[Senate Hearing 111-968]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 111-968
 
    AN EXAMINATION OF CHILDREN'S PRIVACY: NEW TECHNOLOGIES AND THE 
                CHILDREN'S ONLINE PRIVACY PROTECTION ACT

=======================================================================

                                HEARING

                               before the

   SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, AND INSURANCE

                                 of the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 29, 2010

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation




                  U.S. GOVERNMENT PRINTING OFFICE
66-284                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected]  

       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii             KAY BAILEY HUTCHISON, Texas, 
JOHN F. KERRY, Massachusetts             Ranking
BYRON L. DORGAN, North Dakota        OLYMPIA J. SNOWE, Maine
BARBARA BOXER, California            JOHN ENSIGN, Nevada
BILL NELSON, Florida                 JIM DeMINT, South Carolina
MARIA CANTWELL, Washington           JOHN THUNE, South Dakota
FRANK R. LAUTENBERG, New Jersey      ROGER F. WICKER, Mississippi
MARK PRYOR, Arkansas                 GEORGE S. LeMIEUX, Florida
CLAIRE McCASKILL, Missouri           JOHNNY ISAKSON, Georgia
AMY KLOBUCHAR, Minnesota             DAVID VITTER, Louisiana
TOM UDALL, New Mexico                SAM BROWNBACK, Kansas
MARK WARNER, Virginia                MIKE JOHANNS, Nebraska
MARK BEGICH, Alaska
                    Ellen L. Doneski, Staff Director
                   James Reid, Deputy Staff Director
                   Bruce H. Andrews, General Counsel
                 Ann Begeman, Republican Staff Director
             Brian M. Hendricks, Republican General Counsel
                  Nick Rossi, Republican Chief Counsel
                                 ------                                

   SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, AND INSURANCE

MARK PRYOR, Arkansas, Chairman       ROGER F. WICKER, Mississippi, 
BYRON L. DORGAN, North Dakota            Ranking
BARBARA BOXER, California            OLYMPIA J. SNOWE, Maine
BILL NELSON, Florida                 JIM DeMINT, South Carolina
CLAIRE McCASKILL, Missouri           JOHN THUNE, South Dakota
AMY KLOBUCHAR, Minnesota             JOHNNY ISAKSON, Georgia
TOM UDALL, New Mexico                DAVID VITTER, Louisiana


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on April 24, 2010...................................     1
Statement of Senator Pryor.......................................     1
Statement of Senator Wicker......................................     2
Statement of Senator Rockefeller.................................     3
    Prepared statement...........................................     5
Statement of Senator Klobuchar...................................     5

                               Witnesses

Jessica Rich, Deputy Director, Bureau of Consumer Protection, 
  Federal Trade Commission.......................................     7
    Prepared statement...........................................     8
Timothy Sparapani, Director, Public Policy, Facebook.............    13
    Prepared statement...........................................    14
Michael D. Hintze, Associate General Counsel, Microsoft 
  Corporation....................................................    19
    Prepared statement...........................................    21
Kathryn C. Montgomery, Ph.D., Professor, School of Communication, 
  American University............................................    33
    Prepared statement...........................................    34
Marc Rotenberg, Executive Director, EPIC and Adjunct Professor, 
  Georgetown University Law Center...............................    40
    Prepared statement...........................................    42
Berin Szoka, Senior Fellow and Director, Center for Internet 
  Freedom, The Progress & Freedom Foundation.....................    47
    Prepared statement...........................................    49

                                Appendix

Response to written questions submitted by Hon. Mark Pryor to:
    Jessica Rich.................................................    99
    Timothy Sparapani............................................   102
    Michael D. Hintze............................................   104
    Kathryn C. Montgomery........................................   108
    Berin Szoka..................................................   112


    AN EXAMINATION OF CHILDREN'S PRIVACY: NEW TECHNOLOGIES AND THE 
                CHILDREN'S ONLINE PRIVACY PROTECTION ACT

                              ----------                              


                        THURSDAY, APRIL 29, 2010

                               U.S. Senate,
      Subcommittee on Consumer Protection, Product 
                             Safety, and Insurance,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:07 a.m. in 
room SR-253, Russell Senate Office Building, Hon. Mark Pryor, 
Chairman of the Subcommittee, presiding.

             OPENING STATEMENT OF HON. MARK PRYOR, 
                   U.S. SENATOR FROM ARKANSAS

    Senator Pryor. I'll go ahead and call our hearing to order 
this morning.
    I want to welcome our witnesses, thank all of you all for 
being here.
    This morning, we'll examine children's privacy and how well 
the Children's Online Privacy Protection Act, or COPPA, is 
working.
    The Consumer Protection Subcommittee has jurisdiction over 
the Federal Trade Commission, which enforces this statute. The 
FTC is currently engaged in reexamining the implementation and 
effectiveness of COPPA. Protecting our children's online 
privacy and safety is a critical issue whose importance cannot 
be overstated. Online abuses, such as harassment, threats, and 
cyberbullying should never be tolerated.
    Today's discussion could not come at a more pivotal time, 
as technology developments and innovations, while greatly 
beneficial in many respects, contribute to the complexity of 
today's online space.
    I'm concerned about our kids' online safety, for a number 
of reasons:
    First, we know that, while some companies are making great 
strides to protect young people from predators and online 
dangers, the disclosure of personal information by young people 
is prevalent. Researchers are still unpacking the implications 
of this disclosure.
    Second, recent reports have suggested that location-based 
advertising is tied to social networking. It also appears that 
certain technologies, such as GPS tracking capabilities, could 
track children, without their knowledge. As more kids have 
access to phones, and as tracking devices and mobile 
technologies increase in sophistication, greater understanding 
of how children could be impacted is essential.
    Third, we know that our young children are using the 
Internet now more than ever before, and we know that they 
represent a large portion of total online activity. And, 
according to one report, in the last 5 years, we have seen the 
time spent online by kids ages 2 to 11--ages 2 to 11--increase 
by 63 percent. Children of that age make up almost 10 percent 
of online users.
    I'm interested in all the witnesses' thoughts regarding the 
appropriateness of the statute's age limits, what constitutes 
children's personal information, how parental consent is best 
achieved, and how operators maintain the confidentiality and 
security of the information that they do collect, when 
authorized, about children.
    I know that this FTC is considering both how to better 
prevent the authorized collection or the use of children's 
information, and how to educate parents and teachers about the 
importance of encouraging children to protect themselves 
online.
    And I look forward to hearing from all of our witnesses, 
especially FTC, on what they're doing. And I also want to thank 
all of our witnesses for being here today.
    Not all members of the business community were willing to 
present their views. Specifically, we had asked Apple and 
Google to come, but they declined. I think that's unfortunate, 
because they are major players in this area. And we're going to 
have a long and in-depth conversation that starts today, but 
this is going to go on into the future, and I think it's 
unfortunate that Apple and Google chose not to participate in 
this discussion.
    So, with that, I'd like to turn it over to my Ranking 
Member, Senator Wicker.

              STATEMENT OF HON. ROGER F. WICKER, 
                 U.S. SENATOR FROM MISSISSIPPI

    Senator Wicker. Thank you, Mr. Chairman, for holding this 
important hearing to examine the Children's Online Privacy 
Protection Act, COPPA, and its application in today's ever-
changing technological world.
    We, as the Subcommittee responsible for consumer 
protection, are mindful that protecting our children is 
essential, and I applaud you, Mr. Chairman, for your commitment 
toward this goal.
    The Internet provides the opportunity to share information 
for both adults and children. This has led to our current 
revolution in the availability of information to almost anyone 
who has access to a computer.
    A flood of information, however, brings new challenges. One 
such challenge has been how to ensure the privacy of 
information for children when they use the Internet.
    COPPA was created to address the privacy concerns that 
arise with Internet users under the age of 13. This law has 
worked for many years to maintain the security of children's 
personal information when it is collected online. It also 
ensures that parents know what tools and resources are 
available to help them be more aware of, and have some control 
over, what their children are doing online.
    I commend the FTC for its continued efforts to enhance 
parents' involvement in children's online activities. I 
particularly want to highlight the consumer education efforts 
at the FTC. Making consumers and businesses aware of their 
rights and responsibilities is one of the most effective ways 
to ensure that the law achieves its goals.
    One of the best examples of this is the FTC's NetCetera 
guide, which teaches adults how to explain to children the 
risks that can be associated with online conduct. However, even 
with these efforts, there are still many challenges parents 
face in protecting their children's information online, and it 
is important that the law be equipped to meet those challenges 
as they develop.
    Keeping pace with technological changes is a difficulty 
that many industries face. It seems that, almost every day, a 
new service, a new application, or a new product is unveiled 
that is a little faster, a little better, and a little more 
complicated than we were using yesterday. This presents new and 
unique challenges in efforts to make sure that technologies are 
safe for consumers.
    I've been a parent for many years, and it is important to 
me to keep my children safe. I'm also a new grandparent, and 
I'm amazed to think about the opportunities that my 5-week-old 
granddaughter will have. Her generation will be able to access 
information and learn so much more than those of us in this 
room ever imagined. A significant portion of those 
opportunities will be available through online technology and 
innovations occurring today, tomorrow, and years into the 
future. These rapid and continued technological changes, 
however, can make it difficult to consider regulations for the 
Internet.
    Our first priority is to ensure safety, but we must also 
take care not to stifle innovation and business development 
that drives our economy and makes possible so many of the 
opportunities available to our children.
    There have been many suggestions about ways to improve 
COPPA and help it meet Congress's goals in today's world. 
However, there have also been many concerns expressed about the 
effect that these changes could have, not only on innovation, 
but also on the very goals that COPPA strives to achieve. I 
think it's important for us to take time to consider these 
conflicting concerns and better understand their ramifications 
in both children's online privacy and children's online 
experience.
    Thank you, Mr. Chairman.
    Senator Pryor. Thank you.
    Senator Rockefeller?

           STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
                U.S. SENATOR FROM WEST VIRGINIA

    The Chairman. Thank you, Mr. Chairman.
    And you've already pointed out the 60 million children who 
are availing themselves of these technologies, these days. And 
I listened to the good Senator from Mississippi, and I 
understand the need to encourage innovation. But, every time 
it's a choice between protecting children or protecting privacy 
and protecting innovation, we always seem to go with 
innovation, and we never go with privacy. So, that's what COPPA 
is all about.
    And I'm shocked--I'm absolutely shocked that children from 
2 to the age of 13--which is totally irrelevant, really; I 
mean, it ought to be ``children''--``children are children up 
until 25,'' or something like that, aren't they? I mean, 
they're just----
    [Laughter.]
    The Chairman. It's ridiculous. So, they get YouTube, 
Google, Facebook, and then two somewhat less decent terms that 
no parent would want their child searching for on the web. And, 
of course, that's the point.
    So, accessing these websites, whether they're well known or 
popular or outright illegal, have enormous privacy 
considerations. And this is not an innovation meeting; this is 
a privacy meeting. We do that in this committee; we protect 
people. And particularly, we protect children, because they are 
the most vulnerable of all.
    So, a lot of these companies are collecting personal 
information, and that's a benign term, until it becomes very 
unbenign and people are giving up all kinds of information 
that--they have no idea.
    So, we passed COPPA, as has been indicated. And the idea 
was to keep personal information private. But, then the whole 
world has changed since that happened, technologically. The 
entire world has changed. And so, the FTC began an important 
effort to review its rules. It actually probably should have 
done so--started somewhat earlier; and I want to talk about 
that, but at least they're doing it. And I really think that 
Congress has to take a very hard look at whether COPPA should 
be updated, if FTC isn't going to do it, to cover new kinds of 
information, new businesses.
    And I look forward to working with Senator Pryor. And I 
want to echo what he said. I appreciate the fact that Microsoft 
and Facebook are here. I also do not appreciate the fact that 
Apple and Google are not here. And I'm curious as to why 
they're not. Was it too expensive to send an associate or legal 
counsel? Was it a financial matter; they couldn't get the 
people here because they couldn't afford the plane tickets? 
Were they trying to avoid something? Were they trying to hide 
something? When people don't show up when we ask--I have this 
power of the subpoena, which I would absolutely love to use. I 
have not, to this point. But, what it all does, it increases 
our interest in what they're doing and why they didn't show up. 
So, they made a stupid mistake by not showing up today, and I 
say, ``Shame on them.''
    So, this is an introductory hearing. We're starting an 
important public discussion; all of us here, tremendously 
interested in this. And, you know, children's safety comes 
first, always.
    And so, we begin. And, as the Chairman has said, this is 
going to be the first of a number of hearings. Children are to 
be taken seriously. They're not. They're part of an age that 
we're not part of in technology, and it's dangerous for them. 
There are all kinds of horrible things that they can see; 
parents don't know about it. They don't know about it, they 
don't know what the rules are. And so, we have 
responsibilities.
    I thank the Chair.
    [The prepared statement of Senator Rockefeller follows:]

          Prepared Statement of Hon. John D. Rockefeller IV, 
                    U.S. Senator from West Virginia

    Thank you, Senator Pryor, for your outstanding work as Chairman of 
the Subcommittee on Consumer Protection.
    According to a recent study, children ages 2 through 11 make up 9.5 
percent of online users. That's nearly 16 million children, and the 
number is rapidly growing.
    A decade ago, going online meant accessing the Internet on a 
computer in your home. Today, it also includes iPhones, portable games, 
and interactive TVs. As powerful and exciting as these new developments 
are, a changing world brings new risks.
    For instance, a recent survey found that the top five Internet 
searches by children under 13 were for the terms: ``YouTube,'' 
``Google,'' ``Facebook,'' and two somewhat less decent terms that no 
parent would want their young child searching for on the web.
    Accessing these websites, whether they are well-known and popular 
or outright illegal, have enormous privacy implications that I fear 
parents are unaware of, and I know children do not understand.
    Many companies are collecting personal information and monetizing 
it. This commercial practice has a particular impact on our children.
    We have a responsibility to understand this rapidly changing 
digital landscape and to give parents the tools they need to protect 
their children's privacy.
    In 1988, we passed the Children's Online Privacy Protection Act, or 
``COPPA'', requiring websites to get parents' consent before collecting 
or using any personal information from children.
    Since then, the way children use the Internet has changed 
dramatically. Some online technologies that are nearly ubiquitous today 
did not even exist a few years ago.
    So in January, the FTC began an important effort to review its 
rules. But with such rapid change, I firmly believe Congress also must 
take a hard look at whether COPPA should be updated to cover new kinds 
of information and new businesses. I look forward to working with 
Senator Pryor in this examination.
    I very much want to thank Microsoft and Facebook for testifying. I 
have to say that I am disappointed Apple and Google have declined to 
participate today. These two companies are at the forefront of 
technological developments in the online world.
    With this introductory hearing, we are starting an important public 
discussion with direct implications on children's privacy. Apple and 
Google's refusal to take part does not speak well of their commitment 
to working with Congress on this issue going forward.
    I want to close by noting that children's privacy is strongly 
connected to children's safety, and I believe in my core that all 
children deserve special protections. Always. Period.
    It's important not to conflate the two issues, but privacy and 
safety most certainly overlap.
    To parents, nothing is more important than protecting our children. 
Nothing. I am enormously alarmed by the rise in criminal behavior 
targeting children online, from ``cyber-bullying'' to adult predators.
    These frightening trends are directly connected to the fact that 
our children's sensitive, personal information is being increasingly 
exposed to the public.
    I look forward to continuing this important discussion and working 
together--Congress, the FTC, and online stakeholders--to make sure 
nothing comes before the safety and security of our children.

    Senator Pryor. Thank you, Mr. Chairman.
    And I would note for the record that Chairman Rockefeller 
has a long and distinguished and successful career in 
protecting children.
    Senator Klobuchar.

               STATEMENT OF HON. AMY KLOBUCHAR, 
                  U.S. SENATOR FROM MINNESOTA

    Senator Klobuchar. Thank you very much, Mr. Chairman.
    And thank you, also, Senator Rockefeller, for all the work 
you've done in this area.
    It's remarkable, as my colleagues have noted, how quickly 
technology has changed over the last few years. The old joke--I 
still remember this--people would say, ``Well, if you want to 
program your VCR, ask your kid.'' But, now VCRs are a thing of 
the past. New technologies, devices, programs, and applications 
have completely changed the way we work and the way we 
communicate. From GPS and GeoLocation on Smartphones, to the 
ubiquity of text-messaging and Twitter, to posting our photos 
on social networking sites, the world is quickly changing.
    And no group adapts to new technology quicker than young 
people. And as was noted by my colleagues, nearly 16 million 
kids aged 2 through 11 are active online, and they make up, I 
think, 9.5 percent of online users. And these numbers are 
growing as more and more young people are logging on. The 
average young child spends more than 11 hours a month on the 
Internet, a 63-percent increase over 5 years ago. And this is 
one of the more sad facts. One survey found that the top five 
Internet searches for children under 13 are YouTube, Google, 
Facebook, sex, and porn.
    Clearly, the online world has changed dramatically. I think 
if you look back when these COPPA rules were adopted, 10 years 
ago, that wouldn't have been the case; you probably could have 
hardly even checked what kids were checking, and they probably 
weren't checking into any of these things. And so, it is very 
important that we examine this rule to ensure that it keeps up 
with the technology.
    I've just heard a lot of stories in our state, working with 
Senator Thune on the peer-to-peer legislation that we have, of 
changing technology that while it's so great in so many ways 
for innovation, has also severely hurt people's privacy rights. 
And when it comes to kids, we reach a whole new level.
    So, I'm looking forward to working with my colleagues to 
work on this rule and make changes that are in the best 
interest of everyone.
    Thank you very much.
    Senator Pryor. Thank you, Senator Klobuchar.
    And I would like to say that, for all of our witnesses--we 
have a very distinguished panel today, and that we could spend 
a lot of time introducing them and going through all their 
experiences and their degrees and all their backgrounds. And 
it's a very impressive group. But, that is all part of the 
record.
    And so, what I'm going to do is, I'm just going to go down 
the line, introduce each one, and ask each one to make a 5-
minute opening statement. And what I'd like for you all to do 
is just pay attention to the lights there in front of you, and 
when 5 minutes is over, we would love for you to, you know, 
wrap it up.
    First, I would like to introduce Jessica Rich; she's the 
Deputy Director of the Bureau of Consumer Protection at the 
Federal Trade Commission. Second is Timothy Sparapani, Director 
of Public Policy at Facebook. Next is Mike Hintze; he's the 
Associate General Counsel at Microsoft. Next is Kathryn 
Montgomery, Ph.D.; she's Professor of School of Communications 
at American University. Next is Marc Rotenberg; he's Executive 
Director of Electronic Privacy Information Center. And last, 
and certainly not least, at the children's table, here----
    [Laughter.]
    Senator Pryor.--we have--and I'm sorry that our table is 
only so long this morning--but, anyway, we have Berin Szoka; 
he's Senior Fellow, Director of the Center for Internet Freedom 
at The Progress & Freedom Foundation.
    So, thank all of you all for being here.
    And, Ms. Rich, if you could lead us off.

STATEMENT OF JESSICA RICH, DEPUTY DIRECTOR, BUREAU OF CONSUMER 
              PROTECTION, FEDERAL TRADE COMMISSION

    Ms. Rich. Mr. Chairman and members of the Committee, I'm 
Jessica Rich, Deputy Director of the Bureau of Consumer 
Protection at the Federal Trade Commission. I appreciate this 
opportunity to update you regarding the FTC's work to protect 
children's privacy and enforce the Children's Online Privacy 
Protection Act, or COPPA.
    We have submitted a written statement today which 
represents the views of the FTC. The views expressed orally, 
and my responses to questions, are my own and do not 
necessarily reflect the views of the Commission or any 
commissioner.
    The Federal Trade Commission is deeply committed to helping 
to create a safer, more secure online experience for children. 
The Commission's rule implementing COPPA became effective 10 
years ago. The statute and rule apply to operators of websites 
and online services directed to children under age 13 and to 
other website operators that have actual knowledge that they 
are collecting information from children.
    Covered website operators must provide notice of their 
information collection practices and, with limited exception, 
obtain verifiable parental consent prior to the collection, 
use, or disclosure of personal information from children. 
Operators also must give parents the opportunity to review and 
delete personal information that their children have provided.
    The Commission has taken a multipronged approach to rule 
compliance that includes enforcement, education, and 
implementation of the statutory mandated COPPA safe harbor 
program. On the enforcement side, the Commission has brought 14 
law enforcement actions alleging COPPA violations. The FTC's 
early COPPA cases focused on children's sites that collected 
extensive amounts of personal information without providing 
notice to parents and obtaining their consent.
    More recent enforcement actions have focused on operators 
of both general audience and child-directed social networking 
sites, and sites with interactive features that permit children 
to divulge their personal information online.
    A crucial complement to our law enforcement efforts is 
educating businesses about their responsibilities under the 
law. The FTC has published comprehensive compliance materials, 
which are available on our website. We also devote significant 
resources to answering individual requests from companies about 
rule compliance, and to conducting outreach to industry groups. 
Our goal in these efforts is to prevent COPPA violations before 
they occur.
    The Commission's consumer education materials aim to inform 
parents and children about the protections afforded by the 
rule, so they know what to expect and what to look for as they 
navigate online. These materials are available through the 
Commission's online safety portal, OnGuardOnline.gov. 
OnGuardOnline provides practical and plain-language information 
about COPPA and other privacy and safety topics, in a variety 
of formats, including articles, games, quizzes, and videos.
    Our most recent addition is the NetCetera guide, which 
Senator Wicker was kind enough to mention at the beginning.
    In light of significant changes to the online environment, 
including the explosive growth of social networking, mobile web 
technologies, and interactive gaming, the Commission recently 
initiated a review of the rule.
    On March 24 of this year, the Commission launched a public 
comment period aimed at gathering input on a wide range of 
issues, including whether the rule's definition of ``Internet'' 
adequately covers certain types of mobile communications and 
interactive media, whether the rule's definition of ``personal 
information'' has kept pace with technological developments--
that is, whether certain information that isn't named and 
listed in the rule, such as static IP address, could allow a 
website to contact a child; the effectiveness of mechanisms 
used to--and another topic is the effectiveness of mechanisms 
used authenticate parents who provide consent or seek access to 
their children's information.
    The comment period for these questions closes on June 30. 
On June 2, the Commission will host a public roundtable, here 
in Washington, to hear from stakeholders, including children's 
privacy advocates, website operators, businesses, academics, 
educators, parents, anyone who would like to come, on these 
important issues.
    The Commission takes seriously the challenge to ensure that 
COPPA continues to meet its originally stated goal, even as 
children's interactive media use moves from standalone PCs to 
other devices.
    Thank you, and I look forward to your questions.
    [The prepared statement of Ms. Rich follows:]

         Prepared Statement of Jessica Rich, Deputy Director, 
        Bureau of Consumer Protection, Federal Trade Commission

I. Introduction
    Chairman Pryor, Ranking Member Wicker, and members of the 
Subcommittee, my name is Jessica Rich, and I am the Deputy Director of 
the Bureau of Consumer Protection at the Federal Trade Commission 
(``Commission'').\1\ I appreciate the opportunity to appear before you 
today to discuss the Commission's implementation of the Children's 
Online Privacy Protection Act of 1998 (``COPPA'').\2\
---------------------------------------------------------------------------
    \1\ While the views expressed in this statement represent the views 
of the Commission, my oral presentation and responses to questions are 
my own and do not necessarily reflect the views of the Commission or 
any individual Commissioner.
    \2\See Children's Online Privacy Protection Act of 1998, 15 U.S.C. 
 6501-6508 (2009). The Commission's implementing regulations (the 
``COPPA Rule'') are found at 16 C.F.R. Part 312 (2009).
---------------------------------------------------------------------------
    The Federal Trade Commission is deeply committed to helping to 
create a safer, more secure, online experience for children. As such, 
the agency has actively engaged in law enforcement, consumer and 
business education, and rulemaking initiatives to ensure that knowledge 
of, and adherence to, COPPA is widespread. In the past 10 years, the 
Commission has brought fourteen law enforcement actions alleging COPPA 
violations and has collected more than $3.2 million in civil penalties. 
In addition, in light of significant changes to the online environment, 
including the explosion of social networking and the proliferation of 
mobile web technologies and interactive gaming, and the possibility of 
interactive television, the Commission has recently initiated an 
accelerated review of COPPA's effectiveness.
    This testimony first provides a brief legislative and regulatory 
overview of COPPA. It next summarizes the Commission's efforts to 
enforce COPPA and to educate businesses and consumers about the law. 
Finally, it discusses the Commission's current initiative to review its 
COPPA Rule in order to determine whether the Rule should be modified to 
address changes in technology that may affect children's privacy.
II. A Brief COPPA Overview
A. The Legislation
    Congress enacted COPPA in 1998 to address the unique privacy and 
safety risks created when young children--those under 13 years of age--
access the Internet. COPPA's legislative history reveals several 
critical goals: (1) to enhance parental involvement in children's 
online activities in order to protect children's privacy; (2) to 
protect children's safety when they visit and post information on 
public chat rooms and message boards; (3) to maintain the security of 
children's personal information collected online; and (4) to limit the 
collection of personal information from children without parental 
consent.\3\
---------------------------------------------------------------------------
    \3\ See 144 Cong. Rec. S12741 (Oct. 7, 1998) (statement of Sen. 
Bryan).
---------------------------------------------------------------------------
    COPPA applies to operators of websites and online services directed 
to children under age 13, and to other website operators that have 
actual knowledge that they are collecting personal information \4\ from 
such children (collectively, ``operators''). The statute generally 
mandates that operators covered by the Act provide notice of their 
information collection practices and, with only limited exceptions, 
obtain verifiable parental consent prior to the collection, use, or 
disclosure of personal information from children. Operators also must 
give parents the opportunity to review and delete personal information 
their children have provided. Operators are required to establish and 
maintain reasonable procedures to protect the security of personal 
information collected from children, and must not condition children's 
participation in website activities on the disclosure of more personal 
information than is reasonably necessary.\5\
---------------------------------------------------------------------------
    \4\ COPPA defines personal information as individually identifiable 
information about an individual collected online, including: a first 
and last name; a home or other physical address including street name 
and a name of a city or town; an e-mail address; a telephone number; a 
Social Security number; any other identifier that the Commission 
determines permits the physical or online contacting of a specific 
individual; or information concerning the child or the parents of that 
child that the website collects online from the child and combines with 
an identifier described in this paragraph. 15 U.S.C.  6501(8).
    \5\ 15 U.S.C.  6503(b)(1).
---------------------------------------------------------------------------
    COPPA contains a safe harbor provision enabling industry groups or 
others to submit to the Commission for approval self-regulatory 
guidelines to implement the statute's protections.\6\ The statute 
provides that operators who fully comply with an approved safe harbor 
program will be ``deemed to be in compliance'' with the Commission's 
COPPA Rule for purposes of enforcement.\7\
---------------------------------------------------------------------------
    \6\ 15 U.S.C.  6504. Since the Commission's COPPA Rule took effect 
on April 21, 2000, four groups have received Commission approval of 
their safe harbor programs: the Children's Advertising Review Unit of 
the National Advertising Division of the Council of Better Business 
Bureaus (``CARU''), the Entertainment Software Rating Board (``ESRB''), 
TRUSTe, and Privo, Inc. For information on the Commission's COPPA safe 
harbor process, see http://www.ftc.gov/privacy/privacyinitiatives/
childrens_shp.html.
    \7\ 15 U.S.C.  6504(b)(2).
---------------------------------------------------------------------------
B. The Commission's COPPA Rule
    COPPA mandated that the Commission promulgate and enforce 
regulations to implement the Act. The Commission published for public 
comment a proposed Rule in April 1999, and in November 1999 published 
its final Rule, which went into effect on April 21, 2000.\8\
---------------------------------------------------------------------------
    \8\ 16 C.F.R.  312 (2009).
---------------------------------------------------------------------------
    The Rule closely follows the statutory language, requiring 
operators to provide notice of their information practices to parents 
and, with limited exceptions, to obtain ``verifiable parental consent'' 
prior to collecting, using, or disclosing personal information from 
children under the age of 13. Verifiable parental consent, as set forth 
in the Rule, means that operators must use a consent method that is 
reasonably calculated, in light of available technology, to ensure that 
the person providing consent is the child's parent.\9\ The COPPA Rule 
sets forth a sliding scale approach to obtaining verifiable parental 
consent based upon the risks posed by the intended uses of the child's 
information.\10\ Under this approach, operators who keep children's 
information internal, and do not disclose it publicly or to third 
parties, may obtain parental consent by methods such as sending an e-
mail to the parent and then following up to confirm consent.\11\ By 
contrast, operators who disclose children's personal information to 
others must use a more reliable method of parental consent--either one 
of the methods outlined by the Commission, or an equivalent method 
designed to ensure that the operator is connecting with the child's 
parent.\12\
---------------------------------------------------------------------------
    \9\ 16 C.F.R.  312.5(b)(1).
    \10\ 16 C.F.R.  312.5(b)(2).
    \11\ The sliding scale mechanism, which initially was designed to 
expire in April 2002, was subsequently extended by the Commission. In 
2006, the Commission announced that it would extend the sliding scale 
approach indefinitely. See 71 Fed. Reg. 13247 (Mar. 15, 2006), 
available at www.ftc.gov/os/2006/03/P054505COPPARuleRetention.pdf.
    \12\ Such methods include, but are not limited to: using a print-
and-send form that can be faxed or mailed back to the operator; 
requiring a parent to use a credit card in connection with a 
transaction; having a parent call a toll-free telephone number staffed 
by trained personnel; using a digital certificate that uses public key 
technology; and using e-mail accompanied by a PIN or password obtained 
through one of the above methods. 16 C.F.R.  312.5(b)(2).
---------------------------------------------------------------------------
    COPPA authorizes the Commission to enforce the Rule in the same 
manner as it does rules promulgated under Section 18(a)(1)(B) of the 
Federal Trade Commission Act prohibiting unfair or deceptive acts or 
practices.\13\ This permits the Commission to obtain civil penalties 
against operators who violate the Rule. COPPA further authorizes state 
attorneys general to enforce compliance with the Rule by filing actions 
in Federal court with written notice to the Commission.\14\
---------------------------------------------------------------------------
    \13\ 15 U.S.C.  6503(c), 6506(a), (d); 15 U.S.C.  57a(a)(1)(B) 
(2009).
    \14\ 15 U.S.C.  6505. To date, only the state of Texas has filed 
law enforcement actions under the COPPA statute. See News Release, 
Office of Texas Attorney General Abbott Takes Action Against Web Sites 
That Illegally Collect Personal Information from Minors: Millions of 
Children Registered With The Popular Sites; Texas first state to take 
action under COPPA (Dec. 5, 2007), http://www.oag.state.tx.us/oagNews/
release.php?id=2288.
---------------------------------------------------------------------------
III. The Commission's COPPA Enforcement and Education Efforts
A. Enforcing COPPA
    In the 10-years since the Rule's enactment, the Commission has 
brought fourteen (14) COPPA enforcement actions that cut to the core of 
COPPA's goals--ensuring that parents are informed and have the right to 
say ``no'' before their young children divulge their personal 
information. These rights are especially important when, with the mere 
click of a mouse or the touch of a screen, a child's personal 
information can be viewed by anyone. Together, the Commission's actions 
have garnered more than $3.2 million in civil penalties.\15\
---------------------------------------------------------------------------
    \15\ News releases detailing each of the Commission's COPPA cases 
are available at www.ftc.gov/privacy/privacyinitiatives/
childrens_enf.html.
---------------------------------------------------------------------------
    In 2006, as social networking exploded onto the youth scene, the 
Commission redoubled its efforts to enforce COPPA. That year, the 
Commission obtained an order against Xanga.com, a then-popular social 
blogging site alleged to have knowingly collected personal information 
from, and created blog pages for, 1.7 million underage users--without 
obtaining their parents' permission. The Xanga.com settlement included 
a $1 million civil penalty.\16\
---------------------------------------------------------------------------
    \16\United States v. Xanga.com, Inc., No. 06-CIV-6853(SHS) 
(S.D.N.Y.) (final order Sept. 11, 2006).
---------------------------------------------------------------------------
    In 2008, the Commission obtained orders against two other operators 
of social networking sites. In January of that year, operators of the 
child-directed social networking site, Imbee.com, paid $130,000 to 
settle charges that they allegedly violated COPPA by collecting and 
maintaining personal information from over 10,500 children without 
first obtaining parental consent.\17\ Later that year, Sony BMG Music 
Entertainment paid a $1 million civil penalty to resolve allegations 
that the company knowingly and improperly collected a broad range of 
personal information from at least 30,000 underage children who 
registered on 196 of its general audience music fan sites.\18\
---------------------------------------------------------------------------
    \17\ United States v. Industrious Kid, Inc., No. 08-CV-0639 (N.D. 
Cal.) (filed Jan. 29, 2008).
    \18\ United States v. Sony BMG Music Entm't, No. 08-CV-10730 
(S.D.N.Y.) (final order Dec. 15, 2008).
---------------------------------------------------------------------------
    Most recently, the Commission charged Iconix Brand Group, Inc., the 
owner and marketer of several apparel brands popular with children and 
teens, with collecting and storing personal information from 
approximately 1,000 children without first notifying their parents or 
obtaining parental consent. The Commission's complaint further alleged 
that on one of its brand websites, Iconix enabled girls to share 
personal stories and photos publicly online. Iconix agreed to pay a 
$250,000 civil penalty to settle the Commission's charges.\19\
---------------------------------------------------------------------------
    \19\ United States v. Iconix Brand Group, Inc., No. 09-CV-8864 
(S.D.N.Y.) (final order Nov. 5, 2009).
---------------------------------------------------------------------------
B. Consumer and Business Education
    Although law enforcement is a critical part of the Commission's 
COPPA program, enforcement alone cannot accomplish all of the agency's 
goals in administering COPPA and the Rule. A crucial complement to the 
Commission's formal law enforcement efforts, therefore, is educating 
consumers and businesses about their rights and responsibilities under 
the law. By promoting business and consumer education, the Commission 
seeks to help the greater online community create a culture that 
protects children's privacy and security.
    The Commission's business outreach goals focus broadly on shaping 
prospective practices. The agency devotes significant resources to 
assisting website operators with Rule compliance, regularly updating 
business education materials and responding to inquiries from operators 
and their counsel.\20\
---------------------------------------------------------------------------
    \20\ To facilitate COPPA compliance, the Commission maintains a 
comprehensive children's privacy area on its website where businesses 
can find useful publications, including How to Comply with the 
Children's Online Privacy Protection Rule; You, Your Privacy Policy and 
COPPA; and How to Protect Kids' Privacy Online, as well as answers to 
Frequently Asked Questions (or ``FAQs''). See http://www.ftc.gov/
privacy/privacyinitiatives/childrens.html. Periodically, the Commission 
issues guidance on specific topics, like the Rule's requirements for 
the content of online privacy notices, and the COPPA ``actual 
knowledge'' standard for operators of general audience websites. In 
addition, the agency maintains a COPPA Hotline, where staff members 
offer fact-specific guidance in response to questions from website 
operators.
---------------------------------------------------------------------------
    The Commission's consumer education materials aim to inform parents 
and children about the protections afforded by the Rule and also 
provide them with general online privacy and safety information. The 
Commission's consumer online safety portal, OnGuardOnline.gov, provides 
practical and plain language information in a variety of formats--
including articles, games, quizzes, and videos--to help computer users 
guard against Internet fraud, secure their computers, and protect their 
personal information.\21\ The Commission's booklet, Net Cetera: 
Chatting With Kids About Being Online, is a recent addition to 
OnGuardOnline.gov. This guide gives practical tips on how parents, 
teachers, and other trusted adults can help children reduce the risks 
of inappropriate conduct, contact, and content that come with living 
life online. Net Cetera focuses on the importance of communicating with 
children about issues ranging from cyberbullying to sexting, social 
networking, mobile phone use, and online privacy.\22\ The Commission 
has partnered with schools, community groups, and local law enforcement 
to publicize Net Cetera, and has distributed more than 2.5 million 
copies of the guide since it was introduced in October 2009.
---------------------------------------------------------------------------
    \21\ The OnGuardOnline.gov website is the central component of the 
OnGuardOnline consumer education campaign, a partnership of the Federal 
Government and the technology community. Currently, 13 Federal agencies 
and a large number of safety organizations are partners on the website, 
contributing content and helping to promote and disseminate consistent 
messages.
    \22\ See OnGuardOnline, ``Net Cetera: Chatting With Kids About 
Being Online,'' available at http://www.onguardonline.gov/pdf/
tec04.pdf.
---------------------------------------------------------------------------
IV. The Current Regulatory Review
    In 2005, the Commission commenced a statutorily required review of 
its experience in enforcing COPPA.\23\ Specifically, Congress directed 
the Commission to evaluate: (1) operators' practices as they relate to 
the collection, use, and disclosure of children's information, (2) 
children's ability to obtain access to the online information of their 
choice; and (3) the availability of websites directed to children. At 
the same time, the Commission sought public comment on the costs and 
benefits of the Rule, including whether any modifications to the Rule 
were needed in light of changes in technology or in the marketplace.
---------------------------------------------------------------------------
    \23\ See 15 U.S.C.  6506(1).
---------------------------------------------------------------------------
    After completing that review, in 2007 the Commission reported to 
Congress that, in keeping with the legislative intent, the Rule: (1) 
played a role in improving operators' information collection practices 
and providing children with greater online protections than in the era 
prior to its implementation; (2) provided parents with a set of 
effective tools for becoming involved in and overseeing their 
children's interactions online; and (3) did not overly burden 
operators' abilities to provide interactive online content for 
children. Accordingly, the Commission concluded that there was a 
continuing need for those protections, and that the Rule should be 
retained without change.\24\ At that time, the Commission also 
acknowledged that children's growing embrace of mobile Internet 
technology and interactive general audience sites, including social 
networking sites, without the concomitant development of suitable age-
verification technologies, presented challenges for COPPA compliance 
and enforcement.\25\
---------------------------------------------------------------------------
    \24\ See Fed. Trade Comm'n, Implementing the Children's Online 
Privacy Protection Act: A Report to Congress (2007), available at 
http://www.ftc.gov/reports/coppa/07COPPA_Report
_to_Congress.pdf.
    \25\ See id. at 28-29.
---------------------------------------------------------------------------
    Although the Commission generally reviews its rules approximately 
every 10 years, the continued rapid-fire pace of technological change, 
including an explosion in children's use of mobile devices and 
participation in interactive gaming, and the possibility of interactive 
television, led the agency to accelerate its COPPA review by 5 years, 
to this year.\26\ Accordingly, on March 24, 2010, the Commission 
announced the start of a public comment period aimed at gathering input 
on a wide range of issues relating to the COPPA Rule, including:
---------------------------------------------------------------------------
    \26\ The Commission recently concluded a series of privacy 
roundtables exploring the challenges posed by the array of new 
technologies that collect and use consumer data. The Commission also 
sought public comment on these issues and currently is examining the 
comments and information developed at the roundtables. In addition, the 
Commission expects that information gathered during the course of the 
COPPA Rule review will help inform this broader privacy initiative. See 
Exploring Privacy: A Roundtable Series, http://www.ftc.gov/bcp/
workshops/privacyroundtables/index.shtml.

