Tag Archives: coppa

What If Social Media Becomes 16-Plus? New battles concerning age of consent emerge in Europe

At what age should children be allowed to access the internet without parental oversight? This is a hairy question that raises all sorts of issues about rights, freedoms, morality, skills, and cognitive capability. Cultural values also come into play full force on this one.

Consider, for example, that in the 1800s, the age of sexual (and marital) consent in the United States was between 10 and 12 (except Delaware, where it was seven). The age of consent in England was 12, and it’s still 14 in Germany. This is discomforting for many Western parents who can’t even fathom their 10- or 12-year-old being sexually mature. And so, over time, many countries have raised the age of sexual consent.

But the internet has raised new questions about consent. Is the internet more or less risky than sexual intercourse?
How can youth be protected from risks they cannot fully understand, such as the reputational risks associated with things going terribly awry? And what role should the state and parents have in protecting youth?

This ain’t a new battle. These issues have raged since the early days of the internet. In 1998, the United States passed a law known as the Children’s Online Privacy Protection Act (COPPA), which restricts the kinds of data companies can collect from children under 13 without parental permission. Most proponents of the law argue that this intervention has stopped countless sleazy companies from doing inappropriate things with children’s data.
I have a more cynical view.

Watching teens and parents navigate this issue — and then surveying parents about it — I came to the conclusion that the law prompted companies to restrict access to under-13s, which then prompted children (with parental knowledge) to lie about their age. Worse, I watched as companies stopped innovating for children or providing services that could really help them.

Proponents often push back, highlighting that companies could get parental permission rather than just restrict children. Liability issues aside, why would they? Most major companies aren’t interested in 12-year-olds, so it’s a lot easier to comply with the law by creating a wall than going through a hellacious process of parental consent.

So here we are, with a U.S. law that prompts companies to limit access to 13-plus, a law that has become the norm around the globe. Along comes the EU, proposing a new law to regulate the flow of personal data, including a provision that would allow individual countries to restrict children’s access to the internet at any age (with a cap at age 16).

Implicitly, this means the European standard is to become 16-plus, because how else are companies going to build a process that gives Spanish kids access at 14, German kids at 16, and Italian kids at 12?
Many in the EU are angry at how American companies treat people’s data and respond to values of privacy. We saw this loud and clear when the European Court of Justice invalidated the “safe harbor” and in earlier issues, such as “the right to be forgotten.” Honestly? The Europeans have a right to be angry. They’re so much more thoughtful on issues of privacy, and many U.S. companies pretty much roll their eyes and ignore them. But the problem is that this new law isn’t going to screw American companies, even if it makes them irritable. Instead, it’s going to screw kids. And that infuriates me.

Implicit in this new law — and COPPA more generally — is an assumption that parents can and should consent on behalf of their children. I take issue with both. While some educated parents have thought long and hard about the flows of data, the identity work that goes into reputation, and the legal mechanisms that do or don’t protect children, they are few and far between.

Most parents don’t have the foggiest clue what happens to their kids’ data, and giving them the power to consent sure doesn’t help them become more informed. Hell, most parents don’t have enough information to make responsible decisions for themselves, so why are we trusting them to know enough to protect their children?
We’re doing so because we believe they should have control, that they have the right to control and protect their children, and that no company or government should take this away.

The irony is that this runs completely counter to the treaty that most responsible countries signed at the UN Convention on the Rights of the Child. Every European country committed to making sure that children have the right to privacy — including a right to privacy from their parents. Psychotically individualistic and anti-government, the United States decided not to sign onto this empowering treaty because it was horrifying to U.S. sensibilities that the government would be able to give children rights in opposition to parents. But European countries understood that kids deserved rights. So why is the EU now suggesting that kids can’t consent to using the internet?

This legislation is shaped by a romanticization of parent-child relationships and an assumption of parental knowledge that is laughable.

But what really bothers me are the consequences to the least-empowered youth. While the EU at least made a carve-out for kids who are accessing counseling services, there’s no consideration of how many LGBTQ kids are accessing sites that might put them in danger if their parents knew. There’s no consideration for kids who are regularly abused and using technology and peer relations to get support. There’s no consideration for kids who are trying to get health information, privately. And so on. The UN Rights of the Child puts vulnerable youth front and center in protections. But somehow they’ve been forgotten by EU policymakers.

