Yesterday, the Federal Trade Commission (FTC) released its long-awaited proposed revisions to the Children’s Online Privacy Protection rule (the “COPPA Rule”). Below I offer a few brief thoughts on the draft document. My remarks assume a basic level of knowledge about COPPA so that I don’t have to spend pages explaining the intricacies of this complex law and regulatory regime. If you need background on the COPPA law and rule, please check out this paper by Berin Szoka and me: “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.”

Dodging the COPA / Mandatory Age Verification Bullet

The most important takeaway from yesterday’s proposal involves something the FTC chose not to do: They agency very wisely decided to ignore some requests to extend the coverage of COPPA’s regulatory provisions from children under 13 all the way up to teens up to 18.  An effort to expand COPPA’s “verifiable parental consent” requirements to all teens would have raised thorny First Amendment issues as well as a host of practical enforcement concerns.  In essence, it would have required Internet-wide age verification of children and adults in order to ensure that everyone was exactly who they claimed to be online. We already had an epic decade-long legal battle over that issue when the constitutionality of the Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA, was tested many times over and always found to be in violation of the First Amendment.

Regardless, the FTC didn’t go there yesterday, so this concern is off the table for now. The agency deserves credit for avoiding this constitutional thicket.

Why Eliminate “Email Plus” Verification?

The FTC proposes the elimination of the current “e-mail plus” method of obtaining veritable parental consent. Under the COPPA rule’s so-called sliding scale approach, sites:

may obtain verifiable parental consent through an email from the parent, so long as the email is coupled with an additional step.  Such additional steps have included: obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call, or sending a delayed confirmatory email to the parent after receiving consent.  The purpose of the additional step is to provide greater assurance that the person providing consent is, in fact, the parent.  This consent method is often called “email plus.”

The FTC says that “email plus has outlived its usefulness and should no longer be a recognized approach to parental consent.” That’s crazy. A great number of sites and service that live under COPPA use this method to stay in compliance with the law. This pulls the rug out from under them and creates major short-term marketplace uncertainty.

So, why has the agency done this? It’s not really because email plus has “has outlived its usefulness,” rather, it’s because the agency believes that “continued reliance on email plus has inhibited the development of more reliable methods of obtaining verifiable parental consent.  In fact, the Commission notes that few, if any, new methods for obtaining parental consent have emerged since the sliding scale was last extended in 2006.” [p. 68]

That’s a very interesting observation. But while I agree that few new parental consent methods have been introduced over the past five years, the FTC has not offered any conclusive evidence here that the existence of “email plus” is to blame. The fact of the matter is that online verification is hard, even the parental consent variety. In a different context, banks are still just having people pump in 4-digit PINs at ATMs after a few decades of debit cards being on the market. That doesn’t necessarily mean that the PIN# approach has stifled other forms of authentication, rather, it’s still just the most simple and efficient way of doing things. The same is true of “email plus” in the COPPA context. Yet, the FTC is upending the process in the name of kickstarting innovation in the authentication space. It’s an interesting gamble, but has the agency thought through the consequences of failure?

Importantly, sites and services that cater to children have also been focusing on putting other safety procedures and practices into place during this period. It’s not like parental notification is the end of the online safety story. As I have always noted in all my work on COPPA, it is not what happens before getting in the door that counts. It is what happens after kids get inside that really counts. The FTC ignores that distinction here and just keeps insisting that we can find better ways to perfect “verifiable parental consent” mechanisms.

All this begs the question: Just what is it that the FTC is looking for that would be superior to “email plus”? For the reasons noted above, they obviously cannot force full-blown online age verification on the Internet. But does the agency want a more rigid, second-best verification system perhaps with a possible government role in the formal authentication process? They might. Read on..

So, What’s This about Bringing Government IDs Into the Process?

The FTC makes another interesting proposal on the bottom of pg. 63 when it is discussing other mechanisms for obtaining verifiable parental consent. After rejecting SMS text messages and electronic “sign and send” methods for various reasons, the agency continues on to propose the following:

The Commission also proposes allowing operators to collect a form of government issued identification – such as a driver’s license, or a segment of the parent’s social security number – from the parent, and to verify the parent’s identity by checking this identification against databases of such information, provided that the parent’s identification is deleted by the operator from its records promptly after such verification is complete.

