COPPA Developments In Early 2022

The Children's Online Privacy Protection Act - A Rocky Road

For a law that has been around for multiple decades, COPPA hasn't got much easier to implement or understand, particularly for people outside of the U.S. who might accidentally run afoul of it.

The first major issue is that there's no solid definition of 'targeted towards children'. In fact, the Federal Trade Commission (FTC) implements a sliding scale when judging whether or not a site or app needs to comply with COPPA:

'Thus, under the ''sliding scale,'' the more reliable methods of consent will be required for activities involving chat rooms, message boards, disclosures to third parties, and other ''disclosures'' as defined in Section 312.2 of the Rule.'

An archive of the FTC ruling on how they planned on implementing COPPA regulation can be found here.

So now website owners have to guess the intent and judgment of the FTC if they want to ignore COPPA. Since the fines can be crippling to small businesses, that's not a gamble many are willing to take. But websites intended for the young adult audience can get tattooed with a 'kids' vibe if they include the disclosures and checks required, just to be safe. This threatens to drive away their actual target audience.

So many sites avoid this entire issue by stating that children 13 years or younger simply cannot sign up or have a profile. They also try to avoid appealing to younger audiences at all costs. This creates a virtual wasteland of content for 10 to 13-year-olds because nobody wants to deal with the cost of age verification, COPPA compliance, or fines.

The sites that do implement information collection for pre-teens, so that they can create personalized accounts, for example, need to meet the parental permission standards. Methods include:

• Signed consent forms
• Credit or debit card validation
• Having the parent call a toll-free phone number staffed by trained personnel
• A parent video-conference
• Checking a government-issued identification against central databases
• Requiring the parent to answer a series of knowledge-based challenge questions
• Verifying a picture of a driver's license or other photo ID via facial recognition technology

As you might imagine, the more reliable the method, the more expensive and time-consuming it is. Most small businesses will opt for the cheapest methods and hope that they are considered adequate for their type of content.

Others will simply rely upon the fact that it's trivially easy to lie about one's age online, and kids aren't stupid. If the website claims to be 13+ only, even if its target audience is younger, they know that most kids will simply say they're over 13 to access the content. Then the website is off the hook, as long as they avoid themes and advertising that specifically goes after pre-teens.

The fact that a U.S. law can be applied to people and companies in other nations might seem disturbing. But if the FTC determines that the majority of their customers are U.S. based and they meet all of the other COPPA criteria, they will fine foreign entities. If those fines are ignored, they'll freeze their accounts via the payment processors, if they have a significant U.S. presence.

What's Happening With COPPA in 2022?

Some recent incidents and court proceedings have come to light in 2022 that may influence how the Children's Online Privacy Protection Act is interpreted and implemented going forward. Here are some of the highlights.

In late April 2022, Google / Youtube in conjunction with channel owners including Hasbro, Cartoon Network, and DreamWorks finished their reply brief to the COPPA-related case brought against them in California courts.

In a nutshell, Google and the channel owners contend that the FTC has jurisdiction to regulate COPPA rules and restrictions on a national level. The plaintiffs claim that they can add additional requirements on a state-by-state basis.

Though the plaintiffs lost round one, if this appeal reverses the decision, things will get a lot more complex in the world of COPPA. Not only will national and international entities be responsible for additional state-by-state restrictions… but so will overseas content creators and site hosts. This is one to watch closely, as it will multiply the regulatory responsibility of pre-teen websites, and likely force even more sites to restrict account creation to the 13+ crowd (or those willing to lie about their age).

In a related statement from attorneys at Robins Kaplan, a warning has gone out to the legal community: Streamers are the next group in the FTC's sights.

Because most content creators have no control over the advertisers that make use of their streaming platform, they may accidentally be used as pawns to appeal to and collect the personal information of viewers under the age of 13. In order to protect themself, they might need to eliminate all content that could be construed as appealing to kids, while explicitly banning any viewers 12 or younger from their channels.

Additionally, the 'child star' provisions of COPPA that have hit streamers in the past are likely to rear their ugly head again if streaming services fall under the FTC's crosshairs. And because so many stream viewers are from the U.S., this will impact even young international stars.

Finally, kids on a diet may have landed WW International (formerly known as Weight Watchers) in hot water recently. In March 2022, the FTC launched a case against the health and lifestyle company for multiple COPPA violations. The allegations are that WW illegally harvested children's health data without proper consent or regulation.

Rather than going through the parental verification steps mentioned above, their Kurbo app and website just let kids skip the process by claiming they were over the age of 13. This loophole only works if the site isn't targeted specifically at pre-teens, which Kurbo seemed to be. They were also (supposedly) keeping their information without an expiration date, only deleting it when a parent specifically requested it.

This might be one of those cases that the FTC plans to use as an 'example', seeing as it got its own press release from the government organization. Certainly, one to follow.

Protect Your Family's Privacy

Whether or not websites properly comply with COPPA, the act doesn't take into account one of the greatest threats to online privacy today: Device and browser fingerprinting.

COPPA would be far more reasonable if it had concrete standards without a sliding scale. Free, publicly available portals that could be used for parental validation would be nice as well, to relieve the burdens of the law on small businesses. In its current state, the regulations are far too easy to mess up and far too subjective and unreliable.

In the meantime, a robust privacy app can go a long way towards protecting children under the age of 12 from predatory advertising, as well as shielding the browser fingerprints of their entire family.