COPPA celebrates 2nd birthday - a Q&A with a child privacy advocate

“Happy 2^nd Birthday, COPPA”, a Q&A with a child privacy advocate

On July 1, the updated US Children’s Online Privacy Protection Act (COPPA) Rule will have been in effect for 2 years, following a six month “grace period” and four years of committee discussion and public comment on the need to update the law to add mobile apps and behavioral advertising targeting to its focus.

I’ve blogged about technical issues and misconceptions related to COPPA for the past 18 months, but I thought it might be of interest to game developers to hear from someone who looks at COPPA from the “other” perspective – protecting children who don’t understand the value of their privacy. 

Greg Kudasz is the operator of the COPPANOW.COM website, and an eight year alum of Microsoft. CoppaNOW functions as a news and opinion aggregation site for all issues related to COPPA.  COPPANOW also tracks FTC enforcement activity related to COPPA, even counting the days since the last FTC action. He has been involved with COPPA since its update in 2012 and knows many of the key people and companies in the COPPA space personally. The opinions he expresses are his own, and I think his perspective should be very interesting to any game developer who is interested in the “bigger picture”.

Q. Greg, you have been a very close observer of COPPA and the FTC. How would you characterize the FTC's record on COPPA, especially since it was updated 2 years ago?

A. ‘I would characterize it as abysmal. Two years ago not only was the COPPA Rule changed, but the FTC division charged with enforcement switched from the Division of Advertising Practices to the Division of Privacy & Identity Protection. This makes sense, however when I interviewed the assistant director in this division back in March, he admitted that the pace of enforcement has not changed. In 13 years, there have only been 24 enforcement actions, which is less than 2 per year. ‘

‘The FTC tends to prosecute one or two cases per year and announce them at the same time. It has been more than 270 days since the last enforcement action, with none so far in 2015. This FTC director told me they originally focused on education over enforcement because of the Rule change but have not changed in enforcement frequency since 2013.’

‘There are plenty of companies standing by to make sure sites, apps, games and services are COPPA compliant but there is little motivation considering the chances of getting caught is so small but it is in their best interest to be so because no one knows when the FTC is going to step up enforcement. The Federal Trade Act allows for up to $16K in fines (and this is widely reported by COPPA watchers). However, the average fine per child where the FTC divulges the number of pre-teens involved is only $2.28.’

‘If the $16K number was applied to last year’s Yelp settlement it would mean only 28 kids were involved. These FTC actions are more like speedbumps and some bad P.R. and not very punitive. The law needs to be enforced and fines need to be large enough to get everyone into line.’

Q. Do you think a new administration in Washington DC might result in more enforcement or even less?

A. ‘I think the law is virtually invisible in Washington. We’ve had three Presidents since COPPA became law and there has been no change in the frequency of prosecutions. From Congress’ standpoint, there have been several bills announced to enhance COPPA to include changing the ages of children that would be covered, and introduce features such as an “eraser button” that would allow traces of a child to be removed from social media and other websites so they can undo any foolishness they created before they turned 18. ‘

‘These bills have been titled “Do Not Track Kids Act”. There have been three versions of this bill filed since 2011 and the first two never made it to committee. The third was introduced in mid-June and GovTrack gives it a 5% chance of passing.’

‘My question for the Congressmen involved (currently Senator Edward J. Markey (D-Mass.) and Rep. Joe Barton (R-Texas), Senator Mark Kirk (R-Ill.), Senator Richard Blumenthal (D-Conn.) and Rep. Bobby Rush (D-Ill.) would be “Do you know the current COPPA isn’t working?”. Whether they care or are just looking to impress their constituency I don’t know. I remain cynical.’

Q. Parents do not seem to be very active in seeking out apps and games that respect and protect child privacy, do you think that might change in the next few years?

A. ‘No. Not unless there is some real bad controversy or tragedy that draws a lot of media attention to child privacy. There are three types of parents. First are those that take a proactive approach - they already know or are open to learning about privacy and therefore safety. Second are parents that are laissez faire and don’t know or care about the issues. The third and worst type are parents that know better and help circumvent age gates and other measures  because they don’t think it’s anyone’s business to usurp them. These parents are actively teaching their children to lie.’

Q. You have been active in calling out YouTube and other websites for lack of followthrough on their published policies for protecting children from being "groomed" by pedophiles. Do you see that sort of thing coming for apps and games that have social chats or messageboards?

A. ‘YouTube was the #1 reason I started to follow COPPA. My idea was that if a kid was at risk, he should be bumped off a site for his own good.  I quickly realized the huge COPPA loopholes that large sites could use, the biggest being “actual knowledge” which means that if a site says it isn’t for preteens and they can avoid knowing there are preteens on their site, they don’t have to do anything about it.  Along these lines, Google offers no method to report underage YouTube users.  In my opinion, there isn’t any other site where kids shed PII more than YouTube as they produce videos and are accosted by pedophiles.’

‘A lot of the “grooming” I see has shifted to indirect “dares” that are very subtle. There is a high frequency of these dares that are fetish in nature. I’ve never seen anyone over 13 fall for these tricks.  This is a prime example of why there needs to be a “panic button” for underage users. YouTube for instance should at least allow a flag for when a kid reveals his age or grade.’

‘There has also been talk about YouTube releasing a live video chat service. There used to be a service that allowed 6 kids to video chat together and that was the most frightening thing I’ve ever seen. We can expect for that kind of app to flow down to devices and if it doesn’t right away we can expect others to jump on that bandwagon. If an app like Snapchat would allow chat with strangers then we could expect some serious problems. I’ve already seen examples on Instagram including a kid posting his report card that had his home address, age, grade and birthday. This is the kind of danger we see in apps now. Parents need to be the ones to check their children.’

Q. Any final thoughts?

‘I will say there are good things happening with COPPA. Apple’s App Store and Google’s Play have put down limits that have helped developers come up to snuff a bit though there is still a lot to do. The largest improvement in the online gaming website that I’ve seen is Mojang (publisher of Minecraft) replacing their previous COPPA statement which said they weren’t aiming Minecraft at children in the U.S. to now including an expansive privacy policy and full COPPA compliance thanks to Microsoft’s impeccable implementation of true verified parental consent. This was a huge win in my eyes over the past year. This is not easy to do and hopefully AgeCheq among others will help when other gaming applications seek to become compliant.

Although the current proposals for a “Do Not Track Kids Act” in Congress are likely to fail because they have crammed in too many changes at once, it is good to see Washington show that there is some appetite to make things better.’

‘Things are also getting better at the FTC. They are aware of what’s going on and their staff are responsive to inquiries. They do not have their head in the sand even without the prosecutions that I would like to see more of. They know their stats and a couple of big busts does seem to help a little. Hopefully they will realize the need to do more than educate. After all, right now it’s like fish in a barrel. There’s 100 million fish and even more water. We have got to get the fish to become compliant and not just realize the odds are in their favor as far as being picked out. ‘

If you'd like to educate yourself on COPPA, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions .  Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here:

http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title16/16cfr312_main_02.tpl