COPPA and the Digital Playground
Specifically, the workshop discussed the state of the world in children’s privacy, the scope of the COPPA Rule, definitions, exceptions, and misconceptions of the Rule, and uses and misuses of persistent identifiers. Attendees and speakers included consumer groups, industry representatives, and regulators. Predictably, consumer groups encouraged the FTC to use its authority to obtain additional information about current industry practices and advocated for more regulation and broader protection for children, while industry representatives sought clarity and increased enforcement of the existing rule. The FTC was primarily listening for comments without providing much input.
Some of the key areas of discussion included an overview of COPPA, what entities and children should be covered, how best to obtain verifiable consent, and notable exceptions to the COPPA Rule.
Background: What is COPPA?
COPPA requires website operators that target children under 13, or that have actual knowledge that data is collected from such children, to obtain verifiable parental consent before collecting, using or disclosing personal information from them, including persistent identifiers that can be used to recognize users over time and across websites. Additionally, COPPA prohibits operators from conditioning a child’s participation in an activity on the collection of more data than is necessary to participate in that activity, and requires operators to establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children.
- What is the trigger for COPPA Compliance?
COPPA currently covers those companies that either target children under 13 (they are “child directed”) or have actual knowledge that personal information is collected from such children. We start with the latter standard.
a. Actual Knowledge vs. Constructive Knowledge
The standard of knowledge is an important trigger for COPPA Compliance. Recent enforcement actions, including actions against TikTok and YouTube, have clarified that if companies direct their products at children or have actual knowledge that they are taking personal information from a “significant percentage” of children, they must comply with COPPA. This led to a discussion of what constituted knowledge under COPPA.
Actual Knowledge Discussion: During the workshop, panelists discussed whether “actual knowledge” is the correct standard or if a “constructive knowledge” standard is more appropriate. Actual knowledge is found when companies ask for, and receive, user information like a birth date that confirms the user is under 13 years old. Under a constructive knowledge standard, knowledge is presumed if reasonable care and due diligence would have uncovered the fact. Varying perspectives were set forth by different members of the industry.
- Consumer Groups: Consumer group representatives opined that the actual knowledge standard incentivizes companies to avoid obtaining the information necessary to meet the standard, i.e., engage in willful disregard. However, consumer groups recognized that there may be problems with universally applying a constructive knowledge standard and some suggested that actual knowledge could remain the standard in lower risk scenarios.
- Industry Representatives: Industry representatives pointed out that the due diligence necessary to meet a constructive knowledge standard could require companies to collect more data from children, which would be counterintuitive and unworkable in practice. Industry representatives also asked the FTC to continue to evaluate the percentage of children as just one of the factors in determining whether a particular company is covered by COPPA and spoke about the need to clarify how to quantify a “significant percentage,” noting that many companies currently define a significant percentage as 35%. FTC representatives expressed some hesitation at establishing a bright line rule.
b. Determining what it means to be “Child-directed”
Child-Directed Discussion: COPPA also covers those platforms that are child-directed. In determining whether a platform is child-directed, COPPA assesses various aspects of a website, including the subject matter, visual content, use of animated or child characters or child-oriented activities or incentives, music and other empirical evidence. The panelists were asked whether the intended audience or the actual audience is more important in determining whether a platform is child-directed. Again, the various groups took different positions.
- Consumer Groups: Consumer groups stated that actual audience should be the standard, as otherwise companies can claim they were not intending to reach children and thus opt out of COPPA. Consumer groups also recommended the FTC evaluate other factors such as the marketing tie-in of toys, the name of the site and app store categories.
- Industry Representatives: Industry representatives repeatedly stated that child-directed does not mean child-attractive, as children are often attracted to inappropriate content due to the fact that it is “off limits.” Additionally, industry groups explained that ratings do not indicate what is intended, but rather the minimum appropriate viewing age.
Both consumer and industry representatives agreed that if a company is telling marketers that their site or service is a good place to reach children, the content is directed at children.
