COPPA – probably not the last word


The COPPA Rule is an online child protection measure. It was adopted and became Federal law in the USA under the Children’s Online Privacy Protection Act, 1998. The Rule came into effect in 2000. It governs key data collection and advertising practices for every major US company that operates over the internet. Because these same companies have a global reach what happens to COPPA matters on every continent.

Back in 2000 we were still in a world of Web 1.0. Interactivity was minimal. There were no Apps. Most people thought tablets were things you took to cure a headache. If you handed over information to a company on a web site you did so largely by manually filling in a form. Younger children had a limited capacity to do that.

The Federal Trade Commission has operational responsibility for the application of the COPPA Rule. It reviewed the Rule in 2005 but proposed no changes. Since that time the internet industry has shot itself in the foot repeatedly. The politics have been shifting, even if slowly.

Now a great deal of data collection is automated and feeds an enormous amount of personalized online advertising. This, in turn, finances some of our largest and most important technology businesses, Google and Facebook being the most obvious ones in the present context. About eighteen months ago the FTC announced a fresh review. This time out they had a lot of catching up to do.

It is undoubtedly this convergence of Apps and data collection to feed advertising which triggered the review. Apps have barnstormed on to the scene. They are particularly prevalent on devices which are extremely popular with kids: tablets and smartphones.

The Apps market is now gigantic and still growing apace. Moreover following two recent detailed studies the FTC concluded that, on a substantial scale, the Apps industry was simply failing to observe the spirit of the COPPA law. As we shall see the FTC felt they needed to change the letter of it the better to fulfil its original intent.

The wait is over

19th December saw the adoption and publication of the FTC’s final report. Most of the changes the Commissioners agreed will be seen as reasonable, sensible and logical. But it’s unlikely they all will be.

When it came to the vote one Commissioner abstained, another voted against and issued a dissenting opinion. The matter was settled 3-1-1. Lots of lawyers are ruminating. The dust has not yet settled. Otherwise subject to any legal challenges the new provisions become operative from 1st July, 2013.

The new Rule will

To quote from the FTC’s summary

  • modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
  • offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
  • close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
  • extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
  • extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
  • strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
  • require that covered website operators adopt reasonable procedures for data retention and deletion; and
  • strengthen the FTC’s oversight of self-regulatory safe harbor programs.

A question of definition

The new Rule includes a range of modified definitions. With one exception these merely extend the text shown above; consequently there is little point repeating them here.

The exception relates to the definition of personal information. It has been changed so that operators may allow children to participate in interactive communities without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.

The eight

Overall there were important changes made to the Rule under eight distinct headings.

  1. How do we verify parental consent?
  2. Safe harbour provisions
  3. Definition of personal information
  4. How is notice to be served to parents?
  5. Security and data retention
  6. Who is an operator?
  7. Is it directed at children?
  8. What are “internal operations”?

Not all of the changes and “non-changes” are of equal moment

I do not propose to comment on every one of the changes. Some are in any event self-evident. I will look at what I think are the most important ones, focusing on the key areas of uncertainty. But first the biggest non-surprise and non-change.

The “Rule of 13” remains undisturbed

Very early on the FTC made plain that they had no intention of proposing any departure from one of the fundamental aspects of the COPPA Rule. To do so would anyway have required fresh legislation.

13 remains the cut-off point. When they register on a new site or for a new service, as long as an applicant enters a birth date which is consistent with that, they are in.

Thus nothing in the new proposals can be expected to have any significant impact on the number of sub-13 year olds who improperly register for membership, with or without parental connivance. I can see that the FTC was constrained by the legislative framework within which it has to work but, from the perspective of public policy looked at in the round, it seems astonishing that a rule of law that in a major respect plainly does not work and which, in effect, encourages lying on an industrial scale should be left undisturbed.

This leaves an enduring sense that the current position cannot be stable. In the long run, probably off the back of a larger debate about the wider implications of the emergence of the internet into the public sphere, what is currently the centre will not hold.

Recent decisions of the US Supreme Court have not helped the cause of online child protection, although poor drafting in the legislature was at least partly to blame in some instances. But let’s not forget the Supreme Court has been spectacularly wrong before. Pre-internet thinking still rules in the internet age. It will not always be like that.

Alternatively in other jurisdictions, to paraphrase the words of an old song, reason in revolt shall triumph. Other countries will adopt a framework of regulations which work for them and the global giants will have to follow them within their territories. What happens in the USA will therefore be relegated to the status of a wholly US domestic policy, which is perhaps how it should be, whereas now it is an international one.

App Stores exempted

For the avoidance of doubt App Stores such as Apple’s and Google’s are exempted from any compliance requirements under COPPA on the grounds that they “merely offer the public access to someone else’s child-directed content”.

