The new Maine law I blogged about on Sunday is much worse than I thought based on my initial reading. If allowed to stand, it would constitute a sweeping age verification mandate introduced through the back door of “child protection.”
The law, which goes into effect in September, would extend the approach of the Children’s Online Privacy Protection Act (COPPA) of 1998 by requiring “verifiable parental consent” before the collection of kids “personal information” about kids, not just those under 13, but also adolescents age 13-17. Unlike other state-level proposals in New Jersey, Illinois, Georgia and North Carolina, Maine’s “COPPA 2.0” law would also cover health information, but would only govern the collection and use of data for marketing purposes (while the FTC has interpreted COPPA to cover to essentially any capability for communicating personal information among users).
But the Maine law would go much further than these proposals or COPPA itself by banning transfer or use of such data in anything other than de-identified, aggregate form. Still I took some comfort in the fact that the Maine law, unlike COPPA or these other proposals, lacked the second of COPPA’s two prongs: (i) collection from kids and (ii) collection on sites that are directed at kids. It’s because of the second prong that COPPA applies not only when a site operator knows that it’s collecting information from kids (or merely allowing them to share information with other users), but also when the operator’s site is (like, say, Club Penguin) targeted to kids in terms of its subject matter, branding, interface, etc. Because I initially concluded that the Maine law would apply only to knowing collection, I supposed that it would be less likely to require age verification of all users, as other COPPA 2.0 proposals would—something that would be unlikely to survive a First Amendment challenge based on the harm to online anonymity.
But I was quite wrong. During the PFF Capitol Hill briefing Adam and I held on Monday, Jim Halpert, one of our panelists, noted that the bill imposed “strict liability.” When I re-read the law, two small provisions with enormous consequences jumped out at me. First, this section:
Unlawful collection. It is unlawful for a person to knowingly collect or receive health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent of that minor’s parent or legal guardian.
The knowledge requirement above pertains to whether the collection is done “knowingly,” not whether the operator “has actual knowledge that it is collecting personal information from a child” (COPPA’s language). It’s possible that the Maine legislature meant to require that operators know that they’re collecting information from kids, not merely that the collection is intentional and not inadvertent, but if so, they either didn’t read COPPA or don’t understand statutory drafting.
But even if operators could be held liable if they had actual knowledge that they were collecting personal or health information without parental consent, the other operative language of the bill has no knowledge requirement at all. Thus, if an operator truly had no idea it was collecting information from a kid—kids commonly lie about their age to gain access to age-restricted sites—the operator would still be strictly liable for transferring or using that data under the other operative provisions of the law:
Unlawful use. A person may not sell, offer for sale or otherwise transfer to another person health-related information or personal information about a minor if that information:
A. Was unlawfully collected pursuant to subsection 1;
B. Individually identifies the minor; or
C. Will be used… for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product.
Thus, the only way affected site operators (e.g., anyone who asks for user’s names as part of a profile and also uses personal information in marketing) could protect themselves under the law would be to age verify all users. Thus, the Maine law is, like other COPPA 2.0 proposals, simply an age verification mandate imposed on all adult users of sites with increasingly prevalent social networking functionality dressed up as a child protection measure. Again, unlike other COPPA 2.0 proposals, the Maine law would not apply to all sites that collect personal information for marketing purposes, but for those that do, it would have the same consequence as other COPPA 2.0 proposals. As we argue in our paper (p.24), COPPA 2.0 proposals in general are very likely to be struck down on the same grounds as the Child Online Protection Act (COPA), COPPA’s evil twin sister, which would have required age verification for all content deemed “harmful to minors” and which the courts have struck down as blatantly unconstitutional.
Although one might argue that the Maine law does less harm to speech because it applies only to sites that collect and use/transfer data for marketing purposes, while COPPA’s reach is far broader, the Dormant Commerce Clause argument against the law would also probably succeed: the law unduly burdens interstate commerce by imposing Maine’s standards on the rest of the country. Under the law’s strict liability regime, efforts to geo-target users in Maine (themselves a significant burden on website operators) would not protect out-of-state site operators from liability for collecting data from some users in Maine because geo-targeting is necessarily imperfect.
But wait; there’s more! Other COPPA 2.0 proposals would have this consequence because they would apply either to all social networking sites with a certain functionality (Illinois) or to collection of information through sites “directed at” adolescents (New Jersey), which could apply to sites used by large numbers of adults. But for most sites, such laws would only apply where the operator had “actual knowledge” that the user was a kid, thus recognizing (for those sites) that perfect age verification is impossible and that some kids will inevitably circumvent any age verification system imposed. By contrast, the Maine law would hold sites liable for “predatory marketing” for every collection, use, or transfer of a kid’s personal information whether or not the operator knew (or even had reason to know) that they were collecting information from kids at a rate of $10-20k for the first offense and $20k+ (with no upper bound at all) for each subsequent offense. Since offense here could mean each individual act of collection, and since large social networking websites have tens of millions of users, operators might theoretically be subject to fines in the hundreds of billions of dollars!
If this law survives constitutional challenge, I’ll eat the HTML in which this post is written! More likely, the legislature will back down at the first whiff of a legal challenge and go back to finding other, less obviously unconstitutional ways to impress their constituents with how much they care about “Protecting the Children” (or how little they care about free speech or know about how the Internet works).