Do Not Track Kids Act: Good Idea Raises Real Challenges
Last Friday, Reps. Ed Markey (D-MA) and Joe Barton (R-TX) introduced House Bill 1895, the Do Not Track Kids Act of 2011, which would amend the Children's Online Privacy Protection Act (COPPA) and introduce additional provisions to govern the collection and use of teens' personal information. (You can find CDT's unofficial redline, reflecting the changes the DNT Kids Act makes to COPPA, here.) This bill is motivated by sincere concerns for the fate of children and teens' personal information online, and we appreciate the Representatives' bipartisan attention to the important issue of online privacy. We strongly agree that users' personal information warrants legal protection, and CDT remains committed to passing baseline privacy legislation that protects all users, regardless of their age. Unfortunately, the DNT Kids Act suffers from familiar problems common to proposals targeting minors' data: The Act could lead us down a path of mandatory age verification and increased collection of personal information from all users, and could infringe the rights of teenagers to access completely appropriate, lawful speech online.
First, the Act makes a few subtle modifications of COPPA that appear to drastically expand the scope of that statute. One of these is a change to the entities covered by COPPA from sites that know they are collecting information "from a [specific] child" to sites that know they collect information "from children" generally. While the amendment from "a child" to "children" may appear to be a minor change in wording, this particular tweak has a very precise meaning in the context of the perennial debate (including the FTC's ongoing COPPA Rule review) over whether and how to modify COPPA: It could effectively expand COPPA to apply to most general-interest websites that have a general idea that children sometimes use their sites (but that do not know which of their millions of users are in fact children). Currently, general-interest sites only have to obtain verified parental consent before collecting a child's information if they know that a particular user is a child (because the user, for example, has indicated their age or date of birth). But the universe of sites that are aware that some of their users are probably children includes every search engine, social networking site, and popular content-hosting site on the web. These sites would be faced with a choice: they can either risk near-certain violations of COPPA, or they can adopt a radically more invasive screening system that validates the age and identity of every user, in order to obtain appropriate parental consent from child users.
Compounding this problem is the Act's addition of IP address to COPPA's list of "personal information." Although CDT believes that IP addresses should appropriately be included as potentially personally identifiable information in broader privacy regulations, including IP addresses in the COPPA scheme would cause significant problems. COPPA restricts operators from collecting, using, or disclosing personal information from a child prior to getting parental consent. If a site "directed to children" is prohibited from collecting a child's IP address prior to getting parental consent, the site has no way of interacting with the child or his parent in order to obtain that consent, making it effectively impossible to operate a child-oriented site. What this change means is that any site that is "directed to children" violates COPPA the very first time a child visits the site (before the child or the parent even has a chance to learn that parental consent is required). This surely is not what the bill sponsors intend, but it would in fact be the result of the bill text.
Beyond the COPPA amendments, the DNT Kids Act would create a new prohibition on "targeted marketing" to children and "minors" (teens age 13 to 17). The Act defines "targeted marketing" in a way that is overbroad and sweeps in significant amounts of protected speech. It would, for example, prohibit teens from signing up for email alerts about the popular video game Portal 2, subscribing to newsletters from private colleges they are applying to, requesting text message reminders to take their asthma medication, or getting alerts from their favorite band about upcoming concert dates. From the mundane to the potentially life-saving, information with any connection to commercial activity would be off-limits for teens to request to receive, in direct violation of their First Amendment rights.
The DNT Kids Act also introduces the "Eraser Button" concept. Loosely defined, the "eraser button" or "right to be forgotten" (as it is called in Europe) stands for the idea that users should be able to remove information about themselves from the Internet. While CDT certainly supports a user right to remove data the user has posted online in a space under their control -- in a social networking profile, for example, or on a blog the user operates -- the broad notion of an "eraser button" is too simplistic to deal with the realities and complexities of online data flows. The implementation proposed in the Act is not workable (read literally, it would, for example, permit any user to demand that NYTimes.com remove any article that refers to Sasha or Malia Obama), and any proposal covering a user's right to delete information must, at the very least, focus on information and content the user himself has provided, in recognition of other users' free speech rights to quote and discuss publicly disclosed information.
Another section of the Act would require any site, online service, or application directed to teens to adopt a set of Fair Information Practice Principles (FIPPs) to govern their collection and use of teens' data. CDT has long advocated that the FIPPs should guide the development of flexible, substantive protections for user privacy, and it is heartening to see legislators turning to the FIPPs when they contemplate privacy rules. But creating a special set of rules to apply only to teen-oriented sites may have the unintended consequence of discouraging operators from tailoring their sites and services for teen audiences, and could even lead some sites to try to prevent teens from accessing the site (thereby reducing teens' access to safe and appropriate content). And carving out strong privacy protections for minors only on certain sites could lead to significant, perhaps dangerous, confusion among teens and adults about whether and how their data is protected as they navigate among various sites, services, and applications. CDT believes that every Internet user -- child, teen, and adult -- would benefit from the privacy protections afforded by the FIPPs, just as every user would benefit from the type of notice and control over geolocation data that the Act provides to users under 18.
The Do Not Track Kids Act of 2011 includes some good ideas about how to protect Internet users' privacy but also raises some real challenges. The concerns discussed above demonstrate the care and deliberation needed when legislating about online privacy. It is not enough to want to protect children and teens in a general sense; legislators must carefully consider the full range of constitutional, policy, and technical implications of any regulations they propose. Otherwise, they risk introducing "protections for children and teens" that could violate minors' own rights and actually increase the amount of personal information every user has to disclose.