Yesterday, the Federal Trade Commission (FTC) released its long-awaited proposed revisions to the Children’s Online Privacy Protection rule (the “COPPA Rule”). Below I offer a few brief thoughts on the draft document. My remarks assume a basic level of knowledge about COPPA so that I don’t have to spend pages explaining the intricacies of this complex law and regulatory regime. If you need background on the COPPA law and rule, please check out this paper by Berin Szoka and me: “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.”

Dodging the COPA / Mandatory Age Verification Bullet

The most important takeaway from yesterday’s proposal involves something the FTC chose not to do: The agency very wisely decided to ignore some requests to extend the coverage of COPPA’s regulatory provisions from children under 13 all the way to teens up to 18.  An effort to expand COPPA’s “verifiable parental consent” requirements to all teens would have raised thorny First Amendment issues as well as a host of practical enforcement concerns.  In essence, it would have required Internet-wide age verification of children and adults in order to ensure that everyone was exactly who they claimed to be online. We already had an epic decade-long legal battle over that issue when the constitutionality of the Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA, was tested many times over and always found to be in violation of the First Amendment.

Regardless, the FTC didn’t go there yesterday, so this concern is off the table for now. The agency deserves credit for avoiding this constitutional thicket. Continue reading →

My latest Mercatus Center white paper is entitled “Kids, Privacy, Free Speech & the Internet: Finding The Right Balance.” From the intro:

Concerns about children’s privacy are an important part of [the ongoing privacy debate]. The Children’s Online Privacy Protection Act of 1998 (COPPA) already mandates certain online-privacy protections for children under the age of 13. The goal of COPPA was to enhance parents’ involvement in their children’s online activities and better safeguard kids’ personal information online. The FTC is currently considering an expansion of COPPA, and lawmakers in the House of Representatives introduced legislation that would expand COPPA and apply additional FIPPS regulations to teenagers. Some state-based measures also propose expanding COPPA. While well-intentioned, efforts to expand privacy regulation along these lines would cause a number of unintended consequences of both a legal and economic nature. In particular, expanding COPPA raises thorny issues about online free speech and anonymity. Ironically, it might also require that more information about individuals be collected to enforce the law’s parental-consent provisions. There are better ways to protect the privacy of children online than imposing burdensome new regulatory mandates on the Internet and online consumers. Education, empowerment, and targeted enforcement of unfair and deceptive practice policies represent the better way forward.

The paper can be downloaded on SSRN, Scribd, or directly from the Mercatus website at the link above.

On May 26th, it was my great pleasure to participate in a panel discussion on “Growing Up with the Mobile Net,” which was co-sponsored by the Congressional Internet Caucus and Common Sense Media. It was a conversation about kids’ privacy, online safety, teen free speech rights, anonymity, and the possibility of expanding the Children’s Online Privacy Protection Act (COPPA) and implementing the so-called “Internet Eraser Button.”

I was joined on the panel by Jules Polonetsky, Co-chair and Director of the Future of Privacy Forum, and Alan Simpson, Vice President of Policy at Common Sense Media. And the session was very ably moderated, as always, by the supremely objective Tim Lordan.*  We really unpacked the “Eraser Button” and “right to be forgotten” notion and thought through the ramifications. And the discussion about the extent of First Amendment rights for teenagers was also interesting.

The video for this 48-minute session can be found on the Congressional Internet Caucus YouTube page here and is embedded below.

Note: During the session, Tim Lordan claimed that he takes no position and that if anyone says he takes positions on issues that he will slap a super-injunction on them. Well, I say Tim Lordan is brimming with positions and he’s letting them fly at every juncture. In fact, I’ve never met someone so full of controversial positions in my life as Tim Lordan! OK, so sue me Tim!

