Last week, the Federal Trade Commission — the arm of the US government charged with enforcing most of our county's (relatively few) privacy laws — announced that they had reached a $800,000 settlement with the mobile social network Path over allegations the company had collected children's personal information without their parents' permission. While many saw the case as a fairly straightforward settlement, some lashed out at the feds for overreaching against a startup with a good product that kids should be allowed to use.
This publication's editor, Ben Smith, went a step farther with the bold headline: "The Best Parenting App is Against the Law." The law in question is the Children's Online Privacy Protection Act (COPPA) and while it does impose some obligations on startups like Path, they are hardly overwhelming. For the moment, at least. However, new COPPA regulations go into effect on July 1st, and those new regulations (depending on how the FTC enforces them) could pose a serious barrier to services like Path.
First, let's back up a second — Path's social networking service is not prohibited by COPPA or any other law. COPPA is actually fairly narrow in scope, and for that reason hasn't been challenged in courts like other overreaching child protection statutes, like the similarly named Child Online Protection Act (COPA). COPA (one p, long o sound, struck down), like the Communications Decency Act before it, broadly mandated that sites containing "material harmful to minors" (read: sexually explicit material) age-verify site visitors and bar children from accessing such content. The Supreme Court held that both laws violated the First Amendment by restricting online free expression — legally "indecent" speech is still constitutionally protected, and those laws over-burdened website operators and adults without doing much to actually protect children.
COPPA (two Ps, short o sound, still in effect) was drafted with the recognition that sites typically do not and cannot have any way of knowing which of their users are kids. For that reason, COPPA only kicks in in one of two scenarios (1) your site is obviously targeted to children (think nickjr.com) or (2) you have affirmative knowledge that a particular user is under 13 – say, by asking a user to supply her age or birthdate. In these scenarios, site operators have to provide notice about their information collection practices and get verified parental consent before collecting personal information from the child.
For general purpose websites — like Path — the most effective way to not incur COPPA responsibilities is to not ask your users how old they are. That would seem like a fairly low hurdle to pass, and yet a number of sites have gotten tripped up here. The first COPPA enforcement action was against the now-defunct social network Xanga which blithely asked users for their date of birth and then treated all users the same. Once Xanga knew that certain users were self-reporting as under-13, it had an obligation under COPPA to ask the parent's permission for the child to blog using Xanga's service. Xanga didn't, so it had to pay the FTC a $1 million fine.
Path ran into the exact same problem: it asked users for birthdate, gained actual knowledge some of its users were under 13, and then didn't do anything about it. It was that neglect —and not a general failure to bar kids from the service — that got Path into trouble (well, that and accessing users' contact lists without permissions, but that was a separate charge). If Path hadn't asked for birthdate, it should have been free and clear under COPPA. Or even if it did identify that some users were under 13, Path could have gotten the parents' permission for kids to use the service, as sites like Club Penguin — which clearly target children under 13 — do today. It's a not-insubstantial cost to have a system in place to receive written permission from a parent, but it's not a legal prohibition.
Now, it is true that in an overabundance of caution, several social sites do flatly say: no one under 13 can use this service. This is partly the result of risk-averse lawyers hedging against being classified as a site "directed to kids" under the law. And that kind of blanket refusal to deal with children is an unfortunate by-product of COPPA. But the text of COPPA doesn't require this, and the FTC's guidance on COPPA is quite clear that all-purpose sites don't have to bar kids.
And, for the moment, a lot of sites' Terms of Service — including Path's — don't actually prohibit kids. They just ask that you not tell them whether you're a child.
But while COPPA today doesn't force general purpose sites to demand users' age, that may be changing. The FTC recently issued new regulations interpreting COPPA that could dramatically expand the scope of sites that are deemed "directed to children." According to the new rules, "sites or services that target children only as a secondary audience or to a lesser degree" will now have an obligation to find out which of their members are kids, and to get the parents' permission before they can use the service. I have no idea what it means to target children as a "secondary audience or to a lesser degree," but broadly construed it could apply to much, if not most of the web.
The new COPPA rule does offer a way out of this new uncertainty: you can age-gate content if you're not sure if you're targeting kids. So the Paths of the world (who today don't require you to provide your age) might feel compelled to collect age information from users and boot out the under-13s just to make sure they're compliant under COPPA. Or they could require users to use Facebook Connect or some other service (which bars under-13s or otherwise knows your age) to authenticate their identity in order to use the service. Perversely, COPPA, ostensibly a privacy law, might force sites to collect and store far more personal information about us than they do today.
The web has thrived as a forum for anonymous and pseudonymous speech, and we absolutely should not jeopardize that with unclear rules about children's privacy that label kids as users non grata across the Internet. Yes, some services like Facebook are predicated on real name identity, but the vast majority of others are not. Should Reddit be forced to evaluate which of its thousands of subreddits are likely to attract children as a "secondary audience," and then collect personal and identifying information from each and every user? Will news sites have to figure out which sections or articles might be of interest to kids, and require a login through Facebook or Google to comment?
At the moment, it's not entirely clear how the FTC will enforce and implement its new rules. It is in the process of revising its website FAQs (which, believe it or not, are actually incredibly important guidance), and there is hope that it will make clear that it won't bring actions against truly open platforms that preserve privacy by not demanding name, age, email address, and credit card information from all their users. However, it's entirely possible that as a result of these stricter rules, sites like Path won't just let users on without identifying them first — they'll force users to authenticate who they are. And that would be a worse internet for everyone.
Justin Brookman is Director of Consumer Privacy at the Center for Democracy & Technology, a public interest group working for stronger privacy and free speech protections online. Previously, he was Chief of the Internet Bureau of the New York Attorney General's office.