COPPA Expansion Could End Up in Court, PFF Warns Lawmakers

But Rockefeller was much more peeved at Google and Apple, which declined to send representatives to testify at the hearing. “Was it too expensive to send an associate?” he asked rhetorically. “Are they trying to avoid something?” Rockefeller said he “would absolutely love to use” the committee’s subpoena power to compel the companies to give evidence. “They made a stupid mistake by not showing up today.” Google declined to comment, and we couldn’t reach Apple. Neither operates services targeted to children under 13, the COPPA cutoff, but some observers have said Google’s Buzz social network in Gmail risks exposing children’s information.

Some services are “making great strides” to protect children online, but kids’ data are spilling everywhere, enabling location-based ads through social networks, and tracking their movements through GPS, said Subcommittee Chairman Mark Pryor, D-Ark. Children 2-11 make up almost 10 percent of Internet users, he said. Services and applications are “a little more complicated than” the ones “we were using yesterday,” said Ranking Member Roger Wicker, R-Miss. That’s why lawmakers must be careful not to stifle innovation online or detract from COPPA’s goal of providing children under 13 appropriate content, he said.

"We always seem to go with innovation,” Rockefeller replied, but the spread of personal information is becoming “very un-benign.” The FTC has taken too long to review its COPPA rules as technology has outpaced the law, and Congress will act if the agency doesn’t, he said. A survey found “sex” and “porn” among the top five Internet searches of kids under 13, certainly something that’s changed since COPPA’s enactment 10 years ago, said Sen. Amy Klobuchar, D-Minn. The sponsor of a bill to give consumers additional control over installed P2P software, billed as a child-protection measure (WID Feb 26 p4), she said that “when it comes to kids, we reach a whole new level” on the need for privacy.

The FTC is collecting comments through June (http://xrl.us/bhjpsk) on how to revise COPPA rules and will host a roundtable June 2, said Jessica Rich, deputy director of the Bureau of Consumer Protection. Open questions include whether the definition of the “Internet” covers all relevant communications, whether data such as static IP addresses count as “personal,” and whether there are additional ways to get parental consent for children’s Internet use. The commission recently has focused on enforcing COPPA on general-audience websites, which are required to restrict functionality for users that they know are under 13, and child-directed social networks, she said.

Free speech and anonymity are “on a collision course” with COPPA if it’s updated to apply to teens, PFF’s Szoka said. “Thirteen is just right” as a cutoff for sites that are aimed at kids and need age verification, he said. COPPA would “essentially converge with COPA” if the age were raised, Szoka said. PFF has previously warned that state-level “super-COPPA” laws would draw legal challenges (WID Nov 6 p8). Age verification is a prior restraint on adult speech online, requiring collection of data such as credit card numbers and creating “repositories for huge troves personal information,” Szoka said. Smaller websites would be the victims of a change, unable to shoulder the burden of verifying users’ identities, he said.

Congress shouldn’t “overhaul” COPPA but instead encourage innovations to improve safety for teenagers and younger children, said Tim Sparapani, Facebook public policy director. “No existing system today can verify users’ age online,” which is why his company uses “age-gate” technology that places a persistent cookie on users’ computer when they first enter their age information, catching naive kids on the first try, he said. Facebook isn’t designed for those under 13, but it goes to great lengths -- through “report” buttons across the site and “ongoing authentication checks” -- to protect users below that age who make their way in, Sparapani said.

The FTC should give clear guidance to companies on following the “spirit” of COPPA, said Mike Hintze, Microsoft associate general counsel. The company applies COPPA guidelines even for services not targeted to children, providing parental controls in Xbox Live, Hotmail and Messenger, for example, and giving parents “detailed activity reports” on their kids’ usage. COPPA’s flexibility has worked well and no legislative change is needed, Hintze said, but the FTC should work with others to develop “scalable” mechanisms for parental consent. Its five methods now -- consent form, credit card, toll-free number, digital certificate, or e-mail with PIN that parents got from another verification method -- are “cumbersome,” and the rules may fall apart with mobile devices, he said.

