COPPA Changes Soon Go Into Affect But Are Mostly Political Theatre
Note: The opinions are my one and not the author of the linked article.
As I always say, politicians love to say that they are “protecting the children”, but the reality is that doing that is really hard and would actually be super unpopular with voters. Read on to find out why.
The Children’s Online Privacy Protection Act rule changes are designed to impose additional restrictions on websites and online services that collect user data (which is pretty much all of them). The rule was written during the last administration and was supposed to go into effect before the current administration came into office but was paused so the new administration could review it. It was published last April without any significant changes and goes fully into effect this coming April.
COPPA has been around for more than 20 years and its heart is in the right place, but it has no teeth.
This most recent set of changes adds biometrics, for example, to the potentially covered information.
One of the requirements for the new rule is that operators are required to obtain separate verifiable parental consent before disclosing personal information collected from children that are not for purposes integral to the services being provided. They have to do other things as well such as have a written information security program and a written data retention policy but neither of these requirements have any specificity, meaning they are mostly for show.
Here is why it would be very unpopular if actually implemented in a way that achieved the declared goal. As you read the rest of this post, think about how fun it would to interact with every website that you use if you had to, separately, just through these hoops separately on each of the many dozens of web sites you use on a weekly basis.
Where I would like to focus is on the “verifiable” parental consent part, with the key word in quotes. In theory, that means that you have approval from the child’s parent, but how do you do that in an online setting?
The first and most obvious “get out of jail free” card is to put a notice on the site saying that kids under 13 can’t have an account. If you don’t allow kids to have accounts then COPPA doesn’t apply. This is what all social media properties do and you and I are both aware than no one under 13 has a Facebook, TikTok or Twitter account. Sure.
But lets assume for some reason that you can’t wiggle your way out of that one. What constitutes “verifiable” parental consent.
Well, one is a credit card. Since kids don’t have access to their parents’ credit cards, that is a sure winner. And the fact that the kid presents a credit card surely means that the owner of the card (a) knows about it, (b) is the kid’s parent and (c) approved of what the kid is doing.
Next is a government issued ID. So, the kid takes a picture of someone’s drivers license and uploads it. How does that prove that the owner of the drivers license knows about it and is the kid’s parent.
Next is a live video conference. I am sure this will work for the next TikTok. How many people would they need to hire and how much friction would that add? Not to mention you still don’t know if the adult is the kid’s parent.
Another suggestion is knowledge-based authentication. That is like when banks used to ask you for your mother’s maiden name. Even the banks figured out that was worthless.
So far I have not heard of a single, workable, effective way to obtain “verifiable” parental consent.
The websites like it because it really doesn’t stop kids from getting accounts and generating revenue and the politicians like it because they can say they did something to “protect the children”, even though they did nothing of the kind and finally, the kids like it because it is easy to game – assuming they need to do anything more than lie about their age or birthdate.
Bottom line, it is a win for all parties – except that it does nothing to protect the children. Hence this is all for show. Political Theatre. Sorry.
Credit: The Alston & Bird Law firm
by 