As part of what Politico’s Tony Romm calls this week’s “all-out online privacy blitzkrieg,” Rep. Ed Markey (D-Mass) announced he would be proposing legislation aimed at better protecting kids from the supposed evils of online “tracking” and marketing.  Apparently, Rep. Markey’s effort will build on the “Do Not Track” proposal that is garnering so much attention this week.

Lost in the smoke surrounding that privacy blitzkrieg is an important distinction between these two proposals:  There is a very big difference between re-engineering browsers and websites to comply with a “Do Not Track” mandate and a new regulatory scheme aimed at identifying the ages or identities of individuals using certain online sites or services.  Namely, the latter likely necessitates some sort of mandatory age verification or online authentication regime for the Internet.

Let’s take a step back for some context.  Markey helped author the Children’s Online Privacy Protection Act (COPPA) of 1998, which dealt with the collection of information for kids under 13 online. But COPPA wasn’t a strict age verification or online authentication regime for the Internet.  Instead, COPPA mandated a “verifiable parental consent” regime which the Federal Trade Commission (FTC) later enforced using a so-called “sliding scale” approach.  Essentially, sites that are “directed at” kids under 13 are supposed to get parental consent using a variety of mechanisms (credit cards, sign and fax forms, phone calls, etc.) before any collection of information takes place. Of course, there are some devilish details here regarding what counts as “directed at” or “collection,” but the crucial point here is that COPPA does not require the formal authentication of web surfer identities or ages — whether they are kids or parents.

So, the really tricky question here is how one goes about expanding the COPPA regulatory regime without stumbling into the legal thicket that tied up the Child Online Protection Act (COPA) of 1998, a law which did mandate such an authentication regime and, as a result, witnessed a grueling decade-long legal battle over its constitutionality.  Ultimately, the courts rejected COPA as inconsistent with America’s tradition of anonymous speech, something central to our evolution as a democracy, pre-dating even the First Amendment that protects it from government interference. Thus, we have, at least for now, closed the book on COPA. But are we about to re-open it with COPPA expansion a la the forthcoming Markey bill? Continue reading →

An important anniversary just passed with little more notice than an email newsletter about the report that played a pivotal role in causing the courts to strike down the 1998 Child Online Protection Act (COPA) as an unconstitutional restriction on the speech of adults and website operators. (COPA required all commercial distributors of “material harmful to minors” to restrict their sites from access by minors, such as by requiring a credit card for age verification.)

The Congressional Internet Caucus Advisory Committee is pleased to report that even after 10 years of its release the COPA Commission’s final report to Congress is still being downloaded at an astounding rate – between 700 and 1,000 copies a month. Users from all over the world are downloading the report from the COPA Commission, a congressionally appointed panel mandated by the Child Online Protection Act. The primary purpose of the Commission was to “identify technological or other methods that will help reduce access by minors to material that is harmful to minors on the Internet.” The Commission released its final report to Congress on Friday, October 20, 2000. As a public service the Congressional Internet Caucus Advisory Committee agreed to virtually host the deliberations of the COPA Commission on the Web site COPACommission.org. The final posting to the site was the actual COPA Commission final report making it available for download. In the subsequent 10 years it is estimated that close to 150,000 copies of the report have been downloaded.

The COPA Report played a critical role in fending off efforts to regulate the Internet in the name of “protecting our children,” and marked a shift towards focusing on what, in First Amendment caselaw, is called “less restrictive” alternatives to regulation. This summary of the report’s recommendations bears repeating:

After consideration of the record, the Commission concludes that the most effective current means of protecting children from content on the Internet harmful to minors include: aggressive efforts toward public education, consumer empowerment, increased resources for enforcement of existing laws, and greater use of existing technologies. Witness after witness testified that protection of children online requires more education, more technologies, heightened public awareness of existing technologies and better enforcement of existing laws. Continue reading →

Common Sense Media (CSM) is a media “watchdog” group that provides a terrifically useful service to the public through independent reviews of popular media content (movies, music, TV, games, and more). As a parent, I find their service indispensable and, as a policy analyst, I have praised their rating system and their media literacy / digital citizenship programs again and again, including numerous endorsements in my special report on Parental Controls & Online Child Protection and other testimony and filings before Congress and federal regulatory agencies.

