A Fine COPPA Indeed
Written by Emma Llansó
[Editors Note: This blog post was updated on July 13, please see below.]
CDT submitted comments yesterday in the FTC's proceeding reviewing the Rule implementing the Children's Online Privacy Protection Act (COPPA), which regulates website and online service operators' ability to collect personal information from children under the age of thirteen. Sites that are aimed at children cannot collect kids' information, or allow them to post it in a blog, comment field, or chat room, without getting parental consent first. Site operators also have to get parental consent if they actually know that a certain user is a child.
Filing jointly with the Electronic Frontier Foundation and the Progress & Freedom Foundation, and submitting a set of individual comments as well, CDT cautioned the Commission against trying to extend the COPPA Rule to cover older minors (or asking Congress to open the statute up for a similar amendment). COPPA's restrictions prohibit children from requesting information from a website without getting their parents' permission first, and complying with COPPA is such an expensive proposition that most websites tell kids under thirteen to stay away. While this might be an appropriate policy compromise — between children's privacy and parental involvement on the one hand, and minor's free speech rights on the other — for young children, it becomes completely untenable when applied to older minors. Teens have a First Amendment right to access information and use interactive communications platforms without seeking their parents' consent, and any government mandate that they do so would violate that right.
COPPA is a complex, quirky statute that does a reasonably good job of achieving its goals of protecting kids' personal information and increasing parental involvement in children's online activities. But because of the statute-specific way certain terms are defined, and because compliance with COPPA is so onerous for websites and online services, COPPA is not the right vehicle for a more expansive privacy protection regime. Expanding the Rule could cause the whole COPPA framework to collapse under the weight of unconstitutional burdens on free speech, leaving children with less protection than they have now. CDT encourages the Commission to focus on enforcing COPPA in its current form, and to continue its efforts to help parents, children, and educators learn how to navigate the Internet safely.
UPDATE: CDT has filed an additional set of comments in response to several recommendations to extend COPPA-type restrictions to cover older minors' data. Common Sense Media urged the Commission to extend COPPA to cover all minors under the age of 18 (with a modified rule for 16- and 17-year-olds), while another group of commenters called for the Commission to develop a set of Fair Information Practices (FIPs) that would apply only to teens.
As we detail in our supplemental comments, neither of these approaches is likely to pass constitutional muster — they would infringe minors' First Amendment rights to speak and to access information, and would require most websites to implement some sort of age verification technology in a (likely futile) attempt to discriminate among site visitors by age. This would violate the right of adults (and minors) to access speech anonymously, place a burden on websites' ability to reach their audience, and would create significant barriers to entry for start-up sites and services. To avoid these issues, the Commission should ensure that any regulations or recommendations it makes to Congress to expand protections for personal information collected online cover all Internet users, not just 13- to 17-year-olds.