In one sense, this isn’t at all surprising. Our government already engages in some official credentialing activities, so why not use the ones that we’ve already required to get to help out with COPPA enforcement?  How one answers that question depends on your disposition toward large government databases and the purposes to which they might be put. If you are inherently distrustful of government aggregating and cross-referencing massive amounts of data about the citizenry, the idea of using driver’s licenses and Social Security numbers for yet another thing in this world will make you a bit nervous. It certainly makes me a bit paranoid, but mostly because of what I think might come next. If the FTC gets people accustomed to the idea of using “official” forms of identification to authorize online activities, that could be a slippery slope to something far more troubling. It may just start with just driver’s licenses and the last four digits of your Social Security numbers, but that might not be where it ends. Why not throw some biometric identifiers in the mix? Let’s have kids get retinal scans as the schoolhouse door at the beginning of each school year and then make mom and dad get one too so that we can match the whole gang up next time junior wants to visit Club Penguin! [By the way, who in government collects all this info and gets to use it?]

Moreover, if the FTC is now getting rid of the “email plus” verification process and dismissing text messages and electronic “sign and send” methods as alternative, then one could argue that–at least indirectly, if not intentionally–the FTC is starting to tip the market in favor of government solutions to online credentialing.

Perhaps I’m being a bit paranoid here. But when I was serving on the Harvard Berkman Center online child safety task force a few years ago, I saw all sorts of online verification schemes pitched to us, some of which would have government requiring biometric identifiers or other types of digital tokens be utilized in an effort satisfy some amorphous online authentication requirements. I’m not saying that’s where this particular FTC is taking us, but they’re at least opening the door to more “official” government credentialing efforts in the future with this proposal.

Video Conferencing as a Verification Method? Really?

Just as an aside, I must say that I find one of the few new verification methods the FTC endorses–“having a parent connect to trained personnel via video-conference”–to be a bit surprising. (Seriously, did the lobbyists at Skype sneak this proposal in there?!)  The agency states:

The Commission agrees that now commonly-available technologies such as electronic scans and video conferencing are functionally equivalent to the written and oral methods of parental consent originally recognized by the Commission in 1999.  Therefore, the Commission proposes to recognize these two methods in the proposed Rule.

A couple of people on Twitter yesterday pointed out how unlikely it is that video conferencing could be a scalable, workable solution to obtaining verifiable parental consent. Of course, to be fair, this is not the only consent mechanism the agency is suggesting, so I suppose FTC officials would say it’s just an additional verification method from which sites can choose.

But what I have a hard time imagining is that any parent would want to sit down in front of a webcam, fire up Skype (or whatever other video conferencing service they prefer), and start a video chat with some random bloke who works for an online site or service. A lot of parents will find that annoying; potentially even a bit creepy!

More practically, smaller sites probably just don’t have the manpower or resources to make this solution work. Making people available at all hours to get on a video chat with a parent so that their kid can get on the site is just not going to be a workable verification solution for anyone except the largest online sites and services.

Do Data Deletion Requirements Foreshadow a Push for “Eraser Button” / “Right to be Forgotten”?

On pg. 78, the FTC proposes adding a new data retention and deletion provision to the COPPA regulatory regime:

The proposed provision states that operators shall retain children’s personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.  In addition, it states that an operator must delete such information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

In one sense this is commendable. It really would be wise for more online sites and services–especially those who handle kids info–to consider purging unneeded data more frequently. It helps minimize the potential for data security breaches and other problems.

That being said, I have to wonder how this proposal plays into the emerging debate over mandatory online “eraser buttons” and what the Europeans call “the right to be forgotten.” I recently released a Mercatus Center working paper (“Kids, Privacy, Free Speech & the Internet: Finding The Right Balance”), which examined these notions in greater detail. Simply put, an Internet “eraser button” is challenged by practical realities and principled concerns. It’s unclear how to even enforce such a notion. Moreover, if it could be enforced, it would raise profound free speech issues since it is tantamount to digital censorship and specifically threatens press freedoms. And the economic costs of such a mandate — especially on smaller operators — could be quite significant. See my recent Forbes essay for a discussion of those problems.

Again, the FTC is not proposing a formal “eraser button” in its latest COPPA revision. But by pushing for additional steps to be taken on the data deletion front, the agency might encourage more congressional interest in this topic. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have already included an eraser button proposal in their “Do Not Track Kids Act of 2011.” It will be interesting to see what happens next on this front.  Free speech and privacy rights are on a major collision course here if steps to encourage data deletion become formalized as law or regulatory proposals.

Conclusion

There’s much, much more in the FTC draft to consider that I’m going to hold judgment on for now. For example, plenty has already been said by others regarding the FTC’s proposal to update the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising.  That’s going to lead to all sorts of heartburn for a wide variety of online sites and service providers. It’s also going to complicate the wireless world as geolocation services expand and become a more ubiquitous part of our mobile digital experiences. But, again, I’m going to hold off on saying more on that for now.