- Verifiable Parental Consent
As mentioned, COPPA requires website operators that target children under 13, or that have actual knowledge that data is collected from such children, to obtain verifiable parental consent before collecting, using or disclosing personal information. Traditionally, this has been done through a system of providing the parent with notice and then obtaining their permission before allowing the child to proceed. The parent is notified when a child is prohibited from proceeding due to an age gate. On this, consumer and industry representatives agreed that there are problems with age gates in their current form, as children lie about their age and parents lack the necessary information to make informed decisions or simply feel that age gates are overly burdensome.
- Consumer Groups: Some consumer representatives recommended changing the design of the technology, rather than the parents’ behavior, by requiring companies to state at the outset what the data they are collecting is needed for and limit the use of the data to that particular purpose. This concept is in line with COPPA’s current data minimization requirement. Other consumer representatives suggested that age gates may be sufficient for low risk content, but other methods should be employed in high risk scenarios, such as biometric security in the form of fingerprinting or facial recognition or an activity for children to participate in that demonstrates their age without notifying the child that they may be restricted from certain content if they are not the minimum age.
- Industry Representatives: Industry representatives expressed concerns about overly burdensome consent mechanisms that would decrease traffic and revenue.
The conversation also involved a discussion of verifiable parental consent for education technology. Both industry and consumer groups seemed to agree that obtaining consent from each parent and personalizing the classroom accordingly would be impractical. However, the various groups differed on a workable approach.
- Consumer Groups: Consumer representatives stated that school-official consent would only be appropriate if the children’s personal information is not used for another commercial purpose, but disagreed about what constitutes a commercial purpose. Specifically, some consumer representatives noted that any product improvement qualifies as a commercial purpose, while others thought security patches should be allowed.
- Industry Representatives: Industry representatives commented that if they discovered a way to improve their product it would be impractical to allow that improvement in the educational context and not the commercial context, as it would require companies to create two versions of a product. Panelists also seemed to agree that parents should not have deletion rights in the education context and that the right to inspect, change and correct errors is sufficient.
- Evaluation of the COPPA Exceptions
Finally, the panelists were asked to evaluate some of the exceptions to the COPPA Rule. Panelists reviewed the current rule that allows companies to use persistent identifiers to support internal operations of a site or service, and also discussed potentially updating the age of children covered under COPPA from 13 to 16.
Persistent Identifiers Discussion: Companies use persistent identifiers to create a user profile based on aggregated online activity. A persistent identifier is a unique identifier that can be used to recognize a consumer, a family, or a device across different services. While persistent identifiers may not directly link the profile to an individual person, they can be used to identify a user over time, such as tracking the user through different websites using cookies or through a user’s telephone number. While COPPA includes persistent identifiers in the definition of personal information, it allows for the collection of persistent identifiers for the support of internal operations. Panelists were asked whether the definition of personal information in COPPA should continue to incorporate persistent identifiers, and if any changes should be made to the internal operations exception. Varying perspectives were set forth by the panelists.
- Consumer Groups: Consumer groups were adamant that persistent identifiers remain a part of the definition of personal information and noted that the exception is too broad, as it creates the opportunity for companies to categorize their collection of persistent identifiers as necessary for internal operations, when this is not the case.
- Industry Representatives: Industry representatives opined that this exception is what allows persistent identifiers to be included in the definition of personal information, and if all collection of persistent identifiers is prohibited, companies would be unable to keep their sites and services functioning.
- Raising the Age
Expanding Who is Protected Discussion: Panelists also considered the potential need for COPPA to protect children who are 13 and over, bearing in mind the evolving standards in Europe and California that both address children under 16.
- Consumer Groups: Consumer groups advocated for such protection, noting that children from ages 13 to 15 could significantly benefit from a right to have their information deleted from platforms.
- Industry Representatives: Industry representatives were receptive to an increase in age, but mostly wanted uniformity across the laws they must comply with.
Finally, there was some discussion of whether particularly vulnerable groups of children, such as children of color or from low-income families, required additional protections. Both consumer and industry representatives agreed that more research is required on this subject.
Safe Harbor Discussion: Both industry and consumer groups agreed that more transparency around the safe harbor programs is necessary. Several organizations offer safe harbor programs that work with website operators to facilitate COPPA compliance. While these have been in place for some time now with additional ones added periodically, some industry representatives suggested that certain elements of the required annual report that a safe harbor must submit should be made public to provide more information to consumers and industry representatives regarding the effectiveness of these programs.