Close-up on COPPA at FTC Roundtable
Children’s privacy online continues to generate great debate as evidenced at an FTC roundtable discussion yesterday, where panelists dissected the finer points of the Children’s Online Privacy Protection Act (COPPA).
Enacted in 2000, COPPA prohibits companies from collecting personal information online from children under 13 without verifiable parental consent. In its requisite five-year review of the COPPA rule this year, the FTC is examining whether new technological advancements necessitate an update.
The commission is also examining whether to expand the definition of personal information to include IP addresses, mobile devices and information collected through Web tracking, though there is some concern about the burden that would create.
Yesterday’s roundtable was the first public discussion in the FTC’s fresh look at the law. It seems a lack of consensus persists about which aspects of COPPA are working, which are not and what may need to be done to fix perceived problems. However, most panelists agreed on two points: kids are going to circumvent parental consent and age verification methods, and it is difficult to incent Web site operators to employ stronger consent methods beyond automated e-mail verification.
Panelists also largely agreed that should the definition of personally identifiable information be expanded, it must be done in a way that won’t hamper e-commerce or place unrealistic expectations on Web site operators. Some expressed concern that an expanded definition of personally identifiable information could overreach to include information that is not actually identifiable.
“If you start calling an IP address PII, the ramifications are going to be huge and not just for COPPA,” said Heidi Salow, CIPP, counsel for DLA Piper. “You’re going to shut down mom-and-pop sites.”
Panelists were divided on the topic of emerging parental verification methods. Some argued that “e-mail plus,” which takes the additional step of proving the consenter is a parent, has not proven to be adequate and remains expensive.
One panelist said that even stronger verification standards are needed.
“If the best we can do is send an e-mail to a parent and get an e-mail back, then we as an industry haven’t done a good job of creating new methods,” said Denise Tayloe, president and CEO of Privo, Inc. “If you’re supposed to be reasonably assured you’re dealing with a parent, most methods don’t do that. E-mail plus doesn’t even allow you to say you’re dealing with an adult.”
But an audience member asserted that “Unless you can find a new way of doing this, e-mail plus works. It’s an easy way in, easy way out. When you’ve got eight, 10, 12 million users in a kids’ space, it may not be time to kill it, it may be time to expand it.”
Shai Samet, CIPP, founder and president of kidSAFE Seal Program by Samet Privacy, said e-mail plus has served a beneficial purpose and to get rid of it “would be a very dangerous proposition.”
Panelists debated the efficacy of the law’s “actual knowledge” standard. Opinions varied on whether the rule should move to a constructive knowledge standard, favored by children’s advocates, which would require Web site operators to do more homework to verify age using methods similar to those used in behavioral targeting. Though some argued constructive knowledge places too high a burden on operators, others pointed to examples of where it is already at work.
“Constructive knowledge does work,” said Dr. Gwen Schurgin O’Keefe of the Council on Communications and Media for the American Academy of Pediatrics. “Behavioral targeting happens all the time. We know who they are by what they post every single day. If we change what knowledge we use to determine the age of a child, we can better serve their needs.”
But Jeffery Greenbaum, a partner at Frankfurt Kurnit Klein & Selz, PC, said he thinks actual knowledge is working and warned against enacting standards that are too difficult for operators to meet, given the vast amount of data posted on social networking sites every day.
“We have to be rational. It’s not possible to screen that in any productive way. We don’t want to create reverse incentive, either.”
A constructive knowledge standard could reduce a child’s expectation of privacy, as increasing amounts of data is collected on users solely to determine age, said Phil Terzian, senior director of government affairs at Activision Blizzard, Inc. He added that such a standard is a burden that the FTC may not want to put on site operators.
“Depending on how we define these issues, we’re going to break the Internet,” agreed Sheila Millar, partner at Keller and Heckman LLP.
The commission will seek public comment on the rule through June 30.
-- Angelique Carson
Join Shai Samet, Denise Tayloe and Mamie Kresses for next week’s Web conference: COPPA Moving Forward: FTC Review Underway.