Last Thursday, the Federal Trade Commission released  its long-awaited report on the rule implementing the Children’s Online Privacy Protection Act. COPPA is the federal law that requires operators of websites or online services directed to children to obtain verified parental consent before collecting personal information from children under 13 years of age.The Act is administered by the FTC via the COPPA Rule, which the Commission reviews periodically. The 122-page report released today contains a number of proposals for updates to the Rule but stops well short of asking Congress to open the Act for amendment. Overall, the report is appropriately aimed at keeping COPPA current with developing technology and advertising practices, and not on expanding COPPA to serve as an all-purpose minors’ privacy bill. We’re still digging into the report, but a few of the proposals deserve close attention.
Generally speaking, the Commission’s proposals keep COPPA’s focus where it belongs: on children under 13 and the information-collecting practices of websites and online services that are specifically directed to children. Several commenters in the review process urged the FTC to expand COPPA to include older minors or to pull into COPPA’s ambit popular general-interest sites that have some idea that some of their users may be 12 years old or younger. As we noted in our supplemental comments , extending COPPA to require parental consent for older minors to access information would infringe on those minors’ First Amendment rights. And putting requirements on site operators when they have “constructive knowledge” that some users are probably minors– rather than actual knowledge that a particular user is under 13 – would effectively require every popular social media and user-generated content site to identify all of their users in order to ferret out the 12-and-unders in the group. This would encroach on adults’ and minors’ rights to access and post information anonymously, and would lead to exponentially more data collection – an ironic outcome for a privacy-protection law.
Fortunately, the FTC seems to agree, and the report rejects suggestions to alter COPPA’s scope. The Commission explicitly points to older minors’ “right to access information and express themselves publicly,” and notes the practical difficulty in expanding COPPA to cover websites “directed to teens,” which “might unintentionally burden the right of adults to engage in speech online.” Understanding the discouraging effect regulatory uncertainty can have on online innovation, the Commission concludes, “Actual knowledge is far more workable, and provides greater certainty, than other legal standards that might be applied to the universe of general audience websites and online services.”
On the other hand, CDT has significant concerns with the FTC’s proposal that companies obtain verified parental consent by having operators collect a parent’s driver’s license or social security number and cross-check it against existing databases of this information. This proposal raises serious privacy and free speech issues: the information contained in government IDs is sensitive, as the Commission recognizes in the report, and encouraging users to submit copies of their IDs to website operators even in limited circumstances will likely make them more vulnerable to phishing and identity theft scams. Further, while the Commission’s proposal would require operators to promptly delete copies of the IDs from their records after verification is complete, without robust monitoring and enforcement this method of parental verification could lead to the creation of rich stores of sensitive user information that are vulnerable to breach. In any event, it is quite likely that some parents will be discouraged from consenting to their child’s use of a website if it requires them to submit a government ID; whether this is because the parent has privacy concerns or simply lacks a driver’s license, the end result is that the child’s access to information is limited.
And there’s no real upside to the government-ID method. It won’t be any more effective than existing methods at helping operators establish actual parental consent since it cannot guarantee that a parent is actually the user providing the copy of the ID. Nor can it guarantee that the adult on the ID is actually a parent of the child and has the authority to consent on the child’s behalf. And, unlike the credit card verification method currently in the COPPA Rule, the adult whose ID has been used will not get the additional after-the-fact notice that credit card billing statements provide. The privacy and security concerns with government ID- or credential-based identity verification programs discussed in the 2008 Internet Safety Technical Task Force report  remain relevant today. There is little, if anything, to be gained from this proposed consent method and too much to be lost.
Other proposals will also require careful analysis, including the Commission’s suggested update of the definition of “personal information” to include geolocation information as well as IP address and other persistent identifiers, including tracking cookies. At first blush, it looks like the Commission has done a reasonable job of narrowing the scenarios when this type of data will trigger COPPA’s parental consent requirements, exempting the collection of IP address and persistent identifiers to support the internal operations of the website or online service. CDT will be preparing an in-depth analysis of these and other proposals in the coming weeks; the deadline for comments to the Commission is November 28, 2011.