The Federal Trade Commission (FTC) today announced the release of an 18-pageÂ Request for Public Comment (embedded below) on its implementation of the Children's Online Privacy Protection Act or 1998 (COPPA), which governs online sharing by, and collection of information from, children under age 13. The FTC had previously announced that it would accelerate the review, which had been planned for 2015, particularly because of concerns about the mobile marketplace, as noted in the FTC's report on that topic released in February.
COPPA has undoubtedly succeeded in its primary goal of enhancing parental involvement in their child's online activities in order to protect the privacy and safety of children online.Â Yet these benefits have come at a price, as COPPA's considerable compliance costs (estimated at $45/child, which can be crushing in the era of "free")Â have likely reduced the digital media choices available for children.Â So I'm glad to see the Commission recognize these trade-offs by asking about the costs and benefits of COPPA and any proposed changes right off the bat (Questions 1-5). Such trade-offs are an inevitable part of life and policymakers can't simply ignore them, even when it's "for the children."
The Potential for COPPA Expansion
I look forward to seeing comments on the important questions raised by the Commission about precisely how best to implement the framework enacted by Congress.Â But I do worry that the Commission has explicitly invitedÂ proposals for legislative changes to the statute itself. In particular:
6. Do the definitions set forth in Part 312.2 of the Rule accomplish COPPA's goal of protecting children's online privacy and safety? ...
28. Does the commenter propose any modifications to the Rule that may conflict with the statutory provisions of the COPPA Act? For any such proposed modification, does the commenter propose seeking legislative changes to the Act?
Note that question #6 does not include the critical limitation "consistent with the Act's requirements," which appears no less than 17 times in subsequentÂ questions about specific aspects of the current rules. Whatever the FTC intended, this will omission, combined with question #28, willÂ be taken as an open invitation by many to propose not just changes in how the COPPA rules are implemented, but wholesale revisions to the COPPA statute itself.
(In this sense, this inquiry is somewhat reminiscent of the FCC's far more open-ended inquiry in its related "Empowering Parents" proceeding, where the FCC all but asked commenters to draw up new statutory authority for the agency and go lobby Congress to enact it. Check out the joint comments PFF filed with EFF in that important proceeding.)
Most troubling would be any proposal to extend COPPA to cover adolescents age 13-17--which Congress considered, but rejected, back in 1998 in recognition of the free speech rights at stake. As Adam Thierer & I explained in our June 2009 PFF paper, COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, at least four states have considered such "COPPA 2.0" laws in recent years. Maine actually passed such a law last summer but decided not to enforce it and gave up on trying to amend it, as Braden recently explained. (See my testimony on that new Maine law here.)
In practice, such COPPA 2.0 laws would require age verification of all visitors to general audience websites, and would likely therefore be struck down by the courts on First Amendment grounds for much the same reasons the courts have struck down efforts to require age verification for access to pornography. In essence, a "scaled-up" COPPA would converge with COPA as a broad age verification mandate, as we explained in our COPPA 2.0 paper. Furthermore, such broad age verification mandates could, ironically, reduce online privacy by requiring more information to be collected from both adolescents and adults for age verification purposes, while doing little to make adolescents safer.
Even if COPPA's age bracket is not expanded, I worry that broad revision of key terms like "collection" (Question #10) and "personal information" (#12-13) could have serious unintended consequences for online advertising and data use, which are the lifeblood of the online ecosystem.
In particular, the bill would give the FTC broad APA rulemaking authority. Today, the FTC can issue rules only subject to certain important procedural safeguards, but Congress has given it specific mandates to issue narrow rules under the APA in particular areas--like COPPA and CAN-SPAM. If such legislation were ultimately enacted (which now depends on the Senate), the FTC could conceivably supplement COPPA's rules for kids under 13 with its own APA rules for older kids--and Congress would never have to revisit the issue at all. Indeed, it's not clear how the COPPA statute would continue constrain the agency in reshaping the COPPA rules.
But even if the FTC doesn't take such a drastic step to expand COPPA, the new enforcement powers the FTC would gain under HR 4173 could transform how COPPA is implemented. For the first time, the FTC would be able to impose civil penalties for any violation of Section V of the FTC Act, including violations of COPPA; bring suit on its own rather than going through the DOJ; and go after parties that merely provided "substantial assistance" to those that violated COPPA. In such an enforcement environment, the potential cost of violating COPPA could become astronomical, as every separate violation (even on a per user or per day basis) could be subject to a fine of up to $16,000.
FTC Chairman Jon Leibowitz has pushed for all this authority, including at Senate testimony back in February, but promised to use these powers only wisely. However, when pressed to enumerate areas in which APA rulemaking authority would be helpful, Leibowtiz could only respond that, "...we'd really want to [...] think for a while if we got this authority about what we wanted to do and what we wouldn't want to do..." So... does that include COPPA, Mr. Chairman?
Chairman Leibowitz may not intend to use these powers to expand COPPA or radically change COPPA enforcement, but as I've said, I fear these soothing promises of regulatory restraint will ultimately prove hollow, if not under this FTC Chairman, then under his successors. And any discussion of re-writing COPPA has to take into consideration such radical changes in the FTC's rulemaking and enforcement powers.
What about Education?
Finally, I'm surprised to see that the word "education" is used nowhere in the FTC's Request for Comments. Just about everyone involved in debates about online child safety and privacy would agree that the solution begins with education--even if it doesn't end there. One might have thought the FTC would ask about whether effective implementation of COPPA's goals required more education efforts rather than (or perhaps in combination with) stricter regulations--especially since the FTC has done such a terrific job with its own education efforts, such as:
OnGuard Online, the inter-agency website intended to educate all Internet users about online safety
NetCetera, the FTC's excellent child safety effort
The "You Are Here" virtual mall launched by the FTC last year to educate kids in 5th-8th grade (age 10-14) about marketing both online and offline.
Comments on the COPPA review are due June 30, 2010. Adam Thierer and I will definitely be filing comments on behalf of PFF. If you're planning to file, too, and would like to compare notes, we'd be happy to hear from you.