from the well-meaning,-but-bad-policy dept
And, of course, the FTC wants to expand it even further.
They're asking for comments on the proposed changes in the rules, and if you develop websites or apps, you might want to speak up. CDT has put together a letter people can sign if they don't want to write up some comments themselves. They also have explained many of the problems with the new proposals. For example, it expands what COPPA applies to in very broad ways, potentially creating liability for developers without them even realizing it:
The FTC plans to put COPPA obligations on plugin developers if they “know or have reason to know” that their plugin has been installed on a children’s site. “Plugins” include analytics providers, advertising networks, social media plugins, embedded videos, or anyone else who provides third-party code for websites. Under the FTC's proposed change, if plugin developers receive a user’s IP address through a plugin that’s been installed on a children’s site, they could face legal liability for collecting children’s personal information.The end result would almost certainly involve those companies putting a lot more limits on their apps, and create a huge cost (and potential liability) for all sorts of plugin and app writers. But there's an even bigger problem. While COPPA was clearly limited at sites directed at children, the FTC seems to think this wasn't enough, because other sites not directed at children might still attract children... and so they want this problematic rule to expand to sites who don't even cater to children:
It’s unclear how a plugin or platform like Twitter is supposed to “know or have reason to know” that someone has cut and pasted a line of their code into a children’s site. The FTC says that plugin developers “will not be free to ignore credible information brought to their attention.” But the FTC doesn’t say what counts as “credible.” Would developers have to assume every random e-mail is a credible tip that could saddle them with legal liability? Even if the FTC did provide clarity, though, it would still be extraordinarily burdensome to place legal obligations on plugin developers based on the actions of others.
Things get worse with the FTC’s second major proposal: expanding the scope of sites deemed “directed to children” from sites aimed primarily at a very young audience to include sites and services that are “likely to attract an audience that includes a disproportionately large percentage of children under 13 as compared to the percentage of such children in the general population.”In fact, as CDT notes, this change almost certainly will do the exact opposite of what the rule intends. That is, it will make sites feel they need to collect more data about who is accessing their sites to make sure that they know if their audience includes kids, in which case they'll have to take steps. But that means they'll be... collecting more data about kids -- which is exactly what COPPA is supposed to stop.
This convoluted standard raises a number of serious issues. Not only is it difficult for site operators to gauge what proportions of their audience fall into arbitrary age buckets, but the FTC also gives operators no sense of what it means for an audience to be “disproportionately” composed of children in comparison to the general population. If a site’s audience is 20 percent children, is it disproportionately composed of children? What about at 30 percent? It’s not clear from the language, and it won’t be clear to website operators trying to run their sites while staying within the bounds of the law.
The FTC folks who support COPPA are certainly well meaning, but they seem to have little concern or interest about the real impact of the law and their specific rules around it, and how it not only fails to help protect children, but puts a serious damper on innovation as well.