Georgetown Law Institute for Technology Law & Policy Looks at Child Online Privacy Law 20 Years Later

Georgetown Law’s Institute for Technology Law & Policy gathered distinguished experts from government, the tech industry, and advocacy groups October 24 to examine how a law enacted in the age of dial-up is faring today.

The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, requires websites and online services aimed at children to provide notice to parents and get their permission before collecting or using personal information from children under 13. They also must post privacy policies and provide parents access to children’s data they’ve collected. The Federal Trade Commission regulates and enforces the law.

FTC Commissioner Rebecca Slaughter provided the keynote speech at the event, “COPPA at 20: Protecting Children’s Privacy in the New Digital Era,” held in the Gewirz Student Center. Slaughter said the Commission has worked to keep up with technological changes since the law went into effect, addressing smartphones, social networking, online photos, video, and audio and Internet-connected toys.

“The FTC will continue to do everything in its power to respond to developments in technology and ensure that the protections afforded by COPPA are as effective as possible,” Slaughter said.

Senator Ed Markey (D-Mass.) said in closing remarks via video that privacy laws should be updated to meet today’s technology landscape. COPPA, he said, was passed in the “B.F. Era” — “Before Facebook,” and when “only birds tweeted.”

“We can childproof a pill bottle, but it only takes the swipe of a finger to open up a smartphone,” said Markey, who as a House member in 1998 was a key drafter of the law. He called for extending COPPA protection to children up to age 15 and creating an “eraser” mechanism so that regrettable mistakes children and young teens make online “don’t haunt them for the rest of their lives.”

20 Years Later

The event featured panel discussions on COPPA’s effectiveness in light of changes in how children interact with the Internet and the potential for technology addiction; how key provisions of the law have been interpreted, including how to assign liability with third parties involved in tracking users’ data; and COPPA enforcement, specifically the “safe harbor” program that lets industry self-regulate compliance with the law.

Professor David Vladeck, who previously served as director of the FTC’s Bureau of Consumer Protection, which is responsible for enforcing COPPA, reiterated that the law needs to adapt.

“We have this regulatory regime that was crafted before anyone could think about these things,” Vladeck said, holding up his smartphone.

The law also needs a higher profile, said Vladeck, who oversaw a 2012 revision of the FTC’s COPPA rules while he was there.

“My concerns about COPPA enforcement is, the parents don’t know anything about COPPA,” he said. “They are worried about their kids online, as they ought to be. We have not managed collectively to educate parents that there are these rules.”

Professor Laura Moy, executive director of the Georgetown Center on Privacy & Technology; Professor Angela Campbell, who leads the Communications & Technology Clinic within Georgetown Law’s Institute for Public Representation; and Associate Dean Paul Ohm also participated. Campbell was involved in efforts that led to COPPA’s passage, and Ohm worked on the 2012 COPPA regulations while serving as a senior policy advisor to the FTC.

Campbell, who as part of her work with the clinic has filed numerous FTC complaints over COPPA violations, concluded that COPPA’s safe harbor system allowing industry to self-regulate compliance with the law was “flawed.” Companies that qualify for one of the several FTC-approved safe harbor programs get a seal of approval that may mislead parents, she argued.

“The problem is the seal doesn’t really mean that they’re not collecting information from their children,” she said. “It just means that they have a privacy policy that meets the COPPA criteria and that it gets reviewed once a year for compliance by the safe harbor. So it really doesn’t take away the burden on the parent to read privacy policies…. I think [it gives] parents a false sense of security.”

Ohm, who moderated the discussion on technological changes since COPPA’s passage, noted that the main concerns back then, such as children’s advertising, differ from those of today, such as cyberstalking. There’s an “inherent tension” in the law, he said — whether it’s about advertising targeted at children, children’s privacy or both.

Other panelists represented a range of organizations, including the Center for Digital Democracy, The Electronic Privacy Information Center, the Software & Information Industry Association, and the New America Foundation. The Future of Privacy Forum, CommonSense Media, Center for Democracy & Technology, and Consumers Union co-sponsored the event.