How COPPA Fails Parents, Educators, Youth

Ever wonder why youth have to be over 13 to create an account on Facebook or Gmail or Skype? It has nothing to do with safety.

In 1998, the U.S. Congress enacted the Children’s Online Privacy Protection Act (COPPA) with the best of intentions. They wanted to make certain that corporations could not collect or sell data about children under the age of 13 without parental permission, so they created a requirement to check age and get parental permission for those under 13. Most companies took one look at COPPA and decided that the process of getting parental consent was far too onerous so they simply required all participants to be at least 13 years of age. The notifications that say “You must be 13 years or older to use this service” and the pull-down menus that don’t allow you to indicate that you’re under 13 have nothing to do with whether or not a website is appropriate for a child; it has to do with whether or not the company thinks that it’s worth the effort to seek parental permission.

COPPA is currently being discussed by the Federal Trade Commission and the US Senate. Most of the conversation focuses on whether or not companies are abiding by the ruling and whether or not the age should be upped to 18. What is not being discussed is the effectiveness of this legislation or what it means to American families (let alone families in other countries who are affected by it). In trying to understand COPPA’s impact, my research led me conclude four things:

  1. Parents and youth believe that age requirements are designed to protect their safety, rather than their privacy.
  2. Parents want their children to have access to social media service to communicate with extended family members.
  3. Parents teach children to lie about their age to circumvent age limitations.
  4. Parents believe that age restrictions take away their parental choice.

How the Public Interprets COPPA-Prompted Age Restrictions

Most parents and youth believe that the age requirements that they encounter when signing up to various websites are equivalent to a safety warning. They interpret this limitation as: “This site is not suitable for children under the age of 13.” While this might be true, that’s not actually what the age restriction is about. Not only does COPPA fail to inform parents about the appropriateness of a particular site, but parental misinterpretations of the age restrictions mean that few are aware that this stems from an attempt to protect privacy.

While many parents do not believe that social network sites like Facebook and MySpace are suitable for young children, they often want their children to have access to other services that have age restrictions (email, instant messaging, video services, etc.). Often, parents cite that these tools enable children to connect with extended family; Skype is especially important to immigrant parents who have extended family outside of the US. Grandparents were most frequently cited as the reason why parents created accounts for their young children. Many parents will create accounts for children even before they are literate because the value of connecting children to family outweighs the age restriction. When parents encourage their children to use these services, they send a conflicting message that their kids eventually learn: ignore some age limitations but not others.

By middle school, communication tools and social network sites are quite popular among tweens who pressure their parents for permission to get access to accounts on these services because they want to communicate with their classmates, church friends, and friends who have moved away. Although parents in the wealthiest and most educated segments of society often forbid their children from signing up to social network sites until they turn 13, most parents support their children’s desires to acquire email and IM, precisely because of familial use. To join, tweens consistently lie about their age when asked to provide it. When I interviewed teens about who taught them to lie, the overwhelming answer was parents. I interviewed parents who consistently admitted to helping their children circumvent the age restriction by teaching them that they needed to choose a birth year that would make them over 13. Even in households where an older sibling or friend was the educator, parents knew their children had email and IM and social network sites accounts. Interestingly, in households where parents forbid Facebook but allow email, kids have started noting the hypocritical stance of their parents. That’s not a good outcome of this misinterpretation.

When I asked parents about how they felt about the age restrictions presented by social websites, parents had one of two responses. When referencing social network sites, parents stated that they felt that the restrictions were justified because younger children were too immature to handle the challenges of social network sites. Yet, when discussing sites and services that they did not believe were risky environments or that they felt were important for family communication, parents often felt as though the limitations were unnecessarily restrictive. Those who interpreted the restriction as a maturity rating did not understand why the sites required age confirmation. Some other parents felt as though the websites were trying to tell them how to parent. Some were particularly outraged by what they felt was a paternal attitude by websites, making statements like: “Who are they to tell me how to be a good parent?”

Across the board, parents and youth misinterpret the age requirements that emerged from the implementation of COPPA. Except for the most educated and technologically savvy, they are completely unaware that these restrictions have anything to do with privacy. More problematically, parents’ conflicting ways in which they address some age restrictions and not others sends a dangerous message.

Policy Literacy and the Future of COPPA

There’s another issue here that’s not regularly addressed. COPPA affects educators and social services in counterintuitive ways. While non-commercial services are not required to abide by COPPA, there are plenty of commercial education and health services out there who are seeking to help youth. Parental permission might be viable for an organization working to help kids learn arithmetic through online tutoring, but it is completely untenable when we’re thinking about suicide hotlines, LGBT programs, and mental health programs. (Keep in mind that many hospitals are for-profit even if their free websites are out there for general help.)

COPPA is well-intended but its implementation and cultural uptake have been a failure. The key to making COPPA work is not to making it stricter or to force the technology companies to be better at confirming that the kids on their site are not underage. Not only is this technologically infeasible without violating privacy at an even greater level, doing so would fail to recognize what’s actually happening on the ground. Parents want to be able to parent, to be able to decide what services are appropriate for their children. At the same time, we shouldn’t forget that not all parents are present and we don’t want to shut teens out of crucial media spaces because their parents are absent, as would often be the case if we upped the age to 18. The key to improving COPPA is to go back to the table and think about how children’s data is being used, whether it’s collected implicitly or explicitly.

