[co-author: Sidharth Sharma, Transportation Policy & Regulatory Specialist]
On October 7, the Federal Trade Commission (FTC or the “Commission”) brought together privacy and technology stakeholders for a public workshop aimed at informing updates to regulations promulgated under the Children’s Online Privacy Protection Act (together with its implementing regulations, COPPA). COPPA requires operators of websites and other online services to provide notice and obtain parental consent before collecting, using or disclosing personal information from children under 13.
The FTC is currently seeking public comment on potential updates to COPPA in light of rapid technological changes in the children’s online marketplace, including the increased use of Internet of Things devices and social media. Comments are due October 23, 2019. The Commission last updated COPPA in 2013.
Last week’s public workshop came about a month after the FTC announced a $170 million settlement with YouTube and its parent Google resolving alleged COPPA violations—the largest COPPA settlement to date. Nevertheless, the Commission has faced criticism for failing to adequately enforce COPPA’s protections, and privacy advocates have expressed concern that the FTC will weaken COPPA through this round of updates. Days before the workshop, a bipartisan group of senators sent a letter to the FTC urging the agency to enhance COPPA’s protections.
In her opening remarks, FTC Commissioner Christine Wilson stated that the agency is not attempting to roll back any of its protections. She noted that COPPA must be updated to take into account the proliferation of new technology and services such as voice activated connected devices, platforms that host third-party content and behavioral advertising.
The workshop agenda included panels and presentations featuring over 30 app developers, child content creators, privacy advocates, COPPA safe harbor representatives, FTC officials and legal professionals. Panelists discussed how the FTC could update COPPA in a manner that provides robust protection for children without stifling technological innovation. In particular, the panelists largely grappled with the following major topics:
- The extent to which COPPA’s scope should be expanded.
- Whether changes should be made to COPPA’s verifiable parental consent requirements.
- Transparency surrounding COPPA’s safe harbor program.
- Whether the “actual knowledge” standard is sufficient to protect children visiting general audience websites.
- How the FTC can conduct research to inform COPPA updates.
Expanding COPPA’s Scope
Throughout the workshop, a number of panelists discussed ways in which COPPA could be expanded to provide greater protections for children. Speakers suggested applying the law’s protections to teenagers. Currently, the law only applies to children under 13.
Some urged the FTC to increase its focus on enforcing aspects of COPPA related to data security, in addition to the law’s notice and consent requirements. Panelists pointed to emerging privacy frameworks, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), as indicative of a trend for privacy regimes to require more than just notice and consent. One speaker suggested the FTC examine the way other privacy regimes limit data collection to only what is reasonably necessary and require collectors to maintain the confidentiality of personal information.
As to whether COPPA should be updated to specifically address education technology, one speaker suggested the FTC align COPPA with the Family Educational Rights and Privacy Act (FERPA) to address children’s privacy associated with technology used in schools.
Verifiable Parental Consent
COPPA requires operators of online services to obtain verifiable parental consent prior to the collection of children’s personal information and provides examples of methods that operators can use to obtain such consent. Many panelists discussed ways to improve COPPA requirements regarding verifiable parental consent. One speaker proposed allowing platforms such as Google and Apple to develop a one-stop consent system that developers using that platform can use to verify age without engaging with the user or adding costly features to their own products.
Panelists discussed the fact that many parents do not actively monitor their children’s online activity and called for greater education and outreach to ensure parents are informed about their children’s privacy online.
COPPA includes a safe harbor program that enables industry groups or others to submit for Commission approval self-regulatory guidelines that implement COPPA protections. One panelist criticized the lack of transparency about the safe harbor program and suggested that some safe harbors may be competing with each other to provide the easiest regime under which to comply with COPPA requirements, an approach contrary to the framework’s intent of providing high standards for users. Others called for greater policing of the safe harbor program, more transparency and greater FTC resources to audit safe harbors.
Operator Use of Persistent Identifiers
Several panelists weighed in on whether COPPA should permit website operators to monetize children’s data through the use of behavioral advertising, which provides targeted advertisements based on the use of persistent identifiers such as data collected through cookies.
FTC Commissioner Noah Joshua Phillips argued that advertisements directed at children are not necessarily harmful and that COPPA should not be a tool to stop this type of advertising. A number of panelists warned that restrictions on developers being able to monetize their products through advertisements could force small companies out of the children’s product market, leading to monopolization. Others noted that restrictions on the use of persistent identifiers would prevent sites from offering a customized user experience. A number of speakers urged the Commission to consider whether the limited use of persistent identifiers, or even anonymized identifiers, would actually harm children.
In comparison, many panelists questioned whether website operators needed to use behavioral advertising to generate advertising revenue from children’s content. One panelist noted that operators can provide contextual advertisements without the use of any personal information.
COPPA provides an exception to its requirement that operators obtain verifiable parental consent if the operator collects persistent identifiers (and no other personal information) and uses them only to provide support for internal operations—i.e., does not disclose them to any third parties or use them to deliver behavioral advertisements. Workshop panelists discussed whether this exception is too broad or properly allows operators to use this information to analyze site function and make improvements.
“Actual Knowledge” Standard
COPPA applies, in part, to operators of online services that are directed to children, as well as to operators of online services directed to a general audience if the operator has “actual knowledge” that it is collecting personal information from children under 13. Workshop speakers discussed whether the “actual knowledge” standard is too lenient or creates an incentive for operators to look the other way when children use their sites.
Some panelists suggested that the FTC instead implement a constructive knowledge standard or add a provision that holds operators responsible for willfully disregarding the age of a website’s users. One speaker suggested employing a constructive knowledge standard for situations where there is increased risk to children and an actual knowledge standard for instances where there is less risk.
Panelists disagreed over the extent to which developers should be responsible for knowing the demographics of their users, particularly in light of the fact that many children are adept at gaming age gates. Some asserted that most developers provide information that demonstrates a knowledge of their audience to their partners, such as advertisers and platforms. Speakers discussed whether developers should be responsible for regularly reassessing their audiences to see if their demographics have changed. Some cautioned that an obligation to do so under COPPA could create costs that small businesses may not be able to handle.
Several panelists also urged the FTC to use its investigative authority to conduct research to better inform COPPA changes. FTC Commissioner Phillips stated that any rulemaking should be based on facts and informed data rather than fear or speculation. Panelists suggested that the FTC research areas such as the effectiveness of the one-stop age gate, how often children are using services not marketed towards them, behavioral advertising, whether parents are using parental controls and making informed decisions, and the privacy concerns surrounding education technology. Additionally, speakers asked the FTC to research what developers tell their advertising and platform partners about their intended audience and how companies use persistent identifiers under the internal operations exemption.