Child advocates are responding critically. I’m also hearing from countless scholars who are befuddled by and unsure of why this is happening. And it doesn’t seem as though the EU process even engaged the public or experts on these issues before moving forward. So my hope is that some magical outcry will stymie this proposal sooner rather than later. But I’m often clueless when it comes to how lawmakers work.

What baffles me the most is the logic of this proposal given the likely outcomes. We know from the dynamics around COPPA that, if given the chance, kids will lie about their age. And parents will help them. But even if we start getting parental permission, this means we’ll be collecting lots more information about youth, going against the efforts to minimize information. Still, most intriguing is what I expect this will do to the corporate ecosystem.

Big multinationals like Facebook and Twitter, which operate in the EU, will be required to follow this law. All companies based in the EU will be required to comply with this law. But what about small non-EU companies that do not store data in the EU or work with EU vendors and advertisers? It’s unclear if they’ll have to comply because they aren’t within the EU’s reach. Will this mean that EU youth will jump from non-EU service to non-EU service to gain access? Will this actually end up benefiting non-EU startups who are trying to challenge the big multinationals? But doesn’t this completely undermine the EU’s efforts to build EU companies and services?

I don’t know, but that’s my gut feeling when reading the new law.
While I’m not a lawyer, one thing I’ve learned in studying young people and technology is that when there’s a will, there’s a way. And good luck trying to stop a 15-year-old from sharing photos with her best friend when her popularity is on the line.

I don’t know what will come from this law, but it seems completely misguided. It won’t protect kids’ data. It won’t empower parents. It won’t enhance privacy. It won’t make people more knowledgeable about data abuses. It will irritate but not fundamentally harm U.S. companies. It will help vendors that offer age verification become rich. It will hinder EU companies’ ability to compete. But above all else, it will make teenagers’ lives more difficult, make vulnerable youth more vulnerable, and invite kids to be more deceptive. Is that really what we want?

(This was originally posted on Bright on Medium.)

Are Librarians Encouraging Public Libraries to Abide by COPPA?

The Children’s Online Privacy Protection Act (COPPA) was created to prevent corporations from collecting data about children without parental permission. This law explicitly does not apply to public institutions, non-profits, and government agencies. Yet, many public institutions not only choose not to collect data about children; they forbid children from accessing information without parental permission. Much to my surprise, this includes many public libraries.

Dear Librarians… Will you help explain something to me?

Last week, I went to the Boston Public Library’s website to obtain digital access. In creating my account, I was surprised to encounter this clause:

“Anyone individual who lives, works, attends school, or owns property in the Commonwealth of Massachusetts and is at least 13 years of age may register for an eCard. Library cards for corporations, businesses, libraries, institutions, and children under the age of 13 must be obtained in person at one of our locations.”

Surprised by finding the age restriction – and particularly curious about the fact that it’s 13 – I decided to write to the administrators about why they chose to restrict access to children. What I received in response made my heart sink:

The age restriction on eCard registration is required so that we comply with the Children’s Online Privacy Protection Act (COPPA), a federal law enacted in 1998. The law requires all web sites that collect personally-identifiable information from visitors (name, address, phone, etc.) to restrict registration to individuals of age 13 or older. It’s the same reason Facebook states that users must be 13 or older.

I wrote back to explain that COPPA does not apply to the Boston Public Library because of its non-profit, municipality-driven status. I pointed them to the FTC’s website that explains the rule and asked them for further clarification on why they were restricting access to children. I received the following in response:

I assure you that our intention is not to restrict access to children. However, in addition to staying on the safest side of COPPA, we also require a parent’s signature before issuing library cards to children under the age of 13. Please see http://www.bpl.org/general/circulation/whocard.htm for more information about borrower eligibility.