   The implications for COPPA enforcement raised by mobile 
        communications, interactive television, interactive gaming, and 
        other similar interactive media and whether the Rule's 
        definition of ``Internet'' adequately encompasses these 
---------------------------------------------------------------------------
        technologies;

   Whether operators have the ability, using persistent IP 
        addresses, mobile geolocation data, or information collected 
        from children online in connection with behavioral advertising, 
        to contact specific individuals, and whether the Rule's 
        definition of ``personal information'' should be expanded 
        accordingly;

   How the use of centralized authentication methods (such as 
        OpenId) will affect individual websites' COPPA compliance 
        efforts; \27\
---------------------------------------------------------------------------
    \27\ Centralized authentication methods offer a means for users to 
log on to different services using one digital identity. Services such 
as OpenId replace the common login process on individual websites with 
a single authenticated identification to gain access to multiple 
software systems. As a result, children who obtain an OpenId 
authentication might be able to gain back-door access to websites that 
otherwise would have provided them with COPPA protections or prevented 
their entry.

   Whether there are additional technological methods to obtain 
        verifiable parental consent that should be added to the COPPA 
        Rule, and whether any of the methods currently included should 
---------------------------------------------------------------------------
        be removed; and

   Whether parents are exercising their rights under the Rule 
        to review or delete personal information collected from their 
        children, and what challenges operators face in authenticating 
        parents.\28\
---------------------------------------------------------------------------
    \28\ See Request for Public Comment on the Federal Trade 
Commission's Implementation of the Children's Online Privacy Protection 
Rule, 75 Fed. Reg. 17089-93 (Apr. 5, 2010); see also News Release, Fed. 
Trade Comm'n, ``FTC Seeks Comment on Children's Online Privacy 
Protections; Questions Whether Changes to Technology Warrant Changes to 
Agency Rule'' (Mar. 24, 2010), http://www.ftc.gov/opa/2010/03/
coppa.shtm.

    The period for comment on these questions will close on June 30, 
2010. On June 2, before the comment period closes, the Commission will 
host a public roundtable at its Washington, DC Conference Center to 
hear from stakeholders--children's privacy advocates, website 
operators, businesses, academics, and educators and parents--on these 
important issues.\29\
---------------------------------------------------------------------------
    \29\ See News Release, Fed. Trade Comm'n, ``Protecting Kids' 
Privacy Online: Reviewing the COPPA Rule'' (Apr. 19, 2010), http://
www.ftc.gov/opa/2010/04/coppa.shtm.
---------------------------------------------------------------------------
V. Conclusion
    The Commission takes seriously the challenge to ensure that COPPA 
continues to meet its originally stated goals, even as children's 
interactive media use moves from stand-alone PCs, to handheld devices, 
and potentially beyond.
    Thank you for this opportunity to discuss the Commission's COPPA 
program. I look forward to your questions.

    Senator Pryor. Thank you.
    Mr. Sparapani?

           STATEMENT OF TIMOTHY SPARAPANI, DIRECTOR, 
                    PUBLIC POLICY, FACEBOOK

    Mr. Sparapani. Chairman Pryor and Rockefeller, Ranking 
Member Wicker, and other Subcommittee members, thank you for 
your leadership and for inviting me to share Facebook's 
perspective on child safety, and how Facebook's innovations 
promote a safer online environment for teens.
    From our inception, Facebook sought to provide a safer 
environment for all its users than was generally available on 
the Web. Facebook is not directed at children less than 13 
years of age residing in the U.S., and does not knowingly 
collect information from any children under 13 in the U.S. 
Nevertheless, we take seriously our responsibilities to protect 
children under 13 and enhance teen users' online safety.
    Accordingly, Facebook was built with COPPA's requirements 
in mind. Our commitment to keeping children off the site starts 
by requiring those trying to establish an account to enter 
their age on the very first screen. This birth date field 
prohibits children under 13 from establishing an account. This 
age-gate technology places a persistent cookie on the device 
used to attempt to establish an underage account, preventing 
the user from attempting to modify their birth date. When 
Facebook becomes aware of accounts established by children 
under 13, we terminate those accounts and delete all 
information.
    We emphasize two points today. First, Facebook's real-name 
culture and innovative technologies and policies enhance online 
safety and privacy for teens. And, two, Congress should not 
overhaul COPPA, but, rather, support and encourage, not 
discourage or prohibit, companies' innovations to advance child 
and teen online safety, security, and privacy.
    Facebook's approach to providing online safety leadership 
begins with the recognition that no existing system today can 
verify age of users online. As a result, Facebook developed an 
innovative, multilayer system to act as technological proxies 
for age verification. These layers are enhanced by Facebook's 
real-name culture, which helps us identify fake accounts.
    Before Facebook, Internet users were warned to avoid 
sharing their real names and information online. Facebook was 
the first major Internet site that required people to build 
their profiles and networks using real names. This made 
Facebook less attractive to predators and other bad actors, who 
prefer not to use their real names and identities. People are 
also less likely to engage in negative, dangerous, or criminal 
behavior when their friends can see their name, their speech, 
and their information that they're sharing. This real-name 
culture, therefore, creates accountability and deters bad 
behavior.
    Since Facebook users understand that their actions are 
recorded digitally, when users violate our site rules or the 
law, we can pinpoint corrective action to the specific account 
involved.
    Our real-name culture also empowers users to become 
community police and report violations. Facebook's users click 
our report button, found throughout the service, when they see 
inappropriate behavior. This substantially multiplies the 
number of people reviewing content and behavior, which we think 
greatly enhances teen safety.
    Further, Facebook's innovative privacy tools allow users to 
exercise direct control and share what they want with whom they 
want and when they want. This empowers users of all ages to 
protect themselves online. If a user feels uncomfortable 
connecting with a particular person, she may decline that 
friend request. If a user feels that a friend is annoying, 
harassing, or dangerous, she may block or de-friend that 
person, which terminates the user's connection and prevents 
further contact.
    Further, Facebook's proprietary technologies allow us to 
continuously improve online safety and combat emerging online 
threats. Although we do not generally discuss these matters 
publicly, for fear that they may be circumvented or 
compromised, these technologies allow Facebook to perform 
ongoing authentication checks. We look for behavior that does 
not fit the patterns created by the aggregate data from our 400 
million users. Let me tell you that suspicious behavior does 
stand out, which initiates a Facebook inquiry and immediate 
remedial actions.
    Facebook employs additional age-gating technologies to 
limit the contact and sharing between minors and adults; thus, 
reducing the opportunities for adults to pose as minors.
    Additionally, while those over 18 on Facebook can share 
information with everyone, Facebook automatically limits minor 
sharing to a much smaller subset of users, such as the minor's 
friends, friends of friends, and those in their verified 
networks, typically in their schools. This substantially 
reduces the visibility of minors to nonminors whom they do not 
know.
    Further, Facebook recognizes the importance of 
collaborating with others to innovate in this area. We're proud 
of our relationships with child and safety security experts and 
with law enforcement. We are particularly proud of our 
relationships with the attorneys general.
    In conclusion, although Facebook is not a service that is 
directed at children under 13, we've built our service, 
policies, and tools with COPPA in mind. Our experience tells us 
that Congress need not amend COPPA, at this time. In fact, any 
amendments might undo many of our innovative privacy and safety 
tools. Congress can, however, assist companies like us in 
advancing online child and teen safety by eliminating 
disincentives for child safety innovation. Congress should 
ensure regulators are not discouraging technological and policy 
safety advances when reviewing privacy and security policies 
and technologies at companies, like ours, that are trying to do 
the right thing.
    Thank you.
    [The prepared statement of Mr. Sparapani follows:]

          Prepared Statement of Timothy Sparapani, Director, 
                        Public Policy, Facebook

    Thank you Chairman Pryor, Ranking Member Wicker and Subcommittee 
Members. My name is Tim Sparapani and I am Director, Public Policy for 
Facebook. Thank you for inviting me to testify today concerning 
Facebook's perspective on online child safety. We are pleased to 
discuss some of our innovations that lead to a safer online 
environment. We believe these innovations--some of which are obvious to 
users and others that are not--are a key to providing a positive online 
experience.
    Facebook started in 2004 as a social networking site for college 
and university students and from inception, Facebook sought to provide 
a safer environment for all its users than was generally available on 
the web. Although Facebook is not directed to young children--you must 
be 13 years of age or older to join Facebook--the Company takes special 
steps to insure that users under 18 have a safer experience.\1\
---------------------------------------------------------------------------
    \1\ Facebook is not directed at children less than 13 years of age 
residing in the United States and does not knowingly collect 
information from any children under 13 in the United States. 
Nevertheless we recognize and take seriously our responsibilities as a 
corporation to protect children and enhance the online safety of 
children 13 years of age and older who are our users. Accordingly, 
Facebook was built with the requirements of the Child Online Privacy 
Protection Act (COPPA) in mind. When Facebook becomes aware of accounts 
established by children under the age of 13 we terminate those accounts 
and delete all the information uploaded by that account.
---------------------------------------------------------------------------
    Facebook has been involved with many online safety initiatives 
around the world, such as the U.S. State Attorneys General Internet 
Technical Task Force, the UK Home Office Task Force on Child Safety, 
the EU Safer Internet initiative, the Australia Attorney General's 
Online Safety Working Group and others. Today, I would like to discuss 
the important ways that Facebook innovation helps promote a safer 
online environment. We also encourage Congress to encourage, not 
discourage or prohibit, companies' innovation in policies and 
technologies to promote child online safety, security and privacy. We 
believe that our innovations in teen online safety, security and 
privacy advance the cause of online safety for children.
Summary of Key Points and Request for Congressional Action
    We wish to emphasize four points today and enlist Congress' 
assistance to advance child online safety.

   Facebook's real name culture and innovative technologies and 
        policies enhance online safety and privacy for teens.

   Facebook expends extensive effort on key teen safety issues 
        that further reduce teen risks.

   Facebook collaborates with experts, law enforcement, and 
        government agencies to develop a safer Internet.

   Congress has a role to play to support and encourage, not 
        discourage or prohibit companies' innovations to advance child 
        and teen online safety, security and privacy.

    We request, therefore, that Congress not overhaul COPPA, but 
instead provide legislative and regulatory incentives to companies to 
innovate on child safety and privacy technologies, and prevent 
regulators from foreclosing innovation and experimentation in this 
area.
    Our testimony lays out in brief a number of the key innovations 
employed by Facebook to promote safety for teens and others online.
Facebook Innovation 1: A Real Name Culture Promotes Online Safety
    Facebook's approach to providing online safety leadership begins 
with the recognition that there is no existing system today that can 
verify the age of a child online. As a result, Facebook developed and 
implemented an innovative, multi-layer system to act as technological 
proxies for age. These layers are discussed in greater detail below and 
are enhanced by Facebook's innovation of using a ``real name'' culture, 
which allows us to better filter out fake accounts and identify 
inappropriate contact.
    Before Facebook, the common wisdom was that Internet users should 
avoid using their real names and sharing information online. Facebook 
was the first major web service that required people to build their 
profiles and networks using real names, and provided them with privacy 
tools to enable them to decide who could access that information. This 
important policy and technical architecture decision not only allowed 
Facebook users to become more connected, but also made the site safer. 
A culture of authentic identity made Facebook less attractive to 
predators and other bad actors who generally do not like to use their 
real names or e-mail addresses.
    Facebook's real name culture also attracts users who are more 
likely to adhere to our Statement of Rights and Responsibilities (SRR, 
or what other companies call Terms of Service) and keep their behavior 
consistent with the standards of their communities. People are less 
likely to engage in negative, dangerous or criminal behavior online 
when their friends can see their name, their speech and the information 
they share. The real name culture creates accountability and deters bad 
behavior since Facebook users understand that their actions on our 
service create a record of their behavior. When users actions violate 
our SRR or the law, we can pinpoint corrective action--usually account 
termination and/or referral to law enforcement in potential criminal 
matters--to the specific account involved. Similarly Facebook is often 
able to detect fakes because of the types of connections made by a fake 
user account. And, of course, it's difficult to connect to friends 
using a fake account, since they are more likely to reject friend 
requests from people they do not know. Facebook also routinely blocks 
the registration of accounts under common fake names.
    Our real name culture also empowers users to become ``community 
policemen,'' and report those whose behavior violates Facebook's SRR. 
Facebook's users regularly use our report button, found throughout the 
service. This substantially multiplies the number of people reviewing 
content and behavior on Facebook and greatly enhances safety of teens 
on Facebook. At the same time, user actions often appear in the 
newsfeeds of his or her friends. If a friend learns of inappropriate 
behavior, he or she can intervene with a user to determine whether 
something is wrong.

Facebook Innovation 2: User Control on Facebook Enhances Privacy and 
        Safety
    Since its inception, Facebook has built innovative privacy tools 
for users to exercise direct control and share what they want, with 
whom they want, and when they want. This user control model supplements 
the protections designed into our service and empowers our users of all 
ages to protect themselves online.
    Perhaps more importantly for this hearing, Facebook's user control 
model also allows users to determine whom they are connected with on 
Facebook. Facebook users must accept a request from another user to be 
connected--Facebook never makes that choice. If a user feels 
uncomfortable connecting with a particular person, she may decline that 
friend request. Further, if a user begins to feel that a friend on 
Facebook is annoying, spamming, harassing, and/or dangerous, she may 
de-friend that person at any time. This action of de-friending 
terminates the connection between the users and prevents further 
contact.\2\ A user may also ``block'' another user in order to prevent 
any contact between the two. And, any user may at any time use our 
ubiquitous report button to draw Facebook's attention to inappropriate 
behavior.
---------------------------------------------------------------------------
    \2\ It should be noted that the de-friending and blocking occurs 
without notification, so the connection is simply, elegantly, 
electronically severed without drawing attention to the ending of the 
connection.
---------------------------------------------------------------------------
    Facebook takes its commitment to innovating to advance user privacy 
seriously. When new users sign up, they are introduced to our privacy 
help center, which explains how they may set a privacy setting for each 
piece of content the user shares. In December 2009, we introduced an 
unprecedented privacy dialog, which required every Facebook user, 
worldwide, to stop and consider their privacy settings before they 
could use the service further. As a result of that process, an 
additional one-third of our users customized their privacy settings.

Facebook Innovation 3: Hidden Security Systems and Safety Tools Advance 
        Facebook Users Online Safety
    Facebook's safety innovations extend to the development and use of 
proprietary technologies that allow us to continuously improve online 
safety and combat emerging online threats. Although we do not generally 
discuss these publicly for fear that they maybe compromised or 
circumvented, these technologies allow Facebook to perform ongoing 
authentication checks, including technical and community verifications 
of users' accounts. We look for anomalous behavior in the aggregate 
data produced by our 400 million users. For example, if an adult sends 
an unusual number of friend requests to unrelated minors which are 
ignored or rejected, our systems could be triggered, sending up a red 
flag and initiating a Facebook inquiry and remedial actions.
Facebook Innovation 4: Facebook Employs Age Gates to Limit Sharing and 
        Connections Between Minors and Adults
    As stated earlier, Facebook is neither directed at children less 
than 13 years of age nor does Facebook knowingly collect information of 
those under 13. Our privacy policy is explicit in this regard:

        If you are under age 13, please do not attempt to register for 
        Facebook or provide any personal information about yourself to 
        us. If we learn that we have collected personal information 
        from a child under age 13, we will delete that information as 
        quickly as possible. If you believe that we might have any 
        information from a child under age 13, please contact us 
        through this help page.

    Accordingly, Facebook is not required to comply with many of 
COPPA's requirements. However, Facebook actively removes accounts once 
discovered, of anyone it learns is under 13. It also employs a number 
of age gating technologies to limit the contact, sharing and 
connections between minors and adults. Facebook limits minors' access 
to the service by requiring those entering Facebook.com to type in 
their age on the very first screen.\3\ This birth date field prohibits 
children under the age of 13 from establishing an account. The age gate 
technology places a persistent cookie on the device used to establish 
an account, preventing the user from attempting to modify their birth 
date.
---------------------------------------------------------------------------
    \3\ The Subcommittee should note that many other leading online 
companies and social networks never even attempt to collect users' date 
of birth, and, therefore, never even attempt to block minors from using 
their sites and services.
---------------------------------------------------------------------------
    Facebook further employs a separate set of age restrictions to 
further limit contact between minors and adults. These restrictions are 
intended to limit opportunities for adults to pose as minors. Facebook 
engages in what we call social verification to ask minors that are new 
to our service to consider the source of a new friend request. Along 
with the friend request we may interpose a question to the minor prior 
to the minor being able to confirm that they wish to accept that 
request. Typical representative questions asked of the minor: (i) Is 
this someone whom you know from your school?; or (ii) Is this someone 
whom you or your parents know from your community? We also limit the 
number of friend requests that anyone can send in a set period of time 
to further reduce unwanted contacts between unrelated users.
    Additional limitations further limit the sharing of data between 
minors and adults on Facebook. While those over 18 on Facebook can 
share information with everyone, Facebook automatically restricts users 
under 18 from doing so. Facebook automatically limits their sharing to 
a much smaller subset of users, such as the minor's friends, friends of 
those friends, and their verified networks, generally associated with 
their schools. This limitation substantially reduces the visibility of 
minors to non-minors whom they do not know.

Face Book Innovation 5: Facebook Engages in Extensive Additional Safety 
        Efforts to Combat Specific Threats to Teens Online
    Facebook innovations also combat specific threats to teens on our 
service and the company cooperates closely with law enforcement on 
these issues, upon receipt of appropriate legal process.
Suicide and Self-Harm
    Facebook regularly delivers information to each user's networks of 
friends. As a result, Facebook stands in a special position to help 
reduce teen suicides and other forms of self-harm. Users who witness 
changes in their friends' behavior, reflected in their Facebook 
postings, can intervene to prevent friends from harming themselves. The 
promotion of self-harm, including eating disorders, cutting, etc., is a 
violation of Facebook's Statement of Rights and Responsibilities, and 
we encourage users to report this information. Our dedicated team of 
User Operations analysts reviews these reports and removes content such 
as photos, groups, and events. When we receive a report of someone who 
has posted suicidal content on Facebook, we alert the National Suicide 
Prevention Lifeline and encourage the user to contact his or her local 
authorities/law enforcement immediately. We've also posted an FAQ to 
the privacy and safety page in our Help Center with information and 
links to suicide help resources. Facebook saves lives on a regular 
basis by helping to prevent this kind of behavior. Our real name 
culture helps people identify those who are truly in need and respond 
in real time to a cry for help.

Cyberbullying and Harassment of Teens Online
    Facebook has led efforts around the world to help combat 
cyberbullying. In the U.S., Facebook was a founding member of the Stop 
Cyberbullying Coalition. Our robust reporting infrastructure leverages 
Facebook's 400 million users to monitor and report offensive or 
potentially dangerous content. This infrastructure includes, systems to 
prioritize the most serious reports, and a trained team of reviewers 
who respond to reports and escalate them to law enforcement as needed. 
The team treats reports of harassing messages as a priority, reviewing 
and acting on most within 24 hours. We also prioritize serious reports 
submitted through the contact forms in our Safety Center. With 
assistance from our outside experts on our Safety Advisory Board we 
have produced new materials on our Safety Center that specifically 
address how to prevent or respond to cyberbullying. We have also 
partnered with other organizations like MTV on their ``A Thin Line'' 
campaign to educate young people about the dangers of digital abuse; 
with the BBC on their ``bullyproof'' campaign, and regularly invite 
experts, such as the National Crime Prevention Council to address 
cyberbullying on the Facebook Blog, which reaches over 8 million 
people.

Missing Children and Runaways
    Facebook has also been successful in helping to locate missing 
teens. Law enforcement has generously praised Facebook for prioritizing 
law enforcement requests for IP location information that might help 
locate a missing child, which we provide on receipt of appropriate 
legal process. In just 1 week last February, we helped authorities in 
Fairfax, Virginia and Menlo Park, California find and return two 
missing kids. Last July, we received a request for IP data and basic 
user information for a minor who had gone missing. Over the course of 
the next week, we worked closely with law enforcement over e-mail and 
by telephone. Ultimately, the minor was found using the exact IP data 
we had provided. Similarly, a Facebook user went missing in Canada, and 
a demand for ransom was made. The Royal Canadian Mounted Police 
contacted us, and we followed our procedure for imminent threats. When 
a message was sent to a friend from the missing person's account, we 
provided the necessary data, enabling the RCMP to locate and return the 
person to safety.
    Preface: only a tiny fraction of a single percent of users will 
ever encounter the following two kinds of behaviors on Facebook. We 
focus on these areas because we take any threat to our users' safety 
very seriously.

Registered Sex Offenders Attempting to Establish Accounts
    Although it is not required to do so by law, Facebook prohibits 
access to Facebook by Registered Sex Offenders (RSOs). Facebook employs 
an outside contractor--at our own expense--to collect a list of RSOs 
from all of the states periodically throughout each year. Every state 
and locality keeps their list of RSOs in a different file format with 
different information and different character fonts. etc. We 
periodically compare that compilation of names to our user list; we do 
not wait for law enforcement to request that we do so. Our internal 
team of investigation professionals evaluates any potential matches 
more fully. If we find that someone on a sex offender registry is a 
likely match to a user on Facebook, we notify law enforcement and 
disable the account. On occasion, law enforcement has asked us to leave 
the accounts active so that they may investigate the user further.
    We have worked proactively to establish a publicly available 
national database of registered sex offenders that enables real-time 
checks and includes important information like e-mail addresses and IM 
handles.

Child Pornography
    Facebook takes substantial steps to stop any trafficking of child 
sexual exploitation materials, commonly referred to as child 
pornography. We use automated tools to automatically prohibit any 
sharing of known links (i.e., URLs) containing these materials so that 
these links cannot be distributed across our service. Facebook has a 
highly trained team dedicated to responding to the rare occasions when 
child pornography is detected on the service. That team sends incident 
reports to the National Center for Missing and Exploited Children 
(NCMEC) and the U.S. Department of Justice for potential prosecution. 
When we encounter what we believe are new offending URLs, we deploy a 
new technology we have developed that enables us to pull down any URL 
shared throughout our service even though it has been distributed.

Facebook Innovation 6: Facebook Has Made a Commitment to Collaborate on 
        the Advancement of Safety Online
    Although Facebook has important responsibilities in advancing 
safety online, Facebook recognized the importance of collaborating with 
others to innovate in this area. Facebook has developed deep, ongoing 
relationships with child safety and security experts. In December, 
Facebook formalized these relationships by creating a Safety Advisory 
Board of outside experts who advise us, and, on occasion, our users 
about how to keep teens safe online. Facebook also continues to work 
closely with law enforcement agencies around the country, and around 
the world. We are particularly proud of our work with the States' 
Attorneys General. In 2008, Facebook actively participated in the 
Internet Safety Technical Task Force at the behest of the Attorneys 
General to examine these issues. In April, we launched our new Safety 
Center to provide our users, parents and educators with updated 
educational materials and information about how to utilize our 
innovative privacy and security tools to enhance online safety.

Conclusion: Facebook Will Continue to Innovate but Congress must Help
    Although we are not a service that is directed at children less 
than 13 years of age, we have built our service, policies, and tools 
with COPPA in mind. Our experience tells us that Congress need not 
amend COPPA at this time. In fact, any amendments might undo many of 
our innovative privacy and safety tools. Congress can, however, assist 
Facebook and companies like us in advancing online child and teen 
safety by providing incentives, not disincentives, for child safety 
innovation online. If COPPA is amended, Congress could consider 
permitting companies to explore innovative approaches to obtaining 
parental consent online. Congress should ensure regulators are not 
discouraging technological and policy innovation in this area when 
reviewing privacy and security policies of companies that are trying to 
do the right thing.
    We thank this subcommittee for its leadership and call on Congress 
to take these actions to enhance child online safety. Thank you for 
your consideration.

    Senator Pryor. Thank you.
    Mr. Hintze?

  STATEMENT OF MICHAEL D. HINTZE, ASSOCIATE GENERAL COUNSEL, 
                     MICROSOFT CORPORATION

    Mr. Hintze. Chairman Rockefeller, Chairman Pryor, Ranking 
Member Wicker, thank you for the opportunity to share 
Microsoft's views on the Children's Online Privacy Protection 
Act.
    Microsoft has a deep and long-standing commitment to 
protecting the privacy of consumers, including children, who 
use our software and services. I want to begin by discussing 
Microsoft's comprehensive approach to protecting children's 
privacy online. I will then identify those areas where COPPA 
has made progress over the last decade, and highlight a couple 
of key challenges that remain.
    This hearing is timely. Ten years ago, this month, the 
Federal Trade Commission's COPPA rule took effect. COPPA's 
stated goal is to preserve the interactivity of children's 
experience on the Internet, while protecting their privacy. 
That goal remains essential today. Research has found that 
children gain important educational and social benefits, such 
as increased opportunities for learning and creativity, by 
engaging in interactive activities online. And children are 
realizing these benefits as they increasingly use new 
technologies to access the Internet, including mobile phones, 
videogame consoles, and portable media players. But, as we all 
recognize, these interactive technologies often enable 
consumers to disclose personal information online, and children 
may not fully understand the terms or the tradeoffs involved.
    COPPA was designed to address this issue. Microsoft fully 
supports COPPA's objectives of enhancing parental involvement 
and protecting children's privacy.
    While children's use of the Internet has evolved over the 
last decade, these objectives remain just as, if not more, 
important today. Privacy failures can have a real impact on 
children's safety.
    Therefore, Microsoft takes a number of steps to help 
protect children's privacy and safety through our own products 
and services, educational initiatives, and partnerships.
    First, Microsoft requires parental consent and offers 
parental controls for a number of our products and services, 
including Xbox, Hotmail, and our Instant Messenger Service. For 
example, our Windows Live Family Safety tool enables parents to 
limit their children's searches, block or allow websites based 
on the type of content, restrict with whom the child can 
communicate, and access detailed activity reports that show the 
websites their children visited, and the games and applications 
they used.
    Second, Microsoft engages in educational efforts around the 
world to help parents and caregivers make informed decisions 
about children's Internet use.
    Third, Microsoft partners with government officials, 
industry members, law enforcement agencies, and child 
advocates, to address children's privacy and safety issues.
    The attachment to my written testimony provides more 
details on these initiatives.
    Now I'd like to spend a few minutes talking about COPPA.
    In the past decade, COPPA has made important progress in 
raising awareness of children's privacy issues. For example, 
many website operators now limit the amounts and types of 
information they collect from children, and provide parents and 
children with educational resources to foster conversations 
about online privacy and safety. Also, by encouraging website 
operators to be more transparent about their privacy practices, 
and encouraging them to implement parental consent mechanisms, 
COPPA has enabled parents to take a more active and informed 
role in deciding how their children can take advantage of the 
Internet's many benefits.
    We believe COPPA provides a flexible notice-and-consent 
framework that can accommodate children's evolving use of new 
technologies. Therefore, we do not believe that a legislative 
amendment is necessary at this time. Rather, the statute 
enables the FTC to update its rule. And we appreciate the FTC's 
efforts to review its implementation of COPPA in light of new 
business models and new technologies.
    I'd like to highlight two aspects of the FTC's rule that we 
urge the Commission to consider as part of its review.
    First, the Commission should provide clear guidance on how 
companies can better meet, not only the letter, but the spirit 
of the law. Microsoft goes beyond the letter of the law by 
proactively requesting age information and seeking parental 
consent for children's use of many of its services, even when 
those services are not specifically targeted to children. We 
take this approach to encourage parental involvement in 
children's online activities, and enable children to 
participate in, and benefit from, interactive activities 
online. Other companies take different approaches. We encourage 
the Commission to use its COPPA rule-review process as an 
opportunity to help website operators and online services 
understand how they can honor the spirit of COPPA, especially 
in light of new technologies.
    Second, we urge the Commission to work with technology 
companies and consumer advocates to develop more consumer-
friendly, effective, and scalable methods for obtaining 
parental consent. The FTC has explicitly approved five parental 
consent methods for the disclosure of children's information 
online. However, these methods can be cumbersome for parents, 
do not scale for widely used services, and rely on children's 
self-reporting of age. These issues become more pronounced as 
children increasingly access services through mobile devices, 
where providing notice and obtaining parental consent raise 
additional challenges.
    Microsoft recognizes that the task of improving the 
parental consent process is not easy, and there's no silver-
bullet solution. The FTC's ongoing COPPA rule review provides a 
good opportunity for productive dialogue on alternative 
parental consent methods. We are committed to working, both in 
the short and long term, with Congress, the Commission, and 
other stakeholders to address privacy challenges raised by new 
technologies.
    Thank you for the opportunity to testify today.
    [The prepared statement of Mr. Hintze follows:]

  Prepared Statement of Michael D. Hintze, Associate General Counsel, 
                         Microsoft Corporation

    Chairman Pryor, Ranking Member Wicker, and honorable members of the 
Subcommittee, thank you for the opportunity to share Microsoft's views 
on children's privacy issues raised by new technologies and the 
Children's Online Privacy Protection Act (COPPA). Microsoft has a deep 
and long-standing commitment to protecting the privacy of consumers, 
including children, who use our software and services. We appreciate 
your initiative in holding this hearing today.
    This hearing is timely. Ten years ago this month the Federal Trade 
Commission's COPPA Rule took effect. At the time, COPPA's stated goal 
was to preserve ``the interactivity of children's experience on the 
Internet.'' \1\ That goal remains essential today. Research has found 
that children gain important educational and social benefits, such as 
increased opportunities for learning and creativity, by engaging in 
interactive activities online.\2\ And children are realizing these 
benefits as they increasingly use new technologies to access the 
Internet, including mobile phones, video game consoles, and portable 
media players.\3\
---------------------------------------------------------------------------
    \1\ 144 Cong. Rec. S12787 (1998) (statement of Sen. Bryan); see 
also 64 Fed. Reg. 59888, 59889 (1999) (``In drafting this final rule, 
the Commission has taken very seriously the concerns expressed about 
maintaining children's access to the Internet.'').
    \2\ See, e.g., Carly Shuler, Joan Ganz Cooney Center at Sesame 
Workshop, Pockets of Potential: Using Mobile Technologies To Promote 
Children's Learning 13-14, App. A, B (2009), http://
www.joanganzcooneycenter.org/pdf/pocketsofpotential.pdf; National 
School Boards Association, Creating & Connecting: Research and 
Guidelines on Online Social--and Educational--Networking 1 (July 2007), 
http://www.nsba.org/SecondaryMenu/TLN/CreatingandConnecting
.aspx.
    \3\ According to the Henry J. Kaiser Family Foundation, children 8- 
to 10-years old spend about 30 minutes each day browsing websites, 
posting to social networking sites, and sending instant messages and e-
mails to friends and family. This number more than doubles for older 
children. See Henry J. Kaiser Family Foundation, Generation 
M2: Media in the Lives of 8- to 18-year-olds 20 (2010), 
http://www.kff.org/entmedia/upload/8010.pdf.
---------------------------------------------------------------------------
    But, as we all recognize, these interactive technologies often 
enable consumers to disclose personal information online, and children 
may not fully understand the terms or the trade-offs involved. COPPA 
was designed to address this issue. Microsoft fully supports COPPA's 
objectives of enhancing ``parental involvement in a child's 
activities'' and protecting ``children's privacy by limiting the 
collection, [use, and disclosure] of personal information from children 
without parental consent.'' \4\ While children's use of the Internet 
has evolved over the last decade, these objectives remain just as--if 
not more--important today. Privacy failures can have a real impact on 
children's safety. Therefore, Microsoft has developed strong privacy 
practices regarding how children's personal information is collected, 
used, and disclosed online.
---------------------------------------------------------------------------
    \4\ 144 Cong. Rec. S12787 (1998) (statement of Sen. Bryan).
---------------------------------------------------------------------------
    Today, I want to begin by discussing Microsoft's comprehensive 
approach to protecting children's privacy online. I then will identify 
those areas where the COPPA Rule has made progress over the last decade 
and highlight a couple of key challenges that remain. My testimony 
concludes by describing promising identity management and privacy 
enhancing tools that can help address these challenges.
Microsoft's Comprehensive Approach to Addressing Children's Privacy
    Microsoft takes a number of steps to help protect children's 
privacy and safety through our own products and services, educational 
initiatives, and partnerships.
    First, Microsoft requires parental consent and offers parental 
controls for a number of our products and services. For example, our 
Xbox Live, Spaces, Messenger, and Hotmail services request age 
information in a neutral manner during the registration process. If a 
child indicates he or she is under the age of 13, we seek and obtain 
parental consent before the child is permitted to participate in 
interactive activities offered by these services.
    In addition, our parental controls for Windows 7, Windows Live, 
Xbox 360, Zune, and other services help parents make granular choices 
about how their children may share personal information online. For 
example, our Windows Live Family Safety tool enables parents to limit 
their children's searches; block (or allow) websites based on the type 
of content; restrict whom their children can communicate with in 
Windows Live Spaces, Messenger, or Hotmail; and access detailed 
activity reports that show the websites their children visited and the 
games and applications they used.\5\ Importantly, we have designed our 
family safety settings such that the settings can roam across different 
types of devices through which children may access these online 
services.
---------------------------------------------------------------------------
    \5\ See Attachment. Because we believe that consumers should be 
notified that they are being monitored to prevent abuse, children are 
provided on-screen notice where these tools provide parents with 
monitoring capabilities and these capabilities are engaged.
---------------------------------------------------------------------------
    Second, Microsoft engages in educational efforts around the world 
to encourage parents and caregivers to talk to their children about 
online privacy and to assist them in making informed decisions about 
their children's Internet use. For example, Microsoft provides parents 
with a number of educational resources to help them preserve their 
children's privacy and protect their children from inappropriate 
content, conduct, and contact online.\6\ And Microsoft works to raise 
awareness of children's privacy and safety issues by sponsoring 
roundtables with local and regional policymakers, academics, the media, 
and other thought leaders.
---------------------------------------------------------------------------
    \6\ See, e.g., http://www.microsoft.com/protect/family.
---------------------------------------------------------------------------
    Third, Microsoft partners with government officials, industry 
members, law enforcement agencies, and child advocates to address 
children's privacy and safety issues. For example, we support 
GetNetWise.org, which offers parents and children resources for making 
informed decisions about Internet use. We also are an active 
participant in the National Cyber Security Alliance and its online 
website Stay Safe Online, which encourages children and parents to 
discuss topics such as disclosing personal information through Internet 
chat rooms, e-mail, and websites. In addition, Microsoft works closely 
with the International Center for Missing and Exploited Children, 
Interpol, the National Center for Missing and Exploited Children, and 
many other organizations on child protection issues.\7\
---------------------------------------------------------------------------
    \7\ See, e.g., http://www.microsoft.com/protect/community.aspx; 
Microsoft Corp., PhotoDNA: Putting Microsoft Technology To Work 
Ensuring a Childhood for Every Child (2009), http://
www.microsoftphotodna.com/.
---------------------------------------------------------------------------
The COPPA Rule 10 Years Later
    In the past 10 years, the FTC's COPPA Rule has made important 
progress in raising awareness of children's online privacy issues. For 
example, many website operators now limit the amounts and types of 
personal information they collect from children online and provide 
parents and children with educational resources to foster conversations 
about online privacy and safety. Also, by encouraging website operators 
to be more transparent about the types of personal information that 
they collect from children online and about the use and disclosure of 
this information, the COPPA Rule has enabled parents to take a more 
active and informed role in deciding how their children can take 
advantage of the Internet's many benefits.
    We appreciate the FTC's efforts to review its implementation of 
COPPA in light of changes in technology, and Microsoft looks forward to 
participating in this process. While we recognize that changes to the 
COPPA Rule may be warranted, we do not believe that a legislative 
amendment is necessary at this time. COPPA provides a flexible notice 
and consent framework for the collection, use and disclosure of 
children's personal information, and we believe the statute enables the 
FTC to update its Rule as technologies and children's use of new 
technologies evolve over time.
    Today, I want to highlight two key aspects of the FTC's Rule that 
we believe the Commission should consider as it reviews its Rule in 
light of new technologies.
    First, we hope that the Commission will provide clear guidance on 
how companies can better meet not only the letter, but also the spirit, 
of the law in light of changing technologies and the evolving ways in 
which children are consuming online services. As expected, website 
operators and online services have adopted different approaches to 
complying with the COPPA Rule.\8\ For example, Microsoft proactively 
requests age information and seeks parental consent for children's use 
of many of its services even when those services are not specifically 
targeted to children. We take this approach in order to encourage 
parental involvement in children's online activities and enable 
children to participate in and benefit from interactive activities 
online. Other companies take different approaches. While flexibility in 
implementing the requirements of COPPA is desirable given the diverse 
array of websites and online services available, new technologies 
challenge COPPA's goal of promoting opportunities for discussions 
between parents and children about the disclosure of personal 
information online. We encourage the Commission to use its COPPA Rule 
review process as an opportunity to help website operators and online 
services understand how they can honor the spirit of COPPA, especially 
in light of new technologies.
---------------------------------------------------------------------------
    \8\ Microsoft supports, for example, the FTC's approach of treating 
operators of general audience sites differently from operators whose 
sites are directed to children.
---------------------------------------------------------------------------
    Second, we urge the Commission to work with technology companies 
and consumer advocates to develop more consumer-friendly, effective, 
and scalable methods for obtaining parental consent. The COPPA Rule 
generally requires that website operators and online services obtain 
verifiable parental consent before knowingly collecting, using, or 
disclosing children's personal information online.\9\ The FTC has 
appropriately adopted a ``sliding scale'' approach to parental consent. 
However, the FTC has only explicitly approved five parental consent 
methods for the disclosure of a child's personal information online: 
(1) providing a form for the parent to print, sign, and mail or fax 
back to the company; (2) requiring the parent to use a credit card in 
connection with a transaction; (3) maintaining a toll-free telephone 
number staffed by trained personnel for parents to call; (4) obtaining 
a digital certificate using public key technology; and (5) requiring an 
e-mail accompanied by a PIN or password obtained through one of the 
first four verification methods. These methods can be cumbersome for 
parents, do not scale for large organizations, and rely on children's 
self-reporting rather than an online age verification system.\10\ These 
issues become more pronounced as children increasingly access online 
services through mobile devices, where providing notice and obtaining 
parental consent raises additional challenges.
---------------------------------------------------------------------------
    \9\ 16 C.F.R.  312.5.
    \10\ Children in the upper age range covered by COPPA may be 
sophisticated enough to provide false age information in order to 
access online sites and services that screen for age.
---------------------------------------------------------------------------
    For this reason, Microsoft recommends that the Commission expand 
its list of approved parental consent methods to include other reliable 
approaches that minimize burdens on parents, leverage existing 
technologies, and scale for millions of users. In addition, as more 
online services are made available on mobile phones and other mobile 
devices, the Commission should consider the types of parental consent 
mechanisms appropriate for these devices.
    Microsoft recognizes that the task of improving the parental 
consent process is not easy and that there is no ``silver bullet'' 
solution. But the FTC's ongoing COPPA Rule review provides a good 
opportunity to begin a productive dialogue on how to take advantage of 
existing services and new technologies to develop alternative parental 
consent methods.
    For example, Microsoft and others in the industry have been working 
on new technologies for authentication and identity management 
generally, and these technologies could be used to help streamline and 
make more effective parental consent processes.\11\ Digital identity 
cards are one of these technologies. They could be issued through 
existing offline processes where in-person identity verification of a 
parent-child relationship already occurs. Once a digital identity card 
has been issued, website operators and online service providers could 
obtain parental consent by requesting that parents and children provide 
their digital identity cards before accessing interactive services and 
features.
---------------------------------------------------------------------------
    \11\ See Microsoft Corp., Digital Playgrounds: Creating Safer 
Online Environments for Children (2008), http://download.microsoft.com/
download/2/8/4/284093f4-5058-4a32-bf13-c12e2320cd
73/Digital%20Playground.pdf; Scott Charney, Vice President Trustworthy 
Computing, Microsoft, ``The Evolution of Online Identity,'' 7 IEEE 
Security and Privacy 56-59 (2009).
---------------------------------------------------------------------------
    Microsoft appreciates that these stronger authentication and online 
identity technologies can themselves impact privacy. For this reason, 
we believe that these systems should work in tandem with technologies 
that enable users to limit the personal information they disclose. For 
instance, Microsoft is working on technology that relies on 
cryptographic protocols and tokens to enable parents and children to 
better manage their identities online in a privacy enhancing way. When 
combined with the use of digital identity cards, these technologies 
could allow parents and children to disclose only that information that 
is necessary (such as parental status or age, but not name or other 
personal information) to enable children's access to and use of 
websites and online services.\12\
---------------------------------------------------------------------------
    \12\ Microsoft Corp., Microsoft U-Prove Technology Release: Open 
Standards and Community Technology Preview (2010), http://
www.microsoft.com/mscorp/twc/endtoendtrust/vision/uprove.aspx.
---------------------------------------------------------------------------
    These identity management technologies offer exciting prospects for 
creating a broader range of meaningful parental consent methods 
tailored to the use of children's information online. Microsoft looks 
forward to working in close collaboration with the public sector and 
other industry members to evaluate and implement these technology tools 
as part of a comprehensive approach to protecting children's privacy 
online.