Thus, being such a big fan of CSM, I was quite dismayed to see the comments they just submitted to the Federal Trade Commission (FTC) as part of the agency’s review of the Children’s Online Privacy Protection Act (COPPA). They advocate not just expanded educational efforts, which are great, but also expanding COPPA’s age scope to cover all kids under 18 as well as opt-in mandates for the collection and use of any “personal information” or “behavioral marketing.”  For all the background on the law and the FTC’s resulting COPPA rule, see this beefy paper Berin Szoka and I authored last year and this testimony and follow-up submission Berin did for the Senate Commerce Committee. And then read the joint submission made by PFF, CDT, and EFF in the same FTC proceeding that CSM just filed in.

Sadly, it’s clear to me that Common Sense Media didn’t take anything we warned about in those papers or filings seriously—or perhaps that they just didn’t bother to read them very carefully, if at all. Their filing is a classic example of good intentions gone wrong. I understand that they want to take additional steps to protect children online, but they completely ignore the practical realities of COPPA expansion and its associated trade-offs:

Continue reading →

Yesterday, the Federal Trade Commission (FTC) hosted an all-day workshop on “Protecting Kids’ Privacy Online,” which looked into the Children’s Online Privacy Protection Act of 1998 (COPPA) and challenges posed to its enforcement by new technological developments. The FTC staff did a nice job bringing together and moderating 5 panels’ worth of participants, all of whom had plenty of interesting things to say about the future of COPPA.  But I was more struck by what was not said yesterday. Namely, there was:

  • ZERO explanation of the supposed harms of advertising, marketing, and data collection. Advertising-bashing is an old sport here in Washington, so I guess I should not have been surprised to hear several panelists yesterday engaging in teeth-gnashing and hand-wringing about advertising, marketing, and the data collection methods that make it possible. But this grousing just went on and on without any explanation by the critics of the supposed harms that would result from it.
  • ZERO appreciation of the benefits of advertising, marketing, and data collection. Not once yesterday — NOT ONCE — did anyone pause to ask what it is that makes all these wonderful online sites, services and content free (or dirt cheap) to consumers.  Everyone at this show was guilty of the “manna fallacy” (that all this stuff just falls magically to Earth from the Net Gods above). Well, back here in the real world, something has to pay for all those goodies, and that something is advertising and marketing, which are facilitated by data collection! Or would you like to pay $19.95 a month for each of those currently free sites and services? Yeah, I didn’t think so.

Continue reading →

On April 29, I testified before the Senate Commerce Committee’s Consumer Protection Subcommittee on Examining Children’s Privacy: New Technologies and the Children’s Online Privacy Protection Act (COPPA). Today, I filed 23 pages of responses to questions for the Congressional Record from Subcommittee Chairman Mark Pryor (D-AR), touching on many of the concerns and issues Adam Thierer and I developed in our May 2009 paper, COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.

At the April hearing, Senators asked whether COPPA could be improved. Today, as in my April oral and written testimony, I again urged lawmakers to “tread carefully” because COPPA, as implemented, basically works. I explained why COPPA’s technological neutrality and flexibility should allow the FTC to keep pace with technological convergence and change without the need for legislative changes. But expanding the statute beyond its limited purposes, especially to cover adolescents under 18, could raise serious constitutional questions about the First Amendment rights of adults as well as older teens and site and service operators, and also have unintended consequences for the health of online content and services without necessarily significantly increasing the online privacy and safety of children.

