Agencies should obey children's privacy law
Don't confuse COPPA with the Child Online Protection Act. The 3rd Circuit of Appeals recently upheld a ruling that barred enforcement of COPA, not COPPA.
COPPA applies to Web site operators with certain knowledge that a user is under the age of 13 and to sites intentionally directed to minors. Covered Web sites must have clear privacy policies with specified wording and prominent links to the policies.
The law also requires site operators to obtain verifiable parental consent before they collect personal information from kids.
Before obtaining consent, a site can only collect name and e-mail address sufficient to contact the parent.
What are federal agencies doing to comply with COPPA? The answer is nothing. They don't have to comply. COPPA only applies to commercial sites.
Why would Congress restrict the ability of commercial Web sites to collect personal information about children but let government and nonprofits to engage in the same conduct unfettered? The answer lies in the politics of privacy.One view
When kids' privacy legislation was proposed, Congress viewed the Federal Trade Commission as the natural regulatory agency. No one really disagreed. But the FTC's general jurisdiction is over commerce, and governments fall outside of FTC's purview.
Congress simply trimmed COPPA to fit FTC's jurisdiction. The broader lesson here is that FTC cannot be much of a privacy regulatory agency because of its jurisdictional limitations.
I have a second point. So what if COPPA does not apply to federal agencies. Why aren't they complying with the law's provisions anyway? Make no mistake; numerous agency Web sites include pages expressly targeted at children. Examples include www.hhs.gov/kids
I reviewed these sites recently and found that the White House did as well as it could in sensitivity to kids' privacy. It accepts e-mail from minors, but it tells them to ask for parental consent first. That may not be enough to fully satisfy COPPA, but the White House has other legal and constitutional obligations.
Kids presumably have a constitutional right to petition government just like anyone else. Because of the Presidential Records Act, the White House cannot discard e-mail from minors, which is one way to comply with COPPA.
The other agencies I looked at did not do so well. The Housing and Urban Development Department asks kids to share information about what they did to help the homeless. The site only asks for first names, but one of the stories I saw included a last name as well. Collection and disclosure of a kid's full name or e-mail address would violate COPPA if the law applied to HUD.
At the Health and Human Services Department, things are worse. In one place, kids are offered copies of an antismoking poster. To get it, they are asked to provide a name and address. This might be OK under one of COPPA's parental consent exceptions as long as the information is discarded after the response. It isn't clear whether HHS does that. Regardless, the page also asks for a telephone number and e-mail address. Collection of that data is probably prohibited by COPPA.
At another page, accessible through the HHS kid's site, webmasters can download a public service announcement to put on their own sites. Nothing wrong with that, but to get the announcement, you must first provide a lot of unnecessary personal information. Collecting all that information on a Web site directed at kids is a clear violation of COPPA, and might violate the Privacy Act.
I suspect that there is more of this sort of activity on other federal sites. I don't think anything sinister is happening, but no one is paying attention either.
A late June order from the Office of Management and Budget finally addressed the kids' privacy issue on federal Web sites by directing agencies to act as if they are subject to COPPA. It's about time.Robert Gellman is a Washington privacy and information policy consultant. His e-mail address is firstname.lastname@example.org.