Amidst this, an amazing Harvard Law School librarian Meg Kibble sent John Palfrey a long note, indicating that BPL was indeed a non-profit and thus probably not required to follow COPPA. Still, she noted that many librarians used COPPA as a starting point:

BPL may be choosing to err on the side of caution. A number of library-related materials I found urge libraries to be aware of COPPA and one suggested adhering to COPPA even though it is not required:

  • A CLE on Legal Issues in Museum Administration (attached) by Hope O’Keefe, OGC at Library of Congress, includes creating an online privacy policy as part of best practices and suggests in it “Follow COPPA and document compliance (parental notice & consent to any information collection from children) even if COPPA doesn’t apply.”
  • ALA’s Privacy Tool Kit discusses COPPA in relation to school media centers: “The Children’s Online Privacy Protection Act (COPPA) directly affects commercial Web sites targeted to children, as well as those sites that know they are collecting personally identifiable information from children 12 and under. . . .Although libraries are not directly impacted by COPPA, children using the Internet in a library may need help understanding the law and getting consent from their parents.”
  • ALA Introduction to COPPA states “Although COPPA does not impose any specific requirements on libraries, in order to provide the best possible service to families, librarians must be aware of the rules governing children’s privacy on the Internet if their libraries provide Internet access.”

BPL still seems to be going further than similar institutions. Some other privacy policies that discuss children/COPPA and seem to be complying with some elements of it (15 USC 6502B suggests regulations) by providing notice about how they collect/delete/otherwise handle children’s information, but mostly don’t prevent children from using their sites:

  • Library of Congress: Not copied because it’s long, but it’s very specific and mentions COPPA
  • Guggenheim Museum – Children 12 Years Old and Under: “Please note that the Site is not specifically dedicated to children and the Guggenheim does not actively solicit information from children. Children under the age of 12 are required to obtain permission from an adult before submitting information to the Site.”
  • Metropolitan Museum – Children Under Thirteen Years of Age: “The Museum takes special care to protect the safety and privacy of children. We do not knowingly collect personally identifiable information from children under thirteen years of age.”
  • NYPL – Children’s Privacy: Another long one that doesn’t mention COPPA, but goes into detail about children not revealing personal info.
  • White House – Children and Privacy on WhiteHouse.gov: “We believe in the importance of protecting the privacy of children online and do not knowingly contact or collect personal information from children under 13. Our site is not intended to solicit information of any kind from children under 13. To notify us of our receipt of information by children under 13, please contact us through the Privacy Feedback form.”

I have the warmest of fuzzy feelings about libraries and librarians so this surprises me to no end. I recognize that librarians are deeply committed to privacy, for which I am deeply deeply deeply grateful. But I’ve always been under the impression that librarians are also committed to making sure that children have access to information, even information that might upset their parents. In other words, I thought that librarians recognized children’s privacy from adults as well as people’s privacy from institutions. I remember being absolutely delighted when I found out that parents could not get access to their children’s book borrowing history. I like to think of the library as a safe place. Even for children. And especially for children for whom home is not a safe space.

I find it seriously disconcerting that this is all framed around COPPA, as though 13 is a universal magic number. Public institutions like the library aren’t required to follow COPPA. And folks keep telling me that there’s no reason to worry about COPPA when it comes to public institutions because they’re not required to follow it. But, once again, it looks like they are following it, just to be on the safe side. And, more often than not, they’re doing it to restrict access rather than to be conscientious about the types of data that are collected or the usage of that data. Why? Why? Why?

And that’s my question back to librarians: Why are some libraries choosing to restrict children’s access to public information? I get why many adults who live in communities where the kids are AOK want to make sure that parents are involved in their children’s lives and activities. But not all kids are lucky enough to be in households where parent permission to access information is viable. Most of the librarians that I’ve met totally get that. They’ve seen abused children. They’ve seen kids who’ve struggled with their sexuality. They’ve seen children for whom access to information is critical to combating oppression. I wish that parents were always in the right. I wish that parents were always good actors. But they aren’t. And I thought librarians understood that.

So why are librarians implicitly accepting COPPA as the status quo even when you’re not required to abide by it? Why are they trying to pretend like they aren’t seeing under-13s rather than providing services that are especially helpful to under-13s? We don’t have many public sources of information available, let alone information sources that are so carefully and conscientiously curated. I hate to think that children are written out of public information spaces, including libraries and government sites. Just to be on the safe side.

I don’t know how popular online library access is with under-13s, but it depresses me to no end that libraries aren’t going out of their way to welcome children to their communities. I think it’s super important that children are free to be accessing library information, with or without their parent’s permission. What they can get through their public library is so much richer, so much better curated, so much better contextualized than generic online information. Why aren’t libraries actively inviting and encouraging children to join them? Why aren’t they targeting young people directly?

