How the COPPA, as Implemented, Is Misinterpreted by the Public: A Research Perspective

Statement to the United States Senate, Subcommittee on Consumer Protection, Product Safety, and Insurance of the Committee on Commerce, Science, and Transportation

Published April 28, 2010

Authored by danah boyd, Urs Gasser, John Palfrey

Download PDF

Mr. Chairman, Members of the Senate Subcommittee, and Commissioners of the United States Federal Trade Commission: Thank you for focusing attention on the important issues of youth privacy and safety online. As researchers, we welcome the opportunity to provide input into these hearings regarding the Children’s Online Privacy Protection Act (COPPA). We write as individuals, but we work together as the principal investigators of the Youth and Media Policy Working Group Initiative at Harvard’s Berkman Center for Internet and Society. The goal of our working group is to explore policy issues that fall into three substantive categories that emerge from youth media practices: 1) Risky Behaviors and Online Safety; 2) Privacy, Publicity, and Reputation; and 3) Information Dissemination, Youth-Created Content and Information Quality. Our work is intended to consider how research on the intersection of youth and technology can and should be used to inform policy. We seek to translate research from those who study youth media practices into terms responsive to the children’s privacy hearings.

There is no doubt that protecting children’s privacy and safety is of utmost importance in our society. These issues are growing in importance with every passing year. We commend the authors of COPPA for being so deeply concerned about privacy and safety. As you consider the future of legislation and rule-making in this area, we urge you to consider the gap between the intentions of COPPA and how children and their parents perceive the implementation. It is this gap that we’d like to address in our submission. And it is our proposal that this Subcommittee consider how COPPA’s two P’s – of Privacy Protection – might be worked more effectively back into any revision of COPPA.

How the Public Interprets COPPA-Prompted Age Restrictions

In order to understand how American youth use social media as a part of their daily practices, Dr. boyd spent the last five years doing ethnographic studies across 17 U.S. states, interviewing parents, teachers, and youth. One of her goals was to understand how youth managed privacy and navigated safety concerns. What she learned through her fieldwork sheds light on how COPPA is interpreted and experienced by average citizens. The findings in her work are consistent with research findings by other researchers in our network using different methodologies.

We would like to focus on four core findings:

     1. Parents and youth believe that age requirements are designed to protect their safety, rather than their privacy.
     2. Parents want their children to have access to social tools to communicate with extended family members.
     3. Parents teach youth to lie about their age to circumvent age limitations.
     4. Parents believe that age restrictions take away their parental choice.

Functionally, COPPA has been implemented by websites through an age requirement. To avoid collecting data about children under 13, many social websites require participants to be at least 13 years of age to join. The reasons behind this requirement are never explained during the sign-up process and, thus, most consumers are unaware of the privacy intentions that frame this requirement.

Across all socio-economic and educational levels, parents and youth who are not actively engaged in privacy conversations believe that the age requirements that they encounter when signing up to various websites are equivalent to a safety warning. They interpret this limitation as: “This site is not suitable for children under the age of 13.” While this is sometimes true, the safety message conveyed by the age limitation completely obscures any effort to help consumers understand privacy issues, let alone make wise choices about how to navigate issues related to collection of data about them by commercial actors.

While many parents do not believe that social network sites like Facebook and MySpace are suitable for young children, they often want their children to have access to other services that have age restrictions. Many parents want their children to have access to free email accounts, like those provided by Yahoo!, Hotmail, and Gmail. Instant messaging access is often important to parents and video and voice chat services like Skype are especially important to immigrant parents who have extended family outside of the U.S. When Dr. boyd asked parents why they wanted their children to have access to email, IM, and other chat services at a young age, the explanation was consistent: to keep in touch with family. Grandparents were most frequently cited as the reason why parents created accounts for their young children. Many parents will create accounts for children even before they are literate. One parent explained that “giggle vision” was an extremely important way for his daughter to communicate with her grandparents. Although some parents create accounts for children as young as 6 or 8, these parents are very involved in when and how these accounts are used.

