The deadline for complying with the revised Children’s Online Privacy Protection Act (COPPA) regulations passed a week ago, but many website operators, research companies included, remain confused as to what the revised rule actually means and how it affects them. The new rules came into effect amidst a tangled privacy landscape, with California legislators toying with expanding COPPA protections to any minor under the age of 18, and granting California teens a “right to be forgotten” online, while associations in the nation’s capital like MRA raised multiple concerns during the COPPA re-writing process over the last few years about complicated new rules with which no one was certain how to comply.
On July 8, the think tank TechFreedom hosted a panel of speakers to debate “COPPA: Past, Present, and Future of Children’s Privacy & Media.”
Kandi Parsons, a senior attorney with the Federal Trade Commission (FTC), the regulatory agency charged with writing and enforcing COPPA rules, outlined the basic requirement of the revised Act. Operators of commercial websites and online services that are directed to children, or that have actual knowledge they are collecting personal data from children, must provide notice and obtain parents’ consent before collecting personal data from children under age 13.
Lack of clarity in COPPA compliance
Stu Ingis, a privacy lawyer at Venable LLP, lamented that, “everyone is in favor of protecting children, but unfortunately, sites and advertisers do not always know the identity of users.”
Parsons responded to Ingis’s criticism by stating that if you do not know the identity of your users, then you are not strictly liable. Although Parsons seems to think of the term “knowledge” in black and white, attorneys representing companies in COPPA violation cases have found that “actual knowledge” is a very ambiguous term.
So what are website operators to do? Gabriel Rottman, legislative counsel at the American Civil Liberties Union (ACLU), described two things websites may do: either change the nature of the content of their websites or exclude children under the age of 13 from their sites.
The first choice means a hefty price tag for website operators. Shai Samet, founder and president of the kidSAFE Seal Program, a certification service and seal program purportedly designed for children-friendly websites and technologies, stated that COPPA compliance costs businesses an average of three dollars per child user.
Berin Szoka, president of TechFreedom, warned that small website and app developers are “the primordial ooze of Internet innovation,” but might easily be wiped out by COPPA regardless of the FTC’s good intentions.
Eric Goldman, a law professor at Santa Clara Law School and director of the High Tech Law Institute, advised website operators to follow Rottman’s second option of excluding children under the age of 13 from their sites. Goldman explained, “kids are the least profitable,” but they cost more because the FTC makes you jump through a lot of hoops to get them. Goldman’s advice is simple: “do everything you can to avoid being covered by the COPPA statute.”
The future? You will comply…
In the end, the COPPA rule revisions could have gone much worse. Plenty of activists sought to extend the restrictions to anyone under the age of 18. Congressmen and Senators had circulated proposals to set specific new privacy controls for teenagers aged 13-17.
Despite the coarse reviews, Parsons expects companies will ultimately comply and innovate within the revised COPPA kids online privacy rules. She said that she looks forward to providing guidance to industry and welcomes everyone’s questions. In the meantime, MRA encourages survey, opinion and marketing researchers to review the COPPA FAQs and MRA’s COPPA issue brief and get up to speed fast.