Conclusion
    Thank you for the opportunity to testify today. We take our privacy 
obligations seriously, and we are committed to working in both the 
short and long term with Congress, the Commission and other 
stakeholders to address privacy challenges raised by new technologies.

                               Attachment

Family Safety
Helping to Protect Children in the Online World
    This white paper is for informational purposes only. Microsoft 
Makes No Warranties, Express or Implied, in this 
Document. 2008 Microsoft Corp. All rights 
reserved

Introduction
    For children, the Internet is both a classroom and a virtual 
playground--a place to learn, connect with friends and have fun. But as 
kids explore and interact online, they might encounter content their 
parents would not want them to see, or they might come into contact 
with people who pose a threat to them. Just as there are places and 
activities in the physical world that are unsafe or inappropriate for 
children, there are places and activities online that can pose a risk 
to children's privacy and personal safety.
    In the United States, 71 percent of teens with online access have a 
social networking profile.\1\ Half of all British children aged 12 to 
18 use instant messaging.\2\ Among Australian children who use the 
Internet, 75 percent visit video-sharing websites and 95 percent play 
games online.\3\ In Brazil, 98 percent of children with online access 
download music.\4\ Children don't always apply the common-sense 
personal boundaries and social mores of the offline world to their 
online experiences. In this context, today's parents consider the 
Internet the greatest risk to their children among all types of media, 
according to one study.\5\
---------------------------------------------------------------------------
    \1\ Cox Communications Teen Internet Safety Survey, Wave II--in 
Partnership with the National Center for Missing & Exploited Children 
(NCMEC) and John Walsh, March 2007. http://www.cox.com/TakeCharge/
includes/docs/survey_results_2007.ppt. A social networking profile is a 
user's personal page on a social networking website. Profiles often 
include information about the person, photos, videos, personal blogs 
and contact information.
    \2\ ``A European Research Project: The Appropriation of New Media 
by Youth.'' Mediappro, 2006. http://www.mediappro.org/publications/
finalreport.pdf.
    \3\ ``Norton Online Living Report. Symantec, 2008. http://
www.symantec.com/content/en/us/home_homeoffice/media/pdf/nolr/
080214_aus_norton_online_living_report_nolr-final.pdf.
    \4\ Ibid.
    \5\ Common Sense Media Parents Study, Insight Research Group, May 
19, 2006. http://www.commonsensemedia.org/news/CS-Parent-Study.PPT.
---------------------------------------------------------------------------
    Parents and caregivers are in the best position to make decisions 
about what is appropriate for children and to talk to them about online 
safety. But they need help, particularly through tools and guidance. 
Microsoft has invested significantly in family safety online, 
incorporating family safety features into a broad range of Microsoft 
products and services that are available for consumer use. At the same 
time, we have made extensive efforts--often in collaboration with child 
development experts and non-profit partners--to provide guidance and 
education for teachers, parents and children. We also work with law 
enforcement, industry partners and governments to combat Internet crime 
and to strengthen legislation that protects children from online 
exploitation.
    Making the Internet safer for children aligns with Microsoft's 
overall commitment to increasing trust and safety online and to 
protecting consumer security and privacy. (See sidebar on page 2.) Our 
efforts to promote family safety in the digital world fall into three 
key areas:

   Tools and technology. Microsoft offers family safety 
        settings and parental controls in Windows Vista, Windows 
        LiveTM, Xbox 360, Xbox LIVE, Zune and other 
        products and services. We are also an industry leader in 
        developing interoperable technologies for identity management 
        and tools that independent software vendors can use to extend 
        the safety capabilities of the Windows Vista platform.
    Guidance and education. Microsoft works with governments, 
nonprofits and community organizations to help parents and children 
better understand online risks and how to reduce them. These efforts 
range from informational websites and Internet safety curricula to 
public-information campaigns.
    Law enforcement and public policy. Microsoft works with law 
enforcement agencies and other partners to offer tools and training 
that aid law enforcement efforts to apprehend and prosecute criminals 
who use the Internet to harm children. We also support government 
efforts to craft and enact effective public policies that help protect 
Internet users and penalize online criminals.

Security and Privacy at Microsoft
    Consumer security and safety are a top priority for Microsoft. Six 
years ago, the company launched its Trustworthy Computing Initiative, a 
company-wide top-to-bottom commitment to delivering secure, private and 
reliable computing experiences for everyone. In addition to improved 
software development practices, Trustworthy Computing includes support 
for strong laws addressing criminal online conduct; support for law 
enforcement training, investigations, coordination and prosecutions; 
and guidance for customers on adopting security and privacy best 
practices.
    Our corporate privacy policies--including a set of privacy 
principles released in 2007 related to search and online advertising--
reflect our long-held commitment that consumers should have the ability 
to control the collection, use and disclosure of their personal 
information.\6\ This is nowhere more crucial than in the area of young 
people's Internet use. From social networking sites to e-mail to online 
gaming, responsible user practices and technology safeguards must be 
applied to help keep young Internet users--and their personal 
information--safe.
---------------------------------------------------------------------------
    \6\ Details on Microsoft's privacy policies are available at http:/
/privacy.microsoft.com/.
---------------------------------------------------------------------------
Technology
    When it comes to children's safety online, there is no 
technological silver bullet that can substitute for parental 
involvement, supervision and guidance. But Microsoft is committed to 
developing tools and technologies that can help parents in this 
important task. Family safety tools and features have been built into a 
wide range of Microsoft products and services, including Windows Vista, 
Windows Live, Xbox 360, Xbox LIVE, Zune and MediaroomTM.\7\ 
These include tools that give parents greater control over what their 
children can access and how they can interact via the Web and elsewhere 
online--from Web content filtering and e-mail contact management to 
social networking restrictions.
---------------------------------------------------------------------------
    \7\ More information on these and other family safety technologies 
can be found at www.microsoft.com/protect.
---------------------------------------------------------------------------
Windows Vista
    In all home editions of Windows Vista, Microsoft's next-generation 
client operating system, separate accounts can be created for each 
member of the family.\8\ And using the centralized Parental Controls 
panel, parents can specify when their children can use the computer, 
which websites they can visit and which software applications they can 
use. Parents can also restrict access to PC software games based on 
title, content or rating. They can even view detailed reports about a 
child's computer use to look for potentially inappropriate sites that 
the child might be visiting.
---------------------------------------------------------------------------
    \8\ The Starter, Home Basic, Home Premium and Ultimate editions.
---------------------------------------------------------------------------
    Monitoring children's computer use not only helps parents keep 
track of what their kids are seeing, hearing and doing, but it enables 
them to refine and modify restrictions based on actual feedback and 
offers a basis for informed discussion with their kids about Internet 
use and online habits. The Parental Controls icon in the system tray is 
always visible to let children know that the Parental Controls feature 
is on.
    For Web content filtering, parents can create customized settings 
that block sites by type of content (such as mature content, 
pornography or sex education) or specifically allow only certain sites. 
Parents can also enable a setting that prevents children from 
downloading software.



    To restrict the amount of time kids spend using the computer, 
parents can use a simple point-and-click grid to indicate ``blocked'' 
and ``allowed'' days of the week and hours of the day. As the end of an 
approved time period approaches, the child receives a 15-minute and a 
1-minute notification. If the allotted time ends before the child logs 
off, Windows Vista suspends the session and saves all of the child's 
work.
    From the Windows Vista Parental Controls panel, users can also 
enable safety features--such as content filters--that are built into 
third-party software and services.\9\ Microsoft also offers application 
programming interfaces (APIs) so third-party developers can build to 
the Windows Vista platform.
---------------------------------------------------------------------------
    \9\ Windows Vista Parental Controls are configured to turn 
themselves off to prevent conflicts with third-party family safety 
applications.



Windows Media Center
    Windows Media Center in Windows Vista Home Premium and Ultimate 
editions is a feature that allows you to watch and record live TV on 
your computer. It includes Parental Controls that let parents restrict 
viewing of digital entertainment by industry ratings (including the 
Motion Picture Association of America). Parents can:

   Set a maximum allowed rating for television and movie 
        content (such as PG-13 or TV-14)

   Restrict access to unrated programming

   Block access to programming based on category: fantasy 
        violence, suggestive dialogue, offensive language, sexual 
        content or violence

Windows Live
    Windows Live (http://get.live.com) is a set of free Web services 
and PC applications that help people stay better connected and get the 
most out of their Windows experience. It includes the Windows Live 
Hotmail e-mail client, social networking with Windows Live Spaces, 
instant messaging with Windows Live Messenger and other services.



    A key offering of Windows Live is Windows Live OneCareTM 
Family Safety, a service that seamlessly integrates family safety 
options for Windows Live services. Family Safety offers adjustable 
content filtering, activity reports for each user in the family, and 
contact management features to help prevent children from interacting 
with unknown individuals. Parents can monitor online activity and 
update settings from any Internet-connected computer.
    Family Safety also includes expert guidance for parents on age-
appropriate settings. For certain markets, this guidance is country-
specific. For example, the U.S. version of Family Safety includes 
guidance from the American Academy of Pediatrics; in Germany, the 
guidance is from Deutsches Kinderhilfswerk.
    Family Safety can be used with Windows XP SP2 and later versions of 
the Windows operating system, and it supports Windows Internet 
Explorer 6 and later versions, as well as other browsers. Key elements 
of the service include:

    Contact management. Online contact with strangers is a significant 
concern for parents because of the potential for harassment, 
inappropriate online interaction and contact with predators. Parents 
can specify that their approval be required before their child can 
communicate with a new person using Windows Live services such as 
Windows Live Hotmail and Messenger or before a new person is allowed to 
see the child's social networking page or blog on Spaces. The contact-
management settings apply even when a child logs on to Windows Live 
from a computer outside the home.

   Content filtering. Parents can specify unique filtering 
        settings for each member of the family. These settings allow, 
        block or display a warning for a range of content categories, 
        which apply to all Web content viewing. Filtering guidance 
        helps parents determine age-appropriate settings and online 
        activities as well as how to talk to children about safe Web 
        browsing practices.

    In addition, abuse reporting is available throughout Windows Live 
and the MSN* network of Internet services so users can report 
inappropriate behavior or content.\10\
---------------------------------------------------------------------------
    \10\ For example, there is a Report Abuse button at the bottom of 
every Windows Live Space so customers can easily report issues.
---------------------------------------------------------------------------
    Other major Windows Live services also have their own specific 
safeguards and privacy tools. They allow users to do the following:
Live Search
   Filter search results for sexually explicit images and text
Windows Live Messenger
   Create a manually selected list of allowed instant messaging 
        contacts

   Be notified whenever someone tries to add you to their 
        Messenger Contacts list

   Block a person from contacting you or seeing if you are 
        online

Windows Live Hotmail
   Set your personal account filters so Windows Live Hotmail 
        will deliver mail only from people on your Contacts list and 
        trusted senders

   Block all e-mail from a particular e-mail address

   Identify, based on color-coded alerts, whether an incoming 
        message might be malicious or fraudulent
Windows Live Spaces
   Make your Windows Live Space completely private, available 
        only to selected people, or public

   Access safety information from any Spaces page

Xbox 360 and Xbox LIVE
    Xbox 360 and Xbox LIVE--Microsoft's gaming platform and online 
gaming environment, respectively--are designed to provide secure gaming 
and age-appropriate content for all users. The easy-to-use Family 
Settings console in Xbox 360 allows parents to set restrictions that 
apply to both offline and online play.



    The console recognizes game and video rating systems from countries 
around the world, allowing parents to specify categories of games and 
movies their children can access.\11\ It also has a Family Timer 
feature that parents can use to limit the duration of game play within 
each 24-hour period.
---------------------------------------------------------------------------
    \11\ Systems for rating age-appropriateness of video and game 
content vary by country or by region. They include the Entertainment 
Software Rating Board (www.esrb.org) in the United States and Canada, 
the British Board of Film Classification (www.bbfc.co.uk) in the UK, 
the Game Rating Board (www.grb.or.k) in Korea, Unterhaltungssoftware 
Selbstkontrolle (www.usk.de) in Germany, and Pan-European Game 
Information (www.pegi.info) in much of Europe.
---------------------------------------------------------------------------
    For Xbox LIVE, the console can be configured to allow online gaming 
and communication only with approved friends and to require parental 
approval for new friends. It also allows users to report inappropriate 
use of the service.
    Specifically, the Xbox 360 Family Settings console allows parents 
to:

   Customize each child's playing environment

   Specify how much time a child can spend playing games each 
        day or each week

   Specify which games a child can play, based on game rating

   Override parental restrictions on a case-by-case basis

   Create personal Xbox LIVE settings for a child that will 
        apply to that account no matter what machine is used to access 
        the account

   Require parental approval of each child's list of online 
        friends

   Specify which types of online communication are allowed 
        (i.e., text and voice, video)

   Limit exposure to content created by other members of the 
        Xbox LIVE community

   Limit sharing of personal profile information to friends 
        only, or block all sharing of personal profile information

Mediaroom
    Microsoft Mediaroom, the latest version of Microsoft's Internet 
Protocol Television (IPTV) software platform, allows cable operators 
and telecommunication companies to deliver content and services such as 
standard and high-definition TV channels, digital video recordings and 
video on demand.
    Mediaroom includes parental control features for managing 
children's access to channels, shows and services. Using a PIN or 
multiple PINs, parents can restrict:

   Access to programming by rating (with special functionality 
        for blocking adult-rated programming)

   Access to unrated programming

   Access to individual channels

   The ability to purchase video-on-demand and other content

Zune
    Parents can use Family Settings to restrict their children's access 
to and ability to purchase content from the Zune Marketplace online 
music store for use on their Zune portable media player. Specifically, 
parents can:

   Specify whether a child can make purchases from Zune 
        Marketplace.

   Restrict a child's access to explicit content available 
        through Zune Marketplace.

   Specify who can send messages to a child in the Zune Social 
        online community. (Children 12 and under are prohibited from 
        joining the community.)

   Specify whether a child can accept friend requests in the 
        Zune Social online community.

   Specify whether a child can share favorite artists and songs 
        with the Zune community.

   Specify who can see a child's friends list.

Guidance and Education
    While Microsoft continues to create tools and technologies to help 
promote child safety on the Internet, we believe that educating parents 
and children is the most effective way to respond to online risks. To 
this end we support numerous family safety educational organizations 
and outreach efforts, including:

   Ad Council's Internet Safety Coalition (ISC). Microsoft is a 
        member of the ISC, which is working to help kids understand 
        that the Internet is a public place and to explain the risks of 
        ill-considered Internet posting.

   Bad Guy Patrol. As part of Microsoft Canada's and the 
        Government of Alberta Children's Services shared commitment to 
        preventing child sexual exploitation, www.badguypatrol.ca 
        teaches children ages 5-10 critical Internet safety skills 
        through a series of games. A section for adults provides 
        additional tips on how to keep kids safe and the program is 
        being offered to other provinces across Canada.

   GetNetWise. Microsoft supports this public education 
        organization and website (www.getnetwise.org), which offer 
        Internet users resources for making informed decisions about 
        safer Internet use.

   Get Safe Online. Microsoft is a founding sponsor, along with 
        the UK government and other leading companies, of this campaign 
        and website (www.getsafeonline.org) devoted to teaching 
        consumers and businesses about Internet security and safety.

   i-SAFE America's i-LEARN. Microsoft is a sponsor of this 
        free online curriculum for educators, parents, teens and law 
        enforcement, which is available at www.ilearn.isafe.org.

   National Cyber Security Alliance (NCSA). Microsoft is part 
        of this nonprofit public-private partnership that offers online 
        safety and security information to the public on the 
        www.staysafeonline.org website and through educational efforts 
        such as National Cyber Security Awareness Month.

   NCMEC Netsmartz. Microsoft has provided video production 
        resources for the National Center for Missing and Exploited 
        Children's Netsmartz website (www.netsmartz.org), which helps 
        educate parents, kids, teachers and law enforcement about 
        online security and safety issues.

   NetSafe. NetSafe and Microsoft New Zealand developed this 
        online safety site (www.hectorsworld.com), which offers 
        Internet safety curricula for teachers as well as a range of 
        fun activities for children that teach them about safer 
        Internet use.

   OnGuard Online. Microsoft helped develop the U.S. Federal 
        Trade Commission's website at www.onguardonline.gov, which 
        offers consumers tips, articles, videos and interactive 
        activities related to online safety and security.

   ``Safety is no game. Is your family set?'' Tour. Microsoft, 
        Boys & Girls Clubs of America and Best Buy cosponsored a 20-
        city campaign to promote safer and age-appropriate gaming and 
        to teach kids and parents about the Xbox 360 family safety 
        features.\12\
---------------------------------------------------------------------------
    \12\ Educational materials from the campaign, including a parent-
child gaming pact that families can fill out, are available at http://
www.xbox.com/en-US/support/familysettings/isyourfamilyset/default.htm.

   Staysafe.org. Microsoft sponsors and finances a website at 
        www.staysafe.org that offers guidance and news about online 
        security and safety issues. In 2006, Microsoft joined with the 
        Federal Trade Commission, AARP, U.S. Chamber of Commerce, Best 
        Buy and other partners to sponsor Staysafe.org's Get Net Safe 
        Tour of 12 U.S. cities to raise awareness about Internet 
---------------------------------------------------------------------------
        security and safety.

   Wired Safety. Microsoft is helping to support Wired Safety's 
        first international conference on cyberbullying, at which 
        representatives from government, education, the media, the 
        technology industry and others will help raise awareness of 
        this important issue and spur appropriate action.

    In addition to these partnerships, at our www.microsoft.com/
protect/family website we offer our own broader information about 
consumer online safety in three key areas:

   Family Safety--With young people online in record numbers we 
        provide families with guidance to help promote personal safety 
        and privacy. Just as parents teach their children to look both 
        ways before they cross the street, Microsoft is working to help 
        parents engage with their children to apply similar safety 
        rules to protect kids online.

   Protect Your PC--Helping users protect their PCs from 
        threats like viruses and spyware is another key area of 
        continued focus.

   Protect Yourself--ID Theft is a significant concern for 
        consumers. Microsoft is actively addressing ways to help people 
        better protect themselves when online.

Law Enforcement and Public Policy
    Microsoft is committed to helping make the Internet safer for all 
users, especially children and families, but we can't do it alone. 
Partnerships with law enforcement agencies, governments, nonprofit 
organizations and other industry leaders are essential to combating 
cybercrime. Microsoft has also worked with governments to strengthen 
online safety and privacy laws and to develop mandatory Internet safety 
education programs in schools. These efforts address not only 
individual children's use of the Web but also broader criminal issues 
like online child pornography.
    One highly successful effort is the Child Exploitation Tracking 
System (CETS), a system jointly developed by Microsoft and Canadian law 
enforcement to manage investigations of child exploitation cases. CETS 
allows investigators to import, organize, analyze and search large 
volumes of information while conducting investigations and share 
information across law enforcement agencies. To date, CETS has been 
deployed in Canada, Brazil, Chile, Indonesia, Australia, Italy, Romania 
and the United Kingdom.
    In June 2006, Microsoft, AOL, Earthlink, United Online and Yahoo! 
announced a partnership with the National Center for Missing and 
Exploited Children (NCMEC) to fund a new Technology Coalition within 
NCMEC to develop and deploy technology solutions that disrupt the 
ability of online predators to exploit children or traffic in child 
pornography. The participating companies pledged US$1 million in 
combined initial funding as well as technical support and expertise.
    Microsoft has worked with Interpol and the International Centre for 
Missing & Exploited Children (ICMEC) to sponsor worldwide training 
sessions for law enforcement personnel on computer-facilitated crimes 
against children. As of February 2008, more than 2,600 law enforcement 
officers from more than 100 countries have been trained in methods of 
identifying suspects, investigating offenses and dealing with victims 
of online child predators.
    In 2006, Microsoft joined ICMEC, NCMEC, leading financial 
institutions and Internet industry leaders to form the Financial 
Coalition Against Child Pornography, which provides a forum for members 
to collaborate on strategies to cutoff funding for child pornographers 
and eradicate child pornography.
    Microsoft works extensively with the U.S. Department of Justice's 
Internet Crimes Against Children Task Force and is a member of the 
Virtual Global Taskforce, a public-private partnership that combats 
online child abuse worldwide.
    In 2008, Microsoft joined the Internet Safety Technical Task Force, 
a coalition of academics, industry, advocacy groups and others that 
examines issues related to Internet safety, online authentication and 
children's age verification.
    Microsoft includes tools in its online services that can help 
detect and prevent child pornography and exploitation, and it is 
continually developing new tools both independently and in conjunction 
with its partners. MSN uses a filtering tool to review images uploaded 
to Windows Live Spaces and MSN Groups. Microsoft reports any images 
identified as apparent child pornography to NCMEC and closes the site. 
Microsoft also has a complaint center where users can report incidents 
of abuse on our sites.
    Microsoft has worked with state attorneys general in Alabama, 
Colorado, Georgia, Kansas, Massachusetts, New Hampshire, New Mexico, 
South Carolina and Utah to provide comprehensive training for law 
enforcement on computer-facilitated crimes.\13\
---------------------------------------------------------------------------
    \13\ In the United States, the attorney general is the state 
government's chief legal advisor and law enforcement officer.
---------------------------------------------------------------------------
    In April 2006, Microsoft joined ICMEC in announcing ICMEC's model 
legislation on child pornography. This legislation seeks to modernize 
child pornography laws for the 184 member countries of Interpol; 
Microsoft has pledged to support efforts worldwide to develop and 
enforce these laws.
    Microsoft has joined industry partners to encourage countries to 
adopt and ratify the Council of Europe Convention on Cybercrime, which 
requires signatories to adopt and update laws and procedures to address 
crime in the online environment.

Conclusion
    Microsoft has long been committed to helping protect children 
online. We take a comprehensive approach to online safety that includes 
the development of family safety technologies, guidance and education 
for families and children, and partnerships with industry and law 
enforcement to combat online crime.
    Online child safety is directly in line with Microsoft's overall 
commitment to promoting greater trust online and to offering products 
and services built with consumer safety in mind. Microsoft will 
continue to invest in programs, technologies and partnerships that 
advance the goals of safe computing for children and families.
    [The information contained in this document represents the current 
view of Microsoft Corp. on the issues discussed as of the date of 
publication. Because Microsoft must respond to changing market 
conditions, it should not be interpreted to be a commitment on the part 
of Microsoft, and Microsoft cannot guarantee the accuracy of any 
information presented after the date of publication.
    Complying with all applicable copyright laws is the responsibility 
of the user. Without limiting the rights under copyright, no part of 
this document may be reproduced, stored in or introduced into a 
retrieval system, or transmitted in any form or by any means 
(electronic, mechanical, photocopying, recording or otherwise), or for 
any purpose, without the express written permission of Microsoft.
    Microsoft may have patents, patent applications, trademarks, 
copyrights or other intellectual property rights covering subject 
matter in this document. Except as expressly provided in any written 
license agreement from Microsoft, the furnishing of this document does 
not give you any license to these patents, trademarks, copyrights or 
other intellectual property.
    Microsoft, Internet Explorer, Mediaroom, MSN, OneCare, Xbox 360, 
Xbox LIVE, Windows, Windows Live, Windows Vista and Zune are either 
registered trademarks or trademarks of Microsoft Corp. in the United 
States and/or other countries. The names of actual companies and 
products mentioned herein may be the trademarks of their respective 
owners.]

    Senator Pryor. Thank you.
    Dr. Montgomery?

           STATEMENT OF KATHRYN C. MONTGOMERY, Ph.D.,

              PROFESSOR, SCHOOL OF COMMUNICATION,

                      AMERICAN UNIVERSITY

    Dr. Montgomery. Chairman Rockefeller, Chairman Pryor, 
Ranking Member Wicker, and members of the Committee--the 
Subcommittee, thanks so much for inviting me to testify about 
COPPA. It's a law I care very deeply about.
    During the 1990s, while President of the nonprofit Center 
for Media Education, I played a leadership role in passage of 
COPPA, working with Members of Congress on both sides of the 
aisle, as well as a coalition of prominent education, health, 
and consumer groups.
    And I think we need to remember that, in the early days of 
the World Wide Web, which was really a kind of Wild West 
period, the business model of one-to-one marketing, combined 
with the increasing value of children as a target market for 
advertisers, created, really, a ``perfect storm'' for marketers 
who wanted to use the Internet to take advantage of young 
people. We and others documented many of those practices. And 
if we need to remind ourselves of where we were, we can 
remember sites like the Young Investors site that asked for 
reams of personal financial information from children, or one 
of my favorites, which was the Batman site, which asked 
children to be good members of Gotham and fill out the census. 
That's what we were looking at, at the time. That's where the 
Internet was headed.
    My colleagues and I consulted with a broad spectrum of 
stakeholders, including industry groups, to craft a set of 
regulations that would successfully balance our collective 
interest in nurturing the growth of e-commerce while protecting 
the privacy of our children.
    And I think COPPA has served us all very well. It has 
created a level playing field by creating a law that applied to 
every online commercial player, from the largest children's 
media companies to the smallest startups, and it sends a signal 
to the industry, ``If you're going to do business with our 
Nation's children, you will have to follow some rules.'' And 
because it was passed during the early stages of e-commerce, it 
has created rules of the road that have helped to guide the 
development of the digital marketplace and, really, curtail 
many of the egregious practices that were coming into place.
    And I also think the Safe Harbor mechanism is very 
important, because it permits self-regulation, but within the 
context of clear government rules and enforcement authority by 
the FTC.
    But, as others have pointed out, recent developments in 
online marketing really warrant renewed attention by the FTC 
and the Congress. Today's children are growing up in an 
immersive and ubiquitous digital media environment, 24/7, and 
many of the practices we identified in the 1990s have been 
eclipsed by an entirely new generation of tracking and 
targeting technologies. Briefly, I'll highlight two.
    One is behavioral targeting, which is an invisible process 
and a covert process that tracks individual users, through 
cookies and other data files, to collect information about 
them, and to design personalized advertising to target them, 
based on their psychological profiles and their behavioral 
profiles. And this also raises the question of what constitutes 
``personally identifiable information.'' It's not just a matter 
of your giving your name. The marketers are able to know who 
you are, and get to you and target you.
    And the second is mobile marketing, which people have 
mentioned. And one of the important things is that it combines 
behavioral targeting with location targeting. And the research 
that I've done on children's food marketing and the obesity 
crisis has found fast-food companies creating discount coupons 
that will be sent to people's and children's cell phones when 
they get near a fast-food restaurant.
    So, what we need to do is to ensure the FTC--and I'm 
working with the agency to update the law, update the rules, as 
it was intended to do, as it was designed to do.
    Finally, I do want to say that, while COPPA has established 
important safeguards for the youngest consumers in the digital 
marketplace, adolescents have no such protections. We know 
they're avid users of social networks, like Facebook and 
MySpace and others. In many ways, they're living their lives 
online, and they're increasingly relying on these social 
networks and on search for personal information and for 
handling sensitive personal issues that they're coping with in 
their lives.
    So, I would argue, we--I'm not arguing for a parental 
verification system, like COPPA, but I do think we need a set 
of fair information and marketing practices that are tailored 
to the unique needs and vulnerabilities of adolescents.
    So, I hope the Committee will send a message to the FTC 
that COPPA remains important, but needs to be updated, and 
also, that the FTC should develop specific recommendations for 
protecting the privacy of adolescents as part of its broad new 
initiative on online privacy.
    Thank you.
    [The prepared statement of Dr. Montgomery follows:]

    Prepared Statement of Kathryn C. Montgomery, Ph.D., Professor, 
              School of Communication, American University

