Saturday, February 08, 2014

Understanding COPPA

COPPA came from two identified needs related only by the medium of digital technology and the fact that they involved children. The initial problem, identified by the Center for Media Education, involved the collection of personal information from preteens by website operators for using in marketing. Their “ complaint” filed with the FTC in Summer, 1997 charged’s operators with misrepresenting their data collection practices and asking preteens to provide information that could have been shared with marketers and advertisers. They also had concerns about advertorial content that was not identified as such. These issues drove the initial approach for COPPA (marketing abuse issues and ways to address them using COPPA, hereinafter referred to as the “Marketing Concerns”). (For the full history of COPPA, including the FTC’s response to CME’s complaint (the “ Letter”), visit

Parallel with the concerns about online marketing practices and children, certain child advocates, policymakers and legislators had growing concerns about the risks young people faced when too much personal information was shared online, presumably with strangers. (The child protection and safety concerns are hereinafter referred to as “Safety Concerns.”) So, COPPA was finally crafted to address both the Marketing Concerns and to protect preteens from online predators and other Safety Concerns. Over the years the marketing advocacy groups saw it one way, and the child protection advocacy groups saw it another. But unless both the Marketing Concerns and the Safety Concerns are analyzed and taken into account, COPPA cannot be reasonably addressed.

The Marketing Concerns involve what information is being collected from preteens, how it is used and with whom it is shared. There was a slight initial concern that offline contact information might be collected by marketers to send sample items, promotional materials and otherwise clog our postal mailboxes with junk mail and items we didn’t want. There was also a concern that offline addresses and contact information could be used to provide better tracking and profiling of preteens with long term privacy consequences. But for the most part, the Marketing Concerns covered transparency. 

What’s real editorial and what is sponsored content, promotional materials or ads? What information were you collecting? Why were you collecting it? Did the users understand your intent and what you were doing? With whom did you share it and how? What choices did a user have if they didn’t want you to do that? How secure are your processes? And, how do they fix what wasn’t accurate or make you delete the data when they didn’t want you to have it any longer?

Transparency, in best practices, involves understanding and managing stakeholder expectations. This was reflected in the requirement that advertisements were identified as such with designations such as “ad” placed somewhere prominently. It also recognizes that many users, parents and children alike, expect the site, virtual world or digital network to have a special relationship with return users. We expect that sites and networks with which we are registered can tie things together that we do while signed-in. We hope that they will help direct us to content or activities on that site or network that improve our experience and interest us. We understand the chosen relationship with that site or network.

We don’t necessarily understand their corporate affiliations, strategic partnerships or promotional networks. We may not understand how much information they have about our interests, demographics, relationships with other users, patterns of use, and technologies we use. And we don’t know what they do with the information they have once they have it. We don’t understand our choices, either.

What COPPA does is require this level of transparency of data collection and use by notices on the site or network (the privacy policy requirements) and special alerts and consent requirements based upon the perceived level of risk (one-time use, notice opt-out, email plus and verifiable parental consent). If we think of COPPA Marketing Concerns this way, they make sense.

One-Time Use Exception – If the site, service or network receives a communication online that is a single inquiry, not tied to previous inquiries or other information you have collected on that preteen, and you do not store the personally identifiable information provided by that preteen, no notice has to be sent to parents, not consent is required. (Obviously, the privacy policy has to otherwise comply with COPPA’s requirements, if applicable.) Parents would not be concerned about a commercially-responsible operator or provider answering a one-time question and not collecting information from their child.[1] 

WiredSafety’s polls reflect that 96% of parents had no problem with their preteens asking a one-time question and getting an answer from a site, network or game provider without being informed by the site, network or game provider.

Online Contact Information for Multiple-Use Exception – This exception is most easily understood if you separate online and offline contact information in your analysis. If all you are collecting is the preteen’s email address and not combining it with any other personal information (full name, postal address, mobile or phone numbers, etc.) other than the parent’s email address, you can have multiple communications with the preteen user. This is most commonly used with newsletters, alerts about new activities and regularly-scheduled communications going from the provider to the preteen. Here, the parents receive notice via email sent to the email address collected from the preteen. 

The notice, inter alia, must include the information being collected, how it is being used, links to the privacy policy and the ability to opt-out on behalf of their preteen. This too makes sense. Parents may want to know, but not necessarily want to have to take affirmative action to consent to their preteen’s subscription to a newsletter at a commercially-responsible site/network/provider. Email works for this purpose, and given the low level of risk at a COPPA-applicable commercially-responsible operator, the notice not getting delivered isn’t a serious problem. Parents have informed WiredSafety that they appreciate the notice, but rarely read it and never opt-out. They don’t particularly care if they are informed about newsletter signups, etc.

Many providers confuse this consent level and use it to notify parents when they are collecting multiple types of information from their preteens, instead of the Email Plus method required under those circumstances. They sometimes even try and use it when open-chat is offered at a site, or user-generated-content is permitted without full white list technologies or pre-screening without understanding the full-fledged verifiable parental consent requirement for such capabilities.

