Cross-posted from Concurring Opinions
The Child Online Privacy Protection Act (COPPA), enacted in 1998 and finalized in 2000, requires commercial websites that target children under 13 or have actual knowledge that users are under 13 to ask for parental permission before collecting and using their information. Legislators hoped to protect children from predatory marketing, safety risks such as stalking or kidnapping, and other abuses related to the use of children’s private data. They also wanted more parental involvement in online data-collection practices and to encourage the development of technologies designed to give parents better tools to protect their kids’ online privacy. Although COPPA has succeeded in stopping egregious predatory data practices, it has fallen short of its core goals.
The Federal Trade Commission (FTC), tasked with implementing and enforcing COPPA, admits that online industries have neither innovated nor emphasized mechanisms for obtaining verifiable parental consent. Instead, to avoid costs associated with obtaining parental consent including potential fines for inappropriately dealing with children’s data, many sites just limit their services to children 13 and older. Sites typically include the age restriction in their Terms of Service agreements (ToS), to which users must consent when they create an account. Many sites ask users for their age or birth date to ascertain if they are 13 or over. Facebook does, for instance, and reserves the right to terminate accounts of users who “violate the letter or spirit” of its ToS. To protect itself from possible legal exposure, Facebook employs cookies to prevent users from changing their minds about their age to evade the site’s requirements and actively deletes accounts where evidence suggests that the users are not in fact 13 or older. This spring, the FTC called for comments on a proposed amendment to its Child Online Privacy Protection Rule, enacted in 2000 and renewed without change in 2005. As FTC Chairman Jon Leibowitz explained: “In this era of rapid technological change, kids are often tech savvy but judgment poor. We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses. We look forward to the continuing thoughtful input from industry, children’s advocates, and other stakeholders as we work to update the Rule.”
A study released this week by danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey sheds new light on COPPA’s failings. Given the current regulatory attention to COPPA, the study could not be more timely or more important. The authors surveyed a national sample of 1,007 parents and guardians who have children ages 10-14 living with them. They found that although many sites restrict access to children, many parents knowingly allow their children to lie about their age–indeed, they often help them do so– to gain access to age-restricted sties in violation of the sites’ ToS. This is true for some of the most popular social media sites and services, such as Facebook, Gmail, and Skype. Specifically, the study revealed that 55% of 12 year olds had Facebook accounts while 32% of 11 year olds and 19% of 10 year olds did as well. Seventy-eight percent of the parents of 10 year olds helped their kids set up their Facebook accounts; 68% of the parents of 11 year olds helped their kids sign up; and 76% of the parents of 12 year olds did the same. Of those parents who reported that their child joined Facebook underage and helped create the child’s account, 74% knew that Facebook had a minimum age that their kids failed to meet. Although Facebook’s minimum age is a requirement, just over a third of the those parents believed the minimum age was a recommendation. Over three-quarters of parents believed that there are circumstances that make it okay for their child to sign up for a service even if their child fell short of the age requirement. Those reasons included communicating with parents, other family members, and friends; use of the service for educational purposes; and because classmates used the service. Half of the parents indicated that their child could violate the restriction only if under parental supervision. As the authors explained, those parents felt as though the violation was acceptable because they were monitoring their children’s online practices. Importantly, most parents either did not understand the reason for the age requirement or failed to appreciate its privacy goals. While most parents had no idea what animated the requirement, some offered explanations such as concerns about the adult content or language on the site, “children don’t need to have a social media presence,” and “to protect minors from perverts.” A small fraction of the parents referred to legal issues. Only two parents referenced privacy.
What does all of this tell us? Rather than providing parents and children with greater options for controlling the use of youth’s personal information, COPPA has actually encouraged the adoption of formal limits on children’s access to online services. Those limits are rather meaningless, though. As the authors explain, parents are “taking matters into their own hands to circumvent the restrictions . . . at the cost of their children’s privacy and at the risk of acting unethically and potentially in violation of the law.” While providers and parents together circumvent COPPA’s requirements, the true losers are the parents who don’t get the chance to audit and delete their children’s data, as COPPA mandates when sites have actual knowledge that they are collecting and using data from kids under 13. We are also seeing parents help their children engage in public deceit because they think their kids would benefit from online services. This creates a serious parenting conflict among those who wish to encourage honesty. Because children pretend that they are far older than they actually are in online interactions, they also may open themselves up to other risks including stalking, something the statute sought to avoid. In the end, COPPA has accomplished very little and risked a lot. Kids under 13 do not end up with privacy protections afforded by COPPA and may even put themselves at risk. Providers get around COPPA’s requirements with age cutoffs that are routinely violated. Innovation for greater parental controls remains illusive. As the study’s authors urge, policy-makers should “shift away from privacy regulation models that are based on age or other demographic categories and instead develop universal privacy protections for online users.”
More broadly, the study shows us that parents are involved in their kids’ social media use, whether it’s deceptive and in violation of ToS or not. One might say that parents are increasingly taking over the role of Chief Family Privacy Officer, but, as we now appreciate, without COPPA’s protections. What’s needed is far more education for parents and kids about the privacy risks associated with social media. That’s of course true for the under 13 set and for those 13 and older. But since parents are helping expose their kids to social media services without COPPA’s protections, we need to work on education as early as elementary/lower school. High school students, their parents, and educators often don’t appreciate the potential privacy risks of social media so one can imagine that kids in lower school, their parents, and teachers don’t as well. Do students really want to spend hundreds of thousands of dollars on a college education and then end up unemployable due to something they posted on Facebook (which now is at greater risk for being indexed and searched online due to changes in Google’s algorithm)? Do they know that colleges may someday look at their social media activity, to their detriment? A new survey done by Kaplan Test Prep of admissions officers at 359 selective colleges and universities revealed that 24 percent of respondents reported using Facebook or other social networking pages to research an applicant, see here too. All of this also reinforces the lessons of Ryan Calo’s important work on the flaws of current notice regimes and the potential for improvement through thoughtful design–parents neither get that ToS requirements are not just suggestions nor appreciate the privacy concerns animating those requirements. Intermediaries can and should do better in that regard. The study has contributed much to our appreciation of COPPA and the regulation of privacy online more generally. I am hoping that legislators and regulators are paying attention.