On July 27th, The Progress & Freedom Foundation hosted a Capitol Hill panel discussion entitled “Online Child Safety, Privacy, and Free Speech: An Overview of Challenges in Congress & the States.” The event featured remarks from:

• Parry Aftab, Executive Director, WiredSafety.org
• Todd Haiken, Senior Manager of Policy, Common Sense Media
• Jim Halpert, Partner, DLA Piper
• Berin Szoka, Senior Fellow, The Progress & Freedom Foundation

We’ve just released the transcript of the event, which I have also pasted down below the fold in a Scribd document reader. Also, the audio for this event can be heard by clicking below:

Download mp3

Here is the full event description:

Online child safety, privacy, and free speech remain hotly debated issues at both the federal and state level. Bills introduced in Congress to address cyberbullying concerns propose either educational initiatives or a criminalization approach. Access to objectionable content also remains a concern and a new, government-mandated task force is looking into those issues. Meanwhile, state officials, including many state attorneys general, continue to explore age verification mandates for social networking sites and some have considered building on the federal Children’s Online Privacy Protection Act (COPPA) to expand “parental notification” mandates. The Federal Trade Commission (FTC) has recently announced an expedited review of COPPA to see if it is keeping up with new developments. The FTC is also exploring child safety in virtual worlds. New concerns about “sexting,” or the sending of sexual explicit images over mobile devices, has also raised new concerns led some lawmakers to ponder penalties.

How serious are these concerns? Is legislation or regulation needed to address them? What free speech issues are at stake? Should Congress take the lead or leave it to the States to experiment with different models? These and other issues were discussed by a panel of leading experts in the field of online safety and privacy policy.

Transcript PFF Online Child Safety Privacy Hill Event (7-27-2009) http://d.scribd.com/ScribdViewer.swf?document_id=18756666&access_key=key-1blb7az1ag406howibuk&page=1&version=1&viewMode=

Maine has just enacted a law severely restricting marketing to kids: the Act To Prevent Predatory Marketing Practices against Minors, summarized by Covington & Burling. Adam and I released a major paper in June about such laws: COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech. Maine is following the lead of several other states that have tried to expand the Children’s Online Privacy Protection Act (COPPA) of 1998 to cover nost just kids under 13 but adolescents as well and potentially all social networking sites. We discussed at length the problems such laws create, particularly the possibility that large numbers of adults would, for the first time, be subject to age verification mandates before accessing (or participating in) the growing range of sites with social networking capabilities.  This, in turn, would significantly “chill” free speech online by undermining anonymity.

Like COPPA 2.0 proposals in New Jersey (simply extending COPPA to cover adolescents) and Illinois (applying COPPA to most social networking sites), the Maine law tries to build on COPPA’s “verifiable parental consent” requirement for the 13-17 audience as well as those under 13.

On the one hand, the Maine law goes much further than these other COPPA 2.0 proposals. While the original bill was limited to the Internet and wireless communications, the final bill’s scope applies to all communications.  The bill also covers “health-related” information (HRI) as well as “personal information” (PI). On the other hand, the Maine law is thus somewhat narrower than other COPPA 2.0 proposals and COPPA itself in that it applies only to “marketing or advertising products, goods or services.” While COPPA is commonly misunderstood to cover only marketing, it actually covers essentially any “collection” (broadly defined) of personal information from kids for any purpose—including merely giving kids access to communications functionality that might let them share personal information with other users (even if the site itself is not “collecting” that information in the commonly understood sense).

Verifiable parental consent is required for collection of HRI or PI (§ 9552(1)). So far, the Maine law is clearly trying to stick to the basic COPPA model while expanding its application to adolescents, health information and the offline world. (Indeed, the law concludes by authorizing the state AG to bring enforcement actions for violations of COPPA, as COPPA itself allows.) But the Maine law goes much further by banning:

• The transfer of HRI/PI to third parties if it “individually identifies the minor” (§ 9552(2)); and
• The use of HRI/PI “for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product” (§ 9553).

It’s unclear what either prohibition will mean in practice. Obviously, if the law imposed a complete ban on the use of HRI/PI, there would be no point to obtaining verifiable parental consent in the first place! Thus, the law seems to contemplate that the prohibition on transferring individually identifying information would leave data-collectors free to transfer de-identified data once they’ve obtained verifiable parental consent for the initial collection. I’m no marketing expert but I imagine that Maine legislators were trying to ban the sale of lists that identify individual kids, while allowing the use of de-identified data for, say, analyzing patterns of interests among kids.

It’s less clear what the use-prohibition (§ 9553) actually means. Would it allow kids-oriented marketing based on aggregated de-identified information? If so, what would that actually mean in the real world? Would that be a distinction without a difference by effectively shutting down legitimate marketing most people would find unobjectionable, harmless, or even very helpful? If the law wouldn’t even allow such use of aggregate data, why, again, would any company ever bother obtaining parental consent?

