age stratification scheme for the Internet.
  • And we know from recent AG activity (recall the old MySpace age verification battle) and Hill activity (i.e. the Markey-Barton bill) that there remains an appetite for doing something more to age-segment Internet populations.

But challenging compliance issues remain with expanded COPPA regulations.

  • How do third parties accurately determine whether a site where they place a cookie or serve an ad is “directed at children” or “likely to attract an audience that included a disproportionately large percentage of children under age 13”?
  • Let’s be clear about what is happening here: the redefinition of terms we see the agency undertaking here will result in an expansion of liability via regulatory relabeling.
  • There certainly is an incremental benefit associated with tweaks to the COPPA rule that strengthen its privacy protections, but it is equally true that there are corresponding incremental costs…

With each tweak or expansion of COPPA, the FTC potentially increases regulatory compliance costs, which could impact market structure, innovation, and consumers’ options and costs.

  • FTC estimates that approximately 85-90% of operators potentially subject to the COPPA rule qualify as small entities; up from prior estimate of 80%.
  • “Rule may entail some added cost burden to operators, including those that qualify as small entities.” (p. 28) Specifically, “operators will each spend approximately 60 hours” complying with the disclosure requirements of the rule (p. 32), although the agency doesn’t offer much of any explanation for how it came up with that number and, despite hearing from several commenters that compliance hours were being underestimated by the agency, the FTC says it won’t revise that estimate upward.
  • Regardless, the agency at least acknowledges that a real burden exists and, if it is true that these burdens will expand because of the latest revisions to the rule, then competition and innovation could suffer.
  • We should want to foster an online ecosystem where small entrepreneurs can thrive and compete against giants like Disney and Viacom.
  • They can bear these expanded regulatory compliance costs, but not everyone else can, especially the little guys.
  • Which means fewer options for both parents and kids.
  • Or, it could also mean that we start seeing prices go up where none currently exist.

Still not clear to me what the actual harm is here that we are trying to address, nor is it clear to me how these new rules really do much on the ground to make kids safer online.

  • Parental notification is not the end of the online safety story.
  • Indeed, when it comes to online safety, it is not what happens before kids get in the door that counts, it’s what happens after kids get inside that really matters.

The Constructive Alternative: Education, Self-Regulation, Codes of Conduct & Best Practices

  • When sites create digital communities and invite kids in, I think we can all agree that we want them to be well-lit online neighborhoods where they can interact safely.
  • A major recent report on parental attitudes about COPPA revealed that what the vast majority of parents want—and this certainly includes me—is helpful tips and advice about what sort of sites and services are appropriate for their kids at a particular age.
  • And parents also want some assurances that those online communities take some simple, commonsensical steps to keep their digital worlds and applications safe.
  • This is why the ongoing dialog about best practices for these sites is so important. Specifically, what is most needed are:
    • Smart ground rules for acceptable behavior;
    • Clear standards for what will not be tolerated; and,
    • Limitations on certain types of functionality and data collection.
  • Ex: Everloop’s “3 Cs of Conduct”
    • “BE COOL: Everloop is a safe, fun place for everyone…so no swearing, cheating, bullying or general bad behavior allowed. If you do any of that, we might have to boot you from the loop.”
    • “BE CLEAN: Everloop is not about drugs, alcohol, sex, race or any inappropriate stuff like that. We will block offensive posts.”
    • “BE CONFIDENTIAL: Play safe on Everloop — don’t share your real name, address, phone number, email or passwords with anybody.”
  • Ex: Club Penguin limits functionality within a well-protected walled garden, with outstanding moderation.
  • But let’s be clear: Even with those sorts of sensible ground rules and best practices in place, a lot of kid-oriented sites and apps are still going to collect some data and serve up some ads.
  • I know many of you have heard me say it a million times before and are probably getting a little tired of it, but I am going to go ahead and say it again (and with passion): There really is no free lunch! Trade-offs are inescapable in these matters.
  • Perhaps in a perfect world we’d have:
    • An infinite number of highly innovative sites
    • That never collected any data or served any ads
    • But yet were still free of charge to parents and kids
  • But that is pure fantasy-land talk.
  • Yet, what I fear most about the constant expansion of the COPPA regulatory regime is that some people get caught up in that sort of a fairytale and ask us to pretend that no such trade-offs exist. In other words, some seem to believe that we can have something for nothing.
  • Before we go further with more extensive Internet regulation, therefore, I hope we think hard about those trade-offs and about the more constructive steps we might take to encourage education, self-regulation, and best practices for sites that cater to kids and not get caught up in a technopanic about the supposed threat of kids seeing a few ads and having a little data collected about them.
  • Because, in most cases, those fears are being greatly overblown while the wondrous benefits we currently enjoy thanks to advertising are being greatly discounted or ignored.

  • jdunstan

    Adam: I thought your best (and mouth contorting) point today had to do with “creeping intermediary deputation” — the FTC’s proposal to hold website operators liable for ad networks or plug-ins that collect PII (which is proposed to be expanded to include cookies). How are website operators supposed to ensure compliance by third parties? Is the FTC going to order all existing contracts void so that the lawyers (myself included) can negotiate new warranty and indemnification provisions in ad network contracts? How is a small operator who can make a kids-directed website (or app) work only through ad support supposed to force large ad networks to comply with COPPA?

  • Adam Thierer

    These are excellent questions, Jim. I wish I had good answers, but it really is anyone’s guess. But the creeping intermediary deputization problem is obviously quite real and growing. Like I said today, even though none of this would technically violate 47 USC 230 (at least as I read it), the thrust of the effort certainly runs counter to the spirit of that important law, which made sure intermediaries were not held liable for every bone-headed move made by third parties using their sites or services.

    At some point, creeping deputization could have a substantial economic impact and affect the types of services provided, how many services exist, how much they cost, or all of the above.

  • Curtis Neeley

    Stand by folks. The future of the holy “Free Speech” and decency regulation will be paired with the identity requirement for petition signers. If you are an adult and want to see porn you must identify yourself as an adult in a way that can be verified. POOF
    The FCC cable division will soon regulate pervasive internet wire communications and forbid display of indecent content to the anonymous as demanded in Neeley v [FCC] et al, (5:12-cv-05074).

  • Curtis Neeley

    47 USC §230 (c)(1) is sought to be found unconstitutional in Neeley v [FCC] et al, (5:12-cv-05074).

  • curtisneeley

    The FCC has until January 8-15 and the DOJ has until then to intervene. There is an EXTREMELY simple rationale for regulating or tagging ALL content placed on wire communications as was encouraged by the Supreme Court but was ignored from ACLU v Reno. Google Inc and Microsoft Corporation have till November 29, 2012 to explain why they traffic pornography to minors or the anonymous. There is a VERY simple method for ACCURATELY segmenting age groups but this is not done because Google Inc and Microsoft Corporation desire to remain Earth’s most profitable pornography websites. Simply put, the open “WEB” is illegal and ENDS very soon.
