State of the Web: A parent’s guide to COPPA, and how kids are being tracked online

State of the Web: A parent's guide to kids' online privacy

Did you know that children under the age of 13-years-old are not actually allowed to use most websites – not just social networks, but even Google and every other website and mobile app that has advertising?

This rule has nothing to do with what kids might do online, but what going online might do to kids. Namely, the collection of massive amounts of information about them, which is then used for a slew of purposes, from serving up targeted ads, to building expansive user profiles that can then be sold to the highest bidder.

The no-preteens rule has officially been in place since the passage of the Children’s Online Privacy Protection Act (COPPA) back in 1998, when few of the things we think of as “the Web” existed – no Facebook, Twitter, YouTube. Not even the word “Wi-Fi” had been invented, and Google was only founded in September of that year. It was the stone age of the Internet.

The COPPA Rule stipulates that website operators are not allowed to collect information about pre-teens without expressed consent from parents or legal guardians. While COPPA was crafted to put parents in control of their children’s digital lives, privacy advocates – including the Federal Trade Commission – believe the law is now woefully out of date thanks to the explosion of social networks and mobile apps, and the data collection that goes along with them.

Young and online

Of course, the number of connected sites and services isn’t the only thing that has exploded in the past 15 years; Internet usage by children has skyrocketed. In 1998, only about 14 percent of children went on the Internet. Today, approximately 25 percent of children under the age of three go online every single day. More than two-thirds of eight-year-olds use the Internet on a daily basis. And that number jumps to 95 percent for kids ages 12 to 17, according to Pew Research. Of those, about 80 percent use social networks, and 31 percent ages 14 to 17 own a smartphone.

In short, children are online more than ever, making them prime targets for companies who hope to profit from their data.

Pervasive collection

On Monday, the FTC released a study (PDF) of 400 mobile apps geared toward children. Two hundred came from Apple’s App Store, another 200 from Google Play. Of these, 20 percent provided parents with notice about what kind of information was being collected. Sixty percent transmitted the device ID – a number that indicates which gadget the app is running on – back to the apps’ developers, advertising networks, or another third party. Fourteen (total, not percent) sent the users’ phone number, geographic location, or both.

“Staff did find a handful of app developers that were providing users with simple and short disclosures,” said the report. However, “most apps failed to provide basic information about what data would be collected from kids, how it would be used, and with whom it would be shared.”

Collecting data from children is not just limited to mobile apps, of course. And it’s not always entirely the fault of the app maker or website owner. As you can imagine, many kids are savvy enough to lie about their age when prompted by a website or app to clarify that they are over the age of 13. Facebook, for example, which expressly prohibits the registration of users under the age of 13, had as many as 20 million preteen profiles as of 2011, according to Consumer Reports. And 5 million of those were under the age of 10. Cybersecurity firm AVG estimates that, by the age of two, 90 percent of kids have an online history that is being collected by online data hoarders.

Why this is a problem

As adults, we have become disturbingly complacent about companies collecting our data in exchange for services (like Facebook), or advertisements and other content tailored just for us. The real problem is, the data doesn’t always stop with the companies we choose to share our information with; it is often bought and then sold by data brokers, shadowy businesses that make money off of the personal data we provide through online profiles, to anyone with a sweaty hand full of cash. While I would argue that this is detrimental to us grown ups, it’s clearly bad for our kids.

“One of the big consequences is that this data is rolled up in a hyper-detailed, personal profile that will really follow your kid everywhere they go, as they grow up,” says Sarah Downey, an attorney and privacy expert for online privacy firm Abine. “Now you have this Internet permanent record that’s invisible to you, that’s inaccessible to you, and that’s being used to make decisions about you.”

These decisions can include whether or not your child gets a job later in life, or even a car loan. In the near-term, it can even determine “whether [your kid] can get into a certain college,” says Downey. “Because that data that is being collected is increasingly looked at by admissions departments.”

Some of these companies even scrape data from social networks, online comments, and other repositories of our online activities to build precise estimates of who we are as people – machine-deduced assumptions that could follow your children for the rest of their lives. Algorithms decipher meaning from the types of words kids use online to find out things like whether a child is pessimistic or optimistic, or whether he is prone to anger or lashing out. This “emotional readout” is added to general profile information that can also say a lot about a person: what her hobbies are, whether she plays sports, who her friends are, and more. And that’s before we even get to embarrassing photos or YouTube videos.

On top of all this – yes, there’s more – these invisible permanent records can include specific contact information, email addresses, school information, and all types of other data that most parents would not be comfortable with strangers knowing about their kids, but which can be purchased for as little as $5 by anyone.

Obvious outrage

Unlike our comfortable attitude towards data collection of adults, a vast majority of us abhor the idea of tracking kids’ online activities. A survey released this month by the Center for Digital Democracy and Common Sense Media, two non-profits leading the fight for updates to COPPA, 80 percent of adults believe it is wrong for companies to collect data about what children do online, even if that information is anonymous. Ninety one percent of adults believe it is wrong to track kids’ location information. And 96 percent of parents and 91 percent of all adults surveyed reject the idea that it is “okay for a website to ask children for personal information about their friends.”

Internet backlash

Despite this, companies like Facebook continue to push for ways to collect data about children. In October, the social networking giant sent a letter to the FTC arguing that use of its “Like” button – which collects data about Web users, even if they don’t have a Facebook profile – should not be a violation of COPPA because a “Like” is tantamount to free speech, and limiting its use would be a violation of the U.S. Constitution.

Facebook is, of course, not alone in such efforts. A 2010 report from the Wall Street Journal found that websites geared towards kids actually contain 30 percent more tracking mechanisms – things like cookies and beacons – than the 50 most popular U.S. websites, most of which are marketed towards adults. And in general, website operators argue that the COPPA Rule inhibits competition and innovation.

Updating COPPA

In its set of proposed changes to COPPA (PDF), the FTC seeks to mitigate much of the online data collection that targets kids. To do this, COPPA would be altered to apply to all “online services” – not just websites – which includes mobile apps, online games, advertising networks, and social-sharing plugins. It would also limit the use of persistent identifiers (such as usernames), as well as tracking mechanisms, on sites or online services that are “directed to children” for reasons other than general analytics. It would also limit the collection of geographic location and IP addresses, and require updates to privacy polices that make it easier for parents to navigate the labyrinth that is online data collection.

What comes next

Even with these changes, the Internet – both the Web and mobile apps – will still pose challenges for parents. Both online services operators and privacy advocates find flaws in the FTC’s proposal, which, according to FTC Commissioner Edith Ramirez (PDF), is crafted to land in “a regulatory ‘sweet spot'” – meaning there are concessions for both sides.

The FTC is expected to vote on these updates to COPPA by the end of the year, and parents would do their kids a favor by supporting the changes.