COPPA came from two identified needs related only by the
medium of digital technology and the fact that they involved children. The
initial problem, identified by the Center for Media Education, involved the
collection of personal information from preteens by website operators for use
in marketing. Their “Kidscom.com complaint” filed with the FTC in Summer, 1997
charged Kidscom.com’s operators with misrepresenting their data collection
practices and asking preteens to provide information that could have been
shared with marketers and advertisers. They also had concerns about advertorial
content that was not identified as such. These issues drove the initial
approach for COPPA (marketing abuse issues and ways to address them using
COPPA, hereinafter referred to as the “Marketing Concerns”). (For the full
history of COPPA, including the FTC’s response to CME’s complaint (the
“Kidscom.com Letter”), visit Aftab.com.)
Parallel with the concerns about online marketing practices
and children, certain child advocates, policymakers and legislators had growing
concerns about the risks young people faced when too much personal information
was shared online, presumably with strangers. (The child protection and safety
concerns are hereinafter referred to as “Safety Concerns.”) So, COPPA was
finally crafted to address both the Marketing Concerns and to protect preteens
from online predators and other Safety Concerns. Over the years the marketing
advocacy groups saw it one way, and the child protection advocacy groups saw it
another. But unless both the Marketing Concerns and the Safety Concerns are
analyzed and taken into account, COPPA cannot be reasonably addressed.
The Marketing Concerns involve what information is being
collected from preteens, how it is used and with whom it is shared. There was a
slight initial concern that offline contact information might be collected by
marketers to send sample items, promotional materials and otherwise clog our
postal mailboxes with junk mail and items we didn’t want. There was also a
concern that offline addresses and contact information could be used to provide
better tracking and profiling of preteens with long term privacy consequences.
But for the most part, the Marketing Concerns covered transparency.
What’s real
editorial and what is sponsored content, promotional materials or ads? What
information were you collecting? Why were you collecting it? Did the users
understand your intent and what you were doing? With whom did you share it and
how? What choices did a user have if they didn’t want you to do that? How secure
are your processes? And, how do they fix what wasn’t accurate or make you
delete the data when they didn’t want you to have it any longer?
Transparency, in best practices, involves understanding and
managing stakeholder expectations. This was reflected in the requirement that
advertisements were identified as such with designations such as “ad” placed
somewhere prominently. It also recognizes that many users, parents and children
alike, expect the site, virtual world or digital network to have a special
relationship with return users. We expect that sites and networks with which we
are registered can tie things together that we do while signed-in. We hope that
they will help direct us to content or activities on that site or network that
improve our experience and interest us. We understand the chosen relationship
with that site or network.
We don’t necessarily understand their corporate
affiliations, strategic partnerships or promotional networks. We may not
understand how much information they have about our interests, demographics,
relationships with other users, patterns of use, and technologies we use. And
we don’t know what they do with the information they have once they have it. We
don’t understand our choices, either.
What COPPA does is require this level of transparency of
data collection and use by notices on the site or network (the privacy policy
requirements) and special alerts and consent requirements based upon the
perceived level of risk (one-time use, notice opt-out, email plus and verifiable
parental consent). If we think of COPPA Marketing Concerns this way, they make
sense.
One-Time Use Exception – If the site, service or network
receives a communication online that is a single inquiry, not tied to previous
inquiries or other information you have collected on that preteen, and you do
not store the personally identifiable information provided by that preteen, no
notice has to be sent to parents and no consent is required. (Obviously, the
privacy policy has to otherwise comply with COPPA’s requirements, if
applicable.) Parents would not be concerned about a commercially-responsible
operator or provider answering a one-time question and not collecting
information from their child.[1]
WiredSafety’s polls reflect that 96% of parents had no problem with their
preteens asking a one-time question and getting an answer from a site, network
or game provider without being informed by the site, network or game provider.