    Chairman Pryor, Senator Wicker, and members of the Subcommittee. My 
name is Kathryn Montgomery, and I am a Professor in the School of 
Communication at American University. I appreciate the opportunity to 
testify before you today about the Children's Online Privacy Protection 
Act (COPPA). During the 1990s, while president of the nonprofit Center 
for Media Education (CME), I played a leadership role in the passage of 
COPPA, working with a coalition of education, health, and consumer 
groups that included the National PTA, the Consumer Federation of 
America, the National Education Association, and the American Academy 
of Pediatrics. As you know, Congress passed the law in 1998 through the 
strong bi-partisan leadership of Sen. John McCain (R-Ariz.), Rep. Ed 
Markey (D-Mass), and then-Sen. Richard Bryan of Nevada. I worked 
closely with these Congressional leaders and with other members, as 
well as with the Federal Trade Commission and the White House, on the 
legislation. I also collaborated with a broad spectrum of industry 
stakeholders--including advertising trade groups, online content 
providers, and children's media companies--to craft a statute and a set 
of regulations that would successfully balance our collective interests 
in nurturing the growth of e-commerce, while protecting the privacy of 
our children.
    For the past decade, COPPA has served as an effective safeguard for 
young consumers under the age of 13 in the online marketing 
environment. Though the law took effect in the early formative period 
of Internet marketing, it was purposely designed to adapt to changes in 
both technology and business practices, with periodic reviews by the 
FTC to ensure its continued effectiveness. With the current expansion 
of digital media platforms and the growing sophistication of online 
data collection and profiling, however, it is now critically important 
that the intent of COPPA be fully implemented to protect young people 
from new commercial practices in today's digital media environment.
    As I document in my book, Generation Digital: Politics, Commerce 
and Childhood in the Age of the Internet, the emergence of the World 
Wide Web ushered in a host of online marketing and data collection 
practices that raised fundamental privacy concerns for children. The 
business model of one-to-one marketing, combined with the increasing 
value of children as a target market for advertisers, created a perfect 
storm for marketers who wanted to use the Internet to take advantage of 
young people. Numerous commercial websites offered prizes and other 
incentives to encourage children to supply personal information about 
themselves. For example, one site targeted at ``young investors,'' 
urged children to provide an astonishing amount of financial 
information, including any gifts they might have received in the form 
of stocks, cash, savings bonds, mutual funds or certificates of 
deposit. Another site, set up to promote the movie Batman, encouraged 
children to ``be good citizens of Gotham'' and fill out the ``census.'' 
\1\ Some of these practices were so disturbing that the Center for 
Media Education enlisted the help of Georgetown University Law Center's 
Institute for Public Representation to file a complaint with the FTC in 
1996. The commission found our complaint persuasive and, with the 
urging of our coalition and others, began examining the children's 
online data collection commercial market.\2\ The FTC's internal 
research played a key role in documenting the rampant spread of data 
collection and the failure of self-regulatory promises by industry. The 
commission's report, released just months prior to passage of COPPA, 
provided crucial evidence of the need for this important law.\3\
---------------------------------------------------------------------------
    \1\ Kathryn Montgomery, Generation Digital: Politics, Commerce, and 
Childhood in the Age of the Internet (Cambridge, MA: MIT Press, 2007); 
Kathryn Montgomery and Shelly Pasnik, Web of Deception: Threats to 
Children from Online Marketing (Washington, D.C.: Center for Media 
Education, 1996).
    \2\ Federal Trade Commission, ``FTC Staff to Survey Consumer 
Privacy on the Internet,'' 26 Feb. 1998, http://www.ftc.gov/opa/1998/
02/webcom2.shtm; Federal Trade Commission, ``Privacy Online: Fair 
Information Practices in the Electronic Marketplace,'' May 2000, 
www.ftc.gov/reports/privacy2000/privacy2000text.pdf (both viewed 26 
Apr. 2010).
    \3\ Federal Trade Commission, ``Privacy Online: A Report to 
Congress,'' June 1998, http://www.ftc.gov/reports/privacy3/priv-23a.pdf 
(viewed 26 Apr. 2010).
---------------------------------------------------------------------------
    Congress made a wise decision in 1998 to enact COPPA. I believe the 
law has been a clear legislative success. It was a balanced and 
sensible solution to a challenging problem. It established a level 
playing field by creating a law that applied to every commercial 
player--from the largest children's media companies to the smallest 
startups. And it sent a strong signal to the growing online marketing 
industry: If you are going to do business with our Nation's children, 
you will have to follow some basic rules. Because decades of research 
documented younger children's particular vulnerabilities to advertising 
and marketing, the law was narrowly tailored to apply only to 
commercial websites that were targeted at children under the age of 13, 
or where there was actual knowledge by the website operator that the 
user was under that age. In keeping with fair information principles, a 
key intent of the law was to minimize the collection of personally 
identifiable data from children, and to eliminate the practice of 
offering prizes and other incentives to encourage such data 
collection.\4\
---------------------------------------------------------------------------
    \4\ The FTC's COPPA rule applies to ``Operators of commercial 
websites and online services directed to children under 13 that collect 
personal information from them; operators of general audience sites 
that knowingly collect personal information from children under 13; and 
operators of general audience sites that have a separate children's 
area and that collect personal information from children under 13.'' 
Federal Trade Commission, ``Children's Online Privacy Protection Act,'' 
http://www.ftc.gov/privacy/privacyinitiatives/childrens.html (viewed 26 
Apr. 2010).
---------------------------------------------------------------------------
    No law is perfect, as everyone in this body is well aware. In the 
case of COPPA, children who are under 13 can lie about their age when 
visiting sites that are not intended for them. Parents are not always 
willing or able to be involved in the day-to-day online navigations of 
their children. But because the legislation was passed during the early 
stages of Internet e-commerce, COPPA established a clear set of ``rules 
of the road'' to help guide the development of the children's digital 
marketplace. As a result, some of the most egregious data collection 
practices that were becoming state-of-the-art in the online marketing 
environment were curtailed. A study in the Journal of Consumer Affairs 
found that more than ninety-five percent of the top 100 children's 
websites in the United States post privacy policies complying with 
COPPA's requirements for information collection and use.\5\ And by 
establishing a safe -harbor mechanism, the law created a system whereby 
self-regulatory guidelines--developed and implemented by a number of 
entities--operate within a framework of clear government rules and 
enforcement authority by the FTC. We are pleased that the commission 
has taken the initiative to examine and respond to specific cases, 
cracking down on those practices that violated the statute.\6\
---------------------------------------------------------------------------
    \5\ Anthony D. Miyazaki, Andrea J. S. Stanaland, and May O. Lwin, 
``Self-Regulatory Safeguards and the Online Privacy of Preteen 
Children, Journal of Advertising 38, n. 4 (Winter 2009): 79, 83; Andrea 
J. S. Stanaland, May O. Lwin, and Susanna Leong, ``Providing Parents 
with Online Privacy Information: Approaches in the U.S. and the UK,'' 
Journal of Consumer Affairs 42 n. 3 (Fall 2009): 474, 484-85.
    \6\ See for example, Federal Trade Commission, ``Iconix Brand Group 
Settles Charges Its Apparel Web Sites Violated Children's Online 
Privacy Protection Act,'' 20 Oct. 2009, http://www.ftc.gov/opa/2009/10/
iconix.shtm (viewed 26 Apr. 2010).
---------------------------------------------------------------------------
    Recent developments in the online marketing arena, however, pose 
new challenges that warrant the attention of the FTC and Congress. The 
Web has matured, thanks especially to broadband and mobile 
technologies. As a result, not only has the digital marketplace grown 
dramatically, it has become an even stronger presence in the lives of 
young people. Today's children are growing up in a ubiquitous digital 
media environment, where mobile devices, instant messaging, social 
networks, virtual reality, avatars, interactive games, and online video 
have become ingrained in their personal and social experience. Members 
of this generation of young people are, in many ways, living their 
lives online. As Advertising Age reported, ``more than 16 million 
children aged 2 to 11 are online, making for a growth rate of 18 
percent in the period 2004 to 2009--the biggest increase among any age 
group, according to Nielsen.'' The same report explains that according 
to a Nielsen Online survey conducted in July 2009, ``Time spent online 
for children ages 2 to 11 increased from about 7 hours to more than 11 
hours per week, or a jump of 63 percent over 5 years.'' \7\
---------------------------------------------------------------------------
    \7\ Beth Snyder Bulik, ``The On-Demand Generation,'' 12 Apr. 2010, 
http://adage.com/digital/article?article_id=143220 (viewed 26 Apr. 
2010).
---------------------------------------------------------------------------
    The online marketing practices we originally identified in the 
1990s have been eclipsed by a new generation of tracking and targeting 
techniques. For example, mobile marketing--combining text messaging, 
mobile video, and other new applications--is one of the fastest growing 
digital commerce platforms throughout the world, and a particularly 
effective way to reach and engage children.\8\ As a recent Kaiser 
Family Foundation study noted, ``Over the past 5 years, there has been 
a huge increase in [cell phone] ownership among 8- to 18-year-olds: 
from 39 percent to 66 percent. . . . During this period, cell phones . 
. . have become true multi-media devices: in fact, young people now 
spend more time listening to music, playing games, and watching TV on 
their cell phones (a total of :49 daily) than they spend talking on 
them (:33).'' \9\ According to the latest industry data, roughly half 
of all children use a mobile phone by age 10, and by age 12, fully 
three-fourths of all children have their own mobile phone.\10\ As one 
media executive commented, the mobile phone is ``the ultimate ad 
vehicle . . . the first one ever in the history of the planet that 
people go to bed with.'' \11\ Mobile advertising will increasingly rely 
on interactive video and become firmly embedded in ``mobile social 
networks.'' Advertising on mobile devices will be especially powerful, 
since it will be able to target users by combining both behavioral and 
location data.\12\ Ads on mobile phones will be able to reach young 
consumers when they are near a particular business and offer electronic 
pitches and discount coupons.\13\
---------------------------------------------------------------------------
    \8\ E. Burns, ``U.S. Mobile Ad Revenue to Grow Significantly 
through 2013,'' ClickZ, 25 Feb. 2009, http://www.clickz.com/3632919 
(viewed 4 Aug. 2009).
    \9\ Kaiser Family Foundation, ``Daily Media Use Among Children and 
Teens Up Dramatically from Five Years Ago,'' 20 Jan. 2010, http://
www.kff.org/entmedia/entmedia012010nr.cfm (viewed 7 Apr. 2010).
    \10\ Pete Blackshaw, ``A Pocket Guide to Social Media and Kids,'' 
Nielsen Wire, 2 Nov. 2009, http://blog.nielsen.com/nielsenwire/
consumer/a-pocket-guide-to-social-media-and-kids/ (viewed 16 Mar. 
2010).
    \11\ A. Klaassen, ``Why Google Sees Cellphones as the `Ultimate Ad 
Vehicle,''' Advertising Age, 8 Sept. 2008, http://adage.com/
mobilemarketingguide08/article?article_id=130697 (viewed 4 Aug. 2009).
    \12\ Center for Digital Democracy and U.S. PIRG, ``Complaint and 
Request for Inquiry and Injunctive Relief Concerning Unfair and 
Deceptive Mobile Marketing Practices,'' Federal Trade Commission 
Filing, 13 Jan. 2009, http://www.democraticmedia.org/current_projects/
privacy/
analysis/mobile_marketing (viewed 7 June 2009).
    \13\ A. Johannes, ``McDonald's Serves Up Mobile Coupons in 
California,'' PROMO Magazine, 26 Oct. 2005, http://promomagazine.com/
incentives/mcds_coupons_102605/ (viewed 4 Aug. 2009).
---------------------------------------------------------------------------
    Behavioral targeting uses a range of online methods--including 
cookies and invisible data files--to learn about the unique interests 
and online behaviors through the tracking and profiling of individual 
users. Through a variety of new techniques, marketers use this data to 
create personalized marketing and sales appeals based on a customer's 
unique preferences, behaviors, and psychological profile.\14\ Recent 
advances in behavioral targeting are enabling marketers to more 
accurately predict and influence user behavior. For example, 
``predictive behavioral targeting'' combines data from a number of 
different sources and makes inferences about how users are likely to 
behave in their response to marketing messages. Increasingly, 
behavioral profiles incorporate information from outside databases.\15\ 
Social media platforms are also embracing behavioral targeting, helping 
to drive ``robust advertising response and conversion.'' \16\
---------------------------------------------------------------------------
    \14\ David Hallerman, ``Behavioral Targeting: Marketing Trends,'' 
eMarketer, June 2008; I. Khan, B. Weishaar, L. Polinsky, et al., 
``Nothing but Net: 2008 Internet Investment Guide,'' 2008, https://
mm.jpmorgan.com/stp/t/c.do?i=2082C248&u=a_p*d_170762.pdf*h_-3ohpnmv 
(viewed 23 Mar. 2009).
    \15\ ``About Acxiom,'' http://www.acxiom.com/about_us/Pages/
AboutAcxiom.aspx (viewed 7 June 2009).
    \16\ ``ValueClick Media Launches Predictive Behavioral Targeting,'' 
21 July 2008, http://phx.
corporate-ir.net/phoenix.zhtml?c=84375&p=irol-newsArticle&ID=1177051; 
Acxiom, ``Digital Marketing Services,'' http://www.acxiom.com/
products_and_services/digital/Pages/DigitalMar
ketingServices.aspx; ``24/7 Real Media Launches Social Media Targeting 
to Improve Ad Performance and Response,'' 27 Apr. 2009, http://
www.247realmedia.com/EN-US/news/article
_445.html (all viewed 7 June 2009).
---------------------------------------------------------------------------
    Last year, a broad coalition of consumer, children, and privacy 
groups urged the FTC to ensure that new technologies involving mobile 
phones and data collection incorporate COPPA relevant safeguards. These 
groups also want the FTC to determine how behavioral marketing impacts 
children covered by COPPA, by analyzing, for example, the stealth data 
collection process delivered by online games, virtual worlds, and age-
relevant social sites.\17\ In its current review, the commission must 
ensure that its regulations implementing COPPA include the full range 
of Internet -enabled or connected services, including the increasingly 
ever-present cell phones children use, along with Web-connected gaming 
devices and online, interactive video.\18\ Congress intended COPPA's 
basic framework to be flexible, anticipating that the FTC would have to 
ensure that the law's implementation would cover new ways of collecting 
personal information from children.\19\ That's why I strongly support 
the FTC asking, in its recent Federal Register notice, whether COPPA's 
definition of personal information should be revised to include the 
latest methods of identifying and targeting online consumers, covering 
the so-called ``cookies'' that are used for interactive marketing data 
collection, as well as ``mobile geo-location information.'' \20\ As the 
February 2009 FTC staff report on online privacy acknowledged, ``in the 
context of online behavioral advertising, the traditional notion of 
what constitutes PII [personally-identifiable information] versus non-
PII is becoming less and less meaningful and should not, by itself, 
determine the protections provided for consumer data.'' \21\ I also 
support ensuring that parents have reasonable and effective methods to 
``review or delete personal information'' in their children's online 
file.
---------------------------------------------------------------------------
    \17\ ``Comments of American Academy of Child and Adolescent 
Psychiatry, the American Academy of Pediatrics, the American 
Psychological Association, Benton Foundation, Campaign for a Commercial 
Free Childhood, Center for Digital Democracy, Children Now, and the 
Office of Communications of the United Church of Christ. Online 
Behavioral Advertising Principles,'' Federal Trade Commission filing, 
11 Apr. 2009, http://www.democraticmedia.org/news_room/
letters/Letter_re_behavioral_advertising_comments; Center for Digital 
Democracy and U.S. PIRG, filing with the Federal Trade Commission 
concerning ``Online Behavioral Advertising Principles,'' 11 Apr. 2008, 
http://www.democraticmedia.org/files/FTCfilingApr08.pdf; Federal Trade 
Commission Staff Report, ``Beyond Voice, Mapping the Mobile 
Marketplace,'' Apr. 2009, 3 http://www.ftc.gov/reports/
mobilemarketplace/mobilemktgfinal.pdf (all viewed 26 Apr. 2010).
    \18\ Federal Trade Commission, ``FTC to Host Public Roundtable to 
Review Whether Technology Changes Warrant Changes to the Children's 
Online Privacy Protection Rule,'' 19 Apr. 2010, http://www.ftc.gov/opa/
2010/04/coppa.shtm; Federal Trade Commission, ``FTC Seeks Public 
Comment on Program to Keep Web Site Operators in Compliance With the 
Children's Online Privacy Protection Rule,'' 6 Jan. 2010, http://
www.ftc.gov/opa/2010/01/isafe.shtm (both viewed 26 Apr. 2010).
    \19\ See, especially, Section 1302980(F) of COPPA.
    \20\ Federal Trade Commission, ``COPPA Rule Review: 2010,'' http://
www.ftc.gov/privacy/privacyinitiatives/childrens_2010rulereview.html 
(viewed 26 Apr. 2010).
    \21\ Federal Trade Commission, ``Federal Trade Commission Staff 
Report: Self-Regulatory Principles For Online Behavioral Advertising,'' 
Feb. 2009, pp. 21-22, http://www.ftc.gov/opa/2009/02/behavad.shtm 
(viewed 26 Apr. 2010).
---------------------------------------------------------------------------
    Without question, digital media play a critically important role in 
the positive development of children and youth, helping them become 
better educated and providing a foundation for their engagement as 
citizens.\22\ But, there are also risks and dangers online, as many of 
us are aware. When COPPA was created, one of our concerns was to ensure 
that the ability to identify, track, and target a child--whether online 
or off--was mediated through Congressional safeguards mandating parent 
involvement. And while young people--and adults--today are being 
continually urged to make more of their personal information available 
in real-time, including their location, research indicates the few 
people understand how that information is collected and used. Even 
young adults, according to a new study released just last week, want to 
ensure their privacy is secured online. The study, conducted by 
scholars from UC Berkeley and the Annenberg School for Communication, 
University of Pennsylvania, found that ``large percentages of young 
adults (those 18-24 years) are in harmony with older Americans 
regarding concerns about online privacy, norms, and policy. . . . 
[Y]oung-adult Americans have an aspiration for increased privacy even 
while they participate in an online reality that is optimized to 
increase their revelation of personal data.'' \23\ As those responsible 
for the welfare of our children, adults must provide reasonable 
safeguards for protecting their privacy, especially to help them 
maneuver through an increasingly complex commercial online data 
collection marketplace.\24\
---------------------------------------------------------------------------
    \22\ MIT Press, ``The John D. and Catherine T. MacArthur Foundation 
Series on Digital Media and Learning,'' http://mitpress.mit.edu/
catalog/browse/browse.asp?btype=6&serid=170; John D. and Catherine T. 
MacArthur Foundation, ``Building the Field of Digital Media and 
Learning,'' http://digitallearning.macfound.org/site/c.enJLKQNlFiG/
b.2029199/k.94AC/Latest_News
.htm; Kathryn Montgomery, Barbara Gottlieb-Robles, and Gary O. Larson, 
``Youth as E-Citizens: Engaging the Digital Generation'' (Washington, 
D.C.: American University, 2004), http://www.centerforsocialmedia.org/
ecitizens/index2.htm (all viewed 26 Apr. 2010).
    \23\ Chris Jay Hoofnagle, Jennifer King, Su Li, and Joseph Turow, 
``How Different are Young Adults from Older Adults When it Comes to 
Information Privacy Attitudes and Policies?'' 14 Apr. 2010, http://
papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864 (viewed 26 Apr. 
2010).
    \24\ Joseph Turow, Jennifer King, Chris Jay Hoofnagle, Amy 
Bleakley, and Michael Hennessy, ``Americans Reject Tailored Advertising 
and Three Activities that Enable It,'' 29 Sept. 2009, http://
papers.ssrn.com/sol3/papers.cfm?abstract_id=1478214; Center for Digital 
Democracy, U.S. PIRG, and World Privacy Forum, ``In the Matter of Real-
time Targeting and Auctioning, Data Profiling Optimization, and 
Economic Loss to Consumers and Privacy, Complaint, Request for 
Investigation, Injunction, and Other Relief: Google, Yahoo, PubMatic, 
TARGUSinfo, MediaMath, eXelate, Rubicon Project, AppNexus, Rocket Fuel, 
and Others Named Below,'' Federal Trade Commission filing, 8 Apr. 2010, 
http://www.democraticmedia.org/real-time-targeting; Center for Digital 
Democracy and U.S. PIRG, ``Complaint and Request for Inquiry and 
Injunctive Relief Concerning Unfair and Deceptive Mobile Marketing 
Practices,'' Federal Trade Commission filing, 13 Jan. 2009, http://
www.democraticmedia.org/files/FTCmobile_com
plaint0109.pdf (all viewed 26 Apr. 2010).
---------------------------------------------------------------------------
    Some people suggest that children are now so fully steeped in 
online technologies that they have become savvy about Internet 
marketing, and thus need no protections.\25\ But while children and 
youth have embraced new technologies, they cannot be expected to 
understand the subtle, often covert ways that online marketers are 
collecting, compiling, and analyzing user data. Nor should youth be 
held accountable for the public health implications of the new 
marketing environment. Over the last several years, I have closely 
examined these developments, helping direct a project examining how 
digital marketing targets both children and adolescents for food and 
beverage products linked to the country's youth obesity crisis.\26\
---------------------------------------------------------------------------
    \25\ Alice E. Marwick, Diego Murgia Diaz, and John Palfrey, 
``Youth, Privacy, and Reputation (Literature Review),'' Berkman Center 
Research Publication No. 2010-5, Mar. 2010, p. 10, http://
papers.ssrn.com/sol3/papers.cfm?abstract_id=1588163 (viewed 27 Apr. 
2010).
    \26\ Jeff Chester and Kathryn Montgomery, ``Interactive Food & 
Beverage Marketing: Targeting Children and Youth in the Digital Age,'' 
Berkeley Media Studies Group, May 2007, http://www.digitalads.org/
documents/digiMarketingFull.pdf (viewed 26 Apr. 2010).
---------------------------------------------------------------------------
    Finally, while passage of COPPA established an important framework 
for safeguarding our youngest consumers in the digital marketplace, 
adolescents have no such protections. Neither the online industry nor 
the Federal Trade Commission has adequately addressed the special 
privacy issues raised for adolescents. Because of their avid use of new 
media, adolescents are primary targets for digital marketing.\27\ 
Today's teens are being socialized into this new commercial digital 
culture, which resonates so strongly with many of their fundamental 
developmental tasks, such as identity exploration, social interaction, 
and autonomy.\28\ Many teens go online to seek help for their personal 
problems, to explore their own sexual identities, to find support 
groups for handling emotional crises in their lives, and sometimes to 
talk about things they do not feel comfortable or safe discussing with 
their own parents. Yet, this increased reliance on the Internet 
subjects them to wholesale data collection and profiling. The 
unprecedented ability of digital technologies to track and profile 
individuals across the media landscape, and to engage in ``micro'' or 
``nano'' targeting, puts these young people at special risk of 
compromising their privacy. Teens may be internalizing and normalizing 
these invasive practices that have been so integrally woven into their 
everyday actions and experiences.
---------------------------------------------------------------------------
    \27\ Kathryn C. Montgomery and Jeff Chester, ``Interactive Food and 
Beverage Marketing: Targeting Adolescents in the Digital Age,'' Special 
supplement to Journal of Adolescent Health (September 2009): 1-12.
    \28\ S. Harter, ``Processes Underlying the Construction, 
Maintenance and Enhancement of the Self-concept in Children,'' 
Psychological Perspective on the Self 3 (1990): 45-78; U. Uhlendorff, 
``The Concept of Developmental Tasks,'' Social Work & Society 2, n. 1 
(2004): 54-63; J. Hill, ``Early Adolescence: A Framework,'' Journal of 
Early Adolescence 3, n. 1 (1983): 1-21; K. Subrahmanyam and P. 
Greenfield, ``Online Communication and Adolescent Relationships,'' The 
Future of Children 18, n. 1 (2008): 119-146.
---------------------------------------------------------------------------
    As child advocacy and health groups explained in an April 2008 
filing with the FTC, ``although adolescents are more sophisticated 
consumers than young children are, they face their own age-related 
vulnerabilities regarding privacy.'' The prevailing formula embraced by 
industry and endorsed by regulators is rooted in the concept of 
``notice and choice.'' It is based on the expectation that consumers 
will read the privacy policies that online companies post on their 
websites, and if they don not like the terms, they will ``opt out.'' 
But most privacy policies offer no real choice; instead the policies 
are presented as a ``take-it-or-leave-it'' proposition. Surveys have 
shown that most adults don't read, nor can they readily understand, the 
often confusing, technical legalese that characterizes these 
policies.\29\ For under-aged youth, these challenges are further 
complicated. As the children's coalition filing points out, ``. . . 
adolescents, who have less education and are less likely to make the 
effort to read privacy policies,'' are ``more willing to forgo learning 
about or protecting against behavioral advertising practices. . . in 
order to move quickly and freely access websites and socially 
interact.'' \30\ Social networks have created privacy settings that 
create a false sense of security for teens. While young people may 
believe they are protecting their privacy, they remain totally unaware 
of the nature and extent of data collection, online profiling, and 
behavioral advertising that are becoming routine in these online 
communities.
---------------------------------------------------------------------------
    \29\ Institute for Public Representation (on behalf of the American 
Academy of Child and Adolescent Psychiatry, the American Academy of 
Pediatrics, American Psychological Association, Benton Foundation, 
Campaign for a Commercial Free Childhood, Center for Digital 
Democracy), filing with the Federal Trade Commission concerning 
``Online Behavioral Advertising Principles,'' 11 Apr. 2008, p. 6, 
http://www.democraticmedia.org/files/Children's%20Advocacy%20
Groups%20%20Behavioral%20Advertising%20Comments%20FINAL.pdf (viewed 15 
June 2008).
    \30\ Institute for Public Representation FTC filing, pp. 7, 9.
---------------------------------------------------------------------------
    Recent research within the fields of neuroscience, psychology, and 
marketing has identified key biological and psychosocial attributes of 
the adolescent experience that may make members of this age group 
particularly susceptible to interactive marketing and data collection 
techniques.\31\ A number of scholars have challenged the notion that 
cognitive defenses enable adolescents to resist advertising 
(particularly in new media) more effectively than younger children.\32\ 
Rather than communicating rational or factual appeals, many digital 
marketing techniques are forms of ``implicit persuasion'' that promotes 
``subtle affective associations,'' often circumventing a consumer's 
explicit persuasion knowledge.\33\
---------------------------------------------------------------------------
    \31\ C. Pechmann, L. Levine, S. Loughlin, et al., ``Impulsive and 
Self-conscious: Adolescents' Vulnerability to Advertising and 
Promotion,'' Journal ofPublic Policy & Marketing 24, n. 2 (2005): 202-
221. Frances M. Leslie, Linda J. Levine, Sandra E. Loughlin, and 
Cornelia Pechmann, ``Adolescents' Psychological & Neurobiological 
Development: Implications for Digital Marketing,'' June 2009, http://
digitalads.org/documents/Leslie_et_al_NPLAN_BMSG_memo.pdf (viewed 27 
Apr. 2010).
    \32\ S. Livingstone and E. J. Helsper, ``Does Advertising Literacy 
Mediate the Effects of Advertising on Children? A Critical Examination 
of Two Linked Research Literatures in Relation to Obesity and Food 
Choice,'' Journal of Communication 56, n. 3 (2006): 560- 584.
    \33\ A. Nairn and C. Fine, ``Who's Messing with My Mind? The 
Implications of Dual-process Models for the Ethics of Advertising to 
Children,'' International Journal of Advertising 27, n. 3 (2008): 447-
470.
---------------------------------------------------------------------------
    In addition to its review of COPPA, the FTC should develop specific 
recommendations for protecting the privacy of adolescents as part of 
its broad new initiative on online privacy. \34\ Child advocacy and 
health groups, for example, have called for an expanded definition of 
``sensitive data'' to include the online activities of all persons 
under the age of eighteen, as well as a prohibition against ``the 
collection of sensitive information for behavioral advertising 
purposes.'' \35\
---------------------------------------------------------------------------
    \34\ Federal Trade Commission, ``Exploring Privacy: A Roundtable 
Series,'' http://www.ftc.gov/bcp/workshops/privacyroundtables/
index.shtml (viewed 27 Apr. 2010).
    \35\ Institute for Public Representation FTC filing, 13.
---------------------------------------------------------------------------
    I hope this committee will send a message to the FTC, as you review 
the record, that COPPA remains a valuable safeguard for children 
online, but the rules for implementing it need updating to account for 
the latest developments in digital marketing. I also urge the Committee 
to encourage the FTC to protect the privacy of adolescent consumers.

    Senator Pryor. Thank you.
    Mr. Rotenberg.

        STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR,

                  EPIC AND ADJUNCT PROFESSOR,

                GEORGETOWN UNIVERSITY LAW CENTER

    Mr. Rotenberg. Thank you very much, Mr. Chairman, members 
of the Committee. I appreciate the opportunity to be here 
today.
    I'm the Director of EPIC. We're a nonprofit research 
organization. I also teach privacy law at Georgetown.
    I actually wanted to begin by thanking Professor Montgomery 
for the leadership role she played in helping to ensure passage 
of the Act. We wrote to the FTC, back in 1995, and asked the 
Commission to look at the business practices involving the 
collection and use of personal information on children. And 
following that letter and the hearings and the subsequent work 
of the consumer coalition, Congress did, in fact, pass 
important legislation. And we think that legislation set up the 
simple principle that, in this new online environment, it was 
important to protect young people from the exploitation and 
manipulation of their personal information.
    And I think it's obvious that there have been dramatic 
changes since the time that COPPA has been enacted. And the 
most obvious change is the emergence of the social network 
services. Our kids live online, exchanging intimate information 
with their friends; and that information is then collected and 
used for marketing purposes. And while their disclosures to 
their friends appear, to them, to be very transparent and to 
give them a great deal of control over what they choose to post 
or not post, what's going on behind the scenes, in terms of the 
transfer of their data by companies, such as Facebook, to their 
advertising partners, to their application development 
partners, and now to the third-party websites that they propose 
to transfer information about, is much more opaque.
    Now, Facebook said earlier--and I think this is true--that, 
for the most part, they've tried to discourage the use of the 
service by children under the age of 13 so that they remain 
compliant with COPPA. But, what they haven't addressed, and I 
think the critical question now before the Committee, is, How 
do we deal with the collection and use of this personal 
information on teenagers, children between the ages of 13, 
whose data is being collected in this online environment, and 
then disclosed to marketers and others for purposes completely 
unrelated to the reasons that they made it available?
    The problem is more serious, still, because, in this 
setting, the user has to rely on the privacy policies and the 
privacy settings that they are presented with. That's 
essentially the only way, in a self-regulatory environment, you 
are going to get privacy protection. And what we are seeing, 
increasingly, is that companies, having collected the data on 
teenagers, will change the privacy policies, they will change 
the privacy settings, for the purpose of making this data more 
easily accessible to business partners for marketing purposes. 
This is a problem that COPPA never anticipated. And I think it 
is the single-biggest problem facing children in the online 
world today. The self-regulatory approach that relies on 
privacy settings and privacy policies is not working.
    And it's also not working, in part, I regret to say, 
because I don't think the Federal Trade Commission has been as 
aggressive as it needs to be to go after what are essentially 
unfair and deceptive trade practices. They do a very good job 
on the education side, no doubt about it; and they have 
provided very good materials, to families and teachers and 
educators and others, about what people need to do to protect 
the safety of their children online. But, they have not done 
enough to enforce these unfair and deceptive trade practices. 
And I think they need to do more.
    I want to tell you, briefly, one extraordinary story, a 
complaint that we filed with the Federal Trade Commission last 
year that was offering a product, ostensibly, for parental 
control. It was supposed to protect kids online from, you know, 
risks and dangers that parents might be worried about. The same 
company was gathering the data, through this product that they 
made available, for marketing purposes. And this is how they 
described their own product, ``Every single minute, Pulse is 
aggregating the Web's social media outlets, such as chat and 
chat rooms, blogs, forums, instant messaging, and websites, to 
extract meaningful user-generated content from your target 
audience: the teens.'' They're talking to a marketing firm 
about how they're able to surreptitiously gather information on 
kids online.
    We went to the FTC, and we said to the FTC, ``You need to 
shut down this company.'' The FTC acknowledged the receipt of 
our complaint, but never acted on it.
    But, the story doesn't end there. When the Department of 
Defense learned about how this product operated, and they were, 
at the time, planning to make it available online to military 
families through their online store, they said, ``This poses a 
risk, a privacy and security risk, to military families, and we 
will not make it available.''
    In other words, the Department of Defense, acting on 
information that anyone who had taken a close look at the 
product would have quickly recognized was a serious problem, 
made an appropriate decision.
    The FTC, which has the authority and the expertise to 
police COPPA, never acted.
    I think, in both of these areas, the need to update the law 
so that there are protections for teenagers, those between 13 
and 18, from the misuse of the commercial information, and also 
for the FTC to get much more aggressive on enforcement. 
Education is not enough in this area. They have to go after 
these companies that are not acting appropriately when they 
collect and use personal data.
    Thank you very much.
    [The prepared statement of Mr. Rotenberg follows:]

  Prepared Statement of Marc Rotenberg, Executive Director, EPIC and 
          Adjunct Professor, Georgetown University Law Center

Introduction
    Mr. Chairman and members of the Committee, thank you for the 
opportunity to testify today on ``An Examination of Children's Privacy: 
New Technologies and the Children's Online Privacy Protection Act 
(COPPA)'' My name is Marc Rotenberg and I am the Executive Director of 
the Electronic Privacy Information Center (EPIC) and Adjunct Professor 
at Georgetown University Law Center.
    EPIC is a non-partisan research organization, focused on emerging 
privacy and civil liberties issues. We have a particular interest in 
children's online privacy. In 1995, EPIC wrote to then-FTC Commissioner 
Christine Varney, exposing industry practices that ``ma[de] available 
to the public the names, addresses, ages and telephone numbers of young 
children.'' \1\ We urged the FTC to investigate these business 
practices and to develop appropriate safeguards.
---------------------------------------------------------------------------
    \1\ EPIC Letter to Christine Varney on Direct Marketing Use of 
Children's Data, EPIC, December 14, 1995 available at http://epic.org/
privacy/internet/ftc/ftc_letter.html.
---------------------------------------------------------------------------
    In 1996, I testified before the House Judiciary Committee in 
support of the bill that eventually became COPPA.\2\ I warned: ``The 
collection of data about children is growing at a phenomenal rate. 
Government agencies, private organizations, universities, associations, 
businesses, and club all gather information on kids of all ages. 
Records on our children are collected literally at the time of birth, 
segmented, compiled, and in some cases resold to anyone who wishes to 
buy them.''
---------------------------------------------------------------------------
    \2\ Testimony and Statement for the Record of Marc Rotenberg, 
director Electronic Privacy Information Center on the Children's 
Privacy Protection and Parental Empowerment Act, H.R. 3508 Before the 
House of Representatives, Committee on the Judiciary, Subcommittee on 
Crime, September 12, 1996 available at http://www.epic.org/privacy/
kids/EPIC_Testimony.html.
---------------------------------------------------------------------------
    EPIC worked with the Center for Media Education, which had 
published a groundbreaking study in 1996 on children's privacy, to 
develop COPPA and help ensure enactment. As the CME study found, young 
children cannot understand the potential effects of revealing their 
personal information; neither can they distinguish between substantive 
material on websites and the advertisements surrounding it. Targeting 
of children by marketing techniques resulted in the release of huge 
amounts of private information into the market and triggered the need 
for COPPA.\3\
---------------------------------------------------------------------------
    \3\ Center for Media Education, Web of Deception: Threats to 
Children from Online Marketing, 1996 available at http://www.cme.org/
children/marketing/deception.pdf; see also supra notes 1-2.
---------------------------------------------------------------------------
    For the past 15 years, EPIC has pursued many of the critical online 
privacy issues concerning children. We have testified before lawmakers 
in support of strong privacy safeguards for children. EPIC has also 
filed complaints with the Federal Trade Commission detailing unfair and 
deceptive trade practices that put children's privacy at risk.
    We are also interested in emerging new technologies and practices 
that increase the amount of data collected about children. For example, 
EPIC filed several complaints and a ``friend of the court'' brief 
concerning social networking sites' privacy practices.\4\ These sites 
encourage users to make social connections online, but also build 
detailed profiles about users, and disclose personal information to 
third parties. In addition, EPIC has filed regulatory complaints and 
court documents concerning behavioral marketing practices--practices 
that expose Internet users' personal information to marketers, 
advertisers, and others without users' knowledge.\5\ These emerging 
practices affect many consumers, but children are particularly 
vulnerable.
---------------------------------------------------------------------------
    \4\ EPIC, In re Facebook, http://epic.org/privacy/inrefacebook/; 
EPIC, In re Google Buzz; http://epic.org/privacy/ftc/googlebuzz/
default.html; EPIC, Harris v. Blockbuster, http://epic.org/amicus/
blockbuster/default.html.
    \5\ EPIC, Privacy? Proposed Google/DoubleClick Merger, http://
epic.org/privacy/ftc/google/; EPIC, Google Books Litigation, http://
epic.org/privacy/googlebooks/litigation.html.
---------------------------------------------------------------------------
    We appreciate your interest in children's privacy and new 
technology, and we are grateful for the opportunity to appear before 
the Committee today.
1The Purpose of COPPA and Structure of COPPA is Essentially Sound
    The Children's Online Privacy Protection Act, as set out in the FTC 
Rule, establishes a basic framework for privacy protection. COPPA 
requires any website that collects personal information from children 
to: (1) ``provide notice on the website of what information is 
collected from children by the operator, how the operator uses such 
information, and the operator's disclosure practices for such 
information;'' \6\ (2) ``obtain verifiable parental consent for the 
collection, use, or disclosure of personal information from children;'' 
\7\ (3) provide parents with access to the information collected from 
their children; \8\ and (4) ``establish and maintain reasonable 
procedures to protect the confidentiality, security, and integrity of 
personal information collected from children.'' \9\
---------------------------------------------------------------------------
    \6\ 15 U.S.C.  6502(b)(1)(A)(i) (2009).
    \7\ 15 U.S.C.  6502(b)(1)(A)(ii) (2009).
    \8\ 15 U.S.C.  6502(b)(1)(B) (2009).
    \9\ 15 U.S.C.  6502(b)(1)(D) (2009).
---------------------------------------------------------------------------
    The FTC Rule that was promulgated included several innovative 
provisions, including one that prohibits operators from conditioning a 
child's participation in an online activity on the child's providing 
more information than is reasonably necessary to participate in that 
activity.\10\ That provision wisely anticipated that websites would try 
to extract data from children unless it was made clear that only the 
information necessary to provide the service should be obtained.
---------------------------------------------------------------------------
    \10\ 15 U.S.C.  6502(b)(1)(C) (2009).
---------------------------------------------------------------------------
    Some websites,\11\ including social network websites,\12\ comply 
with COPPA by implementing privacy safeguards for their young users. 
Many other websites,\13\ including social network sites,\14\ allege 
that their sites do not collect personal information from children, and 
are therefore exempt from COPPA requirements. Disputes over COPPA 
typically focus on the age verification procedures and the scope of 
application.
---------------------------------------------------------------------------
    \11\ E.g. The Walt Disney Co., Kids' Privacy Policy, http://
corporate.disney.go.com/corporate/kids.html (``Building on our general 
Privacy Policy, we recognize the need to provide additional privacy 
protections when children visit the sites on which this Kids' Privacy 
Policy is posted.'').
    \12\ E.g. Yoursphere, Yoursphere For Parents, http://internet-
safety.yoursphere.com/news/twitter-facebook-coppa-the-yoursphere-
difference (``Yoursphere is a membership-based, online social community 
exclusively for youth through the age of 18. Here's how Yoursphere 
meets, and exceeds COPPA guidelines. . . .'').
    \13\ E.g. N.Y. Times, The New York Times Privacy Policy Highlights, 
(``The New York Times does not knowingly collect or store any personal 
information, even in aggregate, about children under the age of 13.''); 
U.S. Bank, Privacy Policy, https://loansandlines.usbank.com/loanslines/
privacyPopup.do (``We do not intentionally market to or solicit 
personal information from children under the age of 13.'').
    \14\ E.g. Facebook, Help Center, http://www.facebook.com/help/
?safety=parents (``Facebook requires its users to be at least 13 years 
old before they can create an account. Providing false information to 
create an account is a violation of our Statement of Rights and 
Responsibilities.'').
---------------------------------------------------------------------------
    Overall, COPPA has helped to establish a general understanding that 
the collection and use of information on young children should be 
treated with care and avoided if possible. This is a sensible approach 
that recognizes both the unique vulnerabilities of young children as 
well as the limitations of a self-regulatory approach, which would 
place the burden on minors to interpret privacy policies and make 
informed decisions about the disclosure and use of personal 
information.
    We supported COPPA at the time of enactment and continue to believe 
it provides a sound basis for privacy protection.

Social Networks Have Transformed Data Collection Practices
    It is clear that the single biggest change impacting the privacy of 
children since the adoption of COPPA has been the emergence of social 
network services, such as Facebook, MySpace, and Twitter. These web-
based platforms provide new opportunities for kids to interact online 
and also for companies to gather up information.
    Leaving aside for the moment whether sites are currently in 
compliance with COPPA as they tend to discourage participation by those 
thirteen and under, I would like to focus on the broader implications 
that this technological change has had on children's privacy. In the 
simplest terms, COPPA did not anticipate the immersive online 
experience that a social network service would provide or the extensive 
data collection of both the trivial and the intimate information that 
children would share with these friends. This is not to say that the 
COPPA rules do not apply to all forms of data collection, rather the 
point is that the data collection and use is much more extensive than 
was anticipated.
    We also see the increasingly opaque way that companies transfer 
user information to third parties. On the one hand, there is a great 
deal of transparency when users are able to see what they post and to 
make decisions about who should have access. On the other, the transfer 
of user data to application developers and now to websites is not so 
easy for users to observe and control.
    More specifically, there is growing concern that companies are 
manipulating their privacy policies and privacy settings of users to 
confuse and frustrate users so that more personal information will be 
revealed. EPIC raised this concern in a petition filed with the Federal 
Trade Commission last December concerning the business practices of 
Facebook.\15\ More recently, Senators Schumer, Bennet, Begich, and 
Franken have expressed to Facebook their concern about the most recent 
changes in Facebook's business model.\16\ Senator Schumer specifically 
asked the FTC to develop guidelines for these services.\17\ Similar 
concerns are likely to arise with Twitter as the company begins to 
incorporate advertising and to track the activities of its users.
---------------------------------------------------------------------------
    \15\ EPIC, In re Facebook, http://www.epic.org/privacy/
inrefacebook/EPIC-FacebookCom
plaint.pdf.
    \16\ Letter from Senator Charles Schumer, Senator Michael Bennet, 
Senator Mark Begich, and Senator Al Franken to Facebook CEO Mark 
Zuckerberg, Apr. 27, 2010 available at http://
voices.washingtonpost.com/posttech/Schumer-Franken-Bennet-
Begich%20Letter%20to%20Face
book%204.27.10.pdf.
    \17\ Id.
---------------------------------------------------------------------------
    There is a good argument that these data collection practices 
should be regulated for all users simply because all users have an 
interest in how their personal information is used by these firms. But 
the argument is particularly strong for teenagers, those between the 
ages of 13 and 18, who have no protection under COPPA and who cannot 
easily follow all of the changes taking place in this self- regulatory 
environment. In fact, in our recent complaint to the FTC concerning 
Facebook, we were struck by how many Internet commentators, bloggers, 
and security experts found it difficult to make sense of the recent 
changes in the Facebook privacy settings.\18\
---------------------------------------------------------------------------
    \18\ Supra note 15 at 16-23.
---------------------------------------------------------------------------
    Therefore, updates to COPPA should focus specifically on the 
collection and use of data in the social network world. Teenagers 
should be given much greater control over the collection of data about 
them.

The FTC Has Failed to Enforce Children's Privacy Rights Despite Clear-
        Cut Violations
    One of the growing concerns with COPPA is the failure of the 
Federal Trade Commission to vigorously enforce its provisions. Several 
years ago, there were notable enforcement actions by the FTC. For 
example, in September 2006, the FTC brought COPPA enforcement actions 
against several companies. The FTC fined the website Xanga $1 million 
for failing to obtain parental consent for children under 13 even 
though the site clearly targeted this population.\19\ And the FTC fined 
UMG Recordings $400,00 for similar violations.\20\
---------------------------------------------------------------------------
    \19\ FTC, Xanga.com to Pay $1 Million for Violating Children's 
Online Privacy Protection Rule, Sept. 7, 2006, http://www.ftc.gov/opa/
2006/09/xanga.shtm.
    \20\ FTC, UMG Recordings, Inc. to Pay $400,000, Bonzi Software, 
Inc. To Pay $75,000 to Settle COPPA Civil Penalty Charges, Sept. 13, 
2006, http://www.ftc.gov/opa/2004/02/bonz
iumg.shtm.
---------------------------------------------------------------------------
    But it is difficult to find news of any recent enforcement action. 

The FTC claims on its website:

        The FTC has obtained numerous Federal district court 
        settlements against website operators who are alleged to have 
        violated the COPPA Rule. Press releases, and the complaints and 
        orders may be found at www.ftc.gov/privacy/privacyinitiatives/
        childrens_enf.html.
    But if you go to this link, you will find just one enforcement 
action over the last several years, which was taken against the Iconix 
Brand group and produced a fine of $250,000.\21\
---------------------------------------------------------------------------
    \21\ FTC, Iconix Brand Group Settles Charges Its Apparel Web Sites 
Violated Children's Online Privacy Protection Act, Oct. 20, 2009, 
http://www.ftc.gov/opa/2009/10/iconix.shtm.
---------------------------------------------------------------------------
    EPIC's experience with the recent Echometrix complaint is 
particularly telling. In September 29, 2009, EPIC filed a detailed 
complaint with the Federal Trade Commission alleging that Echometrix, a 
software company, was selling ``parental control'' software that was in 
fact monitoring children's online activity for marketing purposes.\22\ 
As the company itself stated about its datamining service Pulse:
---------------------------------------------------------------------------
    \22\ EPIC, In re Echometrix, http://epic.org/privacy/ftc/
Echometrix%20FTC%20Complaint%20
final.pdf; see EPIC, EPIC-Echometrix, http://epic.org/privacy/
echometrix/.

        Every single minute, Pulse is aggregating the Web's social 
        media outlets such as chat and chat rooms, blogs, forums, 
        instant messaging, and websites to extract meaningful user 
        generated content from your target audience, the teens.\23\
---------------------------------------------------------------------------
    \23\ Wendy Davis, Company Allegedly Uses Monitoring Software To 
Collect Data From Children, MediaPost News (Sept. 29, 2009), http://
www.mediapost.com/publications/?fa=Articles.show
Article&art--aid=114428. The company has since changed its 
characterization of the Pulse service.

    The EPIC complaint asked the FTC to stop these practices, seek 
compensation for victims, and ensure that Echometrix's collection and 
disclosure practices comply with COPPA.
    The Federal Trade Commission acknowledged receipt of the complaint, 
but never took an enforcement action against the company. As far as we 
know, they never even opened an investigation.
    You might conclude that perhaps our complaint was mistaken or that 
maybe the company had changed its practices, but there is more to the 
Echometrix story. Not long after we filed the complaint with the FTC, 
we learned that the Department of Defense shared our concerns about 
this product, particularly as it would place at risk children in 
military families.
    In an e-mail that we obtained through a Freedom of Information Act 
request, we learned that the Manager of the AAFES' Exchange Online 
Mall, which provides products and services for military families around 
the world, wrote to Echometrix:

        I was forwarded the attached complaint submitted to the FTC by 
        EPIC. It is very unfortunate that you did not inform me of this 
        issue. Our customer's privacy and security is very important to 
        us, and we trust our Mall partners to maintain the security of 
        our customers.

        I have removed your site, and it will stay offline until this 
        matter with EPIC and the FTC is resolved.\24\
---------------------------------------------------------------------------
    \24\ E-mail from Matthew McCoy, AAFES to Kevin Sullivan and Jeffrey 
Supinsky, Echometrix, Oct. 14, 2009 available at http://epic.org/
privacy/echometrix/Excerpts_from_echometrix
_docs_12-1-09.pdf.

    The Department of Defense was able, with just a quick review of the 
privacy issues, to determine that this product should not be sold to 
military families. But the Federal Trade Commission, which has the 
statutory authority and presumably the expertise to investigate such 
matters, simply ignored it.\25\
---------------------------------------------------------------------------
    \25\ Jaikumar Vijayan, DOD nixes vendor of online monitoring 
software over privacy concerns: EchoMetrix suspended from selling 
products via military's shopping portal, Computerworld, Dec. 4, 2009, 
http://www.computerworld.com/s/article/9141821/
DOD_nixes_vendor_of_online
_monitoring_software_over_privacy_concerns.
---------------------------------------------------------------------------
    To this date, the FTC has not explained why it failed to take 
action.

