Posted in kids, Safety/Privacy, web business

COPPA musings

The annual FOSI conference held in DC last week really helped to articulate for me some of the current ambiguity in the COPPA legislation, specifically with it’s intention and it’s enforcement.

Currently, the law is written in such a way that it clearly intends to protect childrens’ personally identifiable information (PII) from being used for nefarious purposes by the websites collecting it or their third party partners.  Some of the changes being proposed (public comments are due by the end of Nov) help to update and articulate this point and make the criteria points a bit more salient with todays tech climate (i.e adding geo-location, behavioral advertising, etc).

One point that is hotly debated is Email Plus.  Currently, sites can use this method (sending notification emails to a parent informing them of a child’s intent to share PII), but the FTC is trying to remove this.  The reason for this being that the sites should, by in large, not be soliciting PII from children in the first place and if they are, they should be complying with the more rigid parental verification models detailed in the law.  As Amy Pritchard from Metaverse Modsquad articulated to me, “Email plus is being eliminated as a way to collect PII and use it internally, as most sites had used it as a best practice parental notification method.  In order to allow sites to continue to do this, the proposed changes allow for sites to collect the parent email address for purposes of notifying the parent that the child has become a member of [or registered for] the site.”

The informal debates that I heard and participated in at the FOSI conference dealt mostly in the intent of the law.  Most of us agreed that the law should protect a child’s PII from being used for anything other than to make the game play better.  For the most part, the consensus is that, except for specific situations, like contests, DOB and gender are really the only 2 pieces of child PII a site needs to collect, and these are allowed currently under COPPA.

The finer point that I recognized in our sometimes spirited debates was between solicited PII and passively collected PII.   A site should not solicit PII from kids, such as in the registration process, as most of this information is not needed for normal game-play (unless, again, they get verifiable parental consent).   But what if kids give PII freely, such as in chat or on forums/boards?  What, if any, sanctions should be levied unto the site in these scenarios?  The informal consensus was that the site should at least employ means of screening and moderating such content so as to make sure that this PII is not easily given and read on the site – but that this should not be legislated as part of COPPA.

Anne Collier wrote about this recently (http://www.netfamilynews.org/?p=30775) – “The proposed [COPPA] changes respond to the advent of social media (social network sites, virtual worlds, online games, apps, etc.) in that sites can “allow children to participate in interactive communities without parental consent so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public,” and companies will also have to hold third parties such as app providers to the same privacy standards their services are held to.”

I do not think that the intention of the law should be about teaching and protecting kids to be safe with their PII.  While this is an ethical and moral imperative that companies that target this demographic should abide by, I fall pretty firmly on the side that this should not be federally mandated.  Many of us, myself included, believe that the free market, and hopefully vocal parent groups and watchdog organizations, should be more of the gauge as to whether this is being done on individual sites.  In theory, educating and protecting kids from sharing PII in chat is a great idea, but those of use who have to DO that work, realize how difficult and sometimes impossible it is to be 100% effective.  I do not see how the government could keep up with or track down how effectively sites are at keeping up with that.

This was the 5th Annual FOSI conference, and it was very good to see more representation from practitioners, rather than just lobbyists, marketers, safety advocates, researchers and bloggers.  Hopefully, those of us with real-world/front-line experience in implementing these sort of laws can gain influence in the conversations so laws can be amended or written practically the first time, rather than after the fact (or not at all).