Let’s be honest: The internet – and how we use it – has changed significantly since the Children’s Online Privacy Protection Act was first written in 1998. The introduction of mobile phones and portable devices has changed when and where we can use the internet. Social media use has changed the kinds of information we share publicly through online communities. Advertisers and data collectors have expanded the kinds of information possible to glean from users.
The intent of COPPA has not changed within the context of these other changes online: it exists to protect children’s privacy and personal information. As originally conceived, COPPA requires websites that target children cannot collect personal information from any users under 13 without parental permission. Compliance was mostly left to the individual companies, who were left to address assumptions that children primarily use websites targeted for their age group, and that the companies themselves know their user demographics and are conscientious in their data collection practices.
Recognizing the need to address changes in online social practices and assess whether COPPA continues to fulfill its purpose, the FTC called for comments last spring on whether changes to technology warrant changes to the COPPA. More than 300 comments were provided by individuals, advocacy groups, online businesses, the gaming industry. They addressed a number of questions proposed by the FTC, including increasing the age of COPPA compliance to include teenagers, integration of new technology to verify parental consent, best practices of COPPA compliance, and the types personal information collected by websites and third-party data trackers.
While all of these topics are worthy of lengthy discussion, I was most intrigued by the concept of applying COPPA to a broader range of the “personal information” being collected and the practice of data-harvesting in general.
COPPA currently defines personal information as “individually identifiable information about an individual collected online,” including first and last name, physical address, email address, telephone number, Social Security number,” or other identifying piece of information as defined by Congress. However, since COPPA was enacted, the types of personal identifying information available on the internet have changed, and privacy groups like EFF and EPIC argue that the definition of personal privacy should be expanded to include IP addresses, geolocation information, behavioral marketing information, and user screen names. EPIC sees websites collecting too much information about users already, stating that at times “manipulating privacy policies and privacy settings of users to intentionally confuse and frustrate users so more personal information is revealed.” These groups advise that COPPA should update its definition and scope of personal information to ensure that it continues to reflect its original intent.
Industry comments from Google, the MPAA, Facebook, the Entertainment Software Association, and the Internet Commerce Coalition argue that such information is only identifiable when used in association with other identifiable personal information such as name or email address. According to the ICC, IP address information is barely identifiable in any case – who knows which user might be using a particular computer at any one time? Google and Facebook also explain that behavioral and demographic information results in enhanced user experience, through targeted advertising and search results; blocking the collection of this information would “chill innovation and result in a less satisfying online experience without promoting privacy or safety” (Facebook). But I’m still not convinced.
Why do we care?
The underlying question that I’ve been grappling with throughout this research and course is simply this: why do we care? Google and Facebook have some reasonable arguments. Targeted marketing does actually make my life easier, at least ensuring that the ads I’m bombarded with are tangentially related to my interests. Demographic data should ideally be used to enhance my user experience. But what else are they doing with that data?
Are fears of the end-of-days implications of personal information collection and data tracking just another example of the fear-mongering Julia described in her post a few days ago? The WSJ has posted a study of data trackers active on a selection of children’s websites, identifying some with several hundred programs tracking information from users.
The Direct Marketing Association claims there is “no harm to consumers resulting from online behavioral advertising,” and in fact “consumers benefit from services that rely on third-party data use and sharing.” Is this truly the catastrophe that we’re led to believe? Maybe not, if we trust that the companies who collect the data protect its anonymity, and ensure responsible usage for the life of the data. Unfortunately, when we give up that data to others – actively or passively (especially through third-party trackers) – we lose that control, and rely only on trust. Tracking companies have the ability to harvest a great deal of personal information from our online activity that we never realize they are taking; the problem isn’t necessarily that they’re taking it for their own demographic and advertising uses, but that we don’t know the uses of those who use it afterward.
Ultimately I think this links back to our understanding of privacy as control and consent. Bruce Schneier says that privacy is no longer about secrecy, as Warren and Brandeis contended a century ago; rather, privacy today is about control over one’s personal information, being able to choose with whom we share that information. Perhaps Schneier would say that the COPPA is a kind of security theater, giving us a false sense that parents are keeping control over their children’s information and protecting children’s privacy, when in practice this is merely a false comfort. But children should be treated with more care – they are more vulnerable, and just learning the maturity to make decisions on their own; until that point, parents can and should make information-sharing decisions with their children, discussing potential risks and the implications at stake, while at the same time modeling good behavior.
COPPA was intended to “enhance parental involvement in a child’s online activities;” part of parental involvement is understanding the digital environment in which we live, and encouraging discussion and learning with their children regarding personal online safety. The Berkman Center comments that the COPPA is currently misunderstood by families: an important addition to the revised COPPA should be a requirement that companies provide educational materials in human-readable language to users, encouraging parents and children to have important conversations about online privacy issues for all members of the family. Common Sense Media further suggests that parents should have opt-in control over the collection of their children’s information; this opt-in option would empower parents to make informed choices with their children, and ensuring a standard of protection and parental responsibility and engagement.
Privacy regulations for children should be based in the same basic privacy regulations we expect for all adult users. A significant step in creating a better COPPA is making sure to align that Rule with a cohesive privacy framework in general. Since the FTC’s call for comments on revising the COPPA, it has asked for comments on a broader privacy framework that would be applicable to all ages and users. One part of this proposal, implementing a do-not-track system, addresses the collection of personal information – identifiable or not – and the fears and concerns associated with the large-scale data tracking currently at work throughout the internet. The Center for Democracy and Technology recommends that the FTC consider ways to apply fair information practices to all users equally, regardless of age. Whether or not the FTC institutes broader regulation, I believe COPPA continues to be important legislation to safeguard children’s privacy, and ensures that parents have continued opportunity and right to exercise decisions over the collection of their children’s personal information.