Updates to COPPA
    One area where there is a clear need to update COPPA concerns the 
scope of Personally Identifiable Information. Under the original rule, 
traditional categories of personal information, such as name, address, 
phone number and social security number are treated as ``Personal 
information.'' \26\ The Rule also wisely treats persistent identifiers, 
such as cookies, as personal information.\27\ However, the Rule did not 
anticipate the emergence of the mobile web and location-based services. 
It is possible that such information could be considered as part of the 
catchall provision, section 312.2(g), but the better approach would be 
to make explicit that location information associated with an 
individual child should be included in the categories of personal 
information.
---------------------------------------------------------------------------
    \26\  312.2 (Definitions).
    \27\  312.2(f).
---------------------------------------------------------------------------
    We would also recommend that serious consideration be given to 
raising the age of COPPA coverage. This was a hotly debated issue at 
the time of the law's enactment. At the time of introduction, the 
Children's Privacy Protection and Parental Empowerment Act of 1996, 
which later became COPPA, set the age requirement at 16. Eventually, to 
help ensure passage, the age requirement was dropped to 13. But it 
remains an opportunity, particularly now with the bill up for review, 
whether the privacy obligations should extend to those who are 16 or 
perhaps even 18.
    Today, I recommend that Congress raise the age requirement in COPPA 
to 18. The emergence of social networks and the powerful commercial 
forces that are seeking to extract personal data on all users of these 
services, but particularly children, raise new challenges that the 
original COPPA simply did not contemplate. To the extent that companies 
choose to collect personal information on children between 13 and 18, 
they should be subject to privacy obligations. If they believe that the 
privacy obligations are too burdensome, the alternative is 
straightforward: provide an online experience that does not require the 
collection of so much personal data. Innovative companies, no doubt, 
will find clever new business models that respect users' privacy.
    If the Congress chooses not to raise the age on COPPA, then I 
anticipate that the privacy problems will grow more severe in the next 
few years. Not only will companies that target young teens gather more 
data, their business practices will become increasingly more opaque and 
more difficult for users to manage. We have seen just in the last few 
years how companies such as Facebook have found that they can 
manipulate privacy settings and change privacy policies to coax 
personal information out of users who had earlier made clear which 
information they would reveal and which information they would keep 
private.
    There is one proviso for this recommendation. For children in 
between the ages of 13 to 18, I believe that the companies subject to 
COPPA should have an obligation to provide privacy rights directly to 
the users of their services and not to their parents. By this I mean 
that it is the kids who should be able to learn how their personal data 
is being gathered and object where appropriate. I think this approach 
will encourage teenagers to exercise greater control over their online 
experience and to understand the privacy practices of the companies 
they deal with. While it is appropriate that parents make these 
decisions for younger children, creating privacy rights for teenagers 
is likely to lead to better informed decisions and greater 
consideration of privacy interests by companies providing online 
services.
    The growing concerns about the FTC's ability to safeguard online 
privacy raises another concern and that is whether the FTC has the 
authority and the competence to address emerging privacy challenges. It 
is not just in the area of COPPA enforcement that there are concerns. 
The FTC has also shown an inability to address such important new 
topics as cloud computing, location privacy, or the broader question of 
the effectiveness of web privacy policies and self-regulation.
    EPIC has had several important complaints pending at the FTC. 
Whereas previous Commissions acted forcefully on the recommendations of 
consumer privacy groups, the current FTC seems unwilling or unable to 
address the privacy challenges that confront users of new services 
every day.\28\ In one particularly egregious example, it took the 
attack on Google in China in January of this year to get the company to 
routinely encrypt Gmail, something that EPIC had specifically 
recommended to the FTC in our March 2009 complaint.\29\
---------------------------------------------------------------------------
    \28\ Marc Rotenberg, ``Does the FTC Care About Consumer Privacy?'' 
9 BNA Privacy and Security Law 453,478 (March 29, 2010).
    \29\ EPIC, in re Google and Cloud Computing, http://epic.org/
privacy/cloudcomputing/google/ftc031709.pdf at  9, 30, 47; see EPIC, 
In re Google and Cloud Computing, http://epic.org/privacy/
cloudcomputing/google/.
---------------------------------------------------------------------------
    There is another issue I would like to bring your attention to 
concerning children and new technology. While much of COPPA's focus is 
understandably directed toward the Internet and data gathering activity 
by commercial firms, it is important to consider also how new 
technologies are gathering data on children in public spaces and with 
new communications technologies. There is, for example, the use of RIFD 
technology for identity documents that makes it possible to track and 
record the location of children. Properly implemented there may be some 
security benefits. But there are also substantial risks that should be 
considered. In one case, public objections led a school to drop its 
plan to require RFID-enabled tags for identity documents.\30\
---------------------------------------------------------------------------
    \30\ Wired, School Drops RFID Tag Program, Feb. 16, 2005, http://
www.wired.com/techbiz/media/news/2005/02/66626.
---------------------------------------------------------------------------
Conclusion
    COPPA was a smart and forward-looking privacy law. It helped slow 
the commercialization of personal information concerning children and 
it promoted safety and respect for the treatment of minors using new 
online services. Around the edges, there are understandable questions 
about application and implementation. Age verification continues to be 
a challenge. But the central purpose--to establish privacy safeguards 
for the collection and use of personal information on children--is 
sensible and important. The critical task now is to carry forward this 
goal as new business practices continue to raise new privacy 
challenges.
    Thank you for your interest. I will be pleased to answer your 
questions.
References
    EPIC, ``EPIC--Children's Online Privacy Protection Act (COPPA)'' 
http://epic.org/privacy/kids/default.html
    EPIC, ``EPIC--Cloud Computing'' http://epic.org/privacy/
cloudcomputing/
    EPIC, ``EPIC--Echometrix'' http://epic.org/privacy/echometrix/
    EPIC, ``FTC Complaint on Amazon.com COPPA Compliance'' (Apr. 22, 
2003) http://epic.org/privacy/amazon/coppacomplaint.html
    EPIC, ``Radio Frequency Identification (RFID) Systems'' http://
epic.org/privacy/rfid/
    EPIC, ``In re Facebook'' http://epic.org/privacy/inrefacebook/
    EPIC, ``In re Google Buzz'' http://epic.org/privacy/ftc/googlebuzz/
default.html
    EPIC, ``In re Google and Cloud Computing'' http://epic.org/privacy/
cloudcomputing/google/
    FTC, ``Children's Online Privacy Protection Rule; Final Rule'' 
http://www.ftc.gov/os/1999/10/64fr59888.htm
    FTC, ``COPPA FAQs'' http://www.ftc.gov/privacy/coppafaqs.shtm
    FTC, ``How to Comply With The Children's Online Privacy Protection 
Rule'' http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus45.shtm 

    Senator Pryor. Thank you.
    Mr. Szoka.

            STATEMENT OF BERIN SZOKA, SENIOR FELLOW

           AND DIRECTOR, CENTER FOR INTERNET FREEDOM,

               THE PROGRESS & FREEDOM FOUNDATION

    Mr. Szoka. Mr. Chairman, Mr. Ranking Member, and Committee 
members, thank you for inviting me here today.
    Despite sitting at the kids' table, I am a Senior Fellow at 
The Progress & Freedom Foundation. So, you can just imagine how 
young my colleagues must be!
    But, I commend the Committee for studying COPPA, and also 
the Federal Trade Commission, for its review of the COPPA rule, 
which I think is an important distinction we should keep in 
mind.
    As Ms. Rich explained, for an ``Internet junior,'' as we 
have referred to it, of sites that are directed to children 
under 13, COPPA requires sites to either age-verify all users 
or to limit the functionality of the site to prevent children 
from making personal information publicly available, including 
the sharing of user-generated content.
    COPPA imposes the same requirement on general audience 
sites when they have actual knowledge that they are collecting 
information from a user under 13 or, again, enabling them to 
share information.
    Because of this forced separation and the costs of age 
verification, COPPA may well have unintentionally limited the 
choice and competition in the marketplace for children's 
content by driving consolidation in that marketplace.
    On the other hand, COPPA has been reasonably successful in 
fulfilling Congress's original goal of enhancing parental 
involvement to protect children's online privacy and safety.
    Whatever this tradeoff, I am here today to caution against 
expanding COPPA beyond its original, limited purpose. COPPA's 
unique value lies in its flexibility, its subtlety, and its 
intentional narrowness. And my concern here is not just about 
innovation, but also about free speech.
    COPPA is flexible, because it potentially applies the--to 
the entire Internet, regardless of the access device used, 
including services scarcely imaginable in 1998.
    COPPA is subtle, because it requires verifiable parental 
consent, not only if site and service operators gather personal 
information from kids for their own use, but also if they 
enable children to make that information publicly available 
online.
    Even more subtle, however, is COPPA's creative solution to 
the thorny problem of age verification. And, in a nutshell, I 
would say that 13 is just right. Unlike the similarly named 
Child Online Protection Act, or COPA, COPPA requires age 
verification of users on sites clearly directed at children 
only--and, again, where they have actual knowledge; whereas, 
COPA required age verification of all users for any site 
offering content deemed harmful to minors.
    Back in 1998, Congress considered, but wisely chose not, to 
apply COPPA to adolescents. Unfortunately, recent efforts to 
expand COPPA have put online privacy, child safety, free 
speech, and anonymity on a collision course. Several states 
have proposed what we, at PFF, have called ``COPPA 2.0 laws,'' 
extending COPPA to adolescents under 17 or 18. But, once the 
age threshold rises above 13, it becomes increasingly difficult 
to distinguish sites directed at children below the threshold 
from general audience sites. With this seemingly small change, 
COPPA would essentially converge with COPA. COPPA would extend 
beyond a discreet Internet junior to require age verification 
for sites used by many adults. And indeed, other states have 
proposed simply extending COPPA to all social networking sites.
    But, requiring adults and even older teens to prove their 
age by identifying themselves constitutes a prior restraint on 
anonymous or pseudo anonymous communications. And this would 
raise the same First Amendment concerns that caused the courts 
to strike down COPA.
    Ironically, broader age verification mandates would 
actually reduce online privacy by requiring more information to 
be collected, both from adolescents and from adults, which 
would include credit card information. While COPPA's safe 
harbor is playing a valuable part in administering self-
regulation under COPPA, government shouldn't put them in the 
awkward position of becoming repositories for huge troves of 
personal information in the name of protecting privacy.
    Nor would COPPA expansion make adolescents safer online. 
Some have argued that age-verification mandates could protect 
children by allowing sites to create safe spaces that exclude 
predators. Unfortunately, the reality is that technology for 
reliable age verification simply does not exist. Even the FTC 
has made it clear that it doesn't consider COPPA's verifiable 
parental consent methods, such as the use of a credit card, as 
equivalent to strict age verification.
    COPPA could--expansion could also undermine the viability 
of many online sites and services. As you've heard here today, 
some consider the real marketers--excuse me--marketers to be 
the real predators, even though advertising is what we have 
called ``the great hidden benefactor'' that funds the 
overwhelming majority of free online content and services. 
COPPA already applies to the collection of personal information 
that could potentially allow the contacting of children under 
13, and the Network Advertising Initiative already requires 
verifiable parental consent for behavioral advertising to 
children under 13. But, if COPPA were expanded to require 
general audience sites funded by tailored advertising to age-
verify all users, it would devolve into the unconstitutional 
approach found in COPPA.
    Importantly, COPPA expansion would also raise costs for 
smaller or new sites and services geared toward minors. And, in 
turn, this could discourage innovation, limit choice, and raise 
prices for consumers, and, as I mentioned before, also 
potentially restrict speech.
    But, ultimately, concerns about tailored advertising may be 
less about privacy or safety than what about--advertising 
scholar Jack Calfee, of the American Enterprise Institute, has 
called ``the fear of persuasion,'' the idea that advertising is 
inherently manipulative, and grows only more so with increased 
relevance. As he has noted, by 10 or so, children have a full 
understanding of the purpose of advertising, and, equally 
important, an active suspicion of what advertisers say. If 
government has a role in--to play in addressing concerns about 
tailored marketing, it lies in educating kids about 
advertising, to help them become smarter consumers.
    Last week, the FTC launched just such an education 
campaign, with its AdMongo tutorial website. The FTC excels in 
consumer education, and should be encouraged in these efforts 
as a less restrictive alternative to regulation.
    Finally, briefly, I want to caution that H.R. 4173, passed 
by the House in the fall, would give the FTC the capability, 
even if it didn't intend to do so today, to unilaterally change 
COPPA, including its age range. And I would simply suggest that 
such changes should be made by Congress, and not the FTC. If 
Congress wants to help the FTC implement COPPA, it should 
consider additional funding for education, and indeed for 
enforcement.
    Thank you for inviting me to testify.
    [The prepared statement of Mr. Szoka follows:]

    Prepared Statement of Berin Szoka, Senior Fellow and Director, 
     Center for Internet Freedom, The Progress & Freedom Foundation

    Mr. Chairman and Committee members, thank you for inviting me here 
today. My name is Berin Szoka.\1\ I'm a Senior Fellow at The Progress & 
Freedom Foundation (PFF). PFF is a market-oriented think tank and 
501(c)(3) non-profit founded in 1993 that studies the digital 
revolution and its implications for public policy. PFF's mission is to 
educate policymakers, opinion leaders, and the public about issues 
associated with technological change, based on a philosophy of limited 
government, free markets, and individual sovereignty.
---------------------------------------------------------------------------
    \1\ The views expressed here are his own, and not necessarily the 
views of the PFF board, other fellows or staff.
---------------------------------------------------------------------------
    I commend this committee for studying the Children's Online Privacy 
Protection Act or COPPA, and the FTC for its upcoming COPPA Review and 
Roundtable.\2\ My colleague Adam Thierer, PFF's President, has been 
actively engaged in debates about online child safety and privacy since 
joining PFF in 2005, and is the author of Parental Controls & Online 
Child Protection: Survey of Tools & Methods, a regularly updated 
compendium now in its fourth edition and available for free online.\3\ 
The constant theme in PFF's work in this area has been to emphasize the 
tools and methods available to parents to control their children's use 
of media, including the Internet and to the central role played by 
education efforts in helping both parents and children make smarter 
choices. We also highlight enforcement of existing laws as an 
additional ``less restrictive'' alternative to new regulation, and 
attempt to highlight the trade-offs involved in imposing new regulation 
of online communications.
---------------------------------------------------------------------------
    \2\ Federal Trade Commission, Request for Public Comment on the 
FTC's Implementation of the Children's Online Privacy Protection Rule, 
April 5, 2010, http://www.ftc.gov/os/2010/03/100324coppa.pdf; see also 
COPPA Rule Review Roundtable, http://www.ftc.gov/bcp/workshops/coppa/
index.shtml.
    \3\ Adam Thierer, Parental Controls & Online Child Protection: 
Survey of Tools & Methods, Version 4.0, Fall 2008, www.pff.org/
parentalcontrols/index.html.
---------------------------------------------------------------------------
    In May 2009, Adam and I published a 35-page paper entitled COPPA 
2.0: The New Battle over Privacy, Age Verification, Online Safety & 
Free Speech, providing an overview of COPPA, how it works, its costs 
and benefits, and explaining the dangers inherent in several then-
pending efforts to expand COPPA by expanding the law to cover 
adolescents or all social networking sites.\4\ We identified a number 
of legal, technical, and other practical problems with such proposals 
in that they would:
---------------------------------------------------------------------------
    \4\ Berin Szoka & Adam Thierer, COPPA 2.0: The New Battle over 
Privacy, Age Verification, Online Safety & Free Speech, Progress on 
Point 16.11, May 2009, http://pff.org/issues-pubs/pops/2009/pop16.11-
COPPA-and-age-verification.pdf.

   Burden the free speech rights of adults by imposing age 
        verification mandates on many sites used by adults, thus 
        restricting anonymous speech and essentially converging--in 
        terms of practical consequences--with the unconstitutional 
        Children's Online Protection Act (COPA),\5\ another 1998 law 
        sometimes confused with COPPA;
---------------------------------------------------------------------------
    \5\ 47 U.S.C.  231. While COPPA governs sites ``directed at'' 
children, COPA would have required age verification for content deemed 
``harmful to minors.'' COPA has been struck down on First Amendment 
grounds.

   Burden the free speech rights of adolescents to speak freely 
        on--or gather information from--legal and socially beneficial 
---------------------------------------------------------------------------
        websites;

   Hamper routine and socially beneficial communication between 
        adolescents and adults;

   Reduce, rather than enhance, the privacy of adolescents, 
        parents and other adults because of the massive volume of 
        personal information that would have to be collected about 
        users for authentication purposes (likely including credit card 
        data);

   Would likely be the subject of massive fraud or evasion 
        since it is not always possible to definitively verify the 
        parent-child relationship, or because the system could be 
        ``gamed'' in other ways by determined adolescents;

   Do nothing to prevent offshore sites and services from 
        operating outside these rules;

   Present major practical challenges for law enforcement 
        officials in the face of such evasion by both domestic users 
        and offshore sites;

   Could destroy opportunities for new or smaller website 
        operators to break into the market and offer competing services 
        and innovations, thus contributing to consolidation of online 
        content and services by erecting barriers to entry; and

   Violate the Commerce Clause of the U.S. Constitution if 
        enacted by states, since Internet activity clearly represents 
        interstate commerce that states have no authority to regulate.

    This testimony summarizes the key aspects of that paper, which I 
attach below for the Committee's convenience, but also provides 
additional context on subsequent developments and related issues. 
Subsequently, I filed written testimony with the Maine Legislature 
regarding proposals in Maine, including a law enacted over the summer 
but never enforced by the state attorney general, to apply the COPPA 
framework to the collection of health-related information from 
adolescents.\6\ We also look forward filing comments in the FTC's 
upcoming COPPA Review.
---------------------------------------------------------------------------
    \6\ Berin Szoka, Written to Maine Legislature on Act to Protect 
Minors from Pharmaceutical Marketing Practices, LD 1677, March 4, 2010, 
www.pff.org/issues-pubs/filings/2010/2010-03-04-
Maine_Law_Testimony.pdf.
---------------------------------------------------------------------------
    COPPA can best be summarized as follows: For an ``Internet Jr.'' of 
sites ``directed at'' children under 13, COPPA requires sites either to 
age-verify all users or limit functionality to prevent children from 
making personal information ``publicly available''--including the 
sharing of user-generated content. COPPA imposes the same requirement 
on general audience sites when they have actual knowledge a user is 
under 13.

The Costs of COPPA
    Because of this forced separation and the costs of age 
verification, COPPA may well have unintentionally limited choice and 
competition by driving increased consolidation in the marketplace for 
child-oriented sites and services online and discouraging new entry by 
smaller ``mom-and-pop'' sites that could cater to children. As early as 
2001, even some Congressmen recognized this ``unintended consequence'' 
of COPPA in Congressional hearings on privacy.\7\ There are significant 
costs associated with the verifiable parental consent methods used to 
comply with COPPA. Of course, it could be the case that there are other 
reasons that there are relatively few sites catering exclusively to 
children. But this is a question worth considering, and the FTC 
deserves credit for beginning its COPPA review with this question.\8\ 
As noted by Parry Aftab, Executive Director of the children's advocacy 
group Wired Safety, ``COPPA wasn't responsible for the demise of these 
sites, but when combined with the other factors [it] tipped the 
balance.'' \9\ She concludes, appropriately:
---------------------------------------------------------------------------
    \7\ Rep. Billy Tauzin (R-LA) noted that COPPA ``has now forced 
companies to discontinue a number of products targeted toward 
children'' and asked ``If we end up forcing private companies and 
nonprofits to eliminate beneficial products such as crime prevention 
material, have we done a good thing? If teen-friendly sites, those that 
totally respect the privacy of the users stop offering e-mail services 
to children, is that a good thing? An Examination of Existing Federal 
Statutes Addressing Information Privacy: Hearing of the House Committee 
On Energy and Commerce, 107th Cong. 6 (April 3, 2001) (statement of 
Rep. Tauzin.), available at http://
republicans.energycommerce.house.gov/107/action/107-22.pdf.
    \8\ Federal Trade Commission, Request for Public Comment on the 
FTC's Implementation of the Children's Online Privacy Protection Rule, 
at 2 April 5, 2010, http://www.ftc.gov/os/2010/03/100324coppa.pdf.
    \9\ Comments of Parry Aftab, Request for Public Comment on the 
Implementation of COPPA and COPPA Rule's Sliding Scale Mechanism for 
Obtaining Verifiable Parental Consent Before Collecting Personal 
Information from Children at 3, June 27, 2005, www.ftc.gov/os/comments/
COPPArulereview/516296-00021.pdf.

        It is crucial that at this tentative stage for the kids 
        Internet industry we don't do anything to make its survival 
        more difficult. We should be looking at easy to encourage safer 
        communities for preteens and innovations to help create fun, 
        entertaining and educational content for kids online.\10\
---------------------------------------------------------------------------
    \10\ Id.
---------------------------------------------------------------------------
The Success of COPPA
    On the other hand, COPPA has been reasonably successful in 
fulfilling Congress's original goals, as expressed by the law's 
Congressional sponsors:

        (1) to enhance parental involvement in a child's online 
        activities in order to protect the privacy of children in the 
        online environment; (2) to enhance parental involvement to help 
        protect the safety of children in online fora such as 
        chatrooms, home pages, and pen-pal services in which children 
        may make public postings of identifying information; (3) to 
        maintain the security of personally identifiable information of 
        children collected online; and (4) to protect children's 
        privacy by limiting the collection of personal information from 
        children without parental consent.\11\
---------------------------------------------------------------------------
    \11\ 144 Cong. Rec. S11657 (daily ed. Oct. 7, 1998) (statement of 
Rep. Bryan).

    Thus, as its name implies, COPPA is first and foremost about 
protecting the privacy of children. COPPA's primary means for achieving 
this goal is enhancing parental involvement or, as the FTC has put it, 
``provid[ing] parents with a set of effective tools . . . for becoming 
involved in and overseeing their children's interactions online.'' \12\ 
However admirable, ``protect[ing] the safety of children'' is merely an 
indirect goal of COPPA--something to be achieved through the means of 
enhancing parental involvement (COPPA's direct goal). The FTC declares 
that COPPA ``has provided a workable system to help protect the online 
safety and privacy of the Internet's youngest visitors.'' \13\
---------------------------------------------------------------------------
    \12\ Federal Trade Commission, Implementing the Children's Online 
Privacy Protection Act: A Report to Congress at 28, Feb. 2007, 
www.ftc.gov/reports/coppa/07COPPA_Report_to
_Congress.pdf.
    \13\ Id.
---------------------------------------------------------------------------
    Indeed, COPPA may succeed in achieving its original purpose of 
enhancing parental involvement, but strict age verification mandates 
intended to go beyond COPPA will ultimately fail because kids will 
simply lie to circumvent age verification requirements. As Microsoft 
researcher Danah Boyd has put it, ``COPPA did not stop most children 
from creating accounts, but it did teach children and their parents an 
important lesson: Lying is the path to access.'' \14\ Even though 
``there is no perfect solution'' and it is not possible to completely 
``stop a child from lying and putting themselves at risk,'' Denise 
Tayloe of Privo, one of the four FTC-approved providers of COPPA safe 
harbor age verification services, believes that COPPA ``provides a 
platform to educate parents and kids about privacy.'' \15\
---------------------------------------------------------------------------
    \14\ Danah Michele Boyd, Taken Out of Context American Teen 
Sociality in Networked Publics, at 151 Fall 2008, www.danah.org/papers/
TakenOutOfContext.pdf.
    \15\ E-mail from Denise Tayloe to Adam Thierer (Mar. 15, 2007) 
(copy on file with author).
---------------------------------------------------------------------------
    Especially given this practical limitation and whatever the trade-
offs involved in COPPA, I'm here today to caution against expanding 
COPPA beyond its original, limited purpose. COPPA's unique value lies 
in its flexibility, subtlety, and intentional narrowness.
COPPA is Flexible Enough to Cover a Rapidly Changing Landscape
    COPPA is flexible because it potentially applies to the entire 
Internet regardless of the access device used--including services 
scarcely imaginable in 1998. Specifically, COPPA applies to any 
``operator,'' which the statute defines to mean:

        any person who operates a website located on the Internet or an 
        online service and who collects or maintains personal 
        information from or about the users of or visitors to such 
        website or online service, or on whose behalf such information 
        is collected or maintained, where such website or online 
        service is operated for commercial purposes, including any 
        person offering products or services for sale through that 
        website or online service, involving commerce.\16\
---------------------------------------------------------------------------
    \16\ 15 U.S.C.  6501(2).

---------------------------------------------------------------------------
    COPPA defines the key term ``Internet'' broadly to mean:

        collectively the myriad of computer and telecommunications 
        facilities, including equipment and operating software, which 
        comprise the interconnected worldwide network of networks that 
        employ the Transmission Control Protocol/ Internet Protocol, or 
        any predecessor or successor protocols to such protocol, to 
        communicate information of all kinds by wire or radio.\17\
---------------------------------------------------------------------------
    \17\ 15 U.S.C.  6501(6).

---------------------------------------------------------------------------
    In interpreting its COPPA Rule, the FTC has said:

        The Rule's Statement of Basis and Purpose makes clear that the 
        term Internet is intended to apply to broadband networks, as 
        well as to intranets maintained by online services that either 
        are accessible via the Internet, or that have gateways to the 
        Internet.\18\
---------------------------------------------------------------------------
    \18\ Federal Trade Commission, Frequently Asked Questions about the 
Children's Online Privacy Protection Rule, Question 6 (``What types of 
online transmissions does COPPA apply to?''), www.ftc.gov/privacy/
coppafaqs.shtm.

    Because nearly all communications platforms have converged on the 
``Internet,'' thus defined, COPPA would reach a wide variety of 
services and media not commonly thought of as belonging to the 
``Internet.'' For example, if a video game console is networked through 
the Internet to allow users to play games with each other, COPPA would 
apply to potential sharing of personal information. To this extent, the 
FTC ought not need new statutory authority from Congress.
COPPA's Subtlety Lies in its Narrowness
    COPPA is subtle because it requires ``verifiable parental consent'' 
not only if site and service operators gather personal information from 
kids for their own use, but also if sites enable children to make 
personal information ``publicly available'' online. Even more subtle is 
COPPA's creative solution to the thorny problem of age verification. 
Unlike the similarly-named Child Online Protection Act of 1998 (COPA, 
pronounced ``koh-pah'' instead of ``kah-pah''),\19\ COPPA only requires 
age verification of users onsites clearly directed at children, whereas 
COPA required it for any site offering content deemed ``harmful to 
minors.''
---------------------------------------------------------------------------
    \19\ 47 U.S.C.  231.
---------------------------------------------------------------------------
Efforts to Expand COPPA Raise Serious First Amendment Concerns
    Back in 1998, Congress wisely chose not to apply COPPA to 
adolescents. Unfortunately, recent efforts to expand COPPA have put 
online privacy, child safety, free speech and anonymity on a collision 
course. Several states have proposed what we at PFF have called ``COPPA 
2.0'' laws, extending COPPA to adolescents up to 17 or 18. But once the 
age threshold rises above 13, it becomes increasingly difficult to 
distinguish sites ``directed at'' children below the threshold from 
general audience sites. With this seemingly small change, COPPA would 
essentially converge with COPA: COPPA would extend beyond a discrete 
``Internet, Jr.'' to require age verification for sites used by many 
adults--and, indeed, other states have proposed simply extending COPPA 
to all social networking sites. But requiring adults and even older 
teens to prove their age by identifying themselves constitutes a prior 
restraint on anonymous or pseudonymous communication. This raises the 
same First Amendment concerns that caused the courts to strike down 
COPA.
    After a decade-long court battle over COPA's constitutionality, the 
U.S. Supreme Court in January 2009 rejected the government's latest 
request to revive the law, meaning it is likely dead.\20\ Three of the 
key reasons the courts struck down COPA would also apply to COPPA 2.0 
proposals:
---------------------------------------------------------------------------
    \20\ See Adam Thierer, The Progress & Freedom Foundation, Closing 
the Book on COPA, PFF Blog, Jan. 21, 2009, http://blog.pff.org/
archives/2009/01/closing_the_boo.html. See also Alex Harris, Child 
Online Protection Act Still Unconstitutional, http://
cyberlaw.stanford.edu/packet/200811/child-online-protection-act-still-
unconstitutional.

   Anonymous Speech Rights of Adults. COPA burdened the speech 
        rights of adults to access information subject to age 
        verification requirements, both by making speech more difficult 
        and by stigmatizing it. In 2003, the Third Circuit noted that 
        age verification requirements ``will likely deter many adults 
        from accessing restricted content, because many Web users are 
        simply unwilling to provide identification information in order 
        to gain access to content, especially where the information 
        they wish to access is sensitive or controversial.'' \21\ The 
        Supreme Court has recognized the vital importance of anonymous 
        speech in the context of traditional publication.\22\ By 
        imposing broad age verification requirements, COPPA 2.0 would 
        restrict the rights of adults to send and receive information 
        anonymously just as COPA did. If anything, the speech burdened 
        by COPPA 2.0 deserves more protection, not less, than the 
        speech burdened by COPA: Where COPA merely burdened access to 
        content deemed ``harmful to minors'' (viz., pornography), COPPA 
        2.0 would burden access to material by adults as well as minors 
        not because that material is harmful or obscene but merely 
        because it is ``directed at'' minors! Thus, the content covered 
        by COPPA 2.0 proposals could include not merely pornography, 
        but communications about political nature, which deserved the 
        highest degree of First Amendment protection.
---------------------------------------------------------------------------
    \21\ American Civil Liberties Union v. Ashcroft, 322 F.3d 240, 259 
(3d Cir. 2003).
    \22\ McIntyre v. Ohio Elections Comm'n, 514 U.S. 334, 342 (1995) 
(striking down law that prohibited distribution of anonymous campaign 
literature); see also Talley v. California, 362 U.S. 60 (1960) 
(striking down a state law that forbade all anonymous leafletting).

   Speech Rights of Site Operators. The necessary corollary of 
        blocking adults from accessing certain content anonymously--and 
        thereby deterring some users from accessing that content--is 
        that COPPA 2.0 proposals would, like COPA, necessarily reduce 
        the audience size of websites subject to age verification 
        mandates. Furthermore, such mandates would encourage websites 
        to self-censor themselves to avoid offering content they fear 
        could be considered ``directed at'' adolescents because doing 
        so might subject them to an age verification mandate--or to 
        legal liability if they fail to implement age verification. The 
        substantial cost of age verification could significantly 
        impact, if not make impossible, sites that allow sharing of 
        personal information, including user-generated content, because 
        such sites generally do not charge for content and rely instead 
        on advertising revenues. The Third Circuit cited all of these 
        burdens on the free speech rights of website operators in 
        striking down COPA.\23\
---------------------------------------------------------------------------
    \23\ See ACLU III, 534 F.3d at 196-97 (citing ACLU v. Gonzales, 478 
F. Supp. 2d 775, 804). The Court held that websites ``face significant 
costs to implement [COPA's age verification mandates] and will suffer 
the loss of legitimate visitors once they do so.'' Id. at 197.

   Less Restrictive Alternatives to Regulation. The Third 
        Circuit drew on the Supreme Court's 2004 decision striking down 
        COPA on the grounds that ``[b]locking and filtering software is 
        an alternative that is less restrictive than COPA, and, in 
        addition, likely more effective as a means of restricting 
        children's access to materials harmful to them.'' \24\ 
        Similarly, parental control software already empowers parents 
        to restrict their kids' access to sites that ``collect'' 
        personal information. It's particularly easy for parents to 
        restrict access to the leading social networking sites that 
        seem to be driving so much of the push for COPPA 2.0.
---------------------------------------------------------------------------
    \24\ Id. at 198 (quoting ACLU v. Mukasey, 534 F.3d 181, 198 
(2008)).
---------------------------------------------------------------------------
COPPA Expansion Would Undermine Privacy
    Ironically, broad age verification mandates would reduce online 
privacy by requiring more information to be collected from both 
adolescents and adults, including credit card information, in order to 
verify age and the parent/child relationship (in the admittedly 
imperfect fashions prescribed by COPPA's ``Sliding Scale''). While 
COPPA's safe harbor administrators play a valuable role in 
administering self-regulation under COPPA,\25\ government shouldn't put 
them in the awkward position of becoming repositories for huge troves 
of personal information in the name of protecting privacy.
---------------------------------------------------------------------------
    \25\ The four safe harbor programs are administered by the 
Children's Advertising Review Unit of the Council of Better Business 
Bureaus (CARU); the Entertainment Software Rating Board (ESRB); TRUSTe; 
and Privo. See Federal Trade Commission, Safe Harbor Program, www.ftc
.gov/privacy/privacyinitiatives/childrens_shp.html.
---------------------------------------------------------------------------
COPPA Expansion Would Not Enhance Child Safety
    Some have argued that age verification mandates could protect 
children by allowing sites to create ``safe spaces'' that exclude 
predators. Unfortunately, the reality is that the technology for 
reliable age verification simply doesn't exist.
    Federal courts have found that there is ``no evidence of age 
verification services or products available on the market to owners of 
websites that actually reliably establish or verify the age of Internet 
users. Nor is there evidence of such services or products that can 
effectively prevent access to Web pages by a minor.'' \26\ Few public 
data bases exist that could be referenced to conduct such verifications 
for minors, and most parents do not want the few records that do exist 
about their children (e.g., birth certificates, Social Security 
numbers, school records) to become more easily accessible.\27\ Indeed, 
concerns about those records being compromised or falling into the 
wrong hands have led to legal restrictions on their accessibility.\28\ 
Even the FTC has made clear that it doesn't consider COPPA's ``sliding 
scale'' of verifiable parental consent methods--use of a credit card, 
print-and-fax forms, follow-up phone calls and e-mails, and using 
encryption certificates \29\--as equivalent to strict age 
verification.\30\
---------------------------------------------------------------------------
    \26\ Gonzales, 478 F. Supp. 2d at 806.
    \27\ See Adam Thierer, The Progress & Freedom Foundation, Age 
Verification Debate Continues; Schools Now at Center of Discussion, PFF 
Blog, Sept. 25, 2008, http://blog.pff.org/archives/2008/09/
age_verificatio_1.html.
    \28\ Various laws and regulations have been implemented that shield 
such records from public use, including various state statutes and the 
Family Educational Rights and Privacy Act of 1974, 20 U.S.C.  1232g, 
www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
    \29\ 16 C.F.R.  312.5(b)(2).
    \30\ In a February 2007 report to Congress about the status of the 
law and its enforcement, the FTC said that no changes to COPPA were 
then necessary because the law had ``been effective in helping to 
protect the privacy and safety of young children online.'' Federal 
Trade Commission, Implementing the Children's Online Privacy Protection 
Act: A Report to Congress at 1, Feb. 2007, www.ftc.gov/reports/coppa/
07COPPA_Report_to_Congress.pdf. In discussing the effectiveness of the 
parental consent verification methods authorized in the FTC's sliding 
scale approach, however, the agency acknowledged that ``none of these 
mechanisms is foolproof.'' Id. at 13. The FTC attempts to distinguish 
these parental consent verification methods from other kinds of age 
verification tools in noting that ``age verification technologies have 
not kept pace with other developments, and are not currently available 
as a substitute for other screening mechanisms.'' Id. at 12.
---------------------------------------------------------------------------
Fears of Advertising Should Not Drive COPPA Expansion
    COPPA expansion could also undermine the viability of many online 
sites and services. Some consider marketers the ``real predators''--
even though advertising is the great ``Hidden Benefactor'' \31\ that 
funds the overwhelming majority of ``free'' Internet content and 
services. COPPA already applies to the collection of information that 
could potentially allow the contacting of a child under 13. The Network 
Advertising Initiative already requires verifiable parental consent for 
behavioral advertising to children under 13. But if COPPA were expanded 
to require general audience sites funded by tailored advertising to 
age-verify all users, it would devolve into the unconstitutional 
approach found in COPA. Importantly, COPPA expansion would also raise 
costs for smaller or new sites and services geared toward minors. This 
could discourage new innovation, limit choice, and raise prices for 
consumers.\32\
---------------------------------------------------------------------------
    \31\ Adam Thierer & Berin Szoka, The Hidden Benefactor: How 
Advertising Informs, Educates & Benefits Consumers, Progress on Point 
6.5, Feb. 2010, www.pff.org/issues-pubs/ps/2010/pdf/ps6.5-the-
hiddenbenefactor.pdf.
    \32\ In 2005, the FTC has cited an estimate of $45/child as the 
cost of obtaining verifiable parental consent for child-oriented sites 
to comply with COPPA. See Comments of Parry Aftab, Request for Public 
Comment on the Implementation of COPPA and COPPA Rule's Sliding Scale 
Mechanism for Obtaining Verifiable Parental Consent Before Collecting 
Personal Information from Children at 2, June 27, 2005, www.ftc.gov/os/
comments/COPPArulereview/516296-00021.pdf.
---------------------------------------------------------------------------
    Ultimately, concerns about tailored advertising may be less about 
privacy than about what advertising scholar Jack Calfee has dubbed the 
``Fear of Persuasion''--the idea that advertising is inherently 
manipulative and only grows more so with increased relevance. But as 
Calfee notes, ``by the age 10 or so, children develop a full 
understanding of the purpose of advertising and equally important, an 
active suspicion of what advertisers say.'' \33\ If government has a 
role to play in addressing concerns about tailored marketing, it lies 
in educating kids about advertising to help them become smarter 
consumers. Last week, the FTC launched just such an education campaign 
with its AdMongo tutorial website (www.admongo.gov).\34\ The FTC excels 
in consumer education, and should be encouraged in these efforts as a 
less restrictive alternative to regulation. Other excellent examples of 
FTC education efforts include:
---------------------------------------------------------------------------
    \33\ Jack Calfee, American Enterprise Institute, Fear of 
Persuasion: A New Perspective on Advertising and Regulation, 59 (1997).
    \34\ Federal Trade Commission to Launch Advertising Literacy 
Campaign National Program Gives `Tweens' Ages 8 to 12 Skills to 
Recognize, Understand Advertising, April 26, 2010, www.ftc.gov/opa/
2010/04/admongo.shtm.

        OnGuardOnline.gov (tips on online security, fraud avoidance and 
---------------------------------------------------------------------------
        privacy);

        NetCetera: Chatting With Kids About Being Online 
        (www.onguardonline.gov/topics/netcetera.aspx); and

        You Are Here: Where Kids Learn to be Smarter Consumers 
        (ftc.gov/youarehere/).

Opening the Door to COPPA Expansion through FTC Overhaul via 
        Financial Reform
    Finally, financial reform legislation recently passed by the House 
would give the FTC sweeping new rulemaking powers, and could allow the 
FTC to unilaterally change COPPA, including its age range. 
Specifically, H.R. 4173 would give the FTC normal rulemaking authority 
under the Administrative Procedures Act, replacing the special 
rulemaking procedures crafted by Congress with the 1975 Magnuson-Moss 
Act, and strengthened through additional procedural safeguards in 1980, 
to ensure that the agency did not rush into preemptive regulation 
without carefully weighing the costs and benefits of government 
intervention.\35\
---------------------------------------------------------------------------
    \35\ See generally, Berin Szoka, How Financial Overhaul Could Put 
the FTC on Steroids & Transform Internet Regulation Overnight, Progress 
Snapshot 6.7, March 2010, www.pff.org/issues-pubs/ps/2010/pdf/ps6.7-
FTC_on_steroids.pdf.
---------------------------------------------------------------------------
    Such decisions should be made by Congress, not the FTC. If Congress 
wants to help the FTC implement COPPA, it should consider additional 
funding for education and enforcement. These, in conjunction with 
empowerment of parents and kids to manage their own privacy and other 
online preferences, offer a better approach to addressing concerns 
about online child privacy and safety than increased regulation.
    Thank you again for inviting me to testify.

