In the early days of the internet, the U.S. government passed The Children’s Online Privacy Protection Act (COPPA). Its flaws–the ease with which children can fake their age, and no protection against ads–have only become more glaring over 20 years later, with 98% of U.S. households now owning a mobile device accessible to kids, and 42% of children having their own device.
Jim Steyer, CEO and founder of Common Sense and a children’s advocate, says data on kids, including their activities, hobbies, and social networks, is often for sale from the child’s first years of life. Kids are often early adopters of apps, like Snapchat and TikTok, or even watched over by Internet of Things devices, like baby monitors, which a hacker recently took over to watch a child and threaten the parents. And these days, education is also a battleground in child data privacy, as learning is increasingly done on a school’s devices and networks. Meanwhile, connected toys have exposed the sensitive data of kids and their parents, and 59% of connected devices don’t provide proper information on how they collect, use, and disclose users’ personal information.
Recently, Steyer testified at the U.S. Senate Committee on Consumer Perspectives for Data Privacy, where he argued for updates to COPPA.
In COPPA 2.0, Steyer and Common Sense envision parents with children under 13, and teens being given control and choice over online tracking. They would like to see an “eraser button” and a right to delete content they post about themselves online. But Common Sense doesn’t want to stop with these provisions. They want to prohibit companies from targeting ads at children, and prevent sites from claiming children aren’t on their sites to evade COPPA requirements.
Steyer would also like to see children’s and teens’ connected devices be outfitted with a “privacy dashboard” on the product packaging, which would detail data-collection practices and security provisions. And in COPPA 2.0, sale of insecure connected devices to children and teens would be prohibited. Steyer says a Youth Privacy and Marketing Division should be created at the FTC, which would focus entirely on children’s privacy and marketing.
“Historically, data brokers are very protective about how they go about their services,” Steyer explains. “Data brokers can acquire data in a variety of ways, including when a parent posts information on photo sharing sites and event scheduling apps, if a parent purchases products online, or if a soon-to-be-mom starts a baby registry. Some states post public records online, like in Virginia. Most of the time, a data broker can acquire data by other means that have nothing to do with what people post.”
In early 2018, University of California, Berkeley researchers found that over half of Android’s 6,000 free children’s apps may serve kids ads that violate COPPA. Kids under 8 lack the cognitive ability to understand the persuasive intent of advertisement, and 75% of kids from ages 8 to 11 are unable to distinguish an ad from some other form of content. When most adults are unable to make sense of tech companies’ byzantine privacy policies, it is absurd to assume that kids could even begin to understand them.
“All this data makes kids uniquely valuable to companies and adds to their digital footprint, which can extend beyond parents’ control,” Steyer says. “Kids’ information will live on for longer than we know and could impact education and employment opportunities, healthcare access, and exposure to identity theft.”
“As kids’ brains are still developing, they lag behind adults in conceptualizing privacy, comprehending online data ecosystems, understanding terms of service, and recognizing ads,” he says. “Both young children and teens are prone to overshare, albeit for different reasons.”
Industry standards in child data privacy are also sorely lacking. COPPA includes a Safe Harbor Program that allows industry groups to submit self-regulatory guidelines. Federal Trade Commissioner Rohit Chopra, speaking at a Truth About Tech Conference last month in Washington, D.C. (organized by Common Sense), said the provision has given rise to “privatized privacy policing regimes” and third-party examination of tech company policy, both of which have led to lax oversight.
The Student Privacy Pledge, introduced by the Future of Privacy Form and The Software and Information Industry Association to safeguard student privacy regarding the collection and handling of student data, hasn’t been effective, either. Several tech companies have been found in violation of the pledge, including Google, which is currently being sued by the Mississippi attorney general for violating the state’s student data privacy law.
“Without strong protections, lines drawn on what companies can and cannot do, and focused efforts by federal regulators, these businesses will continue to collect and monetize kids’ data,” says Steyer. “A comprehensive children’s online privacy bill is crucial to ensuring that our future generations are adequately protected from potential abuses online.
“By expanding and enhancing the current COPPA rules about the collection, use and disclosure of children’s information, including providing important rights and protections to teenagers, this legislation would strengthen online safeguards for all young people,” he adds. “We are hopeful that the bipartisan bill will have strong support and Congress passes it as written.”
Common Sense sees progress in The DETOUR Act, a bipartisan effort by Mark Warner (D-VA) and Deb Fischer (R-NE), that would hold tech companies accountable for how data is used to target users. The largest online platforms (those with over 100 million monthly active users) would no longer be able to design user interfaces that intentionally impair user autonomy, decision making, or choice. Among its many provisions, DETOUR would prohibit user design that creates compulsive usage among children under the age of 13 years old.