The notice and opt-out works very well if the parent’s real email is provided by the preteen. The emails need to get through as well. Even with the correct email, with network-level SPAM filters and those employed on the local machine level, many emails never arrive at their intended destination. Once these two issues are addressed, this method has substantial promise.

Requiring opt-in is a problem.[2] Parents often don’t have the time, or inclination, to provide consent to a site. They have been taught to distrust online communications asking for opt-in or them to take some sort of action. Initially we concluded that parents didn’t provide consent because they didn’t want their preteens engaged in those activities with that operator. But experience has taught us otherwise.

Finding ways to broaden this method of providing notice to other applications, in a safer filtered environment, perhaps, will help promote COPPA-compliance and obtain parental involvement.  This can allow preteens to use a commercially-responsible site or network without having to wait for their parent to give permission.[3]
Email Plus – Initially designed to get the industry over the hump of finding ways to digitally authenticate parents in 2000, the FTC adopted “Email Plus” when the safety risks are deemed relatively low and personal information is not shared outside of the provider or posted for third-parties to see. It was designed for Marketing Concerns, exclusively, but has some practical applications with the Safety Concerns as well. 

We all assumed it would be phased out once digital signatures became broadly used. But when new authentication models and technologies failed to gain in parental adoption, it was continued and is in broad use for one reason – it’s simple. If a provider wants to start pairing online contact information with offline contact information and broader regular communications, especially in marketing of the provider’s services and doesn’t share this with third parties, this method of consent is still available.

This level of consent, however, is the most confused and most abused (largely because of the confusion). Most providers understand the need not to share personal information they have collected from a preteen user with third-parties. They understand the Marketing Concerns pretty well. But they don’t understand the Safety Concerns and how user-generated-content, chatrooms and fora and online communications implicate COPPA and what they have to do to notify parents and obtain the requisite level of consent from parents. They expect that an online method using email would be available and this seems to fit expectations.
Parents are never crazy about marketing (few are). They are not particularly happy with anyone promoting anything, even their own products and services, to their preteens. And the more personal information the marketer/provider has about the preteens, the less parents like it. At the same time, many sites still operate on a “marketing” model promoting products or services or building brand recognition and loyalty. That means, unless we are going to drive all sites and operators to a subscription model or only allow preteens whose parents have credit cards or disposable income to use the site, we have to address this reality. Many quality sites, virtual worlds and networks can remain free if a responsible internal marketing solution can be identified.

Smarter providers don’t pair unnecessary personal information with online contact information if they don’t have to. You don’t need to know Johnny’s last name to promote sporting goods to him, but knowing his zipcode is helpful to identify the right kinds of sports and weather-related sportswear. The zipcode is also helpful to identifying sports teams and location of sporting events. It makes the communications more relevant. It provides value in ways marketing messages without zipcodes can’t. If they don’t combine information, the notice and opt-out method (Online Contact Information for Multiple-Use Exception) might work better, be cheaper to manage[4] and streamline their consent/compliance process.

The difficulty of getting parents to take affirmative action or respond to a link in an email to consent to their preteen’s use of a website, game or online network is a reality that is forcing many operators to find a way around COPPA or pretend no preteen users are allowed on their sites.

Verifiable Parental Consent – Verifiable parental consent is not email. It requires a higher level of authentication to demonstrate the likelihood that the person providing the consent is the preteen’s parent.[5]  But even if this has been overcome, VPC’s weren’t working. In previous testimonies and on FTC panels since before COPPA was adopted, Parry Aftab has repeatedly explained that verifiable parental consent wasn’t workable unless and until a paid subscription model for the preteen Internet industry emerged. Until Disney’s Club Penguin caught on five - six years ago (a year prior to its acquisition by Disney), the paid subscription model wasn’t viable. Everyone trying it either changed their business models or closed their doors. But the demand for Club Penguin by the preteens themselves and the resulting “nag factor” gave COPPA a new life. Obtaining verifiable parental consent (“VPC”) when a credit card or other financial transaction is involved is easy and just one more step in the payment process. It reduced the cost of obtaining a compliant VPC from $45 - $108 per initial consent to barely more than the cost of legal advice and system design spread over the size of the preteen subscriber-base – virtually pennies.

While not all sites, networks or games require a paid subscription, the use of payment mechanisms have become very common and more acceptable. For the preteens whose parents have credit cards or online payment accounts, COPPA full-fledged VPC is attainable. (Many operators don’t understand that it is not the fact that a credit card exists that provides acceptable verification, it is the actual charging of the card so the parents can see the charge on their monthly statement that is required.)

But what about all of those without credit cards or online payment accounts (such as PayPal)? Are those preteens locked out of COPPA VPC networks? Are they prohibited from using chat or posting user-generated-content? Do their parents have to resort to fax, print-and-mail, or out-of-date telephone call verification systems? Do they have to wait a week to get their user name and password?

COPPA currently has the unintended consequence of allowing more affluent children access to services and online activities than their less-privileged counterparts. That has to be addressed. This is as much an issue of accessibility as broadband. The Internet is the great equalizer, except when interactive communications and preteens are involved. For that, we need easier and a wider range of VPC methods.

