The Federal Trade Commission is recommending updates to the Children’s Online Privacy Protection Act (COPPA), which sounds timely, wise, and worthy. But it is doing so blind to the impact and unintended consequences of its regulation.
COPPA requires that sites serving children under the age 13 must give parents notice and get consent if they collect and use personally identifiable information — which is broadly defined — about a child. Under the proposed changes, parents may no longer use email to grant consent but must jump through hoops — printing, signing, and scanning or faxing forms or holding videoconferences with the site’s employees.
The unintended consequences of COPPA are many, but the most obvious is that children have learned to lie about their age. On the Internet, everyone is 14.
On a conference call organized by the Future of Privacy Forum, an industry group, I asked Mamie Kresses, senior attorney for the FTC’s Division of Advertising Practices, whether there had been any study about how truthful children are reporting their ages online. They have no such research, she said. I asked whether the FTC had any data about how often parents use the means of notice and consent COPPA provides. None, she said.
The most disturbing unintended consequence of the regulation, I think, is the chill it likely puts on serving children online. In the early days of the web, I started the Yuckiest Site on the Internet — about goo, bugs, and science — to serve young readers at the local news sites I ran. After COPPA, my employer decided the risk in serving young people and even inadvertently recording a child’s name or targeting an ad was too great.
We don’t know how many sites have not been started to serve children online. Isn’t this the group we should be serving best? I asked Kresses whether the FTC had done research on the extent of a chill. No, she said.
Finally, I asked whether the FTC had revisited the reasons for COPPA. What harm are we trying to prevent by restricting identity online — and is it effective? She responded with circular logic: They are giving parents the opportunity of notice and consent regarding children’s information.
But why? In the panic around privacy brought on by technology — the Internet today and the portable camera a century ago — the discussion is being driven by the worst case, the often unspoken, presumptive fear of what bad could happen. Could children be exploited online? Sadly, yes. Are they sometimes kidnapped from streets? Tragically so. But they still play outside under our watchful eye, because they need to.
Children need to play online, too. They should create and get credit for their creativity. They should be able to establish a relationship with an educational site where they can track their own progress. Technology and the net don’t just present danger; they afford opportunity. But by focusing only on the former, we can risk losing sight of the latter.
So how do we protect young people? In the research for my book about publicness and privacy, I learned much from Danah Boyd, a leading researcher in social media and youth for Microsoft and NYU. In matters of privacy, she cautions against concentrating only on the gathering of information and suggests we focus more on regulating the use of information. That a site knows my child is from New Jersey isn’t necessarily sinister, a case of stranger danger; it’s what the site does with that knowledge that matters. In not addressing that issue, COPPA both overreaches and underserves.