INTRODUCTION
We at the Committee for Justice (“CFJ”) write to the Federal Trade Commission (“FTC”) regarding its request for public comment[1] on the implementation of and potential changes to the Children’s Online Privacy Protection Act (COPPA). Founded in 2002, CFJ is a nonprofit legal and policy organization that promotes and educates the public and policymakers about the rule of law and the benefits of constitutionally limited government. CFJ has recently focused on issues at the intersection of constitutional law and technology.[2] Consistent with that mission, our latest efforts have encompassed areas such as administrative law, antitrust law, and data privacy law and policy.[3]
In recent years, CFJ has actively advocated for digital privacy protections in Congress, the federal courts, and the Supreme Court.[4] Today, our focus is on innovation, free speech, and economic growth. We believe that restrictive requirements or penalties for data collection and use are not only unwarranted but would also threaten the online information ecosystem that has transformed our daily lives in the last few decades.
ADDITIONAL AND MORE DETAILED COPPA REGULATIONS WOULD IMPACT SMALL ENTITIES AND REDUCE CONTENT AVAILABILITY
The Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent for the collection of a child’s personal information online and defines a child as an individual under the age of thirteen. The class of persons protected under COPPA are considered particularly vulnerable as they have a higher likelihood of suffering real, cognizable harm if a data breach were to occur.
However, as it is not generally possible to ascertain whether a visitor to a site is a child,[5] the FTC has applied its regulations under COPPA to any “web site or online service directed to children” and has adopted methods intended to determine whether any such website or online service is directed to children or whether an entity has “actual knowledge” that it is collecting information from a child.[6]
In addition to being ineffective at preventing the personal information of children from being collected without parental consent, this approach has the effect of burdening sites targeted towards children. This can potentially lead to unintended consequences because sites dedicated to children's programming are subject to a higher regulatory burden than sites developed for the general public. One possible unintended effect of COPPA regulations could be exposure to lower quality and even potentially unsuitable content than they would otherwise see, as COPPA tends to restrict the variety and availability of child-oriented content.
In considering revisions to COPPA, the FTC should carefully weigh these unintended effects, especially if the FTC is considering more detailed regulations that will impose additional compliance costs on sites targeted towards children. Such additional costs of regulation can readily be absorbed by large entities, such as Google and YouTube, but may put a smaller site out of business or give it an incentive to arrange their content to avoid being regulatorily labeled as a site directed to children. The results of more extensive regulation, including more complex processes and procedures for tracking and reporting on all use of children’s personal information, may reduce the quality and variety of child-appropriate content available.
In particular, the FTC should be cautious of continuing in line with its September 4, 2019 complaint filed against YouTube. While YouTube and its parent company Alphabet can easily absorb the $170 million settlement[7] for potential COPPA violations from the collection of children’s personal information by some of its “channels” that were found to be directed to children, such a penalty could easily be put a smaller company out of business.[8] Therefore, smaller companies and sites would likely be deterred from providing the kind of content that could be interpreted as directed to children.
Additionally, since the YouTube settlement for the first time imposes liability on a general purpose platform for a third-party’s child-directed content, it is also possible that some sites may refuse to carry any type of “channel” or other sub-set of programming that could be classified as directed at children.
Each of these potential consequences would have a chilling effect on content creation, speech, and the availability of cost-free information and educational resources online.
COPPA RULES ARE OVERLY FOCUSED ON TARGETED ADVERTISING
As written, COPPA rules are overly concerned with use of children’s personal information for advertising. Exposure to advertising, even if targeted, is not usually a significant harm. Children are exposed to a large amount of advertising daily in offline environments, including TV. Most children do not have credit or debit cards, so online purchases implicitly require parental consent. It is the responsibility of parents or guardians, not Internet host sites, to monitor the purchases of children that do have such cards.
The rules should be targeted against the collection of potentially dangerous personally identifiable information on children, should continue to afford parents the right to know what information is collected on their children, and should require children’s data to be removed from any site’s databases upon request. Most content creators, especially the smaller ones, need advertising revenue to be able to produce good content for children. Without a revenue stream from advertising, only non-profit organizations would be able to produce significant amounts of content, thereby greatly reducing the amount and variety of children’s content.
Specifically, in response to the FTC’s question on changes in definition of “support for the internal operations of the website,” this definition could be amended to expressly include allowing “advertising attribution” which allows advertisers to track the effects of a particular advertisement. This change would make it easier for creators of content, especially on the smaller sites, to realize enough revenue from their sites to be able to remain in business.
THE FEDERAL TRADE COMMISSION SHOULD CHANGE COURSE BY REPEALING THE 2013 AMENDMENTS TO COPPA
The 2013 revised COPPA Rule amended the definition of “personal information” to include, among other items, a “persistent identifier that can be used to recognize a user over time and across different websites or online services.” This was the turning point where the FTC began to stray from the intended purpose of COPPA protections and focus on online advertising.
With the 2013 amendments, the FTC needlessly created a new categorization of data to protect. COPPA intended to protect against harms that arise from the exposure of personally identifiable data. The amendments are not only a departure from Congress’ intent and the statutory text, but they also create self-defeating requirements. Data found in “persistent identifiers” need only to be repetitive, not sensitive. But when linked to personally identifiable information, all persistent identifiers become personal information.
