COPPA Workshop Takeaways

|

On Monday, the Federal Trade Commission (FTC) held a public workshop focused on potential updates to the Children’s Online Privacy Protection Act (COPPA) rule. The workshop follows a July 25, 2019 notice of rule review and call for public comments regarding COPPA rule reform. The comment period remains open until December 9th. Senior FTC officials expect the process to result in changes to the COPPA rule. The workshop also follows the Commission’s high-profile settlement with YouTube regarding child-directed content.

Monday’s workshop was a key part of the Commission’s review; the day-long session featured panel discussions focused on the various questions raised regarding COPPA’s continued effectiveness as technology evolves. FPF’s Amelia Vance spoke on a panel focused on the intersection of issues related to children’s privacy and student privacy.

During the edtech focused panel, there was a consensus that schools should be able to use the Family Educational Rights and Privacy Act’s (FERPA) school official exception to provide consent on behalf of under-thirteen students under COPPA, rather than collect consent directly from parents. This allows schools to continue to exercise judgment over what technology is used, while also preserving the privacy protections of both COPPA and FERPA. Many speakers expressed that parents feel they have little transparency about the technology being used in their child’s school. The FTC may potentially require increased transparency or notice to assuage these worries.

We also noticed several recurring themes throughout the workshop:

  1. The tension between child-directed content and “child-attractive” or child-appropriate content and what that means under COPPA;

  2. The misconceptions surrounding the meaning of “actual knowledge” and COPPA’s “product improvement” exception; and

  3. A need to focus on frameworks and technology that allow children to safely be online.

The Tension Between “Child-Directed” Content and “Child-Attractive” or Child-Appropriate Content

Several questions were posed regarding the meaning of “child-directed content:”

  • Does child-directed content also mean child-attractive content⁠—content that may interest children but is aimed at broader audiences, such as an interview with a sports player⁠?

  • Does child-directed content also include child-appropriate content⁠—content that doesn’t typically interest children, but is not violent, explicit, or objectionable, such as a video teaching viewers how to change the oil in their car?

  • If child-attractive or child-appropriate content gains a large enough child audience, does it transform into child-directed content?

Panelists cautioned that determining whether content is child-directed by focusing solely on audience makeup could create a moving target for creators; they would constantly have to monitor their audience to ensure they don’t break the “child-directed” threshold. Without clear methods for monitoring when children are accessing general audience content, this tension could not only encourage additional data collection, but it also makes it very difficult to create content for teenagers or “nostalgia-content” for adults. Panelists noted that this tension can transcend beyond content creators to services originally intended for a general audience that unintentionally attracts a child audience.

Harry Jho, a YouTube content creator, raised a concern that COPPA, as applied in the FTC’s YouTube settlement, will stifle creators’ ability to produce quality children’s online content. The settlement requires YouTube and creators to disable behaviorally targeted advertisements on child-directed content. Jho stated that he relies on behavioral advertising for the “lion’s share” of his revenue. Jho claimed that this settlement requirement will cause creators to suffer, and the quality of free children’s content on the internet to decline. Jho also articulated that there is confusion among creators about whether child-attractive or child-appropriate content will be considered “child-directed” under COPPA, resulting in less certainty than ever about whether COPPA applies to particular creators, channels, or videos.

Misconceptions: Actual Knowledge and Product Improvement

There was also significant confusion around the scope of COPPA and its definitions throughout the workshop. We heard many different opinions about the meaning of the actual knowledge standard, and the only point of agreement was that the YouTube settlement has contributed to the confusion. The FTC has said that having actual knowledge that there is child-directed content on your platform triggers COPPA. However, in the YouTube settlement, the FTC cited evidence that showed YouTube had knowledge that children were using the site, as well as pointing to channels that were obviously child-directed. Phyllis Marcus, a partner at Hunton Andrews Kurth, argued that the distinction between actual knowledge of child-directed content on a website versus actual knowledge that children are using a website seems to be collapsing. This shift, coupled with the confusion regarding the definition of “child-directed,” has caused significant uncertainty. Marcus believes that the use of the term “actual knowledge” in various other privacy regimes, such as California’s Consumer Privacy Act, will also create substantial confusion for companies.

While discussing edtech, the question of whether product improvement remains acceptable under COPPA was raised.  Ariel Fox Johnson of Common Sense Media argued that product improvement is a commercial purpose under COPPA, full stop, and if schools are paying for a service, they should not also be “paying” with student data. FPF’s Amelia Vance argued that the product improvement exception is necessary to allow essential functions like security patches and authenticating users, so any changes should be carefully tailored.

Keeping Kids on the Internet 

A recurring discussion was that some strategies for COPPA compliance have the unintended consequence of keeping kids off the internet. Jo Pedder, Head of Regulatory Strategy at the United Kingdom Information Commissioner’s Office discussed the UK’s implementation of the age-appropriate design code. The code’s goal is to empower kids on the internet while keeping them safe, rather than keeping them out of the digital world. Instead of a one-stop age-gate⁠—largely decried by panelists as an ineffective method of keeping kids safe from age-inappropriate content and data collection⁠—the design code requires entities to understand the age ranges of users and use these “age bands” to, for example, tailor privacy notices or settings.

Similarly, sites with a “mixed audience” under COPPA were heavily discussed, including if age gates can be effective in the space. Dona Fraser of the Children’s Advertising Review Unit pointed out that when kids see an age-gate, they see it as a requirement to lie about their age. Children want to use the internet and they are worried about what they are missing out on. When a mixed audience online service implements a holistic design approach by, for example, establishing a child-appropriate service by default, kids don’t feel like they are missing out on content and don’t have to lie.

Next Steps for the FTC

Several privacy advocates called for the Commission to exercise its 6(b) authority regarding COPPA-covered online services: under Section 6(b) of its enabling Act, the FTC has investigative authority to require reports providing “information about [an] entity’s ‘organization, business, conduct, practices, management, and relation to other corporations, partnerships, and individuals.’ 15 U.S.C. Sec. 46(b).” Panelists who brought up Section 6(b) raised concerns about the lack of insight about what information is being collected by websites and applications, especially in the education technology sector. Panelists also asked the FTC to do studies on the effectiveness of age-gates and whether behaviorally targeted ads actually have a higher market value than contextual advertisements, and even include the voices of the most important stakeholders–children–in the FTC’s analysis. Additionally, it is important to note that several panelists commented that the child privacy conversation needs to evolve beyond notice and consent, and urged the FTC to focus on creating requirements that provide privacy protections to children, while not creating additional notice or consent mechanisms that burden both parents and companies.

Many panelists also urged the FTC to engage in more enforcement actions. One panelist stated that more frequent enforcement actions would have a “tremendous effect” in rooting out bad actors and encouraging COPPA compliance.

For additional reading on the workshop, see these articles:

https://iapp.org/news/a/ftc-workshop-aims-to-inform-potential-coppa-updates/

https://www.edsurge.com/news/2019-10-08-the-ftc-has-its-sights-on-coppa-and-edtech-providers-should-take-notice