Indeed, the Association of National Advertisers has interpreted this provision as amounting to an outright ban, regardless of parental permission, and points out that the bill:

would seemingly cut off “minors”‘… from being marketed to about colleges and universities, testing services such as the SAT and ACT, test prep services, class rings, among many other potential categories.

ANA vows to “have the law abrogated or modified so that it will not continue to place such extraordinarily broad restrictions on marketers, when the legislature reconvenes” in January—even though the law goes into effect in mid-September. They could challenge the law on a number of grounds in the courts.

While the First Amendment analysis of commercial free speech rights doubtless be complicated, a simpler argument could be brought on Dormant Commerce Clause grounds: Under the Supreme Court’s 1970 decision in  Pike v. Bruce Church, if “the burden imposed . . . is clearly excessive in relation to the putative local benefit, and if the local interest can be promoted by other regulations that have a lesser impact on interstate activities,” the court may strike down a state law that burdens interstate commerce. Indeed, the courts have struck down a number of Internet-related state laws on such grounds.

Insofar as Maine’s law affects online communications, it could be struck down on Dormant Commerce Clause grounds by forcing out-of-state websites to treat users in Maine differently—or to treat all users as if they were in Maine. To some extent, this will depend on how the statute is actually construed. COPPA applies both to knowing collection and to collection through child-oriented sites like Club Penguin (because the operator should know that they are collecting information from a child), but the Maine law applies only to knowing collection. If the statute is narrowly construed, this would mean that only websites that ask user for their age (say, in setting up a social networking profile) would generally be affected. A broader reading might affect websites that are oriented towards, or simply popular among, minors, in which case sites would essentially be forced to age verify all users (as with other COPPA 2.0 proposals). While this seems unlikely given the meaning generally attached to the word “knowing” in American law, even the narrow reading would affect many social networking sites.

The other major unanswered question lies in how broadly the term “individually identifiable information” would be construed. Like COPPA, the Maine law covers all such information, but rather than define this term exhaustively, the laws simply provide a few more specific categories of examples. Maine’s list differs from COPPA’s in that it does not include e-mail addresses, telephone numbers, screen names, or other contact information. But the list does include names, and this is enough to implicate profile-basedsocial networks like Facebook. If construed more broadly, the Maine law could affect other website operators.

In any event, if websites have to try to accomodate Maine’s law, they might have to track user location to ensure that they comply with Maine law.  As we noted in our paper:

If a site relied only on location information provided by the user, adolescents would quickly learn to lie about what state they live in just as children have learned to lie about how old they are to avoid triggering COPPA’s “actual knowledge” requirement.  Alternatively, websites could attempt to determine a user’s location automatically based on their IP address, but such “IP geocoding” is not always accurate and can be subverted by use of a proxy.

Finally, in case you were wondering where this bill came from, here’s the purpose statement for the original bill:

This bill addresses the current practices of persons using the Internet and other wireless communications devices, with or without promotional incentives, to acquire health-related information about minors and then using that information unscrupulously. Under this bill, it is unlawful to solicit or collect health-related information about a minor who is not emancipated without the express written consent of the minor’s parent or guardian, to transfer any health-related information that identifies a minor or to use any of that information to market a product or service to a minor regardless of whether or not the information was lawfully obtained. Unlawful marketing includes promoting a course of action relating to a product.

If a challenge is brought in court, the state will have to be a lot more specific about defining the harm at issue than merely asserting that information is being collected and might be unsed “unscrupulously.” As the Supreme Court declared in the 1993 case of Edenfield v. Fane, the government’s burden in justifying a restrictions on even commercial speech (which is accorded less protection than non-commercial speech):

is not satisfied by mere speculation or conjecture; rather a governmental body seeking to sustain a restriction on commercial speech must demonstrate that the harms it recites are real and that its restriction will in fact alleviate them to a material degree.

In short, this new law raises many legal and practical questions. I’ll be watching closely to see how any effort have the law amended or challenged in court plays out.  I suspect we’ll see more states following Maine’s lead if this law stands in its current form.

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

• Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
• Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
• Hamper routine and socially beneficial communication between adolescents and adults;
• Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

• Would likely be the subject of massive fraud or evasion since it is not always possible to definitively verify the parent-child relationship, or because the system could be “gamed” in other ways by determined adolescents;
• Do nothing to prevent offshore sites and services from operating outside these rules;
• Present major practical challenges for law enforcement officials in the face of such evasion by both domestic users and offshore sites;
• Could destroy opportunities for new or smaller website operators to break into the market and offer competing services and innovations, thus contributing to consolidation of online content and services by erecting barriers to entry; and
• Violate the Commerce Clause of the U.S. Constitution, since Internet activity clearly represents interstate commerce that states have no authority to regulate.