By Angelique Carson, CIPP

Lawmakers at yesterday’s subcommittee hearing on proposed changes to the Children’s Online Privacy Protection Act (COPPA) rule weren’t shy about identifying their stake in the final outcome: their children and grandchildren are growing up online.

Six witnesses testified at The House Subcommittee on Commerce, Manufacturing and Trade hearing, “Protecting Children’s Privacy in an Electronic World,” which focused on whether COPPA’s age threshold should be raised, if Congress should revisit COPPA given advances in technology and whether proposals to expand COPPA’s definition of personal information are sufficient.

Lawmakers and industry advocates agreed that COPPA has been effective since its inception in 1998 and is necessary to protect children online. But some voiced concerns about the potential impact new rules may have on small businesses and the economy, the technical implementation of proposed changes--including new consent requirements--and what should be done to protect older children.

COPPA requires websites and online services to obtain parental consent before collecting data from children ages 13 and under. The Federal Trade Commission (FTC) initiated a review of the rule last year.

The proposed changes include updating COPPA’s definition of personal information to address concerns including geolocation information and identifiers such as online cookies. The changes would also revise parental consent requirements; clarify the direct notice operators must give parents prior to collecting children's personal information; provide for new methods of obtaining parental consent, including electronic scans of parent signatures and videoconferencing, and strengthen rules on third-party security provisions as well as on FTC oversight of self-regulatory “Safe Harbor” programs.

In her opening remarks, Chairwoman Mary Bono Mack (R-CA) advised parents to take a hands-on approach with their children. “Talk to them often, and make them more self-aware,” she said.

Rep. Henry Waxman (D-CA) said COPPA has been a legislative success and has withstood the test of time.

“One of the reasons for its success is that it was written to be flexible. It gives the FTC the authority and discretion to carry out several broad mandates,” he said. “The updates to the COPPA rule proposed by the FTC are appropriate, reasonable, well thought-out and true to the intent of the law.”

Rep. Ed Markey (D-MA), who has proposed legislation aimed at protecting children online, also said COPPA needs an update.

“The commission’s proposal is a much-needed step. Strong legal requirements and vigilant enforcement are needed to protect children from tracking and targeting on the Internet,” he said. “Children should be allowed to grow up in an online oasis…in a safe environment.”

The FTC did not propose raising the age threshold in its new rules, but Rep. Joe Barton (R-TX) indicated support for a measure that would apply to children over the age of 13, as did Rep. G.K. Butterfield (D-NC).

“Someone who is 12 today and 13 tomorrow has the same privacy concerns as someone who is 18 today and 19 tomorrow,” Butterfield said. “The same privacy protection measures should be applied to all Americans.”

For COPPA legislation to succeed at its intended purpose, to protect children, parents must be involved, noted Alan Simpson of Common Sense Media.  

 “This is not a question of whether kids will be online or offline, we all know that kids are online and will always be online,” he said, adding that a reasonable balance must be reached between maintaining online service’s operations and protecting children from “intensive tracking and behavioral advertising.”

Simpson promoted the idea of an “eraser” button and the concept that children have ownership of the data they post online as a matter of intellectual property.

Though unable to answer Bono Mack when she asked if such a concept is technologically feasible, Simpson said, “At what point do we have tools for parents and teens where something that belonged to me still belongs to me and is something I can take down?”

Simpson said child development is a complicated issue when it comes to determining age-appropriateness.

“Teens need something more than they have right now. There are a lot of 13-, 14- and 15- year-olds quite capable of making mistakes in this innovative space. And those mistakes can come back to haunt them.”

Hemanshu Nigam of privacy advisory firm SSP Blue acknowledged COPPA’s role in providing clear parameters for businesses at the outset but warned against extraneous changes that could adversely affect the online marketplace, saying, “If we were to accept the proposed changes in whole, expect an immediate impact on the marketplace. The largest companies will adjust where they can. The smaller and newer companies will find investors spooked by uncertainties.”

He urged legislators to resist the urge to protect children from what “sounds bad rather than what is bad. Solutions based on what sounds bad will fail,” he said.

Nigam said an easily forgotten concept is that “Industry has an incentive to do the right thing. Businesses lose when they violate children’s privacy rights; their brand reputation suffers; their customer loyalty drops, and they lose the trust of parents and guardians. “Without doing the right thing, an online business cannot succeed,” he said.

Rep. Adam Kinzinger (R-IL) noted the fragility of the U.S. economy and the importance of allowing technological innovation to flourish.

“There’s got to be a proper balance between where government is involved and what it does and also stamping down on the economy,” he said. “If we’re going to get out of this recession, it’s going to be through the free market.”

Bono Mack asked the FTC’s Mary Koelbel Engle if the amendment proposal that would eliminate COPPA’s “e-mail plus” provision--which requires companies collecting data for internal use only to obtain a parent’s e-mail consent plus another verification method--would leave businesses in a lurch.

Engle said the list of reliable consent methods is not exclusive, and companies “can use any method.”

Morgan Reed, executive director of the Association for Competitive Technology, said a complete abandonment of “e-mail plus” is a “bit of a Hail Mary,” adding that he’s not sure that those in the mobile space are “ready to magically create new technology.” Most app developers are small companies, often parents themselves, and “don’t have staffs of technologists ready to create their own version of parental consent.”

Simpson said, however, it’s time for technologists to step up.

“We’ve seen a lot of innovation on how to collect and not enough on how to protect,” he said.

Public comments on the proposed changes will be accepted until November 28.