"Don't turn COPPA into a sweeping age verification mandate for the Internet!" That was essentially the core message of joint comments (below) Adam Thierer and I today filed with the Center for Democracy & Technology and the Electronic Frontier Foundation on the FTC's Implementation Review of the rules that implement the Children's Online Privacy Protection Act of 1998 (which requires verifiable parental consent for kids under 13 to use most interactive sites and services if those sites are "directed to" them or if the site has "actual knowledge" it might be collecting personal information from such kids or allowing them to share such information through the site).
Specifically, we counsel the Commission against expanding COPPA beyond its original, limited purposes and scope, or calling on Congress to enact an expansion. In a techno-functional sense, COPPA is already "expansive," since it is essentially device- and technology- neutral--essentially applying to any site or service that uses the Internet. That flexibility should allow the FTC to apply the statute in a changing landscape without further legislative changes. But we explain why COPPA is necessarily narrow in its age scope and the "directed to" and "actual knowledge" concepts that actually trigger COPPA's requirements--and why changing any one of these three critical parts would inevitably lead to unconstitutional restrictions on the speech rights of adults, minors, and site operators, while actually reducing online privacy but without enhancing the online safety of children.
We call instead for the agency (i) to use the breadth and flexibility already given to it by Congress in the COPPA statute to enforce the statute in a manner consistent with the rapidly changing technical landscape and (ii) to supplement enforcement of that existing law with increased educational efforts and promotion of parental empowerment solutions.
Adam and I certainly have our differences with CDT and EFF on some issues, but this is not one of them! I'm deeply proud to join with these organizations in pointing out the unintended consequences of expanding regulation in an area where all too many people stop thinking carefully about the effects of regulation because, they seem to think, "We can never do enough for the children!" As we point out in our comments, the trade-offs here aren't just between "The Children" and anyone's narrow economic interests, but run far, far deeper. Adam & I did our best to succinctly capture the true, complex cluster of issues at stake with the title of the paper we released last summer about COPPA expansion: "COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech."
The stakes here for our digital future could hardly be higher, yet more subtle.
Everyone understands the "Internet Kill Switch" concept in cybersecurity debates, for example, but few really stop to think about what it means to require websites to treat children differently given the fundamental technological reality that site operators don't know who children are (except for sites "directed to" children and in cases of actual knowledge--just as COPPA already requires), and must therefore attempt first to identify everyone before they can even begin to apply any child-specific requirements. If you want to read more on this subject, check out my recent testimony to the Senate Commerce Committee on COPPA and follow-up questions for the record, or my initial thoughts on the COPPA review.