Ten years ago we thought COPPA would drive technology that would authenticate parents and perhaps preteens. While it didn’t do that, in some ways it has driven more important safety technology and systems. Being able to avoid having to obtain VPC for a non-paid-subscription network or site is an important goal for most in the kids Internet industry. It is time-consuming, often interrupts the user-experience and the site’s user-acquisition process, expensive and not very effective. It is, ironically, this high cost and manpower demand that has driven safer technologies.

The responsible sites want to comply with COPPA and care about the safety of preteens using their sites. Recognizing the realities of VPC compliance, though, they have created new systems that avoid their having to obtain VPC by prohibiting the sharing of personal information and keeping their users safer at the same time. Moderated and filtered systems, where the site operator can limit the terms, combinations of those terms and the methods of communications, tracks abuse reports, provide proactive review of user-generated-content postings, and moderate fora, games and chats are improving. Patterns of “grooming” behavior, suicidal threats, self-harm and cyberbullying communications can be analyzed and tracked to spot illegal and high-risk activities and identify troublemakers in the online systems, as we would in offline playgrounds. Kids can be enlisted to help patrol their own networks, as virtual hall monitors. And triaged abuse-reporting user-interfaces can help get problems before those who can do something about them – user reports to site responses.

[1] Backend issues exist with offsite moderators and customer service personnel using their own equipment, often retained without background checks, training or supervision. “Commercially-responsible” is measured under accepted best practice standards for those working with preteens and children. The Socially Safe Kids Seal and related best practices audits address these and similar process and system risks and practices.
[2] “Parents care about privacy and online safety, but they aren’t interacting with the sites or supporting the sites that protect their children’s safety and privacy. It may be that they are intimidated, or just plain too busy. But the children’s online laws depend on obtaining parental consent, and if parents aren’t bothering to provide consent, sites are running into problems.

Bonus’s experience is a case in point. It found that out of the parents who were asked for their consent for Bonus to use children’s information internally, 51% never replied, 31% provided consent and 5% said “no.” (13% are still pending from this sample group.) This was a six to one ratio of parents allowing their children to use those services, over those who wouldn’t allow them to share the information. But the 51% of parents not bothering to respond is frightening.

Bonus is losing more than half of the children who want to participate. And Bonus doesn’t have chat, e-mail, e-commerce, on instant messaging. Bonus is a site that has games for children, and sends newsletters to their site visitors. This is a typical situation faced by many children’s sites.”
Quoting Parry’s 2000 COPPA Testimony (see below).

Ten years later, little has changed other than for the closing of Bonus a few years ago.

[3] In Parry Aftab’s testimony before Congress in connection with the implementation of COPPA on October 11, 2000, she discussed the cost of COPPA compliance and the slow adoption of parental verifiable parental consent methods. (See  Parry Aftab’s Testimony before the U.S. House of Representatives, Committee on Commerce, Subcommittee on Telecommunication, Trade, and Consumer Protection, October 11, 2000 attached hereto (the “Parry’s 2000 COPPA Testimony”.)
[4] In 2000, during Parry’s 2000 COPPA Testimony, Parry Aftab laid out the cost of COPPA compliance six months after its implementation. While the costs and processes are changed, the overall approach has not. It can be illustrative. (The full text of the Testimony is appended hereto.)
We have polled most of the mid-sized children’s websites for the cost of COPPA-compliance, in hard dollars, not as to any lost revenue or loss in traffic. This can run from more than $115,000 per year to $290,000 per year, depending on whether the site is fully interactive, with chatrooms, etc. and what level of consent they collect. Here’s what they told us:

·    $10,000 - 15,000 for legal, including audits and construction of privacy practices and policy
·    Cost of toll-free telephone and dedicated fax service [note: for obtaining verifiable parental consent in the days before an accepted paid subscription model]
·    $35,000 in engineering costs to make the site complaint
·    $2,500 - $10,000 monthly for professional chat moderators (price differs depending on training, hours of operation and organization)
·    $35-60,000 per year for one person to oversee offline consent, respond to parents= questions, review phone consents, and review permission forms.
·    $35-60,000 per year for person to oversee compliance, database security, respond to verification and access requests.

[5] The VPC methods designed to provide parental consent are a bit of a fiction. They are designed to obtain consent from an adult, not necessarily the parents or even the custodial parent. But it was the best the FTC could and still can do, under the circumstances. Methods proposed to obtain consent via schools that identify the legally-responsible parent or legal guardian have failed to address FERPA concerns, the liability of the school and ways to get them engaged in helping facilitate the commercial use of the Web. They haven’t delivered on the promise of getting the one broadly-capable system to authenticate preteen students and their parents. Proposals for large databases of preteens and their parents are more frightening than helpful, in our opinion. Proxy-consent mechanisms should work, if a trusted third party can be identified to verify parental authority,and the adoption rate is high enough. (But many larger providers do not want to share the valuable data they get by working directly with the parents and don’t want to share their “edge” and customer acquisition lead.)