Related PFF Publications
   COPPA 2.0: The New Battle over Privacy, Age Verification, 
        Online Safety & Free Speech, Berin Szoka & Adam Thierer, 
        Progress on Point 16.11, May 2009.

   Written to Maine Legislature on Act to Protect Minors from 
        Pharmaceutical Marketing Practices, LD 1677, Berin Szoka, March 
        4, 2010.

   Parental Controls & Online Child Protection: A Survey of 
        Tools & Methods, Adam Thierer, Special Report, Version 4.0, 
        Fall 2008.

   Five Online Safety Task Forces Agree: Education, Empowerment 
        & Self-Regulation Are the Answer, Adam Thierer, Progress on 
        Point 16.13, July 8, 2009.

   The Perils of Mandatory Parental Controls and Restrictive 
        Defaults, Adam Thierer, Progress on Point 15.4, April 11, 2008.

   Written Testimony before House Committee on the Judiciary on 
        Cyber Bullying and other Online Safety Issues for Children, 
        Berin Szoka & Adam Thierer, September 30, 2009.

   Privacy Trade-Offs: How Further Regulation Could Diminish 
        Consumer Choice, Raise Prices, Quash Digital Innovation & 
        Curtail Free Speech, Comments of Berin Szoka to FTC Exploring 
        Privacy Roundtable, Nov. 2009.

   Privacy Polls v. Real-World Trade-Offs, Berin Szoka, 
        Progress Snapshot 5.10, Oct. 2009.

   Online Advertising & User Privacy: Principles to Guide the 
        Debate, Berin Szoka & Adam Thierer, Progress Snapshot 4.19, 
        Sept. 2008.

   Targeted Online Advertising: What's the Harm & Where Are We 
        Heading?, Berin Szoka & Adam Thierer, Progress on Point 16.2, 
        April 2009.

   How Financial Overhaul Could Put the FTC on Steroids & 
        Transform Internet Regulation Overnight, Berin Szoka, Progress 
        Snapshot 6.7, March 2010.
                                 ______
                                 

The Progress & Freedom Foundation--Progress on Point--Volume 16, Issue 
                              11--May 2009

COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety 
                             & Free Speech

                     by Berin Szoka & Adam Thierer

Executive Summary
    Online privacy, child safety, free speech and anonymity are on a 
collision course. The 1998 Children's Online Privacy Protection Act 
(COPPA) already mandates certain online privacy protections for 
children under 13, but many advocate expanding online privacy 
protections for both adolescents and adults. Furthermore, efforts 
continue at both the Federal and state levels to institute new 
regulations, such as age verification mandates, aimed at ensuring the 
safety of children online. There is an inherent tension between these 
objectives: Attempts to achieve perfectly ``safe'' online environments 
will likely require the surrender of some privacy and speech rights, 
including the right to speak anonymously.
    These tensions are coming to a head with state-based efforts to 
expand COPPA, which requires ``verifiable parental consent'' before 
certain sites or services may collect, or enable the sharing of, 
personal information from children under the age of 13. Several 
proposed state laws would extend COPPA's parental-consent framework to 
cover all adolescents under 18. This seemingly small change would 
require age verification of not only adolescents and their parents, 
but--for the first time--large numbers of adults, thus raising grave 
First Amendment concerns. Such broad age verification mandates would, 
ironically, reduce online privacy by requiring more information to be 
collected from both adolescents and adults for age verification 
purposes, while doing little to make adolescents safer. In practical 
terms, the increased scale of ``COPPA 2.0'' efforts would present 
significant implementation and enforcement challenges. Finally, state-
level COPPA 2.0 proposals would likely conflict with the Constitution's 
Commerce Clause.
    Despite these profound problems, COPPA expansion has great 
rhetorical appeal and seems likely to be at the heart of future child 
safety debates--especially efforts to require mandatory age 
verification. There are, however, many better ways to protect children 
online than by expanding COPPA beyond its original, limited purpose.

I. Introduction
    When the debate about social networking safety first heated up a 
few years ago, some state attorneys general (AGs) and vendors of age 
verification services implied that the technology existed--or could be 
easily developed--to verify the age of any minor who sought access to 
an interactive website.\1\ Federal law currently requires--via the 
Children's Online Privacy Protection Act (COPPA) of 1998 \2\--that 
child-oriented website operators or service providers ``Obtain 
verifiable parental consent prior to any collection, use, and/or 
disclosure of personal information from children [under 13].'' \3\ But 
advocates of age verification mandates have argued that online child 
safety would be improved if websites--particularly ``social networking 
sites'' like MySpace, Facebook and Bebo--were required to do more: 
screen users by age and to limit or ban access by those over, or under, 
a certain age.
---------------------------------------------------------------------------
    \1\ See, e.g., Emily Steel & Julia Angwin, MySpace Receives More 
Pressure to Limit Children's Access to Site, Wall Street Journal, June 
23, 2006, http://online.wsj.com/public/article/SB115102268445288250-
YRxkt0rTsyyf1QiQf2EPBYSf7iU_20070624.html.
    \2\ 15 U.S.C.  6501-6506.
    \3\ See 16 C.F.R.  312.5. See infra at 6 and note 25 for a 
discussion of COPPA's other requirements, particularly that COPPA 
applies if a website has ``actual knowledge'' that it is collecting 
information from a child even if the website is not ``directed at'' 
children.
---------------------------------------------------------------------------
    Today, however, the practical limitations and dangers of age 
verification mandates have become more widely recognized. Few continue 
to argue for directly mandating verification of the age of minors 
online--or that such verification, in its strictest sense, is even 
technically feasible. Federal courts have found that there is ``no 
evidence of age verification services or products available on the 
market to owners of websites that actually reliably establish or verify 
the age of Internet users. Nor is there evidence of such services or 
products that can effectively prevent access to Web pages by a minor.'' 
\4\ Few public data bases exist that could be referenced to conduct 
such verifications for minors, and most parents do not want the few 
records that do exist about their children (e.g., birth certificates, 
Social Security numbers, school records) to become more easily 
accessible.\5\ Indeed, concerns about those records being compromised 
or falling into the wrong hands have led to legal restrictions on their 
accessibility.\6\
---------------------------------------------------------------------------
    \4\ ACLU v. Gonzales, 478 F. Supp. 2d 775, 806 (E.D. Pa. 2007) 
[hereinafter Gonzales]; see infra at 28.
    \5\ See Adam Thierer, The Progress & Freedom Foundation, Age 
Verification Debate Continues; Schools Now at Center of Discussion, PFF 
Blog, Sept. 25, 2008, http://blog.pff.org/archives/2008/09/
age_verificatio_1.html.
    \6\ Various laws and regulations have been implemented that shield 
such records from public use, including various state statutes and the 
Family Educational Rights and Privacy Act of 1974, 20 U.S.C.  1232g, 
www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
---------------------------------------------------------------------------
    There are a host of other concerns about age verification 
mandates.\7\ Some of these concerns were summarized in a recent report 
produced by the Internet Safety Technical Task Force, a blue ribbon 
task force assembled in 2008 by state AGs to study this issue:
---------------------------------------------------------------------------
    \7\ For a fuller exploration of these issues, see Adam Thierer, The 
Progress & Freedom Foundation, Social Networking and Age Verification: 
Many Hard Questions; No Easy Solutions, Progress on Point No. 14.5, 
Mar. 2007; Adam Thierer, The Progress & Freedom Foundation, Statement 
Regarding the Internet Safety Technical Task Force's Final Report to 
the Attorneys General, Jan. 14, 2008, www.pff.org/issues-pubs/other/
090114ISTTFthiererclosingstatement.pdf; Nancy Willard, Why Age and 
Identity Verification Will Not Work--And is a Really Bad Idea, Jan. 26, 
2009, www.csriu.org/PDFs/digitalidnot.pdf; Jeff Schmidt, Online Child 
Safety: A Security Professional's Take, The Guardian, Spring 2007, 
www.jschmidt.org/AgeVerification/Gardian_JSchmidt.pdf.

        Age verification and identity authentication technologies are 
        appealing in concept but challenged in terms of effectiveness. 
        Any system that relies on remote verification of information 
        has potential for inaccuracies. For example, on the user side, 
        it is never certain that the person attempting to verify an 
        identity is using their own actual identity or someone else's. 
        Any system that relies on public records has a better 
        likelihood of accurately verifying an adult than a minor due to 
        extant records. Any system that focuses on third-party in-
        person verification would require significant political backing 
        and social acceptance. Additionally, any central repository of 
        this type of personal information would raise significant 
        privacy concerns and security issues.\8\
---------------------------------------------------------------------------
    \8\ Internet Safety Technical Task Force, Enhancing Child Safety & 
Online Technologies: Final Report of the Internet Safety Technical Task 
Force to the Multi-State Working Group on Social Networking of State 
Attorneys General of the United States, Dec. 31, 2008, at 10, http://
cyber.law.harvard.edu/pubrelease/isttf [hereinafter ISTTF Final 
Report]. Full disclosure: Adam Thierer was a member of this task force.

    With opposition to strict age verification mandates growing, some 
regulatory advocates now seek to institute such mandates through the 
back door of ``parental consent'' mandates in the model of COPPA. Such 
``COPPA 2.0'' legislation has been introduced at the state level that 
would extend the COPPA parental-consent framework to cover all minors 
between the ages of 13 and 17 inclusive (``adolescents''). Some of 
these bills would also broaden the range of sites covered, increase the 
amount of information required to be collected to achieve ``verifiable 
parental consent'' or impose other mandates such as parental access.
    Two such bills were introduced in 2007, in North Carolina (with the 
support of that state's Attorney General Roy Cooper)\9\ and 
Georgia.\10\ While these bills were never passed, a similar bill is 
currently pending in Illinois.\11\ Because the scope of such bills 
would reach all ``social networking sites'' that offered certain 
functionality (e.g., user profiles), rather only those sites directed 
at a particular age bracket (as under COPPA),\12\ they would extend age 
verification mandates far beyond sites that might be considered 
``adolescent-oriented.'' Another bill is currently pending in New 
Jersey; like COPPA, this bill would reach only sites directed at 
adolescents, but it might reach a broader range of sites, because its 
scope is not limited specifically to ``social networking'' 
functionality.\13\ The introduction of these bills makes it clear that 
future online identity verification debates will be increasingly tied 
up with efforts to expand the COPPA framework. These mandates will 
likely arrive in the form of state-level expansions of, or Federal 
amendments to, COPPA, or such proposals will at least cite COPPA's 
regulatory framework as precedent. Yet COPPA 2.0 advocates seem to 
forget that, back in 1998, Congress considered, but ultimately 
rejected, a requirement in the original version of COPPA that operators 
make ``reasonable efforts to provide the parents with notice and an 
opportunity to prevent or curtail the collection or use of personal 
information collected from children over the age of 12 and under the 
age of 17.'' \14\ This requirement would have been significantly less 
burdensome than the COPPA 2.0 approaches advanced today, but it was 
stricken from the final version of COPPA after likely constitutional 
and practical problems were identified.\15\
---------------------------------------------------------------------------
    \9\ S.B. 132, 2007 Gen. Assem., Reg. Sess.  8 (N.C. 2007), 
available at www.ncga.state.nc.us/Sessions/2007/Bills/Senate/HTML/
S132v3.html; see also Roy Cooper, Protecting Children from Sexual 
Predators: SB 132, July 24, 2007, www.ncdoj.com/
DocumentStreamerClient?directory
=WhatsNew/&file=S132%20summary%20final.pdf; see also Adam Thierer, The 
Progress & Freedom Foundation, Age Verification Showdown in North 
Carolina, PFF Blog, July 26, 2007, http://blog.pff.org/archives/2007/
07/age_verificatio.html.
    \10\ S.B. 59, Gen. Assem., 2007-2008 Leg. Sess. (Ga. 2007), 
available at www.legis.ga.gov/legis/2007_08/fulltext/sb59.htm.
    \11\ H.B. 1312, 96th Gen. Assem., Synopsis as Introduced (Il. 2007) 
[hereinafter SNWARA], available at www.ilga.gov/legislation/
billstatus.asp?DocNum=1312&GAID=10&GA=96&Doc
TypeID=HB&LegID=43038&SessionID=76.
    \12\ See infra note 22 and associated text (noting that that COPPA 
also applies in cases of ``actual knowledge,'' even if a site is not 
``directed at'' children); see also infra Section V.A. (discussing the 
meaning of ``directed at'').
    \13\ A.B. 108, Gen. Assem., 213th Leg. Sess. (N.J. 2008) 
[hereinafter AOPPA], available at www.njleg.state.nj.us/2008/Bills/
A0500/108_I1.HTM.
    \14\ Children's Online Privacy Protection Act, S. 2326, 105th Cong. 
3(a)(2)(iii) (1998).
    \15\ Testimony of Deirdre Mulligan, Staff Counsel, Center for 
Democracy and Technology, before the Senate Committee on Commerce, 
Science, and Transportation Subcommittee on Communications, Sept. 23, 
1998, available at www.cdt.org/testimony/980923mulligan.shtml 
[hereinafter Mulligan Testimony].
---------------------------------------------------------------------------
    Today's COPPA 2.0 bills are fraught with even greater legal, 
technical, and other practical problems in that they would:

   Burden the free speech rights of adults by imposing age 
        verification mandates on many sites used by adults, thus 
        restricting anonymous speech and essentially converging--in 
        terms of practical consequences--with the unconstitutional 
        Children's Online Protection Act (COPA),\16\ another 1998 law 
        sometimes confused with COPPA;
---------------------------------------------------------------------------
    \16\ 47 U.S.C.  231. While COPPA governs sites ``directed at'' 
children, COPA would have required age verification for content deemed 
``harmful to minors.'' COPA has been struck down on First Amendment 
grounds. See infra at Section VI.

   Burden the free speech rights of adolescents to speak freely 
        on--or gather information from--legal and socially beneficial 
---------------------------------------------------------------------------
        websites;

   Hamper routine and socially beneficial communication between 
        adolescents and adults;

   Reduce, rather than enhance, the privacy of adolescents, 
        parents and other adults because of the massive volume of 
        personal information that would have to be collected about 
        users for authentication purposes (likely including credit card 
        data);

   Would likely be the subject of massive fraud or evasion 
        since it is not always possible to definitively verify the 
        parent-child relationship, or because the system could be 
        ``gamed'' in other ways by determined adolescents;

   Do nothing to prevent offshore sites and services from 
        operating outside these rules;

   Present major practical challenges for law enforcement 
        officials in the face of such evasion by both domestic users 
        and offshore sites;

   Could destroy opportunities for new or smaller website 
        operators to break into the market and offer competing services 
        and innovations, thus contributing to consolidation of online 
        content and services by erecting barriers to entry; and

   Violate the Commerce Clause of the U.S. Constitution, since 
        Internet activity clearly represents interstate commerce that 
        states have no authority to regulate.

    There are better approaches to protect adolescents that do not 
implicate the serious legal and societal issues raised by COPPA 2.0 
efforts.\17\ Attempts to expand COPPA to cover adolescents are thus 
unnecessary and misguided and should be rejected at both the state and 
Federal levels.
---------------------------------------------------------------------------
    \17\ See generally Adam Thierer, The Progress & Freedom Foundation, 
Parental Controls and Online Child Protection: A Survey of Tools and 
Methods, Special Report, Version 3.1, Fall 2008, www.pff.org/
parentalcontrols/index.html (cataloguing the tools and methods 
available to parents to control their kids' Internet use).
---------------------------------------------------------------------------
    The FTC should consider carefully the limitations of COPPA and the 
pitfalls of COPPA 2.0 as the agency prepares to begin an expedited 
review of COPPA (five years ahead of schedule).\18\
---------------------------------------------------------------------------
    \18\ Howard Buskirk & Yu-Ting Wang, FTC to Expedite Review of 
Children's Online Privacy Protection Rule, Communications Daily, April 
23, 2009, at 5-7.
---------------------------------------------------------------------------
    Before examining in greater detail the problems posed by COPPA 2.0 
proposals (Sections IV-VIII), we review how COPPA 1.0 currently works 
(Section II) and what it achieves (Section III).

II. Current Implementation of COPPA
Terminology
    ``Adult''--Anyone 18 and over
    ``Minor''--Anyone under 18
    ``Child''--Anyone under 13
    ``Adolescent''--Anyone 13 or over but less than 18
    ``Kid''--Because of the specific meaning of ``child'' under COPPA, 
we have used ``kid'' instead of ``child'' when discussing interaction 
with parents and as a colloquial catch-all where appropriate.
    ``PI-collecting site''--Any site that collects what COPPA considers 
``personal information,'' which includes contact information.
    ``Social networking site''--A generic term for a PI-collecting site 
focused on user profiles and connections among users. Some legislative 
proposals use this term to refer to sites with specific functionality.
    COPPA generally requires that commercial operators of websites and 
services obtain ``verifiable parental consent'' before collecting, 
disclosing or using ``personal information'' (e.g., name, contact 
information) \19\ about children under 13 \20\ if either (i) their 
website or service (or ``portion thereof'') is ``directed at children'' 
\21\ or (ii) they have actual knowledge that they are collecting 
personal information from a child.\22\ Even if sites and services that 
collect personal information (``PI-collecting sites'' \23\) are not 
``directed at'' children, they must still have such a process in place 
to deal with cases in which a child has disclosed that they are under 
13. The FTC has defined COPPA's scope so broadly that it could apply 
even to virtual worlds and multiplayer online games (e.g., Second Life, 
World of Warcraft).\24\ COPPA also requires certain notices about 
information collection, parental access to information collected about 
children, reasonable data security procedures, and restrictions on the 
collection of personal information through games and prizes.\25\
---------------------------------------------------------------------------
    \19\ The FTC has defined ``personal information'' to include:
    (a) A first and last name; (b) A home or other physical address 
including street name and name of a city or town; (c) An e-mail address 
or other online contact information, including but not limited to an 
instant messaging user Identifier, or a screen name that reveals an 
individual's e-mail address; (d) A telephone number; (e) A Social 
Security number; (f) A persistent identifier, such as a customer number 
held in a cookie or a processor serial number, where such identifier is 
associated with individually identifiable information; or a combination 
of a last name or photograph of the individual with other information 
such that the combination permits physical or online contacting; or (g) 
Information concerning the child or the parents of that child that the 
operator collects online from the child and combines with an identifier 
described.
    16 C.F.R.  312.2.
    \20\ The word ``child'' is sometimes used interchangeably with the 
legal term ``minor'' (someone under 18) in Federal law. See, e.g., 18 
U.S.C.  2256(1) (defining ``minor'' as ``any person under the age of 
eighteen years'') and 18 U.S.C.  2256(8) (defining ``child 
pornography'' as ``any visual depiction . . . of sexually explicit 
conduct [involving a minor]''). In common speech, the term ``child'' is 
often used to mean ``a son or daughter of any age.'' Dictionary.com, 
``child,'' Merriam-Webster's Dictionary of Law, 
dictionary.reference.com/browse/child. By contrast, COPPA defines 
``child'' as a subset of ``minor.'' COPPA 2.0 bills would apply to 
older minors not currently subject to COPPA, generally referred to as 
``adolescents.''
    \21\ 16 C.F.R.  312.2 (definition of ``website or online service 
directed to children''); see infra at 22-24 (discussing the FTC's 
criteria for deciding what constitutes a site ``directed to'' 
children).
    \22\ See 16 C.F.R.  312.3; see also 16 C.F.R.  312.2 (definition 
of ``website or online service directed to children'').
    \23\ We use the term ``PI-collecting sites'' to refer to both sites 
and services only for lack of a clearer catch-all.
    \24\ As the FTC has explained:
    COPPA applies to personal information collected online by websites 
and online services located on the Internet. The Rule defines 
``Internet'' to mean the myriad of computer and telecommunications 
facilities that make up the world-wide networks that employ the 
Transmission Control Protocol/Internet Protocol (TCP/IP), or any 
predecessor or successor protocols used to communicate information of 
all kinds by wire, radio, or other methods of transmission. See 16 
C.F.R.  312.2 (definition of ``Internet''). The Rule's Statement of 
Basis and Purpose makes clear that the term Internet is intended to 
apply to broadband networks, as well as to intranets maintained by 
online services that either are accessible via the Internet, or that 
have gateways to the Internet.
    Federal Trade Commission, Frequently Asked Questions about the 
Children's Online Privacy Protection Rule [hereinafter COPPA FAQ], 
Question 6 (``What types of online transmissions does COPPA apply 
to?''), www.ftc.gov/privacy/coppafaqs.shtm.
    \25\ Operators of PI-collecting sites must:
    Provide notice on the website or online service of what information 
it collects from children, how it uses such information, and its 
disclosure practices for such information; . . . (c) Provide a 
reasonable means for a parent to review the personal information 
collected from a child and to refuse to permit its further use or 
maintenance; (d) Not condition a child's participation in a game, the 
offering of a prize, or another activity on the child disclosing more 
personal information than is reasonably necessary to participate in 
such activity; and (e) Establish and maintain reasonable procedures to 
protect the confidentiality, security, and integrity of personal 
information collected from children.
    16 C.F.R.  312.3 (internal cross-references omitted).
---------------------------------------------------------------------------
A. The Difficulties in Obtaining ``Verifiable Parental Consent''
    In drafting the regulations that implemented COPPA (the ``COPPA 
Rule'' ),\26\ the Federal Trade Commission (FTC) in 1999 adopted a 
``sliding scale'' approach to obtaining parental consent.\27\ This 
approach allows operators of PI-collecting sites to use a mix of 
methods to comply with the law, including print-and-fax forms, follow-
up phone calls and e-mails, credit card authorizations and using 
encryption certificates.\28\ The FTC has also authorized four ``safe 
harbor'' programs operated by private companies that help website 
operators comply with COPPA.\29\
---------------------------------------------------------------------------
    \26\ 16 C.F.R. Part 312. We use ``COPPA Rule'' when referring 
specifically to the FTC's implementing regulations, but use ``COPPA'' 
both to refer to the statute itself and to the scheme generally where 
appropriate.
    \27\ See Federal Trade Commission, How to Comply with The 
Children's Online Privacy Protection Rule, Nov. 1999, www.ftc.gov/bcp/
edu/pubs/business/idtheft/bus45.shtm.
    \28\ 16 C.F.R.  312.5(b)(2). See generally Children's Online 
Privacy Protection Rule, 64 Fed. Reg. 59,888 (Nov. 3, 1999), available 
at www.ftc.gov/os/1999/10/64fr59888.pdf [hereinafter 1999 COPPA Order]; 
see also COPPA FAQ supra note 24, Question 32 (``How do I get parental 
consent?'').
    \29\ The four safe harbor programs are administered by the 
Children's Advertising Review Unit of the Council of Better Business 
Bureaus (CARU); the Entertainment Software Rating Board (ESRB); TRUSTe; 
and Privo. See Federal Trade Commission, Safe Harbor Program, 
www.ftc.gov/privacy/privacyinitiatives/childrens_shp.html.
---------------------------------------------------------------------------
    In a February 2007 report to Congress about the status of the law 
and its enforcement, the FTC said that no changes to COPPA were then 
necessary because the law had ``been effective in helping to protect 
the privacy and safety of young children online.'' \30\ In discussing 
the effectiveness of the parental consent verification methods 
authorized in the FTC's sliding scale approach, however, the agency 
acknowledged that ``none of these mechanisms is foolproof.'' \31\ The 
FTC attempts to distinguish these parental consent verification methods 
from other kinds of age verification tools in noting that ``age 
verification technologies have not kept pace with other developments, 
and are not currently available as a substitute for other screening 
mechanisms.'' \32\ This makes it clear that the FTC does not regard the 
methods the agency has prescribed for obtaining parental consent under 
COPPA as equivalent to strict age verification.
---------------------------------------------------------------------------
    \30\ Federal Trade Commission, Implementing the Children's Online 
Privacy Protection Act: A Report to Congress at 1, Feb. 2007, 
www.ftc.gov/reports/coppa/07COPPA_Report_to_
Congress.pdf [hereinafter 2007 COPPA Implementation Report].
    \31\ Id. at 13.
    \32\ Id. at 12.
---------------------------------------------------------------------------
    Although credit cards may seem the most robust tool for verifying 
parental consent (essentially, age verifying the parent), Federal 
courts have found, in rejecting the constitutionality of COPA, that, 
``payment cards cannot be used to verify age because minors under 17 
have access to credit cards, debit cards, and reloadable prepaid 
cards'' and, although ``payment card issuers usually will not issue 
credit and debit cards directly to minors without their parent's 
consent because of the financial risks associated with minors . . . 
there are many other ways in which a minor may obtain and use payment 
cards.'' \33\
---------------------------------------------------------------------------
    \33\ Gonzales, 478 F. Supp. 2d at 801. COPA would have prohibited 
the online dissemination of material deemed harmful to minors under 17 
for commercial purposes, 47 U.S.C.  231(a)(1), subject to a safe 
harbor for sites that made a ``good faith'' effort to restrict access 
by minors: ``(A) by requiring use of a credit card, debit account, 
adult access code, or adult personal identification number; (B) by 
accepting a digital certificate that verifies age; or (C) by any other 
reasonable measures that are feasible under available technology,'' 47 
U.S.C.  231(c)(1).
---------------------------------------------------------------------------
B. ``Collection'': When Parental Consent is Required
    COPPA requires that operators obtain verifiable parental consent 
``before any collection, use, and/or disclosure of personal information 
from children''--as well as for ``any material change in the 
collection, use, and/or disclosure practices to which the parent has 
previously consented,'' \34\ subject to certain narrow exceptions.\35\ 
Understanding how the COPPA Rule currently works and the pitfalls of 
COPPA expansion requires examining the three-pronged definition of 
``collection'' created by the FTC, which COPPA itself left 
undefined.\36\
---------------------------------------------------------------------------
    \34\ 16 C.F.R.  312.5(a).
    \35\ 16 C.F.R.  312.5(c).
    \36\ The FTC has provided three definitions of ``collection'':
    the gathering of any personal information from a child by any 
means, including but not limited to: (a) Requesting that children 
submit personal information online; (b) Enabling children to make 
personal information publicly available through a chat room, message 
board, or other means, except where the operator deletes all 
individually identifiable information from postings by children before 
they are made public, and also deletes such information from the 
operator's records; or (c) The passive tracking or use of any 
identifying code linked to an individual, such as a cookie.
    16 C.F.R.  312.2. See also infra at Section II.B.
---------------------------------------------------------------------------
1. Requests from Sites
    Most obviously, the COPPA Rule considers ``collection'' to occur 
each time a PI-collecting site requests ``that children submit personal 
information online.'' \37\ This requirement generally minimizes the 
amount of data collected from children and ensures that parents control 
the collection of information from their children.
---------------------------------------------------------------------------
    \37\ 16 C.F.R.  312.2 (definition of ``collection'').
---------------------------------------------------------------------------
2. Enabling Sharing of Personal Information
    Less intuitively, the COPPA Rule considers ``collection'' to occur 
when a PI-collecting site merely ``enabl[es] children to make personal 
information publicly available . . . except where the operator deletes 
all individually identifiable information from postings by children 
before they are made public, and also deletes such information from the 
operator's records.'' \38\
---------------------------------------------------------------------------
    \38\ Id.
---------------------------------------------------------------------------
    Unlike the first prong of ``collection,'' consent is not required 
each time a communications tool is used to ``make personal information 
publicly available,'' but merely for the child to gain access to the 
tool (e.g., upon creation of a user account). Thus, the FTC intends to 
make parents gatekeepers over which sites their children join or 
participate in, rather than to give parents a veto right over every 
instance in which a child wants to share personal information (e.g., by 
posting it to their profile or ``wall'' on a social networking site). 
Given the degree of interactivity on social networking sites, it is 
difficult to imagine how so granular a veto requirement could be 
feasibly implemented if COPPA were expanded.
    What it means to make information ``publicly available'' is 
unclear. COPPA clearly requires consent before granting a child access 
to a site that would allow the child to ``broadcast'' personal 
information, such as by posting their name, photo, contact information, 
etc. such that the ``public'' can access that information, whether that 
means posting information to a social networking profile, on a website, 
or in a ``public'' chat room or message board (the latter two being the 
specific examples cited in COPPA and the COPPA Rule).\39\ But does 
COPPA apply to communications that are not intended to be public? Would 
COPPA apply to a site that only allowed users to send ``private'' 
messages to each other? In short, how public is ``public'' enough that 
giving a child access to the underlying functionality would constitute 
collection? The FTC has never clearly answered these questions, but it 
has implied that it takes the ``maximalist'' view of what counts as 
collection: Allowing children to share personal information with 
anyone, even in one-to-one communications, constitutes ``collection'' 
subject to COPPA's parental consent requirement.\40\ By contrast, the 
``minimalist'' view would define ``collection'' in terms of the 
capability to ``publish'' or ``broadcast'' personal information such 
that it becomes ``available'' to anyone with access to the PI-
collecting site. Which view a court would accept, if presented with a 
challenge to COPPA, is beyond the scope of this paper, but the 
ambiguity is worth noting.\41\
---------------------------------------------------------------------------
    \39\ 15 U.S.C.  6501(4)(B)(iv-v) (definition of ``disclosure''); 
16 C.F.R.  312.2 (definition of ``collection'').
    \40\ In December 2007, the FTC added a question it its FAQ 
reflecting the agency's view that COPPA would require parental consent 
before allowing a child to send electronic greeting cards or forward 
items of interest to their friends. COPPA FAQ supra note 24, Question 
44 (``My child-directed website wants to offer electronic post cards 
and the ability for children to forward items of interest on my site to 
their friends. Can I take advantage of one of the e-mail exceptions to 
parental consent?''). The FTC requires parental consent if users can 
``freely type messages in either the subject line of the e-card or in 
any text fields''--presumably, because this might lead to the sharing 
of personal information with the card's recipient. See Jim Dunstan, E-
cards and ``Forward-to-a-Friend'' Promotions: Not Kid Friendly Anymore, 
www.gsblaw.com/practice/
notableevents.asp?StoryID=1137185152008&groupID=21; see also Jim 
Dunstan, FTC Issues Final Rules in CAN-SPAM Proceeding: Forward-To-A-
Friend Promotion Mystery Solved, www.gsblaw.com/practice/
notableevents.asp?StoryID=17866132008&groupID=21.
    \41\ The maximalist approach essentially reads the term ``publicly 
available'' out of the statute by construing collection to mean 
``available to anyone.'' Such a construction might, for example, 
violate the cannon of statutory interpretation against surplusage: 
``[T]he presence of statutory language `cannot be regarded as mere 
surplusage; it means something.' '' Chickasaw Nation v. United States, 
534 U.S. 84, 97 (2001) (quoting Potter v. United States, 155 U.S. 438, 
446 (1894)).
---------------------------------------------------------------------------
    However broad the definition of ``publicly available,'' the FTC's 
definition of ``collection'' to include the enabling of communication 
by children that might result in the any of personal information was 
itself controversial when the FTC first wrote the COPPA rules. The FTC 
(again) took a maximalist view of ``collection,'' \42\ overriding the 
objections of free speech advocates who argued that Congress intended 
``to place duties on those who collect information from children'' (in 
the normal sense of ``collection'' contained in the first prong of the 
definition) rather than ``to regulate children's behavior'' or ``limit 
children's ability to speak.'' \43\ These advocates proposed a 
minimalist definition of ``collection'' as ``gathering, by an operator, 
of personal information,'' such that merely providing functionality 
like chat rooms and message boards would not constitute collection 
unless the operator actually gleaned personal information from such 
fora.\44\
---------------------------------------------------------------------------
    \42\ 1999 COPPA Order, supra note 28, at 59,889-890.
    \43\ Supplemental Comments of The Center for Democracy and 
Technology, The American Civil Liberties Union, and The American 
Library Association, filed in Rulemaking to Implement the Children's 
Online Privacy Protection Act of 1998, Aug. 25, 1999, at  I.B 
www.ftc.gov/privacy/comments/supplementalcdtacluala.htm.
    \44\ Id. (emphasis original, indicating proposed addition to the 
FTC's rule as originally proposed).
---------------------------------------------------------------------------
3. Online Tracking & Cookies
    Finally, COPPA would consider collection to occur through the use 
of persistent identifiers such as cookies \45\ if associated with 
individually identifiable information or ``a combination of a last name 
or photograph of the individual with other information such that the 
combination permits physical or online contacting.'' \46\
---------------------------------------------------------------------------
    \45\ 16 C.F.R.  312.2 (definition of ``collects or collection'').
    \46\ 16 C.F.R.  312.2 (definition of ``personal information'').
---------------------------------------------------------------------------
C. COPPA's Place in an Evolving Landscape
    In the decade since Congress enacted COPPA, the kinds of 
information-sharing functionality governed by the ``publicly 
available'' prong of collection have exploded in popularity. New 
interactive communications tools and methods, now generally referred to 
as ``social networking'' capabilities, are a key hallmark of the ``Web 
2.0'' era.\47\ Of course, they had their precursors even in 1998, but 
the examples of such tools included in COPPA and the initial COPPA rule 
reveal just how much the web has evolved: ``Chat rooms'' and ``message 
boards'' certainly still exist but they have largely morphed into 
today's social networking sites (e.g., Facebook, Myspace), which would 
have been unrecognizable in 1998, while services like blogging and 
micro-blogging (e.g., Twitter) would have been inconceivable. Today, 
more users feel comfortable making personal information more ``publicly 
available'' than ever before, broadcasting their every thought and 
action, and even their exact physical location,\48\ for all the world 
to see.
---------------------------------------------------------------------------
    \47\ Tim O'Reilly, What Is Web 2.0?: Design Patterns and Business 
Models for the Next Generation of Software, Sept. 30, 2005, 
www.oreillynet.com/lpt/a/6228.
    \48\ See, e.g., Google Latitude, www.google.com/latitude/
intro.html; loopt, www.loopt.com; Pelago, http://pelago.com.
---------------------------------------------------------------------------
    The growing ubiquity of ``Web 2.0'' tools has two implications. 
First, the sites currently covered by COPPA are growing ever more 
limited in their functionality relative to the rest of the Internet, as 
discussed be low.\49\ For example, child-oriented sites must obtain 
verifiable parental consent before allowing children to send e-cards or 
use ``Forward-to-a-Friend'' functionality if the sites ``permit the 
sender to enter her full name, her e-mail address, or the recipient's 
full name'' or ``provide users with the ability to freely type messages 
in either the subject line of the e-card or in any text fields.'' \50\ 
Second, even under the minimalist view of ``publicly available,'' 
expanding COPPA's age scope would affect far more websites today than 
it would have 11 years ago, because the functionality that constitutes 
``collection'' (under the second prong of that term's definition) is 
now pervasive.
---------------------------------------------------------------------------
    \49\ See infra at Section III.A.
    \50\ Absent such sharing, the FTC allows child-oriented sites to 
use COPPA's exception for one-time communications, found at 16 C.F.R.  
312.5(c). See supra note 40.
---------------------------------------------------------------------------
III. Does COPPA Really Work?
    Before addressing the many challenges associated with COPPA 2.0 
proposals, one must ask the critical--but ignored--threshold question: 
Is ``COPPA 1.0'' really working? To answer this question, one must 
first decide what COPPA 1.0 is supposed to accomplish. The original 
goals of COPPA, as expressed by its Congressional sponsors, were to:

        (1) to enhance parental involvement in a child's online 
        activities in order to protect the privacy of children in the 
        online environment; (2) to enhance parental involvement to help 
        protect the safety of children in online fora such as 
        chatrooms, home pages, and pen-pal services in which children 
        may make public postings of identifying information; (3) to 
        maintain the security of personally identifiable information of 
        children collected online; and (4) to protect children's 
        privacy by limiting the collection of personal information from 
        children without parental consent.\51\
---------------------------------------------------------------------------
    \51\ 144 Cong. Rec. S11657 (daily ed. Oct. 7, 1998) (statement of 
Rep. Bryan).

    Thus, as its name implies, COPPA is first and foremost about 
protecting the privacy of children. COPPA's primary means for achieving 
this goal is enhancing parental involvement or, as the FTC has put it, 
``provid[ing] parents with a set of effective tools . . . for becoming 
involved in and overseeing their children's interactions online.'' \52\ 
However admirable, ``protect[ing] the safety of children'' is merely an 
indirect goal of COPPA--something to be achieved through the means of 
enhancing parental involvement (COPPA's direct goal). The FTC has 
attempted to blur this distinction, elevating child protection to a 
direct goal of COPPA.\53\ Indeed, this was the primary reason the FTC 
adopted the maximalist definition of ``collection'' to include enabling 
communication (rather than direct gathering of personal information by 
operators), over-ruling free speech concerns.\54\
---------------------------------------------------------------------------
    \52\ 2007 COPPA Implementation Report, supra note 30, at 28.
    \53\ The FTC has carefully--or perhaps simply carelessly--edited 
Congress's original statement of purpose: Where Congress had originally 
declared that COPPA was intended ``to enhance parental involvement to 
help protect the safety of children [online],'' 144 Cong. Rec. S11657 
(emphasis added), the FTC has declared that COPPA was intended ``to 
protect the safety of children [online].'' 2007 COPPA Implementation 
Report, supra note 30, at 3.
    \54\ The FTC based its adoption of the maximalist view of 
``collection'' by noting that:
    children's use of chat rooms and bulletin boards that are 
accessible to all online users present the most serious safety risks, 
because it enables them to communicate freely with strangers. Indeed, 
an investigation conducted by the FBI and the Justice Department 
revealed that these services are quickly becoming the most common 
resources used by predators for identifying and contacting children.
    1999 COPPA Order, supra note 28, at 59,890 (internal citations 
omitted). See also supra at 11 and note 43.
---------------------------------------------------------------------------
    The FTC claims COPPA ``has provided a workable system to help 
protect the online safety and privacy of the Internet's youngest 
visitors.'' \55\ Indeed, many of those advocating expansion of COPPA do 
so on the grounds that COPPA makes children safer online from sexual 
predators. What these advocates fail to acknowledge is that, to the 
extent COPPA has enhanced child safety--indeed, to the extent that 
COPPA can be effectively administered at all--it is because of the 
unique circumstances of the under-13 age bracket and the PI-collecting 
sites that have evolved to serve that community. In particular:
---------------------------------------------------------------------------
    \55\ 2007 COPPA Implementation Report, supra note 30, at 28.

        1. The functionality of child-oriented sites is usually tightly 
---------------------------------------------------------------------------
        limited: They are closed, walled gardens;

        2. Many smaller websites catering to children charge a fee for 
        admission--even as fee-based models have withered away on the 
        rest of the Internet; and

        3. There are relatively few sites that cater exclusively to the 
        under-13 crowd, which may be an unintended consequence of COPPA 
        itself.

    Each of these factors is discussed below, as relates to COPPA's 
perceived goals.

