Rethinking COPPA in the Age of Social Media

Audrey Watters is a technology journalist specializing in education technology news. You can follow her on Twitter at @AudreyWatters.

Earlier this year, Facebook CEO Mark Zuckerberg caused quite a stir when, speaking at the NewSchools Venture Summit, he indicated that he wanted to see kids under 13 be able to join his giant social network. According to Fortune, Zuckerberg said that COPPA prevented Facebook from allowing children on the site but "that will be a fight we take on at some point." "My philosophy," Zuckerberg said, "is that for education, you need to start at a really, really young age."

Conflation of "education" and "Facebook" aside, Zuckerberg's comments about Facebook wanting to challenge COPPA made headlines. But there was a lot of confusion over what Zuckerberg meant by this, in no small part because there's a lot of confusion about what COPPA itself entails.

About COPPA

COPPA or the Children's Online Privacy Protection Act actually does not stop Facebook from allowing users under age 13 to join. What COPPA does require is stricter privacy measures from those websites that are aimed directly at users under 13 as well as at those sites that know they are collecting and disclosing personal information from those under 13.

And that is why Facebook doesn't allow users under age 13: because Facebook collects our personal data when we sign up, when we complete our profiles, and when we "like" things. Much of this data is default public (unless you do a good job navigating the site's privacy settings). This data is also shared with advertisers and third-party developers. COPPA does not stop users under 13 joining Facebook per se. Rather Facebook has this age limit in its Terms of Service as adding the necessary measures to become COPPA compliant would run afoul of company's business model and privacy practices.

For its part, COPPA says you can't collect children's personal information without "verifiable parental consent" -- a parent's email or sometimes even, their credit card number. The law also says you need to give parents a choice as to whether their child's personal information is disclosed to third parties. COPPA says you need to maintain the "confidentiality, security and integrity" of personal information collected from children and you need to have a privacy policy posted on every page where personal information is collected.

Of course, none of these rules have stopped some 7.5 million children under the age of 13 from joining Facebook, according to recent statistics from Consumer Reports. In all fairness to Facebook, the social networking site is hardly the only company that faces this problem of those under 13 joining against the Terms of Service (as a recent story about Google Plus attested). And Facebook does make a good faith effort to kick "under-age" users from the site. About 20,000 under-13-year-olds are expelled from the site a day, Facebook's chief privacy officer recently told the Australian parliament.

New Legislation

Australian legislators have been closely scrutinizing Facebook's privacy practices, and in this country, governmental inquiry into Internet privacy and consumer protection has led to several pieces of proposed legislation, including an update to COPPA -- originally passed in 1998, ironically, the year Mark Zuckerberg turned 14.

That was also the same year that Google was founded, and as such, it's not hard to imagine that a law about online privacy from that era could be out-of-date with the realities of the Internet today. But does the law need to be changed? If so, what should an update (or revision or rewrite) of COPPA look like?

The proposed changes were introduced by Representative Joe Barton, COPPA's original sponsor. Dubbed the "Do Not Track Kids Act of 2011," his bill would add language to expand COPPA's purview to mobile and not just "Web" sites. It would also extend the scope of the data covered to include not just the physical addresses where children live but the IP addresses from which they access the Internet. The proposed updates to COPPA also say that sites must continue service to children, even when their parents withdraw consent for having their data shared (unless it's impossible to continue the service without the sharing of data). And sites must offer an "eraser button," whereby personally identifiable information is deleted upon demand.

Although the Barton bill did not leave a House subcommittee this year, the pressures to rethink how privacy should work for children online reflect attention to more general questions of consumers' rights to online privacy: What happens to our data when any of us sign up for services online? How is our data used -- not just to offer us advertising, of course, but to give us autocompletes and recommendations and the like? What are our expectations for the privacy and security of our data?

And what are our expectations for the privacy and security of the data of consumers and web users under age 13? Do we need better legislation about online privacy, or do we need better education (or both)? After all, it's pretty clear that children under 13 want to be -- and already are -- on sites like Facebook.