I don’t get it. Please… if you’re a librarian out there, can you explain to me what I’m missing?

Why Parents Help Children Violate Facebook’s 13+ Rule

Announcing new journal article: “Why Parents Help Their Children Lie to Facebook About Age: Unintended Consequences of the ‘Children’s Online Privacy Protection Act'” by danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey, First Monday.

“At what age should I let my child join Facebook?” This is a question that countless parents have asked my collaborators and me. Often, it’s followed by the following: “I know that 13 is the minimum age to join Facebook, but is it really so bad that my 12-year-old is on the site?”

While parents are struggling to determine what social media sites are appropriate for their children, government tries to help parents by regulating what data internet companies can collect about children without parental permission. Yet, as has been the case for the last decade, this often backfires. Many general-purpose communication platforms and social media sites restrict access to only those 13+ in response to a law meant to empower parents: the Children’s Online Privacy Protection Act (COPPA). This forces parents to make a difficult choice: help uphold the minimum age requirements and limit their children’s access to services that let kids connect with family and friends OR help their children lie about their age to circumvent the age-based restrictions and eschew the protections that COPPA is meant to provide.

In order to understand how parents were approaching this dilemma, my collaborators — Eszter Hargittai (Northwestern University), Jason Schultz (University of California, Berkeley), John Palfrey (Harvard University) — and I decided to survey parents. In many ways, we were responding to a flurry of studies (e.g. Pew’s) that revealed that millions of U.S. children have violated Facebook’s Terms of Service and joined the site underage. These findings prompted outrage back in May as politicians blamed Facebook for failing to curb underage usage. Embedded in this furor was an assumption that by not strictly guarding its doors and keeping children out, Facebook was undermining parental authority and thumbing its nose at the law. Facebook responded by defending its practices — and highlighting how it regularly ejects children from its site. More controversially, Facebook’s founder Mark Zuckerberg openly questioned the value of COPPA in the first place.

While Facebook has often sparked anger over its cavalier attitudes towards user privacy, Zuckerberg’s challenge with regard to COPPA has merit. It’s imperative that we question the assumptions embedded in this policy. All too often, the public takes COPPA at face-value and politicians angle to build new laws based on it without examining its efficacy.

Eszter, Jason, John, and I decided to focus on one core question: Does COPPA actually empower parents? In order to do so, we surveyed parents about their household practices with respect to social media and their attitudes towards age restrictions online. We are proud to release our findings today, in a new paper published at First Monday called “Why parents help their children lie to Facebook about age: Unintended consequences of the ‘Children’s Online Privacy Protection Act’.” From a national sample of 1,007 U.S. parents who have children living with them between the ages of 10-14 conducted July 5-14, 2011, we found:

  • Although Facebook’s minimum age is 13, parents of 13- and 14-year-olds report that, on average, their child joined Facebook at age 12.
  • Half (55%) of parents of 12-year-olds report their child has a Facebook account, and most (82%) of these parents knew when their child signed up. Most (76%) also assisted their 12-year old in creating the account.
  • A third (36%) of all parents surveyed reported that their child joined Facebook before the age of 13, and two-thirds of them (68%) helped their child create the account.
  • Half (53%) of parents surveyed think Facebook has a minimum age and a third (35%) of these parents think that this is a recommendation and not a requirement.
  • Most (78%) parents think it is acceptable for their child to violate minimum age restrictions on online services.

The status quo is not working if large numbers of parents are helping their children lie to get access to online services. Parents do appear to be having conversations with their children, as COPPA intended. Yet, what does it mean if they’re doing so in order to violate the restrictions that COPPA engendered?

One reaction to our data might be that companies should not be allowed to restrict access to children on their sites. Unfortunately, getting the parental permission required by COPPA is technologically difficult, financially costly, and ethically problematic. Sites that target children take on this challenge, but often by excluding children whose parents lack resources to pay for the service, those who lack credit cards, and those who refuse to provide extra data about their children in order to offer permission. The situation is even more complicated for children who are in abusive households, have absentee parents, or regularly experience shifts in guardianship. General-purpose sites, including communication platforms like Gmail and Skype and social media services like Facebook and Twitter, generally prefer to avoid the social, technical, economic, and free speech complications involved.