By middle school, communication tools like email and IM are quite popular among tweens (ages 10-12). Tweens pressure their parents for permission to get access to accounts on these services because they want to communicate with their classmates, church friends, and friends who have moved away. Although parents in the wealthiest and most educated segments of society often forbid their children from signing up to social network sites until they turn 13, most parents support their children’s desires to acquire email and IM. To join, tweens consistently lie about their age when asked to provide it. When Dr. boyd interviewed youth about who taught them to lie, the overwhelming answer was parents. Dr. boyd interviewed parents who consistently admitted to helping their children circumvent the age restriction by teaching them that they needed to choose a birth year that would make them over 13. Even in households where an older sibling or friend was the educator, parents knew their children had email and IM accounts.

When Dr. boyd asked parents about how they felt about the age restrictions presented by social websites, parents had one of two responses. When referencing social network sites, parents stated that they felt that the restrictions were justified because younger children were too immature to handle the challenges of social network sites. Yet, when discussing sites and services that they did not believe were risky environments or that they felt were important for family communication, parents often felt as though the limitations were unnecessarily restrictive. Those who interpreted the restriction as a maturity rating did not understand why the sites required age confirmation. Some other parents felt as though the websites were trying to tell them how to parent. Some were particularly outraged by what they felt was a paternal attitude by websites, making statements like: “Who are they to tell me how to be a good parent?”

Across the board, parents and youth misinterpret the age requirements that emerged from the implementation of COPPA. Except for the most educated and technologically savvy, they are completely unaware that these restrictions have anything to do with privacy. This is quite unfortunate.

Going Forward

Though the statute is well-intentioned and better than having no such protections in place for children, COPPA as implemented has not effectively protected children’s privacy online. Websites continue to collect data about children under the age of 13, notably those who lie about their age to gain access to the websites. We do not believe that the solution lies in better age detection. We think that efforts in this direction run counter to parental goals and will be met with new forms of resistance.

While gaining parental consent is clearly desirable and crucial for small children on websites where they are sharing information about themselves, it is also important to highlight the ways in which this backfires. Parents who are already engaged know what services their children are using online and are contributing to their efforts to circumvent restrictions. Parents who are not already engaged will not become so if forced to confirm participation, and children in such households will find other ways of circumventing restrictions. Forcing parental involvement through website-initiated confirmation is ineffective, both because data show that these restrictions are circumvented and because it doesn’t actually engage unengaged parents.

We should also highlight that age restrictions without parental consent are doing serious damage to efforts intended to help youth. Any social service – suicide hotlines, eating disorder clinics, or mental health services – that seeks to provide online services must also abide by COPPA. This means that they cannot begin communication with children under the age of 13 without parental consent. In many critical situations, parents are a part of the problem. Tying the hands of those with the professional expertise to help youth can be deadly.

Given this, our recommendation would be to amend COPPA to ensure that it meets five requirements that address the underlying goals:

     1) Limit how data about minors can be shared with third parties;
     2) Limit how commercial interests can target minors;
     3) Require that minors opt in to changes to privacy policies and sharing policies;
     4) Consider requirements to allow minors to prompt deletion of information about them; and,
     5) Provide mechanisms to allow users (and their parents, in the case of children) to know when their data is being shared and with whom, if they care to know.

To the extent that they serve children, websites should know how old their participants are. Participants should be encouraged to be honest about their age and not penalized for being truthful. But data use limitations are likely more important and more effective than “notice and consent” systems. Websites should be limited in what data they can make available to third parties and under what conditions. Websites should not be able to provide aggregate or individual data about minors to third parties, including commercial advertisers and marketing research firms, without an express opt-in that focuses clearly on explaining what the data will be used for.

As behavioral advertising has become increasingly common, it is crucial to better understand how advertisers can directly target participants on these websites. Although there should probably be limits on when and how behavioral advertising can target minors, this topic needs to be interrogated more deeply before a concrete recommendation is made.

As our research and the work of many others shows, websites continue to change their privacy policies and trick users into exposing more data than even users realize. Many websites feel as though they can opt users into the changes, either without seeking their permission or by tricking them into clicking through in a way that permission is granted unintentionally. Websites should be required to project minors from unintended exposures of data. To do so, minors’ data should never be made more public than it initially is without explicit opt-in.