A. Child-Oriented Sites Limit Functionality
    Child-oriented sites typically have very limited functionality: In 
essence, their operators intentionally ``cripple'' the sort of 
functionality found in most PI-collecting sites (especially social 
networking sites) geared toward older users. That fact alone makes 
COPPA-covered sites far less likely to be subject to fraudulent entry 
or dangerous interactions: Why would an adolescent or an adult predator 
ever want to gain access to a site that offers little more than drop-
down menus and a few buttons to click on when interacting with others?
    The primary reason that children are likely safer in those 
environments probably has less to do with COPPA's parental consent 
requirements and much more to do with the fact that most of the PI-
collecting sites covered by COPPA are tightly controlled and highly 
moderated walled gardens with very limited functionality--a sort of 
``Junior Internet.''

B. Child-Oriented Sites Charge Fees
    While most Internet content and services are now ``free'' (i.e., 
advertising-supported ),\56\ many child-oriented PI-collecting sites 
charge admission fees. There are several reasons they do so:
---------------------------------------------------------------------------
    \56\ See, e.g., Chris Anderson, Free! Why $0.00 Is the Future of 
Business, Wired, Feb. 25, 2008, www.wired.com/techbiz/it/magazine/16-
03/ff_free. The most notable exception to this rule is Massively 
Multiplayer Online games such as World of Warcraft, which are also 
potentially subject to COPPA.

   ``[R]equiring a parent to use a credit card in connection 
        with a transaction'' is among the methods for obtaining 
        verifiable parental consent in the FTC's sliding scale.\57\ The 
        FTC requires that an operator charge some fee so that the 
        credit card will be verified by its issuer and ``because, 
        through receipt of a monthly statement, the parent is given 
        additional notice that the transaction occurred and has an 
        opportunity to investigate any suspicious activity and revoke 
        consent.'' \58\
---------------------------------------------------------------------------
    \57\ 16 C.F.R.  312.5(b)(2).
    \58\ See COPPA FAQ, supra note 24, Question 33 (``I would like to 
get consent by collecting a credit card number from the parent, but I 
don't want to engage in a transaction. Is this ok?'').

   Commercial child-oriented sites must somehow recoup the 
        costs of obtaining verifiable parental consent--estimated in 
        2005 at more than $45 per child.\59\ Because COPPA limits 
        operators' ability to effectively target advertising to 
        children, thereby reducing the value of advertising inventory 
        on PI-collecting sites, they usually must rely on direct fees.
---------------------------------------------------------------------------
    \59\ See Comments of Parry Aftab, Request for Public Comment on the 
Implementation of COPPA and COPPA Rule's Sliding Scale Mechanism for 
Obtaining Verifiable Parental Consent Before Collecting Personal 
Information from Children at 2, June 27, 2005, www.ftc.gov/os/comments/
COPPArulereview/516296-00021.pdf [hereinafter Aftab Comments].

   Many child-oriented sites rely heavily on constant human 
        moderation and oversight, which necessitates a method of 
---------------------------------------------------------------------------
        funding those workers.

   It is easier for child-oriented sites to continue charging 
        small fees once they have a credit card on file (something most 
        sites never accomplish) and because there is relatively less 
        competition in the child-oriented marketplace than in the 
        Internet generally.

    Importantly, the more a site charges for access, the more likely it 
is that the parent or guardian pays attention to what their child is 
doing on that site. The hassle for parents of having to pay a fee gets 
parents thinking, and talking to their kids, about those sites, argues 
Denise Tayloe of Privo, one of the four FTC-approved providers of COPPA 
safe harbor age verification services.\60\
---------------------------------------------------------------------------
    \60\ Denise Tayloe, It's Time to Comply with COPPA, The Privacy 
Advisor, Vol. 6, No. 10, Oct. 2006, at 5.
---------------------------------------------------------------------------
    However, Tayloe has noted that one of the problems associated with 
the current COPPA regime is that ``Children quickly learned to lie 
about their age in order to gain access to the interactive features on 
their favorite sites. As a result,'' she notes, ``data bases have 
become tainted with inaccurate information and chaos seems to be king 
where COPPA is concerned.'' \61\ The FTC, well aware that blocking 
access to children under 13 could simply encourage them to lie about 
their age, requires operators to ``design [their] age collection input 
screens in a manner that does not encourage children to provide a false 
age in order to gain access to [their] site.'' \62\ In particular, the 
FTC recommends ``using a temporary or a permanent cookie to prevent 
children from back-buttoning to enter a different age.'' \63\ But if 
children can learn to lie about their age, they can probably learn to 
delete cookies, too--since cookie deletion is a privacy feature now 
common in every browser.\64\
---------------------------------------------------------------------------
    \61\ Id.
    \62\ See COPPA FAQ, supra note 58, Question 39 (``Can I block 
children under 13 from my general audience website?'').
    \63\ Id.
    \64\ Adam Thierer, Berin Szoka & Adam Marcus, The Progress & 
Freedom Foundation, Privacy Solutions, PFF Blog, Ongoing Series, http:/
/blog.pff.org/archives/ongoing_series/privacy_
solutions.
---------------------------------------------------------------------------
    Despite these problems, Tayloe falls back on the original 
justification of COPPA: increasing parental involvement. Even though 
``there is no perfect solution'' and it is not possible to completely 
``stop a child from lying and putting themselves at risk,'' Tayloe 
believes that COPPA ``provides a platform to educate parents and kids 
about privacy.'' \65\ Providing a platform to educate parents and kids 
about online privacy or safety is certainly important, but there are 
other ways to do this besides imposing strict age verification 
mandates. Educational initiatives and public service announcements, for 
example, could also encourage greater parent-child interaction. Indeed, 
the courts have concluded that the First Amendment requires the 
government to utilize such educational initiatives as ``less 
restrictive'' alternatives to age verification technologies in other 
contexts.\66\
---------------------------------------------------------------------------
    \65\ E-mail from Denise Tayloe to Adam Thierer (Mar. 15, 2007) 
(copy on file with author).
    \66\ See infra at VI.A.3.
---------------------------------------------------------------------------
    While we don't really have any idea what level of parent-child 
interaction COPPA incentivizes, or how many children (or adults) are 
able to gain access to PI-collecting sites under false pretenses, the 
key operational assumption on which COPPA rests is that by creating an 
added economic hurdle or barrier to entry (in the form of entry fees or 
the hassle of filling out paperwork or forms), COPPA gets some--maybe 
even most--parents to put more thought into what their kids are doing 
online, and that in turn somehow improves online child safety.
    However useful COPPA might be in enhancing parental involvement, it 
does not necessarily mean that children are operating in perfectly 
``secure'' or ``verified'' environments. COPPA wasn't primarily put on 
the books to prevent ``bad guys'' from interacting with children 
online; it was about minimizing the collection of children's personal 
information and giving parents control over collection of information 
from their children.\67\ Thus, COPPA does not require excluding older 
users from child-oriented sites, some websites indeed may try to do so, 
building on COPPA's required age verification system, because of market 
demand from parents to exclude sexual predators. Of course, age 
verification is hardly fool-proof for either kids or adults. So, to the 
extent some ``bad guys'' are getting on those sites under false 
pretenses, both children and parents may be lulled into to a false 
sense of security after they are told the site is COPPA-verified--
whether or not the site actually attempts to exclude older users and 
regardless of how effective the site may be in doing so. This may 
actually increase the danger of predation to children.\68\
---------------------------------------------------------------------------
    \67\ See supra at 16.
    \68\ Internet security expert John Cardillo argues that even COPPA-
compliant sites are vulnerable:
    During an analysis of the security processes of certain sites we 
tested Imbee's. Our security team was able to create several fake 
children. More troubling was the inconsistency of the information used 
to do so. We used a fake name for the parent, a different fake name 
created for the Yahoo! e-mail account used at registration, and my 
credit card info (because the name on the CC is irrelevant). Fictional 
child, and three fake identifiers on supposedly the same adult. Not one 
red flag was raised, and we were allowed onto the site without a 
problem. Our team was able to do this multiple times. Had we been a 
real bad guy, we could have, at any time, chatted with other kids on 
the site as a child. One of several different children actually. Not 
only isn't it a security solution, it's downright dangerous.
    E-mail from John J. Cardillo to Adam Thierer (March 11, 2007) (copy 
on file with author). Cardillo's findings thus make it clear how real 
predators intent on doing harm to children could exploit age 
verification processes designed to exclude adults from a supposedly 
``teens-only'' site (just as predators already do with sites supposedly 
limited to kids under 13). Indeed, because many predators have children 
of their own, they might use this approach to obtain an ID for their 
own kids and then go online under their child's name to prey on other 
children. The fiction that all users of a site are ``verified'' creates 
a false sense of security--a serious problem for child safety. As 
Cardillo has noted elsewhere, predators who create a ``pedophile 
passport'' could operate freely in supposedly ``safe and secure'' 
environments. See Adam Thierer, The Progress & Freedom Foundation, Age 
Verification for Social Networking Sites: Is It Possible? Is It 
Desirable?, Progress on Point 14.8, May 2007, at 6, www.pff.org/issues-
pubs/pops/pop14.8ag
everificationtranscript.pdf.
---------------------------------------------------------------------------
C. Does COPPA Encourage Consolidation or Limit Competition?
    As noted above, there are significant costs associated with the 
verifiable parental consent methods that PI-collecting sites must 
implement to comply with COPPA. If we are to fully understand the 
experience of COPPA as a regulatory model, we must consider the extent 
to which COPPA may have had the unintended consequence of limiting 
choice and competition by driving increased consolidation in the 
marketplace for child-oriented sites and services online--a question 
the FTC should consider answering. As early as 2001, even some 
Congressmen recognized this ``unintended consequence'' of COPPA in 
Congressional hearings on privacy.\69\
---------------------------------------------------------------------------
    \69\ Rep. Billy Tauzin (R-LA) noted that COPPA ``has now forced 
companies to discontinue a number of products targeted toward 
children'' and asked ``If we end up forcing private companies and 
nonprofits to eliminate beneficial products such as crime prevention 
material, have we done a good thing? If teen-friendly sites, those that 
totally respect the privacy of the users stop offering e-mail services 
to children, is that a good thing? An Examination of Existing Federal 
Statutes Addressing Information Privacy: Hearing of the House Committee 
On Energy and Commerce, 107th Cong. 6 (April 3, 2001) (statement of 
Rep. Tauzin.), available at http://
republicans.energycommerce.house.gov/107/action/107-22.pdf.
---------------------------------------------------------------------------
    Of course, it could be the case that there are other reasons that 
there are relatively few sites catering exclusively to children. 
Nonetheless, as discussed below, it's worth considering how expanding 
COPPA might lead to more consolidation in the marketplace or how it 
discourages greater entry by smaller ``mom-and-pop'' sites that could 
cater to children. As noted by Parry Aftab, Executive Director of the 
children's advocacy group Wired Safety, ``COPPA wasn't responsible for 
the demise of these sites, but when combined with the other factors 
[it] tipped the balance.'' \70\ She concludes, appropriately:
---------------------------------------------------------------------------
    \70\ Aftab Comments, supra note 59, at 3.

        It is crucial that at this tentative stage for the kids 
        Internet industry we don't do anything to make its survival 
        more difficult. We should be looking at easy to encourage safer 
        communities for preteens and innovations to help create fun, 
        entertaining and educational content for kids online.\71\
---------------------------------------------------------------------------
    \71\ Id.
---------------------------------------------------------------------------
IV. What if COPPA Were Expanded to Cover Adolescents?
    However effective COPPA might be in fulfilling its purposes, and 
whatever its unintended consequences, the COPPA Rule's requirements are 
relatively easy for the private sector to implement and for the 
government to enforce because, as mentioned, they apply only to the 
collection of information about children under 13 by commercial 
operators only when (i) the operator's PI-collecting Site or service is 
``directed to children'' or (ii) the operator has actual knowledge that 
they are collecting personal information from a child. But how well 
would the COPPA approach ``scale up'' to the 13-17 age bracket?
    The key practical difficulty in implementing a COPPA 2.0 system for 
adolescents is in the anonymity inherent in the technical architecture 
of the Internet. To quote a memorable cartoon from The New Yorker of 
all time: ``On the Internet, nobody knows you're a dog.'' \72\ Because 
website operators generally do not know who is accessing their site, 
requiring any special treatment of minors (e.g., parental consent prior 
to the collection of personal information, access to the child's user 
profile) is tantamount to requiring age-verification of all users.\73\
---------------------------------------------------------------------------
    \72\ Peter Steiner, On the Internet, Nobody Knows You're a Dog, The 
New Yorker, July 5, 1993 at 61, available at www.unc.edu/depts/jomc/
academics/dri/idog.html (cartoon of a dog, sitting at a computer 
terminal, talking to another dog).
    \73\ Of course, the COPPA's second prong of age-verification 
requirement applies only when the website operator has ``actual 
knowledge'' that the user is a minor. See supra at 7 & note 22.
---------------------------------------------------------------------------
    Because ``child-oriented'' websites are generally easy to define 
and are very rarely used by adults, COPPA 1.0s age verification mandate 
has not significantly impacted the free speech rights of adults. But it 
is far more difficult to define a class of ``adolescent-oriented'' 
websites (as proposed in New Jersey) that are not also used by 
significant numbers of adults. Indeed, the Illinois bill does not even 
attempt to do so, defining its scope not in COPPA's ``directed at'' 
terms but purely in terms of site functionality.\74\ In this sense, the 
Illinois bill is more restrictive than the New Jersey bill, since it 
would apply to sites with a certain functionality regardless of to whom 
they are ``directed at.'' On the other hand, the New Jersey proposal is 
far more sweeping, since it applies to any site that collects user 
information if the site is ``directed at'' adolescents.\75\ Whichever 
bill might ultimately affect more websites, the practical result of 
both COPPA 2.0 proposals is the same: They would, without explicitly 
saying so, require age verification of a large numbers of adults. This 
raises profound First Amendment concerns--particularly about the right 
of Americans to speak and receive information anonymously online.\76\
---------------------------------------------------------------------------
    \74\ The Illinois Bill defines a ``social networking site'' as:
    an Internet website containing profile web pages of the members of 
the website that include the names or nicknames of such members, 
photographs placed on the profile web pages by such member, or any 
other personal or personally identifying information about such members 
and links to other profile web pages on social networking websites of 
friends or associates of such members that can be accessed by other 
members or visitors to the website. A social networking website 
provides members of or visitors to such website the ability to leave 
messages or comments on the profile web page that are visible to all or 
some visitors to the profile web page and may also include a form of 
electronic mail for members of the social networking website.
    SNWARA, supra note 11, 5. This definition seems almost tailor-made 
for MySpace and Facebook: The second sentence of the definition would 
exclude sites like LinkedIn, which includes profiles but does not allow 
users to post public comments on other users' profiles. While this 
focus on specific site functionality seems to differ from COPPA's 
approach, in fact it does little more than apply COPPA's second 
definition of ``collection'' as ``Enabling children to make personal 
information publicly available.'' See 16 C.F.R.  312.2 (definition of 
``collection''); see also supra at 8.
    \75\ See supra note 13.
    \76\ Adam Thierer, The Progress & Freedom Foundation, USA Today, 
Age Verification, and the Death of Online Anonymity, PFF Blog, Jan. 23, 
2008, http://blog.pff.org/archives/2008/01/usa_today_doesn.html.
---------------------------------------------------------------------------
V. The Differences Between Children (0-12) & Adolescents (13-17)
    Before examining these First Amendment concerns (which are more 
directly apparent in the case of the Illinois proposal), one must ask 
how they arise in the case of the more complicated New Jersey proposal, 
which applies to PI-collecting sites ``directed at'' adolescents.\77\ 
This examination reveals the fundamental flaw in any attempt to extend 
COPPA to cover adolescents: COPPA 1.0 works only because of the unique 
characteristics of the under-13 age bracket.
---------------------------------------------------------------------------
    \77\ Like COPPA, New Jersey's AOPPA bill also applies to cases of 
actual knowledge that an operator is collecting personal information 
from an adolescent. See supra note 13.
---------------------------------------------------------------------------
A. Subjective Assessments about Intended Audiences Are Significantly 
        Easier for Children than for Adolescents
    In determining whether a PI-collecting Site or service is 
``directed at children,'' the FTC considers the site or service's 
``subject matter, visual or audio content, age of models, language or 
other characteristics of the website or online service, as well as 
whether advertising promoting or appearing on the website or online 
service is directed to children . . . and whether a site uses animated 
characters.'' \78\ The following excerpts from FTC complaints 
illustrate how the agency has applied these criteria:
---------------------------------------------------------------------------
    \78\ 16 C.F.R.  312.2 (definition of ``website or online service 
directed to children'').

        The . . . subject matter [of www.lilromeo.com] is Lil' Romeo, a 
        twelve-year-old recording artist who ``enjoys `just being a 
        regular kid.' '' The website features content directed to 
        children such as an animated game in which the player helps 
        Lil' Romeo save an elementary school from aliens by answering 
        simple math and history questions. The website also features 
        music and lyrics from Lil' Romeo's album ``Game Time,'' which 
        is ``about having fun, and also about, you know, kids['] things 
        . . .'' \79\
---------------------------------------------------------------------------
    \79\ U.S. v. UMG Recordings, Inc., Civil Action No. CV-04-1050, 
Complaint at 4-5 (C.D. Ca. 2004), www.ftc.gov/os/caselist/
umgrecordings/040217compumgrecording.pdf.

---------------------------------------------------------------------------
    And:

        Defendant operates the www.etch-a-sketch.com website, which 
        provides information about its toys, including the ``Etch A 
        Sketch'' drawing toy. The subject matter, visual content, and 
        language of this website are directed to children under the age 
        of 13. For example, the site features a cartoon character named 
        ``Etchy''--an Etch A Sketch sporting sunglasses, purple hair 
        and legs. Etchy invites visitors to play ``cool games,'' such 
        as drawing with an online Etch A Sketch, finding hidden 
        numbers, letters and shapes, and coloring pictures of Etchy and 
        friends. The site also contains an ``interactive story'' 
        titled, ``Etchy Goes to a Birthday Party.'' \80\
---------------------------------------------------------------------------
    \80\ U.S. v. The Ohio Art Company, Complaint,  12 (N.D. Oh. 2002), 
www.ftc.gov/os/2002/04/ohioartcomplaint.htm.

    The FTC settled both cases with consent decrees--like, apparently, 
all the FTC's COPPA enforcement actions.\81\ These examples demonstrate 
that subjective standards can sometimes work reasonably well in certain 
contexts. As Justice Potter Stewart famously said of obscenity, ``I 
know it when I see it.'' \82\ The same could probably be said, in many 
cases, about what constitutes child-oriented content; and this approach 
seems to have worked well enough for the FTC's COPPA enforcement 
efforts. But how well, if at all, would such a standard work in 
determining the scope of COPPA 2.0 proposals (like New Jersey's) that 
retain COPPA's requirement that a site be ``directed at'' a certain 
audience when that audience is not children (0-12) but adolescents (13-
17)? \83\
---------------------------------------------------------------------------
    \81\ See Federal Trade Commission, Children's Privacy Enforcement 
Cases, www.ftc.gov/privacy/privacyinitiatives/childrens_enf.html 
(including a consent decree for each case).
    \82\ Jacobellis v. Ohio, 378 U.S. 184, 197 (1964) (Stewart, J., 
concurring).
    \83\ While New Jersey's proposal retains this approach, hewing 
closely to COPPA's current structure, see supra note 13 and 
accompanying text , Illinois's proposal drops the concept and simply 
applies to all sites with certain social networking functionality, see 
supra note 11.
---------------------------------------------------------------------------
    Any regulatory system that, like COPPA, rests on age stratification 
inevitably requires the drawing of arbitrary boundaries. But 
ultimately, some age must be chosen. Whatever the differences between 
12 and 13, the differences between 12 (COPPA's ceiling) and 17 (the 
ceiling established in some COPPA 2.0 measures) are significant. 
Although the original version of the COPPA legislation would have 
required ``reasonable efforts to provide the parents with notice and an 
opportunity to prevent or curtail the collection or use of personal 
information'' for kids 13-16, the legislation never required verifiable 
parental consent for minors above 12.\84\ The FTC explains Congress's 
rationale for this distinction as follows:
---------------------------------------------------------------------------
    \84\ See supra note 14 and associated text.

        Congress and industry self-regulatory bodies have traditionally 
        distinguished children aged 12 and under, who are particularly 
        vulnerable to overreaching by marketers, from children over the 
        age of 12, for whom strong, but more flexible protections may 
        be appropriate. In addition, distinguishing adolescents from 
        younger children may be warranted where younger children may 
        not understand the safety and privacy issues created by the 
        online collection of personal information.\85\
---------------------------------------------------------------------------
    \85\ COPPA FAQ, supra note 58, Question 8 (``Why does COPPA apply 
only to children under 13? What about protecting the online privacy of 
teens?''), www.ftc.gov/privacy/coppafaqs.shtm. The FTC also reminds 
companies:

    websites' information practices regarding teens and adults are 
subject to Section 5 of the FTC Act, which prohibits unfair or 
deceptive acts and practices. See Staff Opinion Letter to Center for 
Media Education (July 15, 1997) for guidance on how Section 5 applies 
to information practices involving teens. In addition, recent concern 
about the risks of child participation on social networking websites 
led the FTC to issue a set of safety tips for social networking. See 
``Social Networking Sites: A Parents' Guide'' (September 2007), 
available at www.ftc.gov/opa/2006/05/socialnetworking.shtm; see also 
www.onguardonline.gov/docs/onguardonline_socialnetworking.
pdf.

    Thus, it appears that Congress was simply following a long-standing 
distinction based on the cognitive capabilities of children under 13. 
But whether anyone realized it at the time, this distinction has proved 
essential for the administration of COPPA as a statute that defines its 
scope by the audience to which sites are ``directed.'' Whenever the 
``tipping point'' in cognitive capabilities occurs, the age of 13 
roughly corresponds to an important point of departure in psychological 
growth between ``childhood'' and ``adolescence.''
    This moment was best described two thousand years ago by the 
Apostle Paul of Tarsus, when he wrote, ``When I was a child, I spake as 
a child, I understood as a child, I thought as a child: but when I 
became a man, I put away childish things.'' \86\ Paul equated what we 
think of as ``adolescence''--a profoundly modern invention \87\--with 
adulthood. Paul had no more conception of ``adolescence'' than did 
Shakespeare, who--like Congress with COPPA--chose thirteen as the age 
of Juliet, his greatest star-crossed lover.\88\ But Paul offered 
perhaps the best reason why COPPA's scope ends at thirteen: this is the 
roughly point at which minors begin to shun ``childish things''--say, 
losing interest in Club Penguin in favor of more ``grown-up'' sites 
like MySpace or Facebook. If one has to choose a clear bright line rule 
as to when, on average, that shift occurs, 13 seems to be about as 
accurate as any. (Indeed, modern Jews--like the Jewish Paul before 
them--continue to recognize this as the threshold of maturity by 
generally holding a Bar Mitzvah for boys at age 13, and a Bat Mitzvah 
ceremony for girls at age 12.\89\) This is less a question of how much 
protection minors of any particular age require, and more a question of 
when their interests change: At about this age, adolescents begin to 
share interests with adults in ways that children 12 and below do not; 
if left to their own devices, adolescents would spend far more time on 
``general audience'' \90\ websites than would children. Thirteen is 
probably about the point at which this transformation begins to 
accelerate. But regardless of precisely when it happens, it should be 
apparent that the sites favored by adolescents 13 and over will be 
difficult to distinguish as ``adolescent-oriented'' because they are 
rarely, if ever, as thoroughly dominated by adolescents as ``child-
oriented'' sites are by children 12 and under. This problem gives rise 
to the significant constitutional concerns raised by COPPA 2.0 
proposals.
---------------------------------------------------------------------------
    \86\ The First Epistle of Paul the Apostle to the Corinthians 13:11 
(King James), available at www.bartleby.com/108/46/13.html (emphasis 
added).
    \87\ Sociologist Rowan Wolf explains:

    [F]or much of the history of human society, there has not really 
been the concept of ``childhood'' as we know it today. Once a child was 
able to speak and eat on its own, it was essentially considered a 
miniature adult capable of participating in a limited way in the 
survival of the family. Once ``children'' hit puberty, they were 
considered adults, though they might not take on adult roles until they 
formed their own family. There was no concept of adolescence. . . . 
Children went from ``miniature adults'' expected to act like adults but 
without the rights of adults, to a carefree, dependent period of 
exploration and learning. When we look at the expectations of 
``teenagers,'' we define this as a rebellious period of individuation. 
We simultaneously expect adolescents to act like adults and rebel from 
them at the same time. This is a period where people are sexually 
mature, but socially and economically dependent.

    Age Stratification, Sept. 2005, www.srwolf.com/wolfsoc/
articlearchives/2008/11/age_strati
fication.html.
    \88\ See, e.g., The Invention of Adolescence, Psychology Today, 
Jan./Feb. 1995, www.psycho
logytoday.com/articles/pto-19950101-000024.html.
    \89\ See, e.g., Bar Mitzvah, Bat Mitzvah and Confirmation, Judaism 
101, http://www.jew
faq.org/barmitz.htm.
    \90\ The term ``general audience'' is commonly used instead of 
``adult-oriented'' for content that is not directed at children.
---------------------------------------------------------------------------
B. The Difficulties of Empirical Assessments about Intended Audiences
    If the subjective ``I know it when I see it standard'' is not so 
easily applied for determining what constitutes adolescent-oriented PI-
collecting sites, the alternative under the FTC's COPPA rules is to 
examine ``competent and reliable empirical evidence.'' \91\ Could 
demographic data about a site's membership provide sufficiently clear 
guidance about the scope of a law that (like New Jersey's proposal) 
retains COPPA's current ``directed at'' approach? \92\
---------------------------------------------------------------------------
    \91\ 16 C.F.R.  312.2 (definition of ``website or online service 
directed to children'').
    \92\ See supra note 13.
---------------------------------------------------------------------------
    The FTC has never addressed the difficult question of setting a 
minimum threshold of child membership/participation in a site above 
which the site would be considered ``directed at children:'' Not one of 
the complaints brought by the FTC under COPPA cites demographic 
evidence. Because, as discussed above, child-oriented websites tend to 
exist in a virtually distinct ``Junior Internet,'' with little overlap 
between adults and children, and because many parents use technological 
controls to keep their children (but not their adolescents) within this 
Junior Internet, it is hardly surprising that the FTC has never 
answered this question: Subjective criteria are generally sufficient to 
identify child-oriented sites, and those sites are likely to be used 
overwhelmingly by children or young adolescents with very little adult 
participation.
    But as discussed above, few of the websites frequented by 
adolescents are dominated so overwhelmingly by adolescents as children 
dominate the membership of the Junior Internet to which COPPA currently 
applies. Instead, adolescents participate in many of the same PI-
collecting sites used by adults, as demonstrated by the following 
sample of some of the more popular Web 2.0 sites, including demographic 
estimates:

                  Exhibit 1: Popular Web 2.0 Sites\93\
------------------------------------------------------------------------
                     Unique U.S.    Annual U.S. Page   % of Users Under
    Site Name           Users            Views              Age 18
------------------------------------------------------------------------
myyearbook.com          2,000,000        860,000,000             50.00%
bebo.com                2,400,000        340,000,000             35.00%
nickjr.com              2,400,000        210,000,000             31.67%
myspace.com            67,000,000     43,000,000,000             28.36%
photobucket.com        25,000,000      1,300,000,000             26.80%
movie6.net              1,100,000         24,000,000             26.36%
fanpop.com              1,100,000         16,000,000             21.82%
xanga.com               1,600,000         82,000,000             20.00%
tagged.com              3,500,000      1,100,000,000             19.71%
zango.com               2,900,000         21,000,000             17.93%
aol.com                37,000,000      4,000,000,000             16.49%
hi5.com                 2,800,000        870,000,000             15.00%
facebook.com           74,000,000     30,000,000,000             12.16%
yahoo.com             140,000,000     36,000,000,000             11.43%
friendster.com          1,600,000        490,000,000             11.25%
wordpress.com          23,000,000        300,000,000             10.43%
gametrailers.com        1,200,000         50,000,000             10.00%
flickr.com             21,000,000      1,000,000,000              9.52%
------------------------------------------------------------------------

    So would some of these sites be considered ``adolescent-oriented'' 
even though most of their users are actually adults? Perhaps not in New 
Jersey (depending on the circumstances of any particular site ),\94\ 
but this is essentially what the Illinois bill requires: \95\ The 
approximately 88 percent of Facebook's users 18 and above must be age 
verified for the sake of obtaining parental consent for the 12 percent 
under 18. This example is apt, because 12 percent happens to coincide 
with the estimated percentage of American Internet users under 18: 12.6 
percent or 28 million Americans.\96\
---------------------------------------------------------------------------
    \93\Data obtained from Google Ad Planner on Mar. 1, 2009, https://
www.google.com/adplanner/planning (by dividing ``UV users'' for the 0-
17 ``audience'' by ``UV users'' for the entire population).
    \94\ See supra note 13 and at 17.
    \95\ See supra note 74.
    \96\ Data obtained from Google Ad Planner on Mar. 1, 2009, https://
www.google.com/adplanner/planning (by limiting age to 0-17).
---------------------------------------------------------------------------
C. Possible Reactions to COPPA 2.0s Uncertain Scope
    Of the top 250 sites ranked by audience reach, only a handful stand 
out as being obviously child-oriented, such as cartoonnetwork.com and 
nick.com (Nickelodeon). A number of leading social networks top the 
list and many, if not most, of these sites require the sharing of some 
personal information (if only an e-mail address) for full 
functionality. But how would any of these operators--let alone the 
millions of sites in the ``Long Tail'' of Internet content--determine 
whether they would be considered adolescent-oriented? By the same 
token, how should a legislator following Illinois's approach (defining 
the scope of the COPPA 2.0 law in terms of site functionality) decide 
which features should trigger age verification requirements?
    To the extent PI-collecting Site operators might be unsure whether 
a COPPA 2.0 age verification mandate would apply to them, they would 
likely take one of the following steps to minimize their potential 
liability.

1. Trying to Block All Adolescents
    Of course, since PI-collecting Site operators do not know which 
would-be users are minors without an age verification system (and 
perhaps not even then!), the most they could do would be to claim that 
they block access by adolescents. Websites can certainly try to block 
users who initially admit to being under 18 from trying to register 
again for the site.\97\ But this approach is only effective to the 
extent that adolescents are naive enough to admit their true age in the 
first place and not to know how to circumvent whatever system the 
operator has in place for preventing users from trying to register for 
the site after initially being blocked--which should be relatively 
simple to do (e.g., by deleting cookies from the site).
---------------------------------------------------------------------------
    \97\ See supra at 29.
---------------------------------------------------------------------------
2. Avoiding Actual Knowledge
    Some PI-collecting Site operators may give up on the ``directed 
at'' prong and try to avoid gaining ``actual knowledge'' that a user is 
under 18 simply by ceasing to ask for age information upon the creation 
of a user account--or perhaps by no longer requiring the creation of 
user accounts altogether. But this is a dangerous gamble because, if a 
site is ultimately found to be ``adolescent-oriented,'' not asking for 
age upon sign-up might be considered a serious violation in itself.\98\ 
This ``Catch-22'' places site operators in a difficult and legally 
precarious position--especially significant smaller site operators 
trying to raise funding.
---------------------------------------------------------------------------
    \98\ For example, the amount of a penalty imposed on an operator 
deemed to be in violation would depend on ``Respondent's good faith'' 
and ``The deterrent effect of the penalty action.'' 16 C.F.R.  1.67(b) 
& (d).
---------------------------------------------------------------------------
    Other operators may reduce human moderation of their site in order 
to avoid situations in which an employee might learn that a user is 
under 18 (e.g., by reading their comments or profile). This is 
precisely the sort of perverse incentive that Congress attempted to 
avoid in passing Section 230 of the Communications Decency Act of 1996, 
which fully immunized online intermediaries from liability even if they 
made ``good Samaritan'' efforts to self-police their sites for 
objectionable content.\99\ (The FTC has already created this perverse 
incentive under COPPA, but given the demand among parents for heavy 
moderation on child-oriented sites, COPPA's perverse incentive may have 
had little effect.\100\ ) Thus, COPPA 2.0 proposals could lead to less 
protection for minors, not more, by discouraging site operators from 
``chaperoning'' interaction on their sites.\101\
---------------------------------------------------------------------------
    \99\ ``No provider or user of an interactive computer service shall 
be held liable on account of . . . any action taken to enable or make 
available to information content providers or others the technical 
means to restrict access to material . . . material that the provider 
or user considers to be obscene, lewd, lascivious, filthy, excessively 
violent, harassing, or otherwise objectionable. . . .'' 47 U.S.C.  
230(c)(2).
    \100\ See COPPA FAQ, supra note 58, Question 41(b) (``What happens 
if a child visits a chat room or creates a blog and announces his or 
her age?''). The FTC answers: ``You may be considered to have actual 
knowledge with respect to that child if someone from your organization 
sees the post, or if someone alerts you to the post (for example, a 
concerned parent who learns that his child is participating on your 
site). However, if no one in your organization is aware of the post, 
then you may not have the requisite actual knowledge under the Rule.'' 
Id.
    \101\ See infra at 30.
---------------------------------------------------------------------------
3. Age-Verifying All Users
    COPPA 2.0s greatest threat is that large numbers of PI-collecting 
Site operators would be--or would feel--compelled to require age-
verification of large numbers of adults as users. There is currently no 
age verification requirement other than COPPA, which affects adults 
only to the extent that parents need to establish their parental 
relationship to their kids. But COPPA affects few other adults because 
few adults want to use child-oriented PI-collecting sites like Disney's 
Club Penguin. COPPA 2.0 proposals would either directly require age 
verification of all adults who wanted to use ``social networking 
sites'' (as proposed in Illinois) or indirectly require much the same 
thing by mandating age verification for ``adolescent-oriented sites'' 
(as proposed in New Jersey). Indeed, this may be precisely what some 
COPPA 2.0 advocates want, since they may envision it as the only way to 
make the Internet truly ``safe'' for adolescents.
    But few proponents would make such a goal explicit, for they know 
that such a ``scaled-up'' COPPA would essentially converge with COPA as 
a broad age verification mandate. As noted below, this highlights the 
First Amendment implications of trying to turn COPPA into something it 
was not designed to be: not merely a tool for enhancing parental 
involvement and kids' privacy, but a broad mandate for child safety.

VI. The First Amendment Implications of Broad Age Verification Mandates
    Both COPPA and COPA rest on a stratification of users by age, but 
the approach of the two laws is very different: While COPPA requires 
age verification if content is ``directed at'' minors under age 13, 
COPA would have required that all website operators restrict access to 
material deemed ``harmful to minors'' by minors under the age of 17 and 
therefore requires age verification of all users who attempt to access 
such content (in order to identify minors). COPPA is focused on certain 
kinds of potentially harmful contacts \102\ while COPA is focused on 
potentially harmful content.\103\
---------------------------------------------------------------------------
    \102\ See supra at 9.
    \103\ COPA makes it illegal to ``knowingly . . . make[ ] any 
communication for commercial purposes that is available to any minor 
and that includes any material that is harmful to minors.'' 47 U.S.C. 
231.
---------------------------------------------------------------------------
    But by expanding the age range of COPPA to include adolescents, 
COPPA 2.0 proposals essentially converge with COPA, reaching the same 
practical consequence: age verification mandates for large numbers of 
adults as users (not as parents). Only the scope of sites covered by 
the laws is different: under COPA, sites deemed ``harmful to minors,'' 
and, under COPPA 2.0, adolescent-oriented or certain social networking 
sites. Thus, to the extent that COPPA 2.0 proposals require age 
verification of adults, they would be subject to constitutional attacks 
similar to those against COPA. But COPPA 2.0 proposals would also 
burden the rights of adults to communicate with adolescents and the 
free speech rights of adolescents.
    Finally, the fact that COPPA (like COPA) applies only to commercial 
sites would do little to protect it from constitutional attack, because 
in a world of user-generated content, the commercial nature of a site 
has little to do with the commercial/non-commercial nature of the 
speech carried on it. For example, obviously commercial sites like 
MySpace and Facebook serve as platforms for a wide variety of not-for-
profit and political communications.

A. First Amendment Rights of Adults
    After a decade-long court battle over the constitutionality of 
COPA, the U.S. Supreme Court in January 2009 rejected the government's 
latest request to revive the law, meaning it is likely dead.\104\ Three 
of the key reasons the courts struck down COPA would also apply to 
COPPA 2.0 proposals.
---------------------------------------------------------------------------
    \104\ See Adam Thierer, The Progress & Freedom Foundation, Closing 
the Book on COPA, PFF Blog, Jan. 21, 2009, http://blog.pff.org/
archives/2009/01/closing_the_boo.html. See also Alex Harris, Child 
Online Protection Act Still Unconstitutional, http://
cyberlaw.stanford.edu/packet/200811/child-online-protection-act-
stillunconstitutional.
---------------------------------------------------------------------------
1. Anonymous Speech Rights of Adults
    COPA burdened the speech rights of adults to access information 
subject to age verification requirements, both by making speech more 
difficult and by stigmatizing it. In 2003, the Third Circuit noted that 
age verification requirements ``will likely deter many adults from 
accessing restricted content, because many Web users are simply 
unwilling to provide identification information in order to gain access 
to content, especially where the information they wish to access is 
sensitive or controversial.'' \105\ In 2008, in striking down COPA for 
the third and final time, the Third Circuit approvingly quoted the 
district court, which had noted that part of the reason age 
verification requirements deterred users from accessing restricted 
content was ``because Internet users are concerned about security on 
the Internet and because Internet users are afraid of fraud and 
identity theft on the Internet.'' \106\ The district court had held 
that:
---------------------------------------------------------------------------
    \105\ American Civil Liberties Union v. Ashcroft, 322 F.3d 240, 259 
(3d Cir. 2003) (ACLU II).
    \106\ American Civil Liberties Union v. Ashcroft, 534 F.3d 181, 196 
(3d Cir. 2008) (ACLU III) (Gonzales, 478 F. Supp. 2d 775 at 806).

        Requiring users to go through an age verification process would 
        lead to a distinct loss of personal privacy. Many people wish 
        to browse and access material privately and anonymously, 
        especially if it is sexually explicit. Web users are especially 
        unlikely to provide a credit card or personal information to 
        gain access to sensitive, personal, controversial, or 
        stigmatized content on the Web. As a result of this desire to 
        remain anonymous, many users who are not willing to access 
        information non-anonymously will be deterred from accessing the 
        desired information.\107\
---------------------------------------------------------------------------
    \107\ Gonzales at 805.

    The Supreme Court has recognized the vital importance of anonymous 
---------------------------------------------------------------------------
speech in the context of traditional publication:

        Anonymous pamphlets, leaflets, brochures and even books have 
        played an important role in the progress of mankind. Great 
        works of literature have frequently been produced by authors 
        writing under assumed names. Despite readers' curiosity and the 
        public's interest in identifying the creator of a work of art, 
        an author generally is free to decide whether or not to 
        disclose his or her true identity. The decision in favor of 
        anonymity may be motivated by fear of economic or official 
        retaliation, by concern about social ostracism, or merely by a 
        desire to preserve as much of one's privacy as possible. 
        Whatever the motivation may be, at least in the field of 
        literary endeavor, the interest in having anonymous works enter 
        the marketplace of ideas unquestionably outweighs any public 
        interest in requiring disclosure as a condition of entry. 
        Accordingly, an author's decision to remain anonymous, like 
        other decisions concerning omissions or additions to the 
        content of a publication, is an aspect of the freedom of speech 
        protected by the First Amendment.\108\
---------------------------------------------------------------------------
    \108\ McIntyre v. Ohio Elections Comm'n, 514 U.S. 334, 342 (1995) 
(striking down law that prohibited distribution of anonymous campaign 
literature); see also Talley v. California, 362 U.S. 60 (1960) 
(striking down a state law that forbade all anonymous leafletting).