If parents must forfeit sensitive or personal information in order to authorize future user data generated by a digitally-linked child, then the first step of verifying parental consent renders COPPA’s original objective dead on arrival. This makes COPPA little more than a gatekeeper to online services demanding personal data as the cost of admission. At best, this incentivizes evasion of COPPA requirements. At worst, it increases the likelihood of harmful data exposure and could create a treasure trove for cyber attackers.
CONCLUSION
More detailed and complex regulation under COPPA is likely to significantly reduce for-profit content on sites directed at children, thereby reducing the number and availability of these sites. This could cause children to visit less appropriate sites. Since advertising revenue is needed to support the existence of a wide variety of sites, COPPA regulation should de-emphasize concern over advertising and concentrate on dangerous collection of personally identifiable information, and on protecting parental rights to see and require removal of personally identifiable information maintained on their children.
The FTC should avoid imposing large monetary penalties, especially on smaller sites, except for violations of COPPA rules that are egregious and dangerous, as such exposure to high monetary penalties and compliance costs is likely to prevent smaller sites and creators of content from creating or carrying extensive content directed to children.
[1] “Request for Public Comment on the Federal Trade Commission's Implementation of the Children's Online Privacy Protection Rule.” Federal Register, Federal Trade Commission, 25 July 2019, https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-federal-trade-commissions-implementation-of-the-childrens-online.
[2] See, e.g. Curt Levey and Ashley Baker, Letter to the Senate Judiciary Committee on the Nomination of Brett Kavanaugh to the Supreme Court. Sept. 2018, bit.ly/CFJ-Letter; Ashley Baker, Gorsuch, Carpenter, and the Fourth Amendment. The Federalist Society. [Video file]. March 2019, http://bit.ly/2IpDNJf; Ashley Baker, New Technology, Same Principles: The Supreme Court and Tech. American Action Forum. March 2019, http://bit.ly/SCOTUStech.
[3] See, e.g. Ashley Baker, Comments Submitted to the NTIA Regarding Developing the Administration’s Approach to Consumer Privacy, Docket No. 180821780-8780-01. Nov. 2018, bit.ly/CFJ-NTIA; Ashley Baker, Comments Submitted to the FTC Regarding Hearings on Competition and Consumer Protection in the 21st Century, Docket No. FTC-2018-0098. Dec. 2018, http://bit.ly/2XW8laO; Ashley Baker, “Privacy Policy and the Economics of Data Collection Rules.” The Committee for Justice. Jan. 2019, http://bit.ly/PrivacyEcon; Ashley Baker, Comments Submitted to the DOJ Antitrust Division Regarding Competition in Television and Digital Advertising. June 2019, http://bit.ly/2PwehnJ.
[4] See, e.g., amicus briefs filed in Carpenter v. United States. 11 Aug. 2017, https://www.scribd.com/document/356288790/Amicus-Brief-Filed-in-Carpenter-v-United-States and United States v. Kolsuz. 20 March 2017, https://www.scribd.com/document/355249553/United-States-v-Kolsuz-Amucis-Brief; The Committee for Justice, Letter to Congress in Support of the Clarifying Lawful Use of Overseas Data (CLOUD) Act. 13 Feb. 2018, https://www.committeeforjustice.org/single-post/support-clarifying-lawful-use-data.
[5] Age falsification is a predictable challenge to the implementation of COPPA rules. See, e.g. Mary Madden, et al. “Part 4: Putting Privacy Practices in Context: A Portrait of Teens' Experiences Online.” Pew Research Center: Internet, Science & Tech, 19 Feb. 2014, https://www.pewresearch.org/internet/2013/05/21/part-4-putting-privacy-practices-in-context-a-portrait-of-teens-experiences-online/. (“In 2011, we reported that close to half of online teens (44%) admitted to lying about their age at one time or another so they could access a website or sign up for an online account. In the latest survey, 39% of online teens admitted to falsifying their age in order gain access to a website or account…In the current survey, 36% of online teens who are 12 years old admitted to falsifying their age in order to gain access to a website or account.”)
[6] See 16 CFR 312.2. (“Web site or online service directed to children means a commercial Web site or online service, or portion thereof, that is targeted to children and goes on to lay out its criteria as follows: In determining whether a Web site or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.(2) A Web site or online service shall be deemed directed to children when it has actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.”)
[7] “Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children's Privacy Law.” Federal Trade Commission, 4 Sept. 2019, https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations.
[8] Makena Kelly and Julia Alexander. “YouTube's New Kids' Content System Has Creators Scrambling.” The Verge, 13 Nov. 2019, https://www.theverge.com/2019/11/13/20963459/youtube-google-coppa-ftc-fine-settlement-youtubers-new-rules. (“Within YouTube, it’s clear that child-directed videos will have fewer advantages on the platform. The most obvious is the removal of targeted ads, but a number of other YouTube features are also impossible without personalized data. In particular, child-directed videos will no longer include a comments section, click-through info cards, end screens, notification functions, and the community tab, all powerful tools for driving viewers back to a channel.”)