July 10, 2020

Improving Protections for Children’s Privacy Online

CITP’s Tech Policy Clinic submitted a Comment to the Federal Trade Commission in connection with its review of the COPPA Rule to protect children’s privacy online. Our Comment explains why it is important to update the COPPA Rule to keep it current with new privacy risks, especially as children spend increasing amounts of time online on a variety of connected devices.

What is the Children’s Online Privacy Protection Act (COPPA)?

As background, Congress in 1998 gave the FTC authority to issue rules that govern how online commercial service providers should collect, use or disclose information about children under the age of 13. The FTC issued the first version of the Rule in 2000 which requires providers to place parents in control over what information is collected from their young children online. The Rule applies to both providers of services directed to children under 13 as well as those serving a general audience who have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. This Rule was subsequently revised, after a period of public comment, in 2013 to account for technological developments, including the pervasive use of mobile apps. In 2019, the FTC announced it was revisiting the Rule in light of ongoing questions about the efficacy of the Rule in a data-fueled online marketplace and soliciting public comment on potential improvements to the Rule. 

Core Recommendations to Update the COPPA Rule

Our Comment makes three main points:

  • We  encourage the FTC to develop rules that promote external scrutiny of provider practices by making the provider’s choices about how they are complying with the Rule available in a transparent and machine-readable format. 
  • We recommend that the FTC allow providers to rely on an exemption from collecting or tracking information related to “internal operations” only under extremely limited circumstances, otherwise the exception risks swallowing the rule. 
  • We offer some suggestions on how education technology providers should be responsive to parents and recommend that the FTC conduct further studies about how such technology is being used in practice. 

We elaborate on each point below.

Enabling Effective External Compliance Checks Through Transparency

One of the central challenges with the COPPA Rule today is that it is very difficult for external observers (parents, researchers, journalists or advocacy groups) to understand how an online provider has decided to comply with the Rule. For example, it is not clear if a site believes it is in compliance with the Rule because it argues that none of its content is directed at children or because it has implemented rules that seek appropriate consent before gathering information about users. Making a provider’s choices on compliance transparent will enable meaningful external scrutiny of practices and hold providers to account. 

Under the COPPA Rule providers are responsible for determining whether or not a service is child directed by looking to a variety of factors. If the service is directed at children, then the provider must ensure they have verified parental consent before collecting information about users. If the audience is of mixed age, then the provider must ensure that it does not collect information about users under the age of 13 without parental consent.

The determination about whether a service is child directed, as the FTC explains, includes factors such as “its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children . . . [and] competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.” If the service is child directed and children under the age of 13 are the primary audience, then it is “primarily child directed.” If services that are child directed, but do not target children as the primary audience, they are “child directed, but mixed audience” services under the COPPA Rule. 

If a mixed audience service seeks to collect information about users it can choose to implement an age gate to ensure it does not collect data about underage users. An age gate is, a mechanism that asks users to provide their age or date of birth in an age-neutral way. 

Our principal recommendation is that the COPPA Rule should be revised to explicitly facilitate external scrutiny by requiring providers to make their design choices more open to external review. Specifically, we suggest that the FTC should make sites or services disclose, in a machine-readable format, whether they consider themselves, in whole or part, “directed to children” under COPPA. This allows academic researchers (or parents) to examine what the provider is actually doing to protect children’s privacy. 

We also recommend that the FTC establish a requirement that, if a website or online service is using an age gate as part of its determination that it is not child directed, it must publicly post a description of the operation of the age gate and what steps it took to validate that children under 13 cannot circumvent the age gate. 

In addition, drawing on our work on online dark patterns, we suggest that the FTC examine the verifiable parental consent mechanisms used by providers to ensure that parents are being given the opportunity to make fully informed and free choices about their child’s privacy. 

Finally, we suggest some ways that platforms such as iOS or Android can be enlisted by the FTC to play a more effective role in screening users and verifying ages.

Restrict Providers from Relying on the “Internal Operations” Exception

Another significant issue with current practices is that providers rely on an exception for providing parental notice and obtaining consent before collecting personal information when they use persistent identifiers for “internal operations.” The 2013 revisions to the Rule included this new exception, but required it to be used for a limited set of circumstances necessary to deliver the service. It appears many providers now use that exception for a wide variety of purposes that go well beyond what is strictly necessary to deliver the service. In particular, users have no external way to verify whether certain persistent identifiers, such as cookies, are being used for impermissible purposes. Therefore, our Comment urges the FTC to require providers to be transparent about how they rely on the “internal operations” exception when using certain persistent identifiers and limit the circumstances when the providers are allowed to use such an exception.

Give Parents Control Over Information Collected by Educational Technology Service Providers

Finally, our Comment addresses the FTC’s query about whether a specific exception for parental consent is warranted for the growing market of providers of educational technology services to children (and their parents) in the classroom and at home. We recommend that the FTC should study the use of educational technology in the field before considering a specific exception to parental consent. In particular, we explain that any rule should cover the following issues: First, parents should be told, in an accessible manner, what data educational technology providers collect about their children, how that data is used, who has access to the data, and how long it is retained. Parents should also have the right to request that data about their children are deleted. Second, school administrators should be given guidance on how to make informed decisions about selecting educational technology providers, develop policies that preserve student privacy, and train educators to implement those policies. Third, the rule should clarify how school administrators and educational technology providers are accountable to parents for how data about their children are collected, used and maintained. Fourth, the FTC needs to clearly define what is meant by “educational purposes” in the classroom in considering any exceptions for parental consent.

* The Comment was principally drafted by Jonathan Mayer and Mihir Kshirsagar, along with Marshini Chetty, Edward W. Felten, Arunesh Mathur, Arvind Narayanan, Victor Ongkowijaya, Matthew J. Salganik, Madelyn Sanfilippo, and Ari Ezra Waldman.