In closing, the broader, more important questions that need to be asked are:

• Will these new proposed amendments and expanded regulatory requirements really do anything to make kids safer or their information more secure?
• Has the FTC even attempted to conduct a rough cost-benefit analysis of these new regulations?
• Have the specific burdens these new rules might impose on smaller operators even been considered?
• Correspondingly, will expanded COPPA regulations discourage new innovations that could offer kids and parents more rewarding online experiences?
• And, finally, will the new rules have an impact on the online cost equation by forcing various sites and services to charge higher prices–or charge prices for services that were previously free?

The Commission gives some lip service to these concerns toward the end of the document when it notes on page 94:

While the Rule’s compliance obligations apply equally to all entities subject to the Rule, it is unclear whether the economic burden on small entities will be the same as or greater than the burden on other entities.  That determination would depend upon a particular entity’s compliance costs, some of which may be largely fixed for all entities (e.g., website programming) and others variable (e.g., Safe Harbor participation), and the entity’s income or profit from operation of the website itself (e.g., membership fees) or related sources (e.g., revenue from marketing to children through the site).  As explained in the Paperwork Reduction Act section, in order to comply with the rule’s requirements, website operators will require the professional skills of legal (lawyers or similar professionals) and technical (e.g., computer programmers) personnel.  As explained earlier, the Commission staff estimates that there are approximately 2,000 website or online services that would qualify as operators under the proposed Rule, and that approximately 80% of such operators would qualify as small entities under the SBA’s Small Business Size standards.  The Commission invites comment and information on these issues.

It’ll be interesting to see what sort of feedback the FTC gets on that point. What I hope the agency and others understand is that questions like these are not just about the future of online business interests. Rather, these questions cut to the core of whether the public– including children–will be served with more and better digital innovations in the future. As we’ve noted countless times before here, there is no free lunch. Regulation–even well-intentioned regulation like COPPA–is not a costless exercise. There are profound trade-offs for online content and culture that must always be considered.

Additional Resources / Reading:

• FTC press release announcing new COPPA revisions
• the new proposed amendments [122 pages]
• summary of revisions by IT Law Group
• summary of revisions by Information Law Group
• Fulbright & Jaworski- “Think the FTC’s Proposed Changes to the Children’s Online Privacy Rule Don’t Affect Your Company? Think Again!”
• analysis from Emma Llanso of CDT
• comments on proposed changes from COPPA expert Izzy Neis
• “COPPA: What happens when a generation ignores a law?” – by Robert Niles
• “How will the FTC’s new digital privacy rules impact developers?” by Jason Ankeny
• “Proposed COPPA Rules: A Mobile Perspective” – by Cooley LLP
• my recent paper on potential dangers of COPPA expansion & mandatory “eraser button”
• my paper with Berin Szoka, “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech“

The latest edition (Version 4.0) of my PFF special report on “Parental Controls and Online Child Protection: A Survey of Tools & Methods” is now up.  For those not familiar with the report, it explores the market for parental control tools, rating schemes, education and media literacy efforts, and various other tools, methods, and initiatives aimed at promoting online child safety.  After evaluating that state of this market, I conclude: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”  Moreover, I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation.

Version 4.0 of the report is now over 250 pages long (up from 200 pages in Version 3.0) and it contains almost 70 exhibits (up from 50), 725 references (up from roughly 500), and numerous updates in all five sections of the book. Major updates have been made to the Internet, social networking, and mobile media sections, reflecting the growing importance of those sectors and issues. Other new sections or appendices have also been added to the report, including:

• a new section examining how many households really need parental control tools;
• a new appendix on the downsides of mandatory parental controls and restrictive default settings;
• a new section on the dangers of “deputizing the online middleman” solution as an approach to solving child safety concerns;
• a new appendix reviewing the findings of 5 past online safety task forces;
• … and much more.

I issue major updates once a year and 1 or 2 minor tweaks during the course of the year to reflect the evolution of the parental control and online child safety marketplace and debate. The report is available free-of-charge on the PFF website, and the previous editions of the report are housed there too in case you want to see how it has evolved over the past couple of years. For those interested in taking a quick look at the report, I have embedded it down below the fold as a Scribd file. Finally, as is always the case, I encourage readers to send me updates and suggestions for how to improve the report and I will incorporate them into future versions.

And so begins another fight over data retention. As Declan summarizes:

Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations. The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates. […] Two bills have been introduced so far — S.436 in the Senate and H.R.1076 in the House. Each of the companion bills is titled “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act,” or Internet Safety Act.