In order for the underlying intentions of COPPA to work, we need both information literacy and policy literacy. We need to find ways to help digital citizens understand how their information is being used, what rights they have, and how the policies that exist affect their lives. If parents and educators don’t understand that the 13 limitation is about privacy, COPPA will continue to fail. It’s time that parents and educators learned more about COPPA and start sharing their own perspective, asking Congress to do a better job of addressing the privacy issues without taking away their rights to parent and educate. And without marginalizing those who aren’t fortunate enough to have engaged parents by their side.

John Palfrey, Urs Gasser, and I submitted a statement to the FTC and Senate called “How COPPA, as Implemented, is Misinterpreted by the Public: A Research Perspective. To learn more about COPPA or submit your own letter to the FTC and Senate, go to the FTC website.

This post was originally posted at the DML Central blog.

Image Credit: WarzauWynn

Print Friendly, PDF & Email

7 thoughts on “How COPPA Fails Parents, Educators, Youth

  1. LMT

    This seems very related to the ways in which research IRBs are structured in order to protect academic institutions from liabilities. Not until recently, after learning about the ways in which one research institution was faced with a gigantic lawsuit by a Native American community whose data was misappropriated. The impact of the use of this data was part principle, but largely the fact that the results collected would violate and negate the community’s cultural history, code, and practices.
    On the other side of the coin, for participatory action research, whereby researchers are directly interested in collaborating with, serving, and properly crediting the very community they work (this could be parents, children, teachers), privacy protections via IRB can make this challenging.
    It would nice to see researchers and businesses also writing policies that protect their researched communities from the motivations and underlying desires of the researchers themselves. But maybe that doesn’t fit widely accepted common research philosophies?

  2. Alison

    Interesting. My son (and from what I can see, his entire school year) got on Facebook last year at 12. I think they basically tell each other how to set up their accounts – they often change names a little, so as to be harder to find, and their profiles are very locked down. I wasn’t aware that he was on, for a while, and by the time I was, it seemed wholly inappropriate to come down on him like a ton of bricks.

    But you’re right: I assumed that membership policies were to do with the appropriateness of the content. 13 for Facebook seemed reasonable; an 18 limit would seem completely over-the-top (and be entirely unenforceable). I value having some age restriction guidelines, but I always assume it’s about maturity and content.

  3. Mark

    Although many websites mention age restrictions there is no way to actually verify the age of the children creating profiles. Because of this many children under 13 have profiles that say the are 18+ just so they can have all the benefits of the adults.

  4. Jeff Chester

    COPPA has played a important role limiting the data collection practices of online advertisers targeting children under 13. It has been a very effective safeguard. Anyone who actually researches the online ad business recognizes that: once you are 13, online marketers treat everyone the same in terms of behavioral targeting and other applications that threaten privacy. But if you are under 13, because of COPPA–you don’t see the same kind of targeted online marketing. Berkman should do a better job in its research providing its readers a more informed assessment of how online marketers have created what the industry calls a digital advertising “ecosystem.” The system is designed to collect tremendous amounts of data on individual users, track them everywhere [including merging online and offline databases instantly, so a user can be auctioned off to the highest bidder]and also deeply influence our behaviors. Companies involved with Berkman or Berkman staff are even using the latest advances in neuromarketing to create digital ad campaigns designed-in their own words–to influence our subconscious. When Berkman writes about COPPA and other online marketing issues, it should always prominently disclose [page 1] that it is funded by many leading advertisers–including Google and Microsoft [http://cyber.law.harvard.edu/about/support]. Mr. Palfrey should also ensure his work as a venture investor–including with online marketing companies–is part of that disclosure–especially to Congress and the FTC: http://www.hcp.com/john_palfrey
    I hope Ms. Boyd will also address the extensive work done by her employer on online marketing–including its targeting of youth (for such things as junk food). See, for example:http://advertising.microsoft.com/research/Doritos-Xbox; She should also examine its efforts on neuromarketing:http://www.emsense.com/press/game-advertising.php
    This is a brief comment.

  5. Andrew

    Is it so bad to train children to lie about their age on web sites? I never use my real age or birthday on sites. I think it’s simply good practice.

  6. Lindsay

    Thanks danah! I’m trying to help a client redesign the registration process which is solely intended for adults on this particular family-oriented web property, but since they advertise this web property on their children’s games, they have to abide by COPPA. It’s a tricky interaction, and I’m trying to figure out what the minimum interaction should be for a child (to persuade them to move away from the registration process, or invite their parents to use the site).

    My client is convinced they have to ask for the specific age or birthday to funnel the user in the correct interaction, but I think we have to persuade the under 13 to follow one process and the over 13 to follow another.

    Anyway, won’t get into the design problem here.

Comments are closed.