The Family Online Safety Institute (FOSI) is based in Washington DC. I’m on their Advisory Board and have been since its inception.
FOSI is supported by most of the big US internet companies and it is extremely well connected inside the Beltway. With a growing number of the larger European technology players also now joining, increasingly a feature of FOSI events is the high level dialogue they engender between different jurisdictions, cultures and traditions. Everyone is learning to be more ecumenical.
However, in the internet space for now and the foreseeable future US law and practice very often determine the defaults for the rest of us. And that’s the real point of this blog.
FOSI in London
FOSI’s European office organized a conference in London last week. It took place in the splendid surroundings of the BT Centre in the shadow of St Paul’s. I am delighted to report that, on this occasion, among the many stellar presentations made from the platform for me some of the most dramatic and radical things were said by a British public servant. At least I think they were.
David Smith is a Deputy Commissioner within the UK’s Information Commissioner’s Office. This means he is a big wig in our principal statutory data protection and privacy organization. The import of Mr Smith’s words at the FOSI conference didn’t quite sink in at the time he said them but they have been percolating and I have been pondering.
COPPA is not law in the UK
Put simply, Smith reminded us that the Children’s Online Privacy Protection Act, 1998, (COPPA) is a US Federal law and therefore has no legal status in Britain, or anywhere else in Europe. If that was all that was said it would simply be a statement of the utterly obvious. But there was more.
In the USA, under COPPA, commercial companies that operate on the internet are obliged to obtain parental consent before they can knowingly collect any personal data from a child under the age of 13. That includes all of the sorts of information routinely required to open an account or become a member of a social network or online service.
Rather than get involved in, as they saw it, the messy, time consuming, off-putting and expensive business of obtaining parental consent, most internet companies simply decided to make 13 their minimum age for membership. And with one bound they were free! This means the only sites in the US that regularly or consistently seek parental consent are those expressly targeted at sub-13 America.
In some instances a number of sites or services that are free at the point of use went a step further, announcing 18 as their threshold. Before you go thinking this shows a higher level of responsibility remember we are talking about an environment in which no one checks anyone’s age anyway. You could say companies that stipulate 18 are merely applying a different cosmetic.
13 is the line of least resistance
Returning to 13, bear in mind the date COPPA became law. 1998 was long before the first social network site had materialised. Thus the subsequent decision of the arrivistes to adopt and adapt to 13 as their lower age limit was not the result of a careful consideration of all available options. It was a commercial decision, a pragmatic response to an external constraint. Nothing more or less. The Web 2.0 sites that started springing up took the line of least resistance.
As long as a company has no actual knowledge that an account holder or end user is in fact below the age of 13 they have no liability under COPPA. Yes, if someone is reported as being under 13 or a site finds this out in some other way they are obliged to kick the child off, but they are under no obligation to be proactive about it. So by and large they’re not although seemingly a Facebook employee recently told an Australian Parliamentary enquiry they are ejecting 20,000 under age users per day. It would be good if that number could be independently confirmed.
In effect the COPPA rule means from a legal point of view US companies have no incentive to enquire further into the matter of a person’s true age. This has had a chilling effect on innovation and the numbers show it.
Almost 40% of 9-12 year olds in the USA have accounts with social networking sites that give 13 as their minimum age. Another study showed 50% of all US 12 years olds had accounts with Facebook. Yet another told us 7.5 million young Americans below the age of 13 are on Facebook, including 5 million under the age of 10.
The UK’s figures are not light years away from America’s. According to Professor Livingstone of the LSE, 34% of all 9-12 year olds who use the internet have accounts on Facebook. In Europe as a whole it comes in around 20%.
Mr Smith went on to say
Having heard these sorts of numbers and percentages trotted out the doughty Deputy Commissioner gently reminded companies that over here they cannot shelter behind a legal barrier that was erected in another jurisdiction. Moreover Smith was underlining that the UK, and the EU as a whole for that matter, does not have any immunities of the kind COPPA confers on the other side of the Atlantic Ocean. Was this a warning?
Intriguing possibilities
A number of intriguing possibilities are racing through my head right now.
Many sites not only say 13 is their lower age limit, they also insist their sites are not at all suitable for persons below that age. They construct them with 13s and above in their sights, not 9 year olds. So, absent any statutory defence of the COPPA kind, are Facebook and others in some as yet unspecified way in breach of UK data protection laws? That looks pretty much what Smith was saying in a politely understated way. And if the companies are in breach, how do they bring themselves into compliance? If they don’t bring themselves into compliance what happens next? When?
Foreign companies operating in the US must observe COPPA
Smith might have added that the US Federal Trade Commission, the body that administers the COPPA rule, is very clear that commercial companies that operate from overseas but direct themselves towards young Americans are expected to comply with COPPA exactly as US based ones are. I should think so too. The same should obviously apply in reverse.
The COPPA rule has been under review for what now feels like an eternity. I understand a final result will be announced this Summer. But it has been pointed out to me that, save for a few tiny tweaks, the smart money is on no change to the status quo. Where will that leave us?
Desiderata 