Online Contact Information for Multiple-Use Exception – This
exception is most easily understood if you separate online and offline contact
information in your analysis. If all you are collecting is the preteen’s email
address and not combining it with any other personal information (full name,
postal address, mobile or phone numbers, etc.) other than the parent’s email
address, you can have multiple communications with the preteen user. This is
most commonly used with newsletters, alerts about new activities and
regularly-scheduled communications going from the provider to the preteen. Here,
the parents receive notice via email sent to the email address collected from
the preteen.
The notice, inter alia,
must include the information being collected, how it is being used, links to
the privacy policy and the ability to opt-out on behalf of their preteen. This
too makes sense. Parents may want to know, but not necessarily want to have to
take affirmative action to consent to their preteen’s subscription to a
newsletter at a commercially-responsible site/network/provider. Email works for
this purpose, and given the low level of risk at a COPPA-applicable
commercially-responsible operator, the notice not getting delivered isn’t a
serious problem. Parents have informed WiredSafety that they appreciate the
notice, but rarely read it and never opt-out. They don’t particularly care if
they are informed about newsletter signups, etc.
Many providers confuse this consent level and use it to
notify parents when they are collecting multiple types of information from
their preteens, instead of the Email Plus method required under those
circumstances. They sometimes even try to use it when open chat is offered at
a site, or when user-generated-content is permitted without full white list
technologies or pre-screening, without understanding the full-fledged verifiable
parental consent requirement for such capabilities.
The notice and opt-out works very well if the parent’s real
email is provided by the preteen. The emails need to get through as well. Even
with the correct email, with network-level SPAM filters and those employed on
the local machine level, many emails never arrive at their intended
destination. Once these two issues are addressed, this method has substantial
promise.
Requiring opt-in is a problem.[2]
Parents often don’t have the time, or inclination, to provide consent to a
site. They have been taught to distrust online communications asking for opt-in
or asking them to take some sort of action. Initially we concluded that parents didn’t
provide consent because they didn’t want their preteens engaged in those
activities with that operator. But experience has taught us otherwise.
Finding ways to broaden this method of providing notice to
other applications, in a safer filtered environment, perhaps, will help promote
COPPA-compliance and obtain parental involvement. This can allow preteens to use a
commercially-responsible site or network without having to wait for their
parent to give permission.[3]
Email Plus – Initially designed to get the industry over the
hump of finding ways to digitally authenticate parents in 2000, the FTC adopted
“Email Plus” when the safety risks are deemed relatively low and personal
information is not shared outside of the provider or posted for third-parties
to see. It was designed for Marketing Concerns, exclusively, but has some practical
applications with the Safety Concerns as well.
We all assumed it would be
phased out once digital signatures became broadly used. But when new
authentication models and technologies failed to gain parental adoption, it
was continued and is in broad use for one reason – it’s simple. If a provider
wants to start pairing online contact information with offline contact
information and broader regular communications, especially in marketing of the
provider’s services, and doesn’t share this with third parties, this method of
consent is still available.
This level of consent, however, is the most confused and
most abused (largely because of the confusion). Most providers understand the
need not to share personal information they have collected from a preteen user
with third-parties. They understand the Marketing Concerns pretty well. But
they don’t understand the Safety Concerns and how user-generated-content,
chatrooms and fora and online communications implicate COPPA and what they have
to do to notify parents and obtain the requisite level of consent from parents.
They expect that an online method using email would be available and this seems
to fit expectations.
Parents are never crazy about marketing (few are). They are
not particularly happy with anyone promoting anything, even their own products
and services, to their preteens. And the more personal information the
marketer/provider has about the preteens, the less parents like it. At the same
time, many sites still operate on a “marketing” model promoting products or
services or building brand recognition and loyalty. That means, unless we are
going to drive all sites and operators to a subscription model or only allow
preteens whose parents have credit cards or disposable income to use the site,
we have to address this reality. Many quality sites, virtual worlds and
networks can remain free if a responsible internal marketing solution can be
identified.
