The U.S. Federal Trade Commission is once again seeking to update the provisions of the Children’s Online Privacy Protection Act. It’s not an unusual move by the agency, which reviews COPPA for potential amendments every 10 years, but it’s one that seems increasingly pressing and especially necessary now, according to children’s privacy advocates.
Indicative of the uncertainty around how to handle children's privacy and what rules might apply are YouTube's recent decision to create a child-friendly version of its site and end its ad targeting of kids. There's also the growing concerns with edtech's increased data collection. Those incidents are fueling calls for children’s privacy to be re-examined and re-established. While advocates have their own ideas on the amendments that are plausible and make the most sense, the final decision ultimately falls back to the FTC. However, uncertainty remains as to whether the real answers to children's privacy regulation will come from the FTC or Congressional action.
The FTC’s review was announced July 25, but that doesn't mean a resolution will follow in short order. It took three years for the last set of COPPA amendments to be settled upon in 2013, though the process was initiated in 2010.
“We thought it made sense to initiate the rule review early to see how those changes affected the marketplace, if there were any issues with those changes and also to consider whether further changes are needed given the rapid changes in technology,” said Kristin Cohen, senior attorney in the Division of Privacy and Identity Protection for the FTC’s Bureau of Consumer Protection.
The FTC has put forth nine topics for comment, including parental reviews and consent, data-operator notices and data collection on children.
Burns & Wilcox's David Derigiotis, CIPP/US, and Linnette Attai, who owns consulting firm PlayWell and this year published "Protecting student data privacy: classroom fundamentals," said the problems surrounding COPPA are due to rapid changes in technology and what that means for parental consent, data collection and storage. There's also concern over the third-party vendors' use of children's data, now that apps are an integral part of education as well as entertainment now.
"There are requirements that need to be addressed and assessed when bringing tech into schools, and that can sometimes be quite daunting for education institutions, many of which are under-resourced in getting the education, funding and manpower they need to stand up a secure network and properly manage data privacy through the increasingly complex matrix of laws, particularly in the K-12 environment," Attai said.
Often, it plays out like this, Derigiotis explained: A school district distributes electronic tablets to children in elementary school, and those kids will hold on to the tablets throughout the years as they progress within the school district. The tablets are capturing tons of information that can be shared not only with tech companies everyone uses every day, like Google or Apple, but also with third-party vendors the schools are contracting with to track student progress, homework, grades and tests.
"Data such as internet search history, photos and videos taken, as well as voice recordings are all captured on this tablets and can build up over the course of a week, month, and especially the entire school year," Derigiotis said. "Much of this data is used for specific classroom assignments, but some of it in the students leisure time as well. The organizations that collect this information do not care what the use might be for, they are still collecting it."
And that raises issues of consent as well as third-party data sharing.
"Clear disclosure not only needs to be provided where third-party contracts exist but I am advocating for data retention limitations on all non-essential information collected each and every year," Derigiotis said of the comments he plans to submit to the FTC. "Some of this may include uploaded user content as it relates to assignments, usage of a program or service as well as the time spent in a particular program or service. Any data not relating to grades specifically should be fully erased."
Besides addressing non-essential data collection, Attai sees an opportunity for the FTC to specify permissible forms of consent.
"Another area where many schools would like to see more clarity in COPPA is to understand if they are permitted to act as an agent of the parent when providing consent for the operator's collection of personal information from students under age 13 when that collection is for the use and benefit of the school and for no other commercial purpose, or, if the school must actually obtain the consent from parents," Attai said.
Derigiotis believes a look at possible mandates for companies to explicitly clarify or explain their data collection could help parents make more appropriate decisions.
“It’s an unconscious willingness. I don’t think parents are intentionally giving consent and truly understanding just what’s being collected and shared,” Derigiotis said. “Everybody wants to be able to trust the school system and believe there’s no harm coming from it. There’s no malicious intent here. But if you look at the way vendors are leveraged and the way tech providers are being implemented, everybody is trying to come up with the quickest, best possible system to chop up data.”
In general, Derigiotis said, his comments will hit on “two easy changes”: revising the maximum age for a protected individual under COPPA from 13 to 16 and including biometrics under the definition of personal information. He also plans to propose a mandatory data deletion provision, which would purge student data at the end of each school year.
For her part, Attai would like to see clarity on the intersection between COPPA and FERPA, or, the Family Educational Rights and Privacy Act. "Specifically, how the schools and technology companies respect the rights and requirements around education records,” Attai said, adding there’s been an “inherent tension” between the two laws because of “lacking guidance and clarity.”