Lawmakers should consider privacy protections for teenagers outside of COPPA, requiring “fair information and marketing practices,” said American University Professor Kathryn Montgomery. The law, which she helped draft, has created a “level playing field” where previously sites had collected “reams” of data from kids, such as one for young investors. But the “immersive and ubiquitous” Web 2.0 environment, including behavioral targeting and mobile geolocation that can even deliver coupons from a nearby restaurant to a user, requires some changes, she said.

Sites are using children’s information for reasons “completely unrelated” to the reasons it was collected, said Marc Rotenberg, executive director of the Electronic Privacy Information Center. Possibly alluding to Facebook’s recent policy changes, which drew Hill concern (WID April 29 p4), Rotenberg said sites are changing their privacy policies after user data have been collected, “a problem COPPA never anticipated.” The FTC has been slow to respond, declining to act on EPIC’s complaint last year against a parental-tools maker that marketed its collected children’s data, he said. “Education is not enough in this area.” The FTC’s Rich didn’t comment.

'Must Be Way to Have It Both Ways'

Protecting kids online isn’t much different from securing companies’ data and networks, Rockefeller said, noting he was scheduled to address a business conference later on cybersecurity. (See separate story in this issue.) Neither task can be accomplished solely through self-regulation, and the “average American family,” technologically illiterate or working two jobs, can’t protect children from all the harms online, he said. “Kids are watching filth, and lascivious, horrible things,” he said, and “money always trumps [privacy] when it comes to information.” Young people are being “coaxed” to share more and parents can’t necessarily parse privacy policies, Rotenberg said, citing himself and his teens. “I need government to step in to control the things we can’t control.” Internet companies are “socializing them into a system where privacy is not valued,” Montgomery said. She questioned Szoka’s claim that children by age 10 show skepticism toward ads. Teens can be “quite susceptible” to interactive games in particular and “aroused” to act based on included ads, she said, referring to ongoing research on food marketing in games.

"There must be a way to have it both ways,” encouraging innovation and protecting kids’ privacy, Wicker said. COPPA has actually had a “strange disincentive,” spurring innovation in online experiences directed toward teens but not under-13s, including by Facebook, Sparapani said. “It does create additional work” and cost to Microsoft to reach younger users, creating a “speed bump” for potential new entrants into the children’s market, Hintze said. The kind of innovation that companies want isn’t privacy-protective, Montgomery said: They want to “get your child to friend an advertising figure.”

Facebook’s experience with teen users has shown they can be trusted to protect themselves, Sparapani told Wicker. The “community effect” polices the behavior of users and attaches “reprobation” to miscreants on the site, Sparapani said. He couldn’t answer how often Facebook’s “report” button is used, but said “it’s enough to keep a huge team of employees busy all day, day and night.” Hintze similarly couldn’t answer how often its parental tools are used, partly because services are structured differently: Xbox Live controls are built into user accounts, for example. Pryor said Microsoft should “aggressively, periodically” remind users across its sites that it offers free parental controls and safety options.

Szoka and Rotenberg differed on whether COPA’s demise is instructive for considering COPPA revisions. “The COPPA framework breaks down” if applied to teens because age verification for the first time would have to be applied to a large number of Internet users, Szoka said: Disney’s ClubPenguin.com social network for kids is nothing like the typical sites visited by 17-year-olds. Rotenberg, one of the lawyers who challenged COPA, said he was “very confused” by the claim. The two laws are “almost completely unrelated” and websites that collect user data generally require visitors to enter their age when creating an account, though it’s not legally required, he said. Rotenberg said Facebook does a good job of keeping out under-13 users. Privacy advocates aren’t asking for users to be blocked but for restrictions on data collection depending on the user’s age, he added: “I think that can be done without too much difficulty.” Szoka disagreed, saying sites as mundane as blogs that allow comments would have to “actually” verify ages, not simply ask users to give their age.

Surprisingly, problems applying COPPA to mobile devices, one of the major questions in the FTC’s review of the law, were barely mentioned. Montgomery told Pryor that different rules apply to wireless carriers and device makers such as Apple on data collection and use. Pryor asked if changes need to be made to cover Internet-enabled gaming devices such as the Nintendo DS he was holding. Rich said the law clearly applies to all methods of Internet transmission but not necessarily device-to-device communication. She declined to say whether the FTC would revisit COPPA definitions, saying it would decide after the comment period.