02 November 2011

COPPA

'Why parents help their children lie to Facebook about age: Unintended consequences of the ‘Children’s Online Privacy Protection Act’' by danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey in 16(11) First Monday (2011) argues -
Facebook, like many communication services and social media sites, uses its Terms of Service (ToS) to forbid children under the age of 13 from creating an account. Such prohibitions are not uncommon in response to the Children’s Online Privacy Protection Act (COPPA), which seeks to empower parents by requiring commercial Web site operators to obtain parental consent before collecting data from children under 13. Given economic costs, social concerns, and technical issues, most general–purpose sites opt to restrict underage access through their ToS. Yet in spite of such restrictions, research suggests that millions of underage users circumvent this rule and sign up for accounts on Facebook. Given strong evidence of parental concern about children’s online activity, this raises questions of whether or not parents understand ToS restrictions for children, how they view children’s practices of circumventing age restrictions, and how they feel about children’s access being regulated. In this paper, we provide survey data that show that many parents know that their underage children are on Facebook in violation of the site’s restrictions and that they are often complicit in helping their children join the site. Our data suggest that, by creating a context in which companies choose to restrict access to children, COPPA inadvertently undermines parents’ ability to make choices and protect their children’s data. Our data have significant implications for policy–makers, particularly in light of ongoing discussions surrounding COPPA and other age–based privacy laws
The authors comment that -
COPPA’s approach to privacy depends on two main premises: (1) that parents will be able to give sites informed verifiable consent regarding data collection practices; and, (2) that age–based privacy protections are both appropriate and achievable. Our data suggest that this second premise — relying on age–based models — is producing unintended consequences that undermine COPPA’s goals. In response, we propose that policy–makers shift away from privacy regulation models that are based on age or other demographic categories and, instead, develop universal privacy protections for online users. This would avoid creating an environment where service providers like Facebook have incentives to “divide and conquer” populations in terms of privacy and data collection policies. This would not only eliminate the problems with age–based prohibitions and circumventions, but also provide increased privacy protection to both teens and adults. As modern online data collection and advertising practices become more complex, it is not just children who need protections (Hoofnagle, et al., 2010; Hoofnagle and King, 2008; Montgomery and Chester, 2009).

Furthermore, given many parents’ openness to recommendations, it might be useful to develop mechanisms to provide parents with recommendations about the appropriateness of various sites for children of different ages and the various risks that users may face. Our findings show that parents are indeed concerned about privacy and online safety issues, but they also show that they may not understand the risks that children face or how their data are used. Greater transparency and increased information flow can help parents make appropriate decisions.
Boyd et al conclude -
Our findings call the efficacy of COPPA into serious question. The data also point to unintended consequences of the COPPA model of regulation of Web–based services. The online industry’s response to COPPA’s under–13 rule and verifiable parental consent model is largely proving incompatible, and at times, antithetical to many parents’ ideas of how to help their children navigate the online world. Instead of providing more tools to help parents and their children make informed choices, industry responses to COPPA have neglected parental preferences and have altogether restricted what is available for children to access. As a result, many parents now knowingly allow or assist their children in circumventing age restrictions on general–purpose sites through lying. By creating this environment, COPPA inadvertently hampers the very population it seeks to assist and forces parents and children to forgo COPPA’s protection and take greater risks in order to get access to the educational and communication sites they want to be part of their online experiences.

Legislative or regulatory solutions that seek to “update” COPPA must confront this paradox and these fundamental flaws in its design. As long as the emphasis of the regulatory approach remains on age–based cutoffs and onerous consent mechanisms, it is likely that general–purpose Web sites will continue to block access to anyone under the age cutoff. In response, parents who wish for their children to participate on such sites will continue to assist their children in deceptively circumventing such restrictions. This is neither a solution to privacy and online safety concerns nor a way of empowering parents.

Increased enforcement efforts, either through governmental actions or Terms of Service crackdowns, will only further upset parents and potentially increase legal risks resulting from the acts of circumvention they undertake. Legislative efforts to increase minimum age requirements or strengthen age verification will complicate and increase the cost to companies of compliance, further encouraging them to focus on denying access rather than providing privacy protection or cooperating with parents. Again, this neither empowers parents nor helps youth. Conversely, such efforts would serve to position the government as “in loco parentis,” thereby undermining parental rights and freedoms. Not only would an “in loco parentis” framework run counter to most parents’ desires, but it would also undermine the very goals of COPPA: providing parents with additional information and options.

Parents are concerned about children’s safety and privacy, and governmental agencies have every reason to want to step in and help, but restricting access — or creating regulatory solutions that encourage companies to restrict access — is counterproductive. New solutions must be devised that help limit when, where, and how data are used, but the key to helping children and their parents enjoy the benefits of those solutions is to abandon age–based mechanisms that inadvertently result in limiting children’s options for online access.