"It's not uncommon to see educational products intended for use by children under age 13 being used in the classroom, often brought in directly by teachers. There are any number of apps, websites and other connected technologies that support young learners and provide tremendous benefits. However, all of the privacy laws that apply were not written to serve the same purpose, and they sometimes simply don't get along very well together," said Attai.
Attai explained that when an education institution shares personal information from the education record with a technology provider, it is most commonly done under the school officials' exception to the parental consent requirement in FERPA. Under this exception, the technology provider must — among other things — remain under the "direct control" of the education institution when it comes to the use and maintenance of the education record.
"However, COPPA requires that the operator give parents the rights to access and request deletion of the personal information collected from their child," Attai said. "The challenge is to be able to delete student personal information at the request of a parent, while staying under the direct control of the education institution with respect to the use and maintenance of the education record.
Kids and social media apps
When it comes to social media and COPPA, particularly with regard to targeted advertisement, there’s a “hear no evil, see no evil” mentality among companies, said Future of Privacy Forum Senior Counsel Amelia Vance. “This whole process is happening at a time when academics and society at large are asking hard questions about what it means to have actual knowledge that there are kids on your platform and how much companies can stick their heads in the sand on any arguments about it,” she said, adding that companies look to “avoid actual knowledge at all cost.”
Common Sense Media's Ariel Fox Johnson, CIPP/US, believes the FTC shouldn’t tolerate apps claiming any sort of unawareness related to kids populating a platform.
“Addressing the sites and services COPPA covers more clearly is something to look at,” Johnson said. “I think it’s ridiculous that you have sites like Musical.ly, YouTube and Instagram that pretend they don’t have kids under 13 on them. If FTC needs more comfort to claim those sites are covered under the rules, I think they already can, but it’s somewhere you could see them making things even more clear.”
Vance said companies are claiming no knowledge in an effort to steer clear of liability issues and difficult consent requirements that would need to be in place to proceed with their business. There’s also curiosity among Vance and her FPF colleagues as to whether the FTC draw a clearer line for platforms to decide whether they will simply deny access to COPPA-protected individuals or buy in on creating a kid-friendly version of their site.
FTC changes or federal overhaul?
A question worth asking is whether the appropriate actions to improve children’s privacy rely on the FTC or potential federal regulation. Congressional talks regarding federal privacy legislation have varied between rampant and nonexistent, and the same goes for legislation on children’s privacy. However, there have been three congressional bills recently introduced that seek to amend parts of COPPA.
Sen. Richard Durbin, D-Md., has proposed the Clean Slate for Kids Online Act, which would amend COPPA to allow a personal information deletion option for activity by kids under age 13. Sens. Ed Markey, D-Mass., and Josh Hawley, R-Mo., are co-sponsoring a bill that would raise the COPPA’s protected age to 15. In the U.S. House, Rep. Bobby Rush, D-Ill., is sponsoring H.R. 3900, which would amend strengthen protections for children’s data collection and personal information disclosures.
Attai believes the best chance at congressional action on COPPA will come via Markey and Hawley’s bill or a future bill that mirrors it. “I think what we might see ultimately are some COPPA protections get extended from age 13 to 16. … I would certainly expect that if we see federal regulation, and this is a sort of as old as time, that it would happen for kids before anyone else,” Attai said.
Vance is skeptical that either the FTC or Congress can make substantial changes. She said federal bills from Markey, who was a privacy stalwart in the House before moving to the Senate, aren’t as likely to move due to his current lack of seniority and that “viability depends on the co-sponsors he brings in.” On the other hand, Vance isn’t sure the FTC has the right timing to get its work done properly.
“We’re coming up on a re-election year where we deal with the political tensions that occur when an independent agency is doing work that could indirectly support an incumbent,” Vance said. “Whether the FTC will be able to put out text for new rules and get comments before the political questions become viable is a big question in my mind.”
The questions remain open for comments from stakeholders, including consumer groups, industry, and lawyers, for 90 days. In addition, the FTC will host “The Future of the COPPA Rule: An FTC Workshop” Oct. 7 to discuss possible COPPA amendments.
Following a review of all comments and information gathered from the workshop, the process then could go in a couple different directions, according to Cohen. If the commission determines, based on feedback, changes to COPPA are warranted, Cohen said the next step is likely a notice of proposed rulemaking, followed by a final rule, both of which will require public comment as well.