Smarter providers don’t pair unnecessary personal
information with online contact information if they don’t have to. You don’t
need to know Johnny’s last name to promote sporting goods to him, but knowing
his zipcode is helpful to identify the right kinds of sports and
weather-related sportswear. The zipcode is also helpful in identifying sports
teams and location of sporting events. It makes the communications more
relevant. It provides value in ways marketing messages without zipcodes can’t.
If they don’t combine information, the notice and opt-out method (Online
Contact Information for Multiple-Use Exception) might work better, be cheaper
to manage[4]
and streamline their consent/compliance process.
The difficulty of getting parents to take affirmative action
or respond to a link in an email to consent to their preteen’s use of a
website, game or online network is a reality that is forcing many operators to
find a way around COPPA or pretend no preteen users are allowed on their sites.
Verifiable Parental Consent – Verifiable parental consent is
not email. It requires a higher level of authentication to demonstrate the
likelihood that the person providing the consent is the preteen’s parent.[5]
But even if this has been overcome,
VPCs weren’t working. In previous testimonies and on FTC panels since before
COPPA was adopted, Parry Aftab has repeatedly explained that verifiable
parental consent wasn’t workable unless and until a paid subscription model for
the preteen Internet industry emerged. Until Disney’s Club Penguin caught on
five to six years ago (a year prior to its acquisition by Disney), the paid
subscription model wasn’t viable. Everyone trying it either changed their
business models or closed their doors. But the demand for Club Penguin by the
preteens themselves and the resulting “nag factor” gave COPPA a new life.
Obtaining verifiable parental consent (“VPC”) when a credit card or other
financial transaction is involved is easy and just one more step in the payment
process. It reduced the cost of obtaining a compliant VPC from $45 - $108 per
initial consent to barely more than the cost of legal advice and system design
spread over the size of the preteen subscriber-base – virtually pennies.
While not all sites, networks or games require a paid
subscription, the use of payment mechanisms has become very common and more
acceptable. For the preteens whose parents have credit cards or online payment
accounts, COPPA full-fledged VPC is attainable. (Many operators don’t
understand that it is not the fact that a credit card exists that provides
acceptable verification, it is the actual charging of the card so the parents
can see the charge on their monthly statement that is required.)
But what about all of those without credit cards or online
payment accounts (such as PayPal)? Are those preteens locked out of COPPA VPC
networks? Are they prohibited from using chat or posting
user-generated-content? Do their parents have to resort to fax, print-and-mail,
or out-of-date telephone call verification systems? Do they have to wait a week
to get their user name and password?
COPPA currently has the unintended consequence of allowing
more affluent children access to services and online activities than their
less-privileged counterparts. That has to be addressed. This is as much an
issue of accessibility as broadband. The Internet is the great equalizer, except
when interactive communications and preteens are involved. For that, we need
easier VPC methods and a wider range of them.
Ten years ago we thought COPPA would drive technology that
would authenticate parents and perhaps preteens. While it didn’t do that, in some
ways it has driven more important safety technology and systems. Being able to
avoid having to obtain VPC for a non-paid-subscription network or site is an
important goal for most in the kids Internet industry. It is time-consuming,
often interrupts the user-experience and the site’s user-acquisition process,
expensive and not very effective. It is, ironically, this high cost and
manpower demand that has driven safer technologies.
The responsible sites want to comply with COPPA and care
about the safety of preteens using their sites. Recognizing the realities of
VPC compliance, though, they have created new systems that avoid their having
to obtain VPC by prohibiting the sharing of personal information and keeping
their users safer at the same time. Moderated and filtered systems, where the
site operator can limit the terms, combinations of those terms and the methods
of communications, track abuse reports, provide proactive review of
user-generated-content postings, and moderate fora, games and chats, are
improving. Patterns of “grooming” behavior, suicidal threats, self-harm and
cyberbullying communications can be analyzed and tracked to spot illegal and
high-risk activities and identify troublemakers in the online systems, as we
would in offline playgrounds. Kids can be enlisted to help patrol their own
networks, as virtual hall monitors. And triaged abuse-reporting user-interfaces
can help get problems before those who can do something about them – user
reports to site responses.