Julian also has coverage over at Ars and quotes CDT’s Greg Nojeim who says the data retention language is “invasive, risky, unnecessary, and likely to be ineffective.”  I think that’s generally correct.  Moreover, I find it ironic that at a time when so many in Congress seemingly want online providers to collect and retain LESS data about users, this bill proposes that ISPs be required to collect and retain MORE data. One wonders how those two legislative priorities will be reconciled!!

Don’t get me wrong. It’s good that Congress is taking steps to address the scourge of child pornography — especially with stiffer sentences for offenders and greater resources for law enforcement officials. Extensive data retention mandates, however, would be unlikely to help much given the ease with which bad guys will likely circumvent those requirements using alternative access points or proxies.  Finally, retention mandates pose a threat to the privacy of average law-abiding citizens and impose expensive burdens of online intermediaries.

We’ve had more to say about data retention here at the TLF over the years.  Here’s a few things to read:

• Yahoo! Data-Retention Policy vs. The New Justice Department, by Cord Blomquist
• Another Reason to Be Wary of Age Verification & Data Retention Mandates, by Adam Thierer, October 30, 2006.
• Mandatory Data Retention: How Much is Appropriate? by Adam Thierer, June 26, 2006.
• Internet Data Storage Is The Wrong Way To Combat Child Sexual Exploitation, by Hance Haney, Sept. 20, 2006.
• Data Retention on the Move, by Jim Harper, June 1, 2006.

Just FYI, the latest update of my booklet on “Parental Controls and Online Child Protection: A Survey of Tools & Methods” is now live. The new version, Version 3.1, provides minor updates to all sections of the book and a new appendix of relevant research in the field. I issue major updates early each year and 1 or 2 tweaks during the course of the year to reflect the evolution of the parental control and online child safety market and debate.

For those not familiar with the report, it explores the market for parental control tools, rating schemes, education efforts, and initiatives aimed at promoting online child safety. I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation. As I conclude after evaluating that state of the market: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”

The report is available free-of-charge on the PFF website, and the previous editions of the report are housed there too in case you want to see how it has evolved over the past two years. For those interested in taking a quick look at the report, I have embedded it down below the fold as a Scribd file. Finally, as is always the case, I encourage readers to send me updates and suggestions for how to improve the report and I will incorporate them into future versions.

PFF has just releasing an updated edition of my booklet on “Parental Controls and Online Child Protection: A Survey of Tools & Methods.” The new version, Version 3.0, includes two new appendixes and updates to each section to reflect new parental control tools and programs developed in the last nine months.

The updated report is timely as it comes on the heels of the recently-announced Internet Safety Technical Task Force, which is being chaired by the Berkman Center for Internet & Society at Harvard Law School. I am privileged to serve as a member of the Task Force, which is evaluating various online safety technologies and strategies and then reporting back to state attorneys general with our findings.

Those issues and much more are covered in the latest edition of my report. The report explores the market for parental control tools, rating schemes, education efforts, and initiatives aimed at promoting online child safety. I believe that the parental controls and content management tools cataloged in the report represent a better, less restrictive alternative to government regulation. As I conclude after evaluating that state of the market: “There has never been a time in our nation’s history when parents have had more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.”

Version 3.0 of the special report, now over 200 pages, contains over fifty exhibits and numerous updates in all five sections of the book. Major updates have been made to the Internet, social networking, and mobile media sections, reflecting the growing importance of those sectors and issues. A greatly expanded section on video empowerment technologies has also been included. Finally, two appendices have also been added: a comprehensive legislative index cataloging over thirty bills introduced in Congress on these issues (complied with John Morris of Center for Democracy & Technology), and a glossary of 35 relevant terms and cases.

The report is available free-of-charge on the PFF website, as are the previous editions. And I am happy to provide hard copies to those who are interested.

PFF has just released my latest paper entitled “Parental Control Perfection? The Impact of the DVR and VOD Boom on the Debate over TV Content Regulation.” In the report, I focus on the extent to which new video technologies, such as digital video recorders (DVRs) and video on demand (VOD) services, are changing the way households consume media and are helping parents better tailor viewing experiences to their tastes and values. I provide evidence showing the rapid spread of these technologies and discuss how parents are using these tools in their homes. Finally, I argue that these developments will have profound implications for debates over the regulation of video programming. As parents are given the ability to more effectively manage their family’s viewing habits and experiences, it will lessen—if not completely undercut—the need for government intervention on their behalf.

This 16-page report can be found at: http://www.pff.org/issues-pubs/pops/pop14.20DVRboomcontentreg.pdf