Children's online privacy

While there is significantly more to be done to protect our data, consumers have never been better apprised of the imperiled state of their privacy. That said, it’s still an acute problem. The air travel equivalent would be when the cabin depressurizes and oxygen masks drop. In the dramatic destabilization that has occurred to our collective privacy over the past 15 years, the trigger event–a mixture of Facebook arrogance and the Equifax breach–has come and gone, but kids have not yet received the crucial attention needed to protect their data.

A recent study shows that nearly 40% of Amazon Prime Day shoppers have actively avoided Alexa-enabled products because they are concerned about the possibility of eavesdropping. Mozilla Firefox now features enhanced tracking protection as a default behavior. And, Apple CEO Tim Cook memorably doubled (if not tripled) down on prioritizing user privacy as the parade of Facebook stories rattled consumers to the core. More recently, New York State introduced legislation to update its data protection and privacy laws, and California’s new privacy law, modeled on the EU’s GDPR, goes into effect January 1, 2020.

Even with all the positive news from the frontlines of protecting consumer information, the safeguarding of children’s data still has a long way to go.

Consider just one recent story. Video-sharing giant YouTube is currently being investigated for the illegal collection of data from users under the age of 13 (competitor service TikTok recently paid $5.7 million in fines for similar practices), and’s Dot Echo is the focus of a class action suit for illegally recording children. A recent study from UC-Berkeley found that 57% of apps listed under Google Play’s “Designed for Families” section collected data on children under the age of 13 in direct violation of COPPA, the Children’s Online Privacy Protection Act.

How Did We Get Here?

Unless you have been living in an upside-down chowder bowl on the bottom of Cape Cod Bay, tracking and trafficking in the online browsing habits of children should come as no surprise. While there’s a massive industry for all user data, from online quizzes to browsing habits to online purchases, kids online worlds make them easy prey for pretty much every monetized online behavior out there.

ISPs, mobile carriers, social media providers, and web browsers are currently making a very healthy profit from the data associated with your day-to-day life, both on- and offline. Children are the Holy Grail for advertisers, and represent a sizable chunk of the consumer market. Their data is just as valuable as those of adults, if not more so.

While children are supposed to be protected under COPPA, the regulations have gone largely unchanged since it was passed in the late 90s, and became the law of the land in 2000. File under: “Man plans, God laughs.” Meanwhile, the Internet made Las Vegas look like a sad, poorly planned desert boom town gone bust. The surveillance economy didn’t exist when COPPA was conceived, and it needs to be updated to address our new world of constant, persistent, near-total exposure.

What is COPPA and Why Is it Failing?

The broad strokes of COPPA are straightforward: Websites aren’t allowed to collect information associated with children under the age of 13 without the express consent of a parent or guardian.

While this sounds reasonable, it also contains a major and easily exploited loophole: Namely that there is no liability for non-compliance, for just one instance, if a company or provider is not aware of that this or that information belongs to an underage user. In short, if they don’t ask for the age of the user, they’re off the hook.

When COPPA went into effect, the internet had roughly 361 million users worldwide. For context, Facebook alone currently has 2.38 billion monthly active users. Only 3% of households in 2000 had broadband Internet access, with roughly a third of households being on dial-up internet.

We’ve come a long way (for better and worse). Currently 80% of pre-teens use social media, despite the fact that the most widely-used platforms all prohibit accounts for anyone under 13.

COPPA’s idea of children requiring permission from a parent made more sense when Internet access was mainly accomplished using a land line phone connection. The law neither allowed for nor expected multi-device households, with children able to connect to the Internet via IoT devices, tablets and mobile devices via continuous wireless connection. It didn’t anticipate the rise of “free” apps that would track the activity of every user in exquisite detail. Had the framers of COPPA forseen the advent of the surveillance economy, chances are pretty good they would have been busy chasing seed money in the late ’90s.

Connected devices are designed to be as user friendly as possible, which makes them child accessible. When Disney acquired Fox, that consolidation gave the new larger entity access to giant portfolios of underage-user data. It probably should have been COPPA’s Equifax moment, but if we’re going to keep it real, Equifax probably should have had a Home Depot moment. We live in a time when the profitability of a privacy depredation makes progress hard to come by.

Since it’s no mean feat to determine the age of a user, maybe it’s time to assume users are underage, and be more restrictive with captured data. Whatever happens next, the protection of children’s data is a problem in sore need of solutions as quickly as possible. There is too much at stake.