[1]
Backend issues exist with offsite moderators and customer service personnel
using their own equipment, often retained without background checks, training
or supervision. “Commercially-responsible” is measured under accepted best
practice standards for those working with preteens and children. The Socially
Safe Kids Seal and related best practices audits address these and similar
process and system risks and practices.
[2] “Parents
care about privacy and online safety, but they aren’t interacting with the
sites or supporting the sites that protect their children’s safety and privacy.
It may be that they are intimidated, or just plain too busy. But the children’s
online laws depend on obtaining parental consent, and if parents aren’t
bothering to provide consent, sites are running into problems.
Bonus’s experience is a case in point. It found that
out of the parents who were asked for their consent for Bonus to use children’s
information internally, 51% never replied, 31% provided consent and 5% said
“no.” (13% are still pending from this sample group.) This was a six to one
ratio of parents allowing their children to use those services, over those who
wouldn’t allow them to share the information. But the 51% of parents not
bothering to respond is frightening.
Bonus is losing more than half of the children who
want to participate. And Bonus doesn’t have chat, e-mail, e-commerce, or
instant messaging. Bonus is a site that has games for children, and sends
newsletters to their site visitors. This is a typical situation faced by many
children’s sites.”
Quoting Parry’s 2000 COPPA Testimony (see below).
Ten years later, little has changed other than for the
closing of Bonus a few years ago.
[3] In
Parry Aftab’s testimony before Congress in connection with the implementation
of COPPA on October 11, 2000, she discussed the cost of COPPA compliance and
the slow adoption of verifiable parental consent methods. (See Parry Aftab’s Testimony before the U.S. House of Representatives, Committee on
Commerce, Subcommittee on Telecommunication, Trade, and Consumer Protection,
October 11, 2000, attached hereto (the “Parry’s 2000 COPPA Testimony”).)
[4]
In 2000, during Parry’s 2000 COPPA Testimony, Parry Aftab laid out the cost of
COPPA compliance six months after its implementation. While the costs and
processes have changed, the overall approach has not. It can be illustrative.
(The full text of the Testimony is appended hereto.)
We have polled most of the
mid-sized children’s websites for the cost of COPPA-compliance, in hard
dollars, not as to any lost revenue or loss in traffic. This can run from more
than $115,000 per year to $290,000 per year, depending on whether the site is
fully interactive, with chatrooms, etc. and what level of consent they collect.
Here’s what they told us:
· $10,000 - 15,000 for legal, including audits and construction
of privacy practices and policy
· Cost of toll-free telephone and dedicated fax service [note:
for obtaining verifiable parental consent in the days before an accepted paid
subscription model]
· $35,000 in engineering costs to make the site compliant
· $2,500 - $10,000 monthly for professional chat moderators
(price differs depending on training, hours of operation and organization)
· $35-60,000 per year for one person to oversee offline
consent, respond to parents’ questions, review phone
consents, and review permission forms.
· $35-60,000 per year for person to oversee compliance,
database security, respond to verification and access requests.
[5]
The VPC methods designed to provide parental consent are a bit of a fiction.
They are designed to obtain consent from an adult, not necessarily the parents
or even the custodial parent. But it was the best the FTC could and still can
do, under the circumstances. Methods proposed to obtain consent via schools
that identify the legally-responsible parent or legal guardian have failed to
address FERPA concerns, the liability of the school and ways to get them
engaged in helping facilitate the commercial use of the Web. They haven’t
delivered on the promise of getting the one broadly-capable system to
authenticate preteen students and their parents. Proposals for large databases
of preteens and their parents are more frightening than helpful, in our
opinion. Proxy-consent mechanisms should work, if a trusted third party can be
identified to verify parental authority, and the adoption rate is high enough.
(But many larger providers do not want to share the valuable data they get by
working directly with the parents and don’t want to share their “edge” and
customer acquisition lead.)