Friday, January 12, 2007

Case Study in Legal Linearity: The Children's Online Privacy Protection Act (COPPA)

As discussed previously, developmental psychology has moved toward a nonlinear paradigm driven by studying individuals in social context. The Children's Online Privacy Protection Act, however, presents a static framework that does not take into account the nonlinear nature of development.

COPPA requires that websites targeting children under age 13 provide notice of privacy practices and obtain verifiable parental consent prior to collecting data from the child. The statute also empowers the Federal Trade Commission to promulgate additional regulations to require the operator of a website subject to COPPA to establish and maintain reasonable procedures “to protect the confidentiality, security, and integrity of personal information collected from children.” Specifically, COPPA stipulates that prior to collection of data from a child under 13, a website “operator” must obtain “verifiable parental consent”. The preferred medium for this verifiable parental consent is receipt of a fax from the parent; however, an email exception was originally crafted as an interim measure for a limited amount of time. This email exception evolved into a “sliding scale approach” which is still applied by the FTC in COPPA inquiries. Depending on the character of the data collection and the intended use, the FTC’s analysis varies.

During the first six years of its effectiveness, COPPA has received mixed reviews at best. The deterrent effect of prosecutions appears to have been limited. As a practical matter, a large number of websites which are governed by COPPA are simply noncompliant, willingly risking prosecution rather than investing effort in attempting to comply. As demonstrated by several studies, the compliance level is generally under 60%, and even on those websites which attempt compliance on their face, the age verification process is frequently easy to circumvent. From the perspective of the child user, COPPA has been viewed as protecting only the data of the children who wish to have their data protected. For children who simply wish content access, in many instances immediate workarounds are readily available. Often the child merely needs to log in again and provide a false birthdate to gain access to the material to which s/he was denied access.

COPPA makes linear developmental assumptions. First, COPPA is predicated on the idea that an adult parent’s development and proficiency with technology surpasses that of her child, an assumption research demonstrates is unsustainable. Technology learning and development do not always cleanly map on to chronological age. Parents frequently feel their ability to monitor their children’s activities online is limited.

Second, the age of capacity to consent to data gathering stipulated in COPPA, age 13, appears to have been selected arbitrarily. During early adolescence, large divergences in development are visible, perhaps even more so than in later life. Particularly since the issue at hand relates to data security contracting, a more logical age of consent might mirror contractual capacity generally. The usual age of contractual capacity is 18.

Third, COPPA takes into account only one computing context, the home, and presumes a parent’s being available during the child’s internet time. However, children frequently access the internet and give away information about themselves using computers at school, at friends’ houses and in the library. Therefore, a regulatory paradigm presuming parental presence does not reflect the reality of children’s situated learning in multiple contexts.

Fourth, both technology use and development are emergent phenomena. COPPA did not take into account the norms of corporate conduct that would arise to circumvent its restrictions. Because COPPA grants no private rights of action to parents, enforcement of COPPA is the sole province of the FTC, which is an understaffed and overburdened agency. As demonstrated by widespread noncompliance, companies frequently run a risk-benefit calculus regarding the likelihood of prosecution and decide to risk regulatory action rather than invest in compliance structure.

Finally, COPPA presents a technology-focused regulatory design; the focus is on each website that chooses to collect children’s data. However, as technology evolves, a website-centric approach is destined for obsolescence. A more promising regulatory design would be constructed in a human-centric manner, focusing on the child and the child’s information. Such an approach would not only demonstrate greater versatility and regulatory longevity, but systemic efficiencies would also result. In lieu of each website needing to institute a separate age verification process for each child, and each parent approving each website, a child-focused approach could be constructed in such a manner as to allow for a single parental approval and a single website registration. In this way, economies of scale could be created through a child data protection structure focused on the child rather than on the website operator. Such an approach would also acknowledge that parents may be less knowledgeable and need more protection than their children, and so may be suboptimally suited for the role of gatekeeper.