Finally, websites should provide a mechanism where minors and their parents can obtain a report of who can access which protected data and which data is publicly accessible to third parties through search, APIs, or browsing.

Conclusion

The intentions behind COPPA are commendable, but the implementation has not been effective as the primary means to protect the privacy of children. The mechanisms set in place by COPPA do not help the public to understand the importance of privacy. Because implementations of COPPA are interpreted through the lens of safety, parents and children are unaware of how their decisions affect the use or misuse of their data. We believe that the Congress and the US FTC have an opportunity to amend COPPA so as to do much more to protect the privacy of our children in an online era in ways that will be effective. Data about children’s online data usage, and the practices of their parents, can point the way.

We appreciate the Subcommittee’s willingness to accept feedback from researchers and hope that our short statement sheds light on how the current implementation of COPPA is interpreted by the public.

About the Authors

Dr. danah boyd is a Researcher at Microsoft Research, a Fellow at Harvard’s Berkman Center for Internet and Society, and an Associate Fellow at the Tilburg Institute for Law, Technology, and Society. She received her PhD from the University of California-Berkeley in 2008. She is most well known for her groundbreaking ethnographic analysis of how American youth adopted and leveraged social network sites and other social media. From 2008-2009, Dr. boyd co-directed the Internet Safety Technical Task Force with Dena Sacco and Professor John Palfrey. In that role, she coordinated scholars working on online safety issues to catalogue and review research addressing safety concerns so that policy recommendations would be grounded in research. Currently, she is co-directing the Youth and Media Policy Working Group with Professors John Palfrey and Urs Gasser to dive deeper into the role that policy can play in shaping youth engagement with media. Dr. boyd is leading the Risky Behaviors and Online Safety track where she is coordinating both researchers and practitioners to develop a coherent set of interventions that address online safety issues. She publishes widely on topics related to youth and online practices, most notably co-authoring Hanging Out, Messing Around, and Geeking Out: Kids Living and Learning with New Media. This work came out of the Digital Kids project, a $3.5 million dollar research endeavor funded by the MacArthur Foundation that bridged University of California-Berkeley and University of Southern California. Dr. boyd regularly speaks about and writes on topics related to online safety and privacy, addressing large public audiences ranging from parents and teachers to teenagers to social workers and youth ministers. For more information on Dr. boyd, visit http://www.danah.org/

Dr. Urs Gasser is the Executive Director of the Berkman Center for Internet & Society at Harvard University. He is the co-author of Born Digital: Understanding the First Generation of Digital Natives (Basic Books, 2008), among other books. His research and teaching focuses on information law and policy and the interaction between law and innovation. Current research projects – several of them in collaboration with leading research institutions in the U.S., Europe, and Asia – explore policy and educational challenges for young Internet users, the regulation of digital media and technology (with emphasis on IP law), ICT interoperability, the institutional settings for fostering entrepreneurship, and the law’s impact on innovation and risk in the ICT space. Before joining Harvard, Dr. Gasser was Professor of Law at the University of St. Gallen, Switzerland, where he served as Faculty Director of the Research Center for Information Law.

John Palfrey is the Henry N. Ess III Professor of Law and Vice Dean for Library and Information Resources at Harvard Law School. He is the co-author of Born Digital: Understanding the First Generation of Digital Natives (Basic Books, 2008) and Access Denied: The Practice and Politics of Internet Filtering (MIT Press, 2008), among other books. His research and teaching is focused on Internet law, intellectual property, and international law. He practiced intellectual property and corporate law at the law firm of Ropes & Gray. He is a faculty co-director of the Berkman Center for Internet & Society at Harvard University. Outside of Harvard Law School, he is a Venture Executive at Highland Capital Partners and serves on the board of several technology non-profits. John served as a special assistant at the US EPA during the Clinton Administration. He is a graduate of Harvard College, the University of Cambridge, and Harvard Law School. He writes a blog at http://blogs.law.harvard.edu/palfrey/.

Last updated February 21, 2012

Join the Community

Follow us on Twitter, sign up for our mailing lists, contact us, explore our courses, or check out current job openings.

Projects