While there is merit to thinking about how to strengthen parent permission structures, focusing on this obscures the issues that COPPA is intended to address: data privacy and online safety. COPPA predates the rise of social media. Its architects never imagined a world where people would share massive quantities of data as a central part of participation. It no longer makes sense to focus on how data are collected; we must instead question how those data are used. Furthermore, while children may be an especially vulnerable population, they are not the only vulnerable population. Most adults have little sense of how their data are being stored, shared, and sold.

COPPA is a well-intentioned piece of legislation with unintended consequences for parents, educators, and the public writ large. It has stifled innovation for sites focused on children and its implementations have made parenting more challenging. Our data clearly show that parents are concerned about privacy and online safety. Many want the government to help, but they don’t want solutions that unintentionally restrict their children’s access. Instead, they want guidance and recommendations to help them make informed decisions. Parents often want their children to learn how to be responsible digital citizens. Allowing them access is often the first step.

Educators face a different set of issues. Those who want to help youth navigate commercial tools often encounter the complexities of age restrictions. Consider the 7th grade teacher whose students are heavy Facebook users. Should she admonish her students for being on Facebook underage? Or should she make sure that they understand how privacy settings work? Where does digital literacy fit in when what children are doing is in violation of websites’ Terms of Service?

At first blush, the issues surrounding COPPA may seem to only apply to technology companies and the government, but their implications extend much further. COPPA affects parenting, education, and issues surrounding youth rights. It affects those who care about free speech and those who are concerned about how violence shapes home life. It’s important that all who care about youth pay attention to these issues. They’re complex and messy, full of good intention and unintended consequences. But rather than reinforcing or extending a legal regime that produces age-based restrictions which parents actively circumvent, we need to step back and rethink the underlying goals behind COPPA and develop new ways of achieving them. This begins with a public conversation.

We are excited to release our new study in the hopes that it will contribute to that conversation. To read our complete findings and learn more about their implications for policy makers, see “Why Parents Help Their Children Lie to Facebook About Age: Unintended Consequences of the ‘Children’s Online Privacy Protection Act'” by danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey, published in First Monday.

To learn more about the Children’s Online Privacy Protection Act (COPPA), make sure to check out the Federal Trade Commission’s website.

(Versions of this post were originally written for the Huffington Post and for the Digital Media and Learning Blog.)

Image Credit: Tim Roe

How COPPA Fails Parents, Educators, Youth

Ever wonder why youth have to be over 13 to create an account on Facebook or Gmail or Skype? It has nothing to do with safety.

In 1998, the U.S. Congress enacted the Children’s Online Privacy Protection Act (COPPA) with the best of intentions. They wanted to make certain that corporations could not collect or sell data about children under the age of 13 without parental permission, so they created a requirement to check age and get parental permission for those under 13. Most companies took one look at COPPA and decided that the process of getting parental consent was far too onerous so they simply required all participants to be at least 13 years of age. The notifications that say “You must be 13 years or older to use this service” and the pull-down menus that don’t allow you to indicate that you’re under 13 have nothing to do with whether or not a website is appropriate for a child; it has to do with whether or not the company thinks that it’s worth the effort to seek parental permission.

COPPA is currently being discussed by the Federal Trade Commission and the US Senate. Most of the conversation focuses on whether or not companies are abiding by the ruling and whether or not the age should be upped to 18. What is not being discussed is the effectiveness of this legislation or what it means to American families (let alone families in other countries who are affected by it). In trying to understand COPPA’s impact, my research led me conclude four things:

  1. Parents and youth believe that age requirements are designed to protect their safety, rather than their privacy.
  2. Parents want their children to have access to social media service to communicate with extended family members.
  3. Parents teach children to lie about their age to circumvent age limitations.
  4. Parents believe that age restrictions take away their parental choice.

How the Public Interprets COPPA-Prompted Age Restrictions

Most parents and youth believe that the age requirements that they encounter when signing up to various websites are equivalent to a safety warning. They interpret this limitation as: “This site is not suitable for children under the age of 13.” While this might be true, that’s not actually what the age restriction is about. Not only does COPPA fail to inform parents about the appropriateness of a particular site, but parental misinterpretations of the age restrictions mean that few are aware that this stems from an attempt to protect privacy.