That is understandable at one level but it is a shame that somewhere or other greater responsibility was not placed on the App Stores to ensure that the Apps which they approve and allow out on to their platforms are wholly fit for purpose and comply in every particular with best practice. Or if that is too much to ask they should at least be certified as complying with the minimum requirements of COPPA.

I feel sure that very many people buying an App from an App Store will believe that it is only on sale because the App Store owner has given it its blessing and that its benediction extends to every important aspect of the product.

How do we verify parental consent and the safe harbour provisions?

In its original proposals the FTC made clear they had grave doubts about the continued acceptability of email plus but they were met with a gigantic wave of opposition to any changes. They retreated.

Email plus is the most common way for sites that are directed at children to obtain parental consent. Under it the site sends an email to the parent asking them to confirm that they give permission for their child to render personal information to the site as well as receive advertisements and other commercial communications. This system is very obviously open to abuse because in reality, without more, a site can have no way of knowing whether the originating email is from a child or from an adult posing as a child, or if the email they get back giving permission is from a parent or from the very same deceptive adult or a child posing as their parent.

Against that, only sites which are directed towards children use email plus and the potential for anything to go wrong on those sites is usually hugely constrained anyway. This is because of all the security measures which children’s sites normally put in place. Typically there will be limited interactivity and often a great deal of moderation. Thus, although the potential for abuse is plain, in reality things are not working out that way. Absent clear evidence of failure the FTC probably felt they had to yield and let things be.

If you were of a predatory or abusive disposition you really wouldn’t go to the sites using email plus looking for your next victim. At least not as far as we know. The fact is the sites do not publicise their “failure rate” so unless a situation goes to a point where the police get involved and an arrest is made there is no way anyone outside the company would ever find out how well their systems are working.

My gut feeling nonetheless is that among sites which are squarely and obviously directed at children in the main all will be well. Put it another way, if that was not the case it seems highly likely we would all know about it.

Where problems tend to arise, as in the recent case involving Habbo Hotel, is where underage people smuggle themselves into “forbidden” environments where a high level of interactivity is possible, i.e. where children go on to sites intended for persons above their age range and other security systems also fail.

New systems may emerge, or there again they may not

The FTC makes several noises about encouraging the development of new ways of obtaining parental consent, either as standalone solutions or as part of a wider safe harbour programme. They are going to open up a new system to allow companies to put schemes to them for approval. I imagine the thinking is that companies might compete to develop approaches which are recognised as being less open to fraudulent manipulation than email plus and that therefore over time these will displace the looser ones.

However, in the absence of any obvious or sustained reason or pressure to desert email plus my guess is that this will remain the dominant mode for some time. Companies that go beyond email plus may calculate that their more reliable systems will improve customer take up because parents will be attracted to the idea of a more secure environment.

On sites which allow both over 13s and under 13s to be members specific approval was given to the development of schemes which allow parental consent to be obtained for sub 13s. I had always understood that this was possible anyway. I guess Facebook’s earlier kite flying about accepting sub 13s may have prompted the FTC to make explicit that which previously was only implicit.

More on personal information

It is now clear beyond peradventure, for example, that geolocation data are covered, as are pictures and video. IP addresses and mobile phone device IDs will also qualify as personal information where they can be seen as being a “persistent identifier” but not where their collection is only to support a site’s or service’s “internal operations”.

Interestingly, under the heading of “internal operations” it seems a distinction is being drawn between what is referred to as “contextual advertising” and behavioural advertising. However, there is a view which seems to suggest that the net effect of the COPPA Rule changes is that it will become harder to advertise to children, not easier.

Is a site “directed to” children and what are “internal operations”?

At the crux of the areas of greatest uncertainty or dissent come two major issues.

First: how do you determine whether or not a site is “directed to” children and what do you do about those which nonetheless have attracted substantial numbers of sub-13s as users?

Second: in some ways linked to that, what responsibilities exist in relation to third-party plug-ins or third-party access, e.g. from ad networks, that collect personal information?

In relation to the first part of the first question the FTC proposes to retain its existing rule. In other words it will have regard to the “totality of the circumstances”. If the site or service looks like it is meant for kids or if it knows it is connecting to sites directed to kids it will be caught.

The suggestion is that, combined with the other changes that have been made, COPPA’s scope could now be extended into areas it has never previously been active in and therefore more sites might be required to collect and retain more data.

I suspect it may be a little while before a consensus will emerge as to the operational consequences of the FTC’s final decisions, and given the American penchant for litigation it would be surprising if these latter areas were not the ones where a challenge will come. We are in the midst of uncertainty. No one can know how long it will last.