The Committee’s follow-up questions also inquired about COPPA’s implementation, the subject of today’s FTC Roundtable. I noted that COPPA implementation has gone reasonably well, meeting its primary goal of enhancing parental involvement in children’s online activities, but that implementation has come at a price, since the costs of obtaining verifiable parental consent and otherwise complying with COPPA have, on the one hand, discouraged site and service operators from allowing children on their sites or offering child-oriented content, and, on the other hand, raised costs for child-oriented sites. The FTC could do more to lower compliance costs for website operators, thus allowing achievement of COPPA’s goals at a lower cost for parents and kids in foregone content and services.

Finally, I raised concerns about the FTC’s seeming invitation for changes to the COPPA statute itself. As a general matter, regulatory agencies should not be in the business of re-assessing the adequacy of their own powers, since the natural impulse of all bureaucracy is to grow. Though the agency has done a yeoman’s job of implementing COPPA, ultimately it is the responsibility of Congress, not the FTC, to make decisions about modifying the statute. Continue reading →

I’m testifying this morning before the Senate Commerce Committee’s Consumer Protection Subcommittee on Examining Children’s Privacy: New Technologies and the Children’s Online Privacy Protection Act at 10 am in 253 Russell. I offered an overview of my testimony in a PFF TechCast interview yesterday.

MP3 file: PFF TechCast #4 – Senate COPPA testimony of Berin Szoka

My pre-scripted oral testimony (PDF) follows below, but you can download my somewhat longer written testimony here, which offers an overview of our past work on this subject at PFF, particularly the paper Adam Thierer and I published last summer, COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.


Mr. Chairman and Committee members, thank you for inviting me here today.  My name is Berin Szoka. [1] I’m a Senior Fellow at The Progress & Freedom Foundation.  I commend this Committee for studying COPPA, and the FTC for its upcoming COPPA Review and Roundtable. [2]

Background on COPPA

For an “Internet Jr.” of sites “directed at” children under 13, COPPA requires sites either to age-verify all users or limit functionality to prevent children from making personal information “publicly available”—including the sharing of user-generated content.  COPPA imposes the same requirement on general audience sites when they have actual knowledge a user is under 13.  Because of this forced separation and the costs of age verification, COPPA may well have unintentionally limited choice and competition by driving increased consolidation in the marketplace for child-oriented sites and services online.  On the other hand, COPPA has been reasonably successful in fulfilling Congress’s original goal of “enhancing parental involvement” to protect children’s online privacy and safety.

Whatever this trade-off, I’m here today to caution against expanding COPPA beyond its original, limited purpose. COPPA’s unique value lies in its flexibility, subtlety, and intentional narrowness. Continue reading →

The Congressional Internet Caucus Advisory Committee is hosting their second annual State of the Mobile Net conference this Wednesday, April 21 at the DC Hyatt Regency (400 New Jersey Ave NW). The conference runs 12-5 pm followed by a cocktail reception. This conference and the larger State of the Net conference are probably the two best annual Internet policy events in DC, so I hope you’ll attend! This year’s SOMN includes a bonus: a “Growing Up with the Mobile Net” seminar coordinated by Common Sense Media, 9-11:45 am. I’ll be on the first panel of the morning on Kids’ Privacy on the Mobile Net: Is it PII or TMI? with:

  • Amanda Lenhart of the Pew Internet & American Life Project, veritable goddess of cyber-sociological data (check out her terrific Social Media & Young Adults report);
  • Phyllis Marcus, who handles children’s privacy and COPPA issues at the FTC (and is one of my favorite people there); and
  • Alan Simpson, Common Sense Media, a tireless advocate for educating children & parents.

I can only assume Alan asked me to be on this distinguished panel to represent kids directly on account of my baby-faced-ness! Jerry Rubin famously said, “Don’t trust anyone over thirty”—so I’ve still got 3.5 months of trustworthiness to go! (Or perhaps he actually read the huge PFF paper Adam Thierer and I did last summer about COPPA and my recent post on the FTC’s recently announced COPPA implementation review or my testimony on Maine’s COPPA 2.0 law.) Anyway, the rest of the day looks great (so register here), including these sessions: Continue reading →