As part of what Politico’s Tony Romm calls this week’s “all-out online privacy blitzkrieg,” Rep. Ed Markey (D-Mass) announced he would be proposing legislation aimed at better protecting kids from the supposed evils of online “tracking” and marketing. Apparently, Rep. Markey’s effort will build on the “Do Not Track” proposal that is garnering so much attention this week.
Lost in the smoke surrounding that privacy blitzkrieg is an important distinction between these two proposals: There is a very big difference between re-engineering browsers and websites to comply with a “Do Not Track” mandate and a new regulatory scheme aimed at identifying the ages or identities of individuals using certain online sites or services. Namely, the latter likely necessitates some sort of mandatory age verification or online authentication regime for the Internet.
Let’s take a step back for some context. Markey helped author the Children’s Online Privacy Protection Act (COPPA) of 1998, which dealt with the collection of information for kids under 13 online. But COPPA wasn’t a strict age verification or online authentication regime for the Internet. Instead, COPPA mandated a “verifiable parental consent” regime which the Federal Trade Commission (FTC) later enforced using a so-called “sliding scale” approach. Essentially, sites that are “directed at” kids under 13 are supposed to get parental consent using a variety of mechanisms (credit cards, sign and fax forms, phone calls, etc) before any collection of information takes place. Of course, there are some devilish details here regarding what counts as “directed at” or “collection,” but the crucial point here is that COPPA does not require the formal authentication of web surfer identities or ages — whether they kids or parents.
So, the really tricky question here is how one goes about expanding the COPPA regulatory regime without stumbling into the legal thicket that tied up the Child Online Protection Act (COPA) of 1998, a law which did mandate such an authentication regime and, as a result, witnessed a grueling decade-long legal battle over its constitutionality. Ultimately, the courts rejected COPA as inconsistent with America’s tradition of anonymous speech, something central to our evolution as a democracy, pre-dating even the First Amendment that protects it from government interference. Thus, we have, at least for now, closed the book on COPA. But are we about to re-open it with COPPA expansion a la the forthcoming Markey bill?
At yesterday’s House Energy & Commerce hearing on “Do Not Track” where he announced his intention to drop legislation, Rep. Markey didn’t offer concrete details about how his bill would work, but he did go out of his way to praise the work of Common Sense Media (CSM) on this front. This implies his plan will be in line with what CSM has already advocated. As I noted in this essay in July, CSM recently submitted a filing to the FTC advocating expanding COPPA’s age scope to cover all kids under 18 as well as opt-in mandates for the collection and use of any “personal information” or “behavioral marketing.”
As I pointed out in that earlier essay, as well as in this beefy paper with Berin Szoka, “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech,” there are many profound questions raised by any proposal to expand COPPA along the lines that Common Sense Media and presumably now Rep. Markey suggest. Here are a few questions that privacy advocates and policymakers need to consider before heading down this path:
- What is the supposed harm that requires such a significant expansion of Internet regulation? Why the need for a massive expansion of federal regulation in this area? CSM never makes it clear in its FTC filing. Are there corresponding benefits to be considered? Aren’t other values or principles at stake here?
- What are the free speech implications of their proposals. Extending COPPA to cover older teens will require websites used by large numbers of adults to age verify all users. This raises the same First Amendment concerns about government interference with anonymous communication that caused COPA to be struck down by the courts as unconstitutional. Thus, another lengthy legal battle likely awaits.
- Is it the case that — in the name of protecting privacy — this approach might demand a massive amount of additional information be collected to facilitate the regulatory regime? Expanded age verification mandates would mean more information has to be collected about kids and their parents, but also about adults who, after all, have to prove they aren’t children! That means a honey pot of new information would be created and held by someone, potentially the government itself.
- How would such a proposal cope with all the sites or services that allow voluntary sharing of personal information by children? In an era of widespread user-generated content, instant messaging, online gaming, and other forms of digital interaction, expanded verifiable parental consent requirements become a formidable regulatory problem.
- Don’t older teens have some speech rights? The Common Sense Media proposal implies that teens are utterly incapable of making decisions for themselves until the day they turn 18. Never mind that most U.S. states set their age of consent at 16 or 17, for example. These teens are people who we already allow to hold jobs and drive cars and who will shortly be in college and then eligible to vote and serve in our Armed Forces. Yet, the CSM approach would require “verifiable parental consent” before older teens could read or look at anything online.
- What will the economic impact be of this mandate on smaller websites that cater to kids & teens? If expanded regulation crowds out smaller start-ups, the resulting level of creativity and innovation in this market will suffer. Thus, COPPA expansion could lead to unnecessary industry consolidation as smaller operators are forced to sell to bigger player who can cover regulatory compliance costs.
- What’s the potential cost to consumers / parents? Expanding verifiable parental consent requirements will no doubt burden the creators or various sites and services, but those costs will ultimately be borne by the public when they are passed along in the form of a fee for services, many of which were previously free of charge.
- Aren’t there better, less burdensome, ways to protect kids’ privacy online? There are many beneficial steps being taken by site operators today that make kids safer online. If we assume that COPPA is the most important approach to keeping kids safe online, we are making a huge mistake. COPPA is probably one of the least important things that keeps kids safe online. It’s what sites do after kids get into their online communities that is really important because—guess what!—kids are going to get in to social networking communities and other sites. There are many important steps being taken by countless online sites and communities take to make sure they offer more safe and secure environments for kids. In particular, beyond basic parental controls, moderation and intervention efforts by site operators are increasing within social networking sites, virtual worlds, and many other sites to ensure that they offer such “well lit” online neighborhoods. We should be encouraging a lot more of that and working to find new “oversight and intervention” methods to deal with problems when they pop up. Common Sense Media has done a lot of great work on this front and should have focused on how those methods could be improved instead of how the create a more cumbersome, intrusive, expensive, and ultimately unworkable age verification regulatory regime for the Internet.
As Rep. Markey and his fellow policymakers move forward with any plan to expand COPPA, they should carefully weight these considerations against the supposed evils of online data collection, advertising, and marketing. It’s certainly true that greater care must be taken by advertisers and marketers when dealing with kids, but education, user / parental empowerment, and industry self-regulation may be the better approach here.