Twenty years of children’s online privacy success provides blueprint for comprehensive public policy

In the wake of the Facebook/Cambridge Analytica scandal and other recent tech industry controversies, Congress finally appears ready to begin tackling comprehensive online privacy legislation. As this debate heats up, we also mark the 20^th anniversary of the Children’s Online Privacy Protection Act, which became law on October 21, 1998.

COPPA, as it is called, regulates websites and other digital services targeted at children under 13. Based on longstanding international privacy principles, COPPA limits the collection of personal information from children, establishing an “opt-in” model, which requires a parent or caregiver to provide informed and affirmative consent. COPPA also places obligations on companies for adequate disclosure, protection, and use of children’s data. To this date, COPPA is the only Federal Internet privacy law on the books.

We spearheaded the campaign that led to COPPA’s passage, and have been involved in efforts over the last two decades to ensure its effective and ongoing implementation.  We believe it is important to reflect on four key lessons learned that can help policymakers navigate today’s deliberations over Internet privacy legislation. 

The Internet’s business model requires government regulation to protect consumer privacy.

As early as the mid-1990s, online advertisers and publishers had already begun to develop a system known as “one-to-one marketing.” Its driving principle was, and remains, the harvesting and monetizing of growing amounts of personal information in order to track and target individuals.{mosads} 

From the beginning, the tech industry argued that self-regulation would effectively safeguard consumer privacy, devising dozens of guidelines and codes of content that promised “consumer choice” over their “privacy preferences.” But none of these various regimes has had any meaningful impact on the growth of what has become a complex and pervasive commercial surveillance system.

Consumers face substantially greater risks to their privacy today than ever before.

Children, by and large, have been shielded from this surveillance system. 

When we were campaigning for COPPA, Internet industry lobbyists and trade groups tried to ward off legislation by rolling out a succession of public education campaigns, good housekeeping-type seals, and blocking software designed to assure parents and policymakers that the industry could police itself.  Fortunately, Congress rejected these approaches and instead opted for a law. Because of this early legislative intervention, some of the most egregious data collection practices that have become state of the art throughout the digital ecosystem were curtailed in the children’s online marketplace.

Government regulation will not “break the Internet.” 

During the privacy debates of the 1990s, we were repeatedly warned – by both industry and government leaders – that any attempts to place limits on the nascent Internet commerce enterprise would thwart innovation and prevent the tech economy from growing.

In fact, when COPPA took effect, it coincided with the so-called dot.com crash, prompting a few people to blame the law for the financial troubles of an entire industry, while ignoring the many risky practices that caused the bubble to burst. But the online advertising business has rebounded and grown exponentially, and producers of children’s media have been able to abide by COPPA’s online “rules of the road,” incorporating its provisions into their everyday practices.

COPPA did not kill the golden goose of Internet commerce.  Nor will laws to protect consumer privacy today “break the Internet.” Rather, the tech industry, like many other industries in our economy, will and can adapt.

Even with the rapid pace of innovation in the tech industry, laws can be constructed with built-in adaptability.

Another warning we heard over and over in the 90s was that any law regulating the Internet would never be able to keep up with the extremely fast pace of change in the digital industry, and would be out of date before it took effect.

COPPA’s Congressional sponsors purposely designed the statute to adapt to changes in both technology and business practices. The law gave the Federal Trade Commission authority to develop regulations, along with explicit instructions to review and update the rules on a regular basis.

In 2012, consumer and privacy advocates successfully persuaded the FTC to add new protections, including safeguards to protect a child’s geolocation on mobile devices, as well as an expanded definition for “personally-identifiable information” that now encompasses photos, “cookies,” and other online tracking tools.

Privacy is a bi-partisan issue. 

Congress enacted COPPA with leadership from both sides of the aisle, including Representative (now Senator) Edward Markey (D-Mass), the late Senator John McCain (R-Ariz.), and others.  Protecting privacy – for children and for all consumers – continues to generate widespread public support. Surveys and opinion polls have consistently shown that a majority of the American public is concerned about their privacy online.

Increasingly Americans also support legislating the tech industry. Even some of Silicon Valley’s leading companies are finally acknowledging that they need government legislation to help restore public trust in an era of rampant data breaches, fake news, and foreign interference in our elections.

COPPA should be seen as a successful model for long-overdue federal legislation that would protect the privacy of all Americans. Such a law must be broad and robust enough to bring about meaningful changes in the corporate behavior of today’s tech giants. This means not only providing consumers with the ability to control their own information, but also placing limits on the collection and uses of consumer data, ensuring transparency and accountability, building adaptability into the rules, and equipping regulatory agencies with the powers and necessary tools to enforce the law.

Finally, while COPPA has established an important framework for children under 13, adolescents remain completely unprotected, even though they are among the most avid users of social media, mobile, and gaming platforms, and often lack the maturity, understanding of online business practices, and emotional skills to make decisions about their own privacy and safety. Today’s teens are being socialized into this new digital culture, which resonates so strongly with many of their fundamental developmental tasks, such as identity exploration, social interaction, and autonomy.  They should be able to reap the benefits of digital participation without jeopardizing their privacy, personal safety, or wellbeing. 

Kathryn C. Montgomery is Professor Emerita in the School of Communication at American University in Washington, D.C. and Jeff Chester is the Executive Director of the Center for Digital Democracy.