The annual FOSI conference held in DC last week really helped to articulate for me some of the current ambiguity in the COPPA legislation, specifically with its intention and its enforcement.
Currently, the law is written in such a way that it clearly intends to protect children’s personally identifiable information (PII) from being used for nefarious purposes by the websites collecting it or their third-party partners. Some of the changes being proposed (public comments are due by the end of Nov) help to update and articulate this point and make the criteria points a bit more salient with today’s tech climate (i.e., adding geo-location, behavioral advertising, etc.).
One point that is hotly debated is Email Plus. Currently, sites can use this method (sending notification emails to a parent informing them of a child’s intent to share PII), but the FTC is trying to remove this. The reason is that sites should, by and large, not be soliciting PII from children in the first place, and if they are, they should be complying with the more rigid parental verification models detailed in the law. As Amy Pritchard from Metaverse Modsquad articulated to me, “Email plus is being eliminated as a way to collect PII and use it internally, as most sites had used it as a best practice parental notification method. In order to allow sites to continue to do this, the proposed changes allow for sites to collect the parent email address for purposes of notifying the parent that the child has become a member of [or registered for] the site.”
The informal debates that I heard and participated in at the FOSI conference dealt mostly with the intent of the law. Most of us agreed that the law should protect a child’s PII from being used for anything other than to make the game play better. For the most part, the consensus is that, except for specific situations, like contests, DOB and gender are really the only 2 pieces of child PII a site needs to collect, and these are allowed currently under COPPA.
The finer point that I recognized in our sometimes spirited debates was between solicited PII and passively collected PII. A site should not solicit PII from kids, such as in the registration process, as most of this information is not needed for normal game-play (unless, again, they get verifiable parental consent). But what if kids give PII freely, such as in chat or on forums/boards? What, if any, sanctions should be levied on the site in these scenarios? The informal consensus was that the site should at least employ means of screening and moderating such content so as to make sure that this PII is not easily given and read on the site – but that this should not be legislated as part of COPPA.
Anne Collier wrote about this recently (http://www.netfamilynews.org/?p=30775) – “The proposed [COPPA] changes respond to the advent of social media (social network sites, virtual worlds, online games, apps, etc.) in that sites can “allow children to participate in interactive communities without parental consent so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public,” and companies will also have to hold third parties such as app providers to the same privacy standards their services are held to.”
I do not think that the intention of the law should be about teaching and protecting kids to be safe with their PII. While this is an ethical and moral imperative that companies that target this demographic should abide by, I fall pretty firmly on the side that this should not be federally mandated. Many of us, myself included, believe that the free market, and hopefully vocal parent groups and watchdog organizations, should be more of the gauge as to whether this is being done on individual sites. In theory, educating and protecting kids from sharing PII in chat is a great idea, but those of us who have to DO that work realize how difficult and sometimes impossible it is to be 100% effective. I do not see how the government could keep up with or track down how effective sites are at keeping up with that.
This was the 5th Annual FOSI conference, and it was very good to see more representation from practitioners, rather than just lobbyists, marketers, safety advocates, researchers and bloggers. Hopefully, those of us with real-world/front-line experience in implementing these sorts of laws can gain influence in the conversations so laws can be amended or written practically the first time, rather than after the fact (or not at all).
5 thoughts on “COPPA musings”
Thanks for the excellent summary and information Joi. As always, everyone at Inversoft is looking forward to the changes made to COPPA over the coming months as it will certainly have wide reaching effects on many companies and industries.
Very interesting and informative. It concerns me that there is a growing possibility of the FTC forbidding gaming companies to solicit emails during their registration processes. While I absolutely agree that most of kids’ personal information should never be collected, I do suspect that where game moderation is concerned there is currently not a less invasive replacement available for what that piece of information provides. The benefit to kids’ safety in having an email address readily available to game moderators seems to invalidate the reasoning of those with scruples about collecting this information. Simply notifying parents of an account’s creation definitely falls short of the intention of the legislation in the first place (to help make kids safer).
While many parents do not receive notification emails “to a parent informing them of a child’s intent to share pii”, for example (since many kids use their own or bogus email addresses when they register), nevertheless they are an effective online safety teaching tool. The debate on whose responsibility it is to educate kids about online safety continues (and I agree with you, Joi, on this issue if I’ve interpreted your opinion correctly), and it seems like the FTC believes it is the gaming industry’s. However, whether or not they’re correct is mostly irrelevant, isn’t it? Why can’t the FTC see that simply for the sake of good business practices that encourage more gameplay, it makes absolute sense for companies to encourage game safety as well as gamer privacy by protecting PII? It is in their own best interest to promote online safety. Notifying parents and/or kids of PII violations, etc. does just that.
Is a federal mandate prohibiting companies from asking for email addresses while simultaneously forcing companies to screen all possible cases of PvP PII giveaways really necessary here? Would it be productive? Would it be preventative?