While many parents do not believe that social network sites like Facebook and MySpace are suitable for young children, they often want their children to have access to other services that have age restrictions (email, instant messaging, video services, etc.). Often, parents cite that these tools enable children to connect with extended family; Skype is especially important to immigrant parents who have extended family outside of the US. Grandparents were most frequently cited as the reason why parents created accounts for their young children. Many parents will create accounts for children even before they are literate because the value of connecting children to family outweighs the age restriction. When parents encourage their children to use these services, they send a conflicting message that their kids eventually learn: ignore some age limitations but not others.

By middle school, communication tools and social network sites are quite popular among tweens who pressure their parents for permission to get access to accounts on these services because they want to communicate with their classmates, church friends, and friends who have moved away. Although parents in the wealthiest and most educated segments of society often forbid their children from signing up to social network sites until they turn 13, most parents support their children’s desires to acquire email and IM, precisely because of familial use. To join, tweens consistently lie about their age when asked to provide it. When I interviewed teens about who taught them to lie, the overwhelming answer was parents. I interviewed parents who consistently admitted to helping their children circumvent the age restriction by teaching them that they needed to choose a birth year that would make them over 13. Even in households where an older sibling or friend was the educator, parents knew their children had email and IM and social network sites accounts. Interestingly, in households where parents forbid Facebook but allow email, kids have started noting the hypocritical stance of their parents. That’s not a good outcome of this misinterpretation.

When I asked parents about how they felt about the age restrictions presented by social websites, parents had one of two responses. When referencing social network sites, parents stated that they felt that the restrictions were justified because younger children were too immature to handle the challenges of social network sites. Yet, when discussing sites and services that they did not believe were risky environments or that they felt were important for family communication, parents often felt as though the limitations were unnecessarily restrictive. Those who interpreted the restriction as a maturity rating did not understand why the sites required age confirmation. Some other parents felt as though the websites were trying to tell them how to parent. Some were particularly outraged by what they felt was a paternal attitude by websites, making statements like: “Who are they to tell me how to be a good parent?”

Across the board, parents and youth misinterpret the age requirements that emerged from the implementation of COPPA. Except for the most educated and technologically savvy, they are completely unaware that these restrictions have anything to do with privacy. More problematically, parents’ conflicting ways in which they address some age restrictions and not others sends a dangerous message.

Policy Literacy and the Future of COPPA

There’s another issue here that’s not regularly addressed. COPPA affects educators and social services in counterintuitive ways. While non-commercial services are not required to abide by COPPA, there are plenty of commercial education and health services out there who are seeking to help youth. Parental permission might be viable for an organization working to help kids learn arithmetic through online tutoring, but it is completely untenable when we’re thinking about suicide hotlines, LGBT programs, and mental health programs. (Keep in mind that many hospitals are for-profit even if their free websites are out there for general help.)

COPPA is well-intended but its implementation and cultural uptake have been a failure. The key to making COPPA work is not to making it stricter or to force the technology companies to be better at confirming that the kids on their site are not underage. Not only is this technologically infeasible without violating privacy at an even greater level, doing so would fail to recognize what’s actually happening on the ground. Parents want to be able to parent, to be able to decide what services are appropriate for their children. At the same time, we shouldn’t forget that not all parents are present and we don’t want to shut teens out of crucial media spaces because their parents are absent, as would often be the case if we upped the age to 18. The key to improving COPPA is to go back to the table and think about how children’s data is being used, whether it’s collected implicitly or explicitly.

In order for the underlying intentions of COPPA to work, we need both information literacy and policy literacy. We need to find ways to help digital citizens understand how their information is being used, what rights they have, and how the policies that exist affect their lives. If parents and educators don’t understand that the 13 limitation is about privacy, COPPA will continue to fail. It’s time that parents and educators learned more about COPPA and start sharing their own perspective, asking Congress to do a better job of addressing the privacy issues without taking away their rights to parent and educate. And without marginalizing those who aren’t fortunate enough to have engaged parents by their side.

John Palfrey, Urs Gasser, and I submitted a statement to the FTC and Senate called “How COPPA, as Implemented, is Misinterpreted by the Public: A Research Perspective. To learn more about COPPA or submit your own letter to the FTC and Senate, go to the FTC website.

This post was originally posted at the DML Central blog.

Image Credit: WarzauWynn