    By imposing broad age verification requirements, COPPA 2.0 would 
restrict the rights of adults to send and receive information 
anonymously just as COPA did. If anything, the speech burdened by COPPA 
2.0 deserves more protection, not less, than the speech burdened by 
COPA: Where COPA merely burdened access to content deemed ``harmful to 
minors'' (viz., pornography), COPPA 2.0 would burden access to material 
by adults as well as minors not because that material is harmful or 
obscene but merely because it is ``directed at'' minors! Thus, the 
content covered by COPPA 2.0 proposals could include not merely 
pornography, but communications about political nature, which deserved 
the highest degree of First Amendment protection.

2. Speech Rights of Site Operators
    The necessary corollary of blocking adults from accessing certain 
content anonymously--and thereby deterring some users from accessing 
that content--is that COPPA 2.0, like COPA, would necessarily reduce 
the audience size of PI-collecting sites subject to age verification 
mandates. Furthermore, such mandates would encourage websites to self-
censor themselves to avoid offering content they fear could be 
considered ``directed at'' adolescents because doing so might subject 
them to an age verification mandate--or to legal liability if they fail 
to implement age verification. The substantial cost of age verification 
could significantly impact, if not make impossible, the business models 
of many PI-collecting sites, which generally do not charge for content 
and rely instead on advertising revenues. The Third Circuit cited all 
of these burdens on the free speech rights of website operators in 
striking down COPA.\109\
---------------------------------------------------------------------------
    \109\ See ACLU III, 534 F.3d at 196-97 (citing Gonzales at 804). 
The Court held that websites ``face significant costs to implement 
[COPA's age verification mandates] and will suffer the loss of 
legitimate visitors once they do so.'' Id. at 197.
---------------------------------------------------------------------------
3. Less Restrictive Alternatives to Regulation
    The Third Circuit drew on the Supreme Court's 2004 decision 
striking down COPA on the grounds that ``[b]locking and filtering 
software is an alternative that is less restrictive than COPA, and, in 
addition, likely more effective as a means of restricting children's 
access to materials harmful to them.'' \110\ Similarly, parental 
control software already empowers parents to restrict their kids' 
access to PI-collecting sites. (It's particularly easy for parents to 
restrict access to the leading social networking sites that seem to be 
driving so much of the push for COPPA 2.0, so that their kids.)
---------------------------------------------------------------------------
    \110\ Id. at 198 (quoting ACLU v. Mukasey, 534 F.3d 181, 198 
(2008)).
---------------------------------------------------------------------------
    Thus, the free speech rights burdened COPPA 2.0 proposals are at 
least as important as those burdened by COPA, and blocking software 
already empowers parents to restrict their kids' access to PI-
collecting sites, just as it allows parents to restrict access to 
pornography. Of course, if COPPA 2.0 laws were actually enacted and 
subject to legal challenge, the outcome of the case would depend 
largely on the level of constitutional scrutiny involved. COPPA 2.0 
advocates might argue that, whatever the rights at stake, a lower level 
of constitutional scrutiny should apply because COPPA 2.0 does not 
target a special category of content. If true, this could mean that, 
although age verification mandates to restrict access to ``harmful'' 
material are unconstitutional, far more sweeping mandates restricting 
access to non-harmful information could be constitutional. Such 
inconsistency is indeed a perverse consequence of the fact that our 
First Amendment jurisprudence focuses not on the rights at stake, but 
on whether a regulation is ``content-neutral'' in deciding what level 
of scrutiny to apply--which, in turn, often determines the outcome of 
the case.\111\ But in this case, COPPA 2.0 proposals likely would be 
subject to strict scrutiny to the extent that they are, like COPA, 
focused on a certain category of content: that ``directed at'' 
adolescents (rather than ``harmful to minors'').
---------------------------------------------------------------------------
    \111\ Ashutosh Avinash Bhagwat, The Test that Ate Everything: 
Intermediate Scrutiny in First Amendment Jurisprudence, 2007 U. Ill. 
Law. Rev. 783 (2007), available at http://papers
.ssrn.com/sol3/papers.cfm?abstract_id=887566.
---------------------------------------------------------------------------
    Legislators who attempt to escape strict scrutiny by defining the 
scope of their bill (as in Illinois) not by its targeted audience but 
by reference to specific functional capabilities (in the definition of 
``social networking site'') \112\ will likely find that a court will 
see through such window-dressing: If they recognize that such bills are 
nonetheless aimed at a certain category of adolescent-oriented content, 
they will apply strict scrutiny anyway. But even under intermediate 
scrutiny, COPPA 2.0 proposals would be subject to serious attack.
---------------------------------------------------------------------------
    \112\ See supra note 74.
---------------------------------------------------------------------------
B. First Amendment Rights of Adolescents
    In addition, in COPPA 2.0 approaches, the government would restrict 
the ability of adolescents to access content, not because it could be 
harmful to them or because it is obscene, but merely because it is 
``directed to'' them. While the First Amendment rights of minors may 
not be on par with those of adults, adolescents do have the right to 
access certain types of information and express themselves in certain 
ways.\113\ The Supreme Court has held that ``constitutional rights do 
not mature and come into being magically only when one attains the 
state-defined age of majority.'' \114\ It remains unclear how an 
expanded COPPA model might interfere with the First Amendment rights of 
adolescents, but it is clear that privacy and speech rights would come 
into conflict under COPPA 2.0, as they do in other contexts.\115\
---------------------------------------------------------------------------
    \113\ See Theresa Chmara & Daniel Mach, Minors' Rights to Receive 
Information Under the First Amendment, Memorandum from Jenner & Block 
to the Freedom To Read Foundation, Feb. 2, 2004, www.ala.org/ala/
aboutala/offices/oif/ifissues/issuesrelatedlinks/minorsrights.cfm 
(summarizing case law regarding minors' first amendment rights, 
especially in schools and in the context of mandates that public 
libraries filter Internet content); United States v. American Library 
Ass'n, 123 S. Ct. 2297 (2003), available at laws.findlaw.com/us/000/02-
361.html (upholding the constitutionality of a filtering software 
system applicable to minors); see generally, Tinker v. Des Moines Ind. 
Comm. School Dist., 393 U.S. 503 (1969) (upholding students' rights to 
wear protest armbands and affirming that minors have speech rights) 
available at www.oyez.org/cases/1960-1969/1968/1968_21; cf. Morse v. 
Frederick, 551 U.S. 393 (2007), available at www.oyez.org/cases/2000-
2009/2006/2006_06_278/ (holding that the First Amendment rights of 
students in school and at school-supervised events are not as broad as 
those of adults in other settings).
    \114\ Planned Parenthood of Cent. Mo. v. Danforth, 428 U.S. 52, 74 
(1976) (minors' right to abortion). See also Bellotti v. Baird, 443 
U.S. 622, 635 n.13 (minors possess close to the ``full capacity for 
individual choice which is the presupposition of First Amendment 
guarantees''); Catherine Ross, An Emerging Right for Mature Minors to 
Receive Information, 2 U. Pa. J. Const. L. 223 (1999); Lee Tien & Seth 
Schoen, Reply Comments of the Electronic Frontier Foundation filed in 
Implementation of the Child Safe Viewing Act; Examination of Parental 
Control Technologies for Video or Audio Programming, MB Docket No. 
0926, Federal Communications Commission, May 18, 2009, http://
fjallfoss.fcc.gov/prod/ecfs/retrieve.cgi?native_or_pdf=pdf&id_docu
ment=6520216901.
    \115\ See generally Solveig Singleton, Privacy Versus the First 
Amendment: A Skeptical Approach, 11 Fordham Intell. Prop. Media & Ent. 
L.J. 97 (2000), available at http://law.fordham.edu/publications/
articles/200flspub6588.pdf; Eugene Volokh, Freedom of Speech and 
Information Privacy: The Troubling Implications of a Right to Stop 
People from Speaking About You, 52 Stan. L. Rev. 1175 (2000), available 
at www.law.ucla.edu/volokh/privacy.htm.
---------------------------------------------------------------------------
    For example, how might the parental-consent based model limit the 
ability of adolescents to obtain information about ``safer sex'' or how 
to deal with trauma, depression, family abuse, or addiction. Would an 
abusive father authorize a teen to visit a website about how to report 
child abuse? Would a parent of an adolescent struggling with their 
sexual identity let their kid participate in a self-help social 
networking page for gay and lesbian youth? \116\ What rights are at 
play here and how do we reconcile them?
---------------------------------------------------------------------------
    \116\ ``There are parents who, for a variety of reasons (political, 
cultural, or religious beliefs, ignorance of the facts, fear of being 
exposed as abusers, etc.), would deliberately prevent their teens from 
accessing social-network sites (SNS).'' ISTTF Final Report, supra note 
8, Appendix F, Statement of Connect Safely, at 262 (listing examples of 
unintended consequences of age verification mandates).
---------------------------------------------------------------------------
    Maintaining the ability of kids to participate online interactions 
goes beyond content that most people would recognize as ``serious''--
from the perspective of both First Amendment values and the education 
of children. As a recent MacArthur Foundation study of the online youth 
Internet use concluded:

        Contrary to adult perceptions, while hanging out online, youth 
        are picking up basic social and technological skills they need 
        to fully participate in contemporary society. Erecting barriers 
        to participation deprives teens of access to these forms of 
        learning. Participation in the digital age means more than 
        being able to access ``serious'' online information and 
        culture.\117\
---------------------------------------------------------------------------
    \117\ John D. and Catherine T. MacArthur Foundation, Living and 
Learning with New Media: Summary of Findings from the Digital Youth 
Project, at 2 [hereinafter MacArthur Study] http://
digitalyouth.ischool.berkeley.edu/files/report/digitalyouth-
WhitePaper.pdf.

    It was at least in part in recognition of such difficult First 
Amendment questions that Congress removed the requirement in the 
initial legislative draft of COPPA that would have required PI-based 
sites to ``use reasonable efforts to provide the parents with notice 
and an opportunity to prevent or curtail the collection or use of 
personal information collected from children over the age of 12 and 
under the age of 17.'' \118\
---------------------------------------------------------------------------
    \118\ This requirement was contained in the original bill, supra 
note 14  3(a)(2)(A)(iii), but was removed when that bill was 
reintroduced in its final form. In the interim, Congress held a hearing 
at which testimony was offered by, among others, Deirdre Mulligan of 
the Center for Democracy and Technology, which generally supported 
COPPA but argued for the very revisions that were ultimately made. In 
particular, Mulligan argued that:
    Under the bill each time a 15 year old signs-up to receive 
information through e-mail his or her parent would be notified. For 
example if a 15 year old visits a site, whether a bookstore or a 
women's health clinic where material is made available for sale and 
requests information about purchasing a particular book or merely 
inquires about books on a particular subject (abuse, religion) using 
their e-mail address the teenager's parent would be notified. This may 
chill older minors in pursuit of information.
    Mulligan Testimony, supra note 15.
---------------------------------------------------------------------------
    Even if parents have an absolute right to block their adolescents' 
access to such data, they can already exercise that right by applying 
strict controls on the computers in their home. COPPA 2.0 proposals go 
well beyond recognizing this right by setting the default to ``parental 
consent required'' for adolescents to access a wide range of content--
meaning that parents must ``opt-in'' on behalf of their children before 
their children can participate in PI-collecting sites. This, in turn, 
burdens the ability of adolescents to communicate, because their 
parents might censor (rightly or wrongly) certain information, or 
simply fail to understand the technologies involved or to be actively 
engaged. But whatever the free speech rights of adolescents, if anyone 
should be interfering with those rights, it should be their parents--
not the government.
    Some parents may object that, however effective parental control 
software may be in the home, it does not allow parents to control what 
their kids' access outside the home. This argument is understandable on 
some level, but in the end, it amounts to a demand that roadblocks be 
put up everywhere for the sake of particularly sensitive parents at the 
expense of everyone else in society, including potentially huge numbers 
of adult users--and of online anonymity in general.
    But Illinois's COPPA 2.0 proposal goes even further, not merely 
expanding COPPA to cover a particular variety of social networking 
sites,\119\ but requiring that such sites ``allow the parent or 
guardian of the minor unrestricted access to the profile web page of 
the minor at all times.'' \120\ Congress considered just such a 
parental access mandate in the initial draft of COPPA legislation back 
in 1998, but ultimately removed it from the final version of the 
legislation,\121\ apparently because even some of COPPA's supporters 
worried, given the bill's initial application to the 13-16 age bracket, 
that ``The establishment of a parental right to access all personal 
information about a teenager may intrude on older minors' privacy, 
rather than protect.'' \122\
---------------------------------------------------------------------------
    \119\ See supra note 74.
    \120\ SNWARA, supra note 11,  10(c).
    \121\ The original COPPA bill required that parents have ``access 
to the personal information of the child of that parent collected by 
that website,'' S. 2326, supra note 14,  3(a)(2)(iv)(I), while the 
bill as passed instead requires only that parents be given ``a 
description of the specific types of personal information collected 
from the child by that operator,'' 15 U.S.C.  6502(b)(1)(B)(I) 
(emphasis added).
    \122\ See Mulligan Testimony, supra note 118.
---------------------------------------------------------------------------
C. Communication between Adolescents & Adults
    Finally, COPPA 2.0 could infringe on the free speech rights of 
adults to communicate with adolescents online by driving PI-collecting 
sites to segregate users by age or to attempt to block access by 
adolescents. The vast majority of adult-minor interactions online are 
not of a harassing or predatory nature--indeed, they generally involve 
adults looking to help or assist minors in various ways. As the 
MacArthur Foundation study cited above concluded:

        In contexts of peer-based learning, adults . . . have an 
        important role to play, though it is not the conventionally 
        authoritative one. In friendship-driven practices, direct adult 
        participation is often unwelcome, but in interest-driven groups 
        we found a much stronger role for more experiences participants 
        to play. Unlike instructors in formal educational settings, 
        however, these adults are passionate hobbyists and creators, 
        and youth see them as experienced peers, not as people who have 
        authority over them. These adults exert tremendous influence in 
        setting communal norms and what educators might call ``learning 
        goals,'' though they do not have direct authority over 
        newcomers.\123\
---------------------------------------------------------------------------
    \123\ MacArthur Study, supra note 117, at 39 (emphasis added).

    A substantial portion of those interactions involve parents talking 
to their own kids, older and younger siblings communicating with one 
another, teachers and mentors talking to their students, or even co-
workers of different ages communicating. Even when adult-minor 
communications involve complete strangers, there is typically a 
socially-beneficial purpose. Think of two people--one an adult and one 
a minor--debating politics on a discussion board, or creating a 
Wikipedia entry together. What about a Presidential campaign website 
that involves millions of volunteers of all ages communicating and 
collaborating to a common purpose? There are countless other examples. 
How would such interactions be affected by COPPA 2.0? Restricting such 
interactions would raise profound First Amendment concerns about 
freedom of speech as well as of association.
    In any First Amendment analysis, a court must consider not only the 
free speech rights at stake and the availability of less restrictive 
alternatives to regulation, but the governmental interest being 
advanced. Again, neither COPPA nor the COPPA 2.0 proposals discussed 
herein (in New Jersey and Illinois) requires exclusion of older users 
from a website, nor directly governs the sharing of personal 
information among users (where that sharing does not also constitute 
collection by the site itself). But separation of adolescents from 
adults is likely to be an indirect effect of COPPA 2.0 requirements--as 
COPPA 2.0 advocates probably realize--because, once PI-collecting sites 
are required to age-verify users, they will face reputational, 
political and potentially legal pressure to make interactions between 
adolescents and children more difficult in the name of ``child 
safety.'' More subtly, if PI-collecting site operators have an 
incentive to avoid being considered ``directed at'' adolescents, they 
will also have an incentive to discourage adolescent participation on 
their site--which achieves a similar result.
    Here, one must further ask if attempting to quarantine children 
from adults (however indirectly) actually advances, on net, a strong 
governmental interest in child protection. Such a quarantine is 
unlikely to stop adults with truly nefarious intentions from 
communicating with minors, as systems designed to exclude participation 
by adults in a ``kids-only'' or ``adolescents-only'' area can be easily 
circumvented. Given the lack of strong identity records for minors, 
it's much easier for an adult to pretend to be a minor than vice versa. 
The effect of age stratification on truly bad actors is likely to be 
marginal at best--or harmful at worst: Building walls around 
adolescents through age-verification might actually make it easier for 
predators to target teens, since a predator who gains access to a 
supposedly teen-only site will be less likely to be exposed as a 
predator by targeting an adult they think is a teen. So for the sake of 
marginal (if any) gains in child protection, would we not be excluding 
beneficial interaction between adults and minors?
    To hear some of the advocates of COPPA 2.0 talk about how teens 
currently behave online, one might think that online environments in 
which adolescents were left to their own devices--imagine a ``Teen 
MySpace'' for the 13-17 crowd, walled off from the rest of MySpace--
would be far worse, perhaps an online version of Lord of the Flies. 
These concerns are clearly exaggerated: The critics frequently complain 
about ``the way kids talk to each other these days'' while looking at 
their own past adolescent banter with rose-colored lenses. What is 
clear is that adolescents (and young adults) behave better in online 
environments where adults are present, too. Perhaps the best 
demonstration of this fact has been the uproar from adolescents and 
young adults that has accompanied Facebook's explosive growth in 
popularity among older users in recent months.\124\ Many kids hate the 
idea of adults joining Facebook precisely because the presence of 
adults encourages kids to ``self-regulate'' by exercising better 
judgment and following better netiquette.\125\
---------------------------------------------------------------------------
    \124\ Justin Smith, Number of U.S. Facebook Users Over 35 Nearly 
Doubles in Last 60 Days, Inside Facebook Blog Mar. 25, 2009, 
www.insidefacebook.com/2009/03/25/number-of-us-facebook-users-over-35-
nearly-doubles-inlast-60-days/.
    \125\ See, e.g., Lori Aratani, When Mom or Dad Asks To Be a 
Facebook ``'Friend,'' The Washington Post, Mar. 9, 2008, 
www.washingtonpost.com/wp-dyn/content/article/2008/03/08/
AR2008030801034.html. ```I do not know if this has happened to anybody, 
but this morning I log on to Facebook and I have a new friend request!' 
wrote 19-year-old Mike Yeamans, a sophomore at James Madison 
University, on one of several `No Parents on Facebook' groups that have 
popped up on the site. `I am excited to make a new friend so I click on 
the link. I could not believe what I saw. My father! This is an 
outrage!''' Id.
---------------------------------------------------------------------------
    Anne Collier, founder and executive director of the child safety 
advocacy organization Net Family News, Inc. and editor of 
NetFamilyNews.org and ConnectSafely.org, suggests that the push for 
``segregation'' by age (e.g., creating a teen-only version of Second 
Life) for safety's sake is ``losing steam'' because:

        it's a response to the predator panic teens and parents have 
        been subjected to in U.S. society, not to the realities of 
        youth on the social Web. What nearly a decade of peer-reviewed 
        academic research shows is that peer-to-peer behavior is the 
        online risk that affects many more youth, the vast majority of 
        online kids who are not already at-risk youth offline. 
        Segregating teens from adults online doesn't address 
        harassment, defamation, imposter profiles, cyberbullying, etc. 
        It may help keep online predators away from kids (even though 
        online predation, or abuse resulting from online communication, 
        constitutes only 1 percent of overall child sexual exploitation 
        . . .), which is a great outcome, but it's not enough unless 
        all that parents are worried about is predators.\126\
---------------------------------------------------------------------------
    \126\ Anne Collier, Where Will OnlineTeens Go Next?, May 1, 2009, 
www.netfamilynews.org/2009/05/wherewill-online-teens-go-next.html 
(internal citations omitted). For evidence of at-risk youth, Collier 
sites the ISTTF Final Report, supra note 8. Regarding the percentage of 
all child sexual exploitation that results from online communication, 
she cites Janis Wolak, David Finkelhor & Kimberly Mitchell, Crimes 
Against Children Research Center, Trends in Arrests of Online 
Predators, 2009) www.unh.edu/ccrc/pdf/CV194.pdf; see also, Anne 
Collier, Major Update on Net predators: CACRC study, March 31, 2009, 
www.netfamilynews.org/2009/03/major-update-on-net-predators-mostly.html 
(summarizing study).

    Collier discusses the particularly acute problem of ``actual or 
perceived sexual orientation and gender expression,'' which the Salt 
Lake Tribune has noted are ``two of the top three reasons secondary 
school students said their peers were most often bullied at school.'' 
\127\ This kind of harassment recently attracted widespread public 
attention after two 11-year-old boys committed suicide after 
experiencing anti-gay harassment and bullying at school.\128\
---------------------------------------------------------------------------
    \127\ Anne Collier, Anti-Gay Bullying Most Pervasive, April 29, 
2009, www.netfamilynews.org/2009/04/anti-gaybullying-most-
pervasive.html (quoting Charles Robbins & Eliza Byard, Gay Suicide: 
Addressing Harassment in Schools, Salt Lake Tribune, April 24, 2009, 
www.sltrib.com/opinion/ci_12220931 [hereinafter Gay suicide]).
    \128\ Gay suicide, supra note 127.
---------------------------------------------------------------------------
    Nationwide, ``Lesbian, gay, bisexual, transgender and questioning 
youth are up to four times more likely to attempt suicide than their 
heterosexual peers.'' \129\ This child safety risk is painfully real, 
with anti-gay harassment being only its most obvious form. But 
``segregating'' teens from adults seems likely to aggravate this 
problem by removing adults from the mix as a potential source of 
discipline.
---------------------------------------------------------------------------
    \129\ Id.
---------------------------------------------------------------------------
    Of course, adults play a critical role in disciplining interaction 
among the 0-12 age bracket, but not as direct participants in on-site 
interaction. Again, how many adults actually want to use Club Penguin? 
Instead, parents can supervise what their kids do online through 
parental control software. Parents could, of course, use that same 
software to monitor what their adolescent kids do, too. But as kids get 
older, most parents realize that the training wheels have to come off 
at some point. Few parents will want to spy on their 17-year-old until 
the day before the kid starts college (or enlists in the military or 
gets married). But most parents probably would prefer that, if their 
kids are interacting in an online environment, they think twice about 
what they do and say online. It is by no means clear that restricting 
online interaction between teens and adults will serve that end.
VII. The Commerce Clause Implications of State-Level COPPA 2.0
    State-based efforts to expand COPPA or to impose other forms of 
age/identity verification raise additional constitutional concerns: 
State-level efforts by state government or state AGs to push through an 
expansion of COPPA would likely violate the Commerce Clause of the U.S. 
Constitution.
    For simplicity, the preceding discussion did not consider how PI-
collecting sites would respond to COPPA obligations imposed in one U.S. 
state but not others. Sites might default to the ``lowest common 
denominator'' of whatever would be acceptable in the most restrictive 
states--especially if those states has populations as large as Illinois 
or New Jersey. But websites could also attempt to configure their 
services to function differently depending on what state the user is 
in. Thus, age verification mandates might also require location 
mandates (again, perversely requiring the collection of more 
information in the name of protecting adolescents' privacy). If a site 
relied only on location information provided by the user, adolescents 
would quickly learn to lie about what state they live in just as 
children have learned to lie about how old they are to avoid triggering 
COPPA's ``actual knowledge'' requirement. Alternatively, websites could 
attempt to determine a user's location automatically based on their IP 
address, but such ``IP geocoding'' is not always accurate and can be 
subverted by use of a proxy.
    This technical discussion should help to illustrate why state-level 
COPPA 2.0 proposals would burden communication over the Internet, a 
uniquely ``interstate'' medium whose architecture makes it difficult, 
if not impossible, to isolate the effects of state regulation on 
residents of that state. There is a long string of ``Dormant Commerce 
Clause'' cases that have consistently struck down state laws attempting 
to regulate commerce (or speech) that originates or takes place outside 
the state's borders.\130\ If it is not possible for a state government 
to isolate the effects of its regulatory actions to merely those PI-
collecting site operators or users living within its jurisdiction, 
Federal courts will block such measures. Consequently, the 
extraterritorial impact of state-based COPPA expansion would likely 
result in an immediate constitutional challenge and such regulation 
would almost certainly be overturned.
---------------------------------------------------------------------------
    \130\ See Adam Thierer, The Delicate Balance: federalism, 
Interstate Commerce, and Economic Freedom in the Technological Age at 
58-61 (The Heritage Foundation, 1999).
---------------------------------------------------------------------------
    It is also possible that COPPA 2.0 proposals may already be pre-
empted by COPPA because, although COPPA authorizes state attorneys 
general to bring enforcement actions under certain circumstances,\131\ 
COPPA bars states from enacting any laws ``inconsistent'' with 
COPPA.\132\
---------------------------------------------------------------------------
    \131\ 15 U.S.C.  6504.
    \132\ ``No State or local government may impose any liability for 
commercial activities or actions by operators in interstate or foreign 
commerce in connection with an activity or action described in this 
chapter that is inconsistent with the treatment of those activities or 
actions under this section.'' 15 U.S.C.  6502(d).
---------------------------------------------------------------------------
VIII. Summary of Implementational Challenges Regarding COPPA 
        Expansion
    Even if one somehow overcame the many policy and constitutional 
arguments against COPPA 2.0, there would remain a slew of difficult, if 
not impossible, challenges to overcome in implementing such a system. 
Most critically, the threshold practical question remains the same as 
it does for most other forms of online identity verification: How do we 
verify the parent-child relationship when someone asserts they are the 
parent or guardian? But there are many other questions regarding how 
well COPPA would ``scale up'' that must be considered:

        1. Verification Mechanisms. What sort of mechanisms will need 
        to be put in place to guarantee that the parent or guardian is 
        who they claim to be (for both initial enrollment and 
        subsequent visit authentication)? Sign-and-fax forms can be 
        easily forged, so credit cards (and perhaps mandatory user 
        fees) will likely become the default solution. A third method, 
        follow-up phone calls, just doesn't seem practical. But might 
        lawmakers demand a mix of all of the above?

        2. Obtaining Consent. Regardless, how burdensome will those 
        mandates be on parents or guardians? As Parry Aftab has noted, 
        ``The more difficult we make the consent mechanism, the fewer 
        parents we will get to consent.'' \133\
---------------------------------------------------------------------------
    \133\ Aftab Comments, supra note 59, at 5.

        3. Costs to Business. How burdensome will those mandates be for 
        PI-collecting site operators? What kind of compliance costs or 
---------------------------------------------------------------------------
        legal penalties are we talking about?

        4. Costs to Users. Will those costs be passed on to users as 
        fees beyond the nominal transactions required to achieve 
        verification via credit cards? (Since most PI-collecting sites 
        websites and almost all social networking sites are free-of-
        charge today, that's not going to be a very popular mandate!) 
        \134\
---------------------------------------------------------------------------
    \134\ Aftab also notes that ``Parents do not trust a site to use 
their credit card to verify their consent. They barely trust online 
credit card use when they want to buy something.'' Id.

        5. Disparate Socio-economic Effects. How would increased fees 
        or credit card mandates impact low-income families and youth, 
---------------------------------------------------------------------------
        especially those without credit cards?

        6. Industry Consolidation. If compliance costs--in the form of 
        additional staff, insurance and litigation expenses--explode 
        for website operators, will this cause the kind of industry 
        consolidation that seems to have occurred with child-oriented 
        websites since COPPA's adoption? Would the increased hassle of 
        accessing new sites lead to consolidation by reducing adoption 
        rates by users? How would online innovation and creative 
        expression suffer as a result of such consolidation?

        7. Increased Privacy Risks. Who would collect the massive data 
        bases of information created by such a mandate? Who has access 
        to all that new data? What might government use it for if they 
        get their hands on it?

        8. Offshore Sites. Could this new regime be applied effectively 
        to offshore sites? Or, will kids flock to offshore sites as a 
        result of such mandates on domestic sites? If some do, how will 
        we stop them?

        9. Credential Transferring. Even if the parental permission 
        verification process worked during initial enrollment, how 
        would it work in the ``subsequent visit'' stage? Once minors 
        are given credentials or digital tokens, how do we prevent them 
        from sharing or selling their credentials? In particular, how 
        do we prevent older siblings from sharing their credentials 
        with younger siblings? What would be the penalty for them doing 
        so? What about older minors with independent access to credit 
        cards?

        10. Law Enforcement Priorities. How many law enforcement or 
        regulatory agencies will be tasked with administering this 
        regulatory regime? Might this be diverting resources from 
        better priorities, such as serious law enforcement efforts and 
        online safety educational programs?

IX. Conclusion
    The future of age verification battles--at least on the social 
networking front--will likely be fundamentally tied up with COPPA and 
the question of how well parental consent-based forms of age 
verification might work on a scale larger than COPPA's very limited 
scale. It is unlikely, however, that such a framework could be easily 
applied on ``Internet scale.'' There is a world of difference between a 
site like Disney's Club Penguin, for example, and sites like MySpace or 
Facebook. This ultimately reflects the uniquely insular nature of the 
under-13 age bracket and the lack of any clear line between adolescent-
oriented and ``general audience'' content.
    Moreover, as social networking capabilities become increasingly 
ubiquitous, integrated into every site and service--from Change.gov 
\135\ to the San Francisco Chronicle (sfgate.com) to CNN.com, from 
Microsoft's Xbox Live service to Linden Labs' Second Life--the costs 
and hassles of compliance with COPPA 2.0 age verification mandates will 
increase dramatically. Are parents really going to be forced to 
authenticate themselves and then their kids for every website their 
kids want to participate in that requires so much as an e-mail address? 
That mandate seems unnecessary and unworkable. Are other adults going 
to have to prove they're not adolescents? By creating such a 
requirement, COPPA 2.0 would also constitute a functional convergence 
of COPPA with COPA--a law the courts have rejected as inconsistent with 
America's tradition of anonymous speech, something central to our 
evolution as a democracy, pre-dating even the First Amendment that 
protects it from government interference.
---------------------------------------------------------------------------
    \135\ Like many social networking sites, Change.gov allows users to 
comment on news items the IntenseDebate comment platform, which allows 
users to create profiles, upload profile photos, etc.
---------------------------------------------------------------------------
    Finally, the irony of COPPA 2.0 proposals is that lawmakers would 
be applying a law that was meant to protect the privacy and personal 
information of children to gather a great deal more information about 
them, their parents, and many other adults! These privacy implications 
should make us think twice about trying to expand COPPA beyond its 
primary purpose to encourage parental involvement in what kids do 
online. Even those who support COPPA in its current form should 
recognize that there are better ways to protect adolescents 
online.\136\
---------------------------------------------------------------------------
    \136\ See Parental Controls and Online Child Protection: A Survey 
of Tools and Methods, supra note 17.
---------------------------------------------------------------------------
Related PFF Publications
   Targeted Online Advertising: What's the Harm & Where Are We 
        Heading?, Berin Szoka & Adam Thierer, Progress on Point 16.2, 
        April 2009.

   Parental Controls & Online Child Protection: A Survey of 
        Tools and Methods, Adam Thierer, Special Report, Version 3.1, 
        Fall 2008.

   Social Networking and Age Verification: Many Hard Questions; 
        No Easy Solutions, Adam Thierer, Progress on Point 14.5, March 
        21, 2007.

   Social Networking Websites & Child Protection: Toward a 
        Rational Dialogue, Adam Thierer, Progress Snapshot 2.17, June 
        2006.

   Age Verification for Social Networking Sites: Is It 
        Possible? And Desirable?, Adam Thierer, Progress on Point 14.8, 
        March 23, 2007.

   Is MySpace the Government's Space?, Adam Thierer, Progress 
        Snapshot 2.16, June 2006.

   Rep. Bean's `SAFER Net Act': An Education-Based Approach to 
        Online Child Safety, Adam Thierer, Progress on Point 14.3, Feb. 
        22, 2007.

   Online Advertising & User Privacy: Principles to Guide the 
        Debate, Berin Szoka & Adam Thierer, Progress Snapshot 4.19, 
        Sept. 2008.

    The Progress & Freedom Foundation is a market-oriented think tank 
that studies the digital revolution and its implications for public 
policy. Its mission is to educate policymakers, opinion leaders and the 
public about issues associated with technological change, based on a 
philosophy of limited government, free markets and civil liberties. 
Established in 1993, PFF is a private, non-profit, non-partisan 
research organization supported by tax-deductible donations from 
corporations, foundations and individuals. The views expressed here are 
those of the authors, and do not necessarily represent the views of 
PFF, its Board of Directors, officers or staff.

    Senator Pryor. Thank you.
    I want to thank all the witnesses for their testimony.
    And we're going to start off with Senator Rockefeller.
    The Chairman. Thank you, Mr. Chairman.
    I have this odd feeling about this panel, except you and 
you and you. It's like we're discussing some kind of--Is a 
breakfast cereal good for you, or not? And children have 
somehow already disappeared from this process. And it comes 
down, I think--I mean, and the both of you--Microsoft, 
Facebook--had good things to say, but you always ended up with 
the idea, ``Well, we can--we'll do this by ourselves, and we 
really don't need the government telling us what to do.''
    And I have to leave, very shortly, because I have to give a 
speech on cybersecurity to a business group. Cybersecurity is 
the Nation's number-one national security threat, ahead of 9/
11s, dirty bombs, weapons of mass destruction, according to all 
analysis. The private companies--this is very parallel to me--
they always said, at the beginning, ``We''--Olympia Snowe and I 
have been working on this for 2 years--``We can do this 
ourselves. We don't want government to be involved with this.'' 
We knew that couldn't happen, because we knew that they didn't 
have, really, any idea what they were doing about how to take 
on cybersecurity. Some of the larger companies did, to a 
certain extent, but, for the most part, they didn't.
    That's like parents. We want parents to make these 
judgments, and which is a little bit like saying that some 
people here don't know how average American families have to 
live, where people are trying to keep down two jobs, and they, 
themselves, may not be skilled on the Internet, and in any 
event, they're tired, they have things to do. And so, we've got 
to do this for the parents. And so, ``Well, let's not let FTC 
do this, let the Congress do that.''
    Well, maybe that was your idea, because you thought the 
Congress wouldn't be able to pass it. I thought your testimony 
was particularly unhelpful, to be honest with you. I thought 
both of your testimonies were terrific, because you were 
focused on the problem.
    And, Mr. Rotenberg, or Dr. Montgomery--either one--we 
haven't, here, discussed, really, what the problem is. And the 
problem is, kids are watching filth. They're watching filth, 
and lascivious, horrible things, and we're trying to argue 
about 13, when, as you say, it should be 18 or 22, or whatever. 
And the companies, here, are in favor of cleaning this up, but 
not at the expense of being regulated. They want to do it 
themselves. They'd appreciate working with the FTC a little 
bit, but the clear message is, they want to do it themselves.
    My clear message is, I don't really think they do. I think 
money trumps on this. Money always trumps when it comes to 
information. Money always trumps. This committee has come up 
with so many scam hearings in the last year or so. Money drives 
bad behavior, and then kids, or people, or whoever, or Internet 
users and popup--you know, all of these things are just left to 
the side.
    So, I'd like you to describe, What damage do you think is 
being done to children by the inaction? And, you know, I agree 
with you some--agree with the FTC; they're not heavily staffed, 
they're not well funded. We need to change that. We're trying 
to protect them from being wiped out altogether under this 
financial services thing. And I think we have. I think we have 
done that. But, what is the damage that you see being done to a 
generation of kids coming up, with parents who are purportedly 
hovering over, watching every move they make, when you know 
perfectly well they're not?
    Mr. Rotenberg. Senator, I think the primary problem is that 
young people are being coaxed to reveal a great deal of 
intimate information. And the data is gathered and collected 
and disclosed to strangers, for any purpose that generates 
commercial value. And, as a parent of two teenagers, I have a 
problem with that. I think technology is great, and I want, you 
know, my kids to grow up and to be technologically literate and 
to make smart decisions online. Because I can't always be 
there, they need to have the tools and the experience to make 
those decisions for themselves. But, I know that there's a 
point where, if I can't help them and they can't figure it out, 
if the business practices are designed to conceal from them 
what's really going on. And that's why I think the Congress 
needs to act. I think the Congress needs to give kids the 
ability to control how the information about them is being used 
by others.
    The Chairman. My time is up. Do you have----
    Dr. Montgomery. Senator----
    The Chairman.--one brief comment?
    Dr. Montgomery. Yes. I mean, I would agree with Marc. We 
have created--industry has created a system of ongoing 
monitoring and surveillance of teenagers, encouraging them. And 
it taps into their natural developmental needs to reach out to 
their peers and to become independent, encouraging them to give 
out a lot of information, and tracking everything they do, 
without their knowledge. It's also socializing them into a 
system where privacy is not valued. And I think that's a very 
deep loss to our society.
    And then, finally, I do want to respond to what Mr. Szoka 
said about advertising. We're not talking about traditional 
advertising, here, by the way. We're talking about viral 
advertising and branded environments and interactive games and 
Avatars and a whole lot of things that are not what you 
traditionally think about as advertising.
    And recent research has found that teenagers can be quite 
susceptible to this advertising; they're not necessarily aware 
of all of this, and we know they don't know what's being done 
behind the scenes.
    The Chairman. I thank you both very much.
    I thank you, Mr. Chairman.
    Senator Pryor. Thank you, Mr.----
    Mr. Hintze. Senator Rockefeller, could I make one brief 
comment, please?
    The Chairman. Sure.
    Mr. Hintze. I just want to--I apologize if I gave the 
impression that Microsoft does not want government involvement, 
that we want to do this on our own. That's certainly not the 
case. We have been supportive, for a long time, of a 
multifaceted approach to protecting privacy online, not just 
for kids, but for all consumers, including our support for 
comprehensive Federal privacy legislation, which we think is 
essential.
    But, self-regulation certainly plays a role. Industry best 
practices certainly play a role. But, education, law, 
regulation, and enforcement also play a role, as well, and 
we're very supportive of all of that.
    The Chairman. I hear you.
    Senator Pryor. Thank you, Mr. Chairman.
    Senator Wicker.
    Senator Wicker. Well, thank you very much. And this is a 
very, very serious topic, with implications for the next 
generation. I appreciate the Chair's willingness to get into 
the weeds on this.
    I do think that the testimony of all of our panelists has 
been helpful. I think it's important that we hear a variety of 
viewpoints, and all sides to this. And I do think that there's 
a way to--there must be a way to have it both ways, to 
encourage innovation and to protect the privacy of children's 
information at the same time.
    So, I'll ask the panel, What do they think about what I 
just said? Has the law reduced innovation and caused 
consolidation among children's websites? Have we created a 
barrier to entry into the children's website market? Has the 
law resulted in limitations on beneficial content specifically 
for children?
    So, if we could just start with Ms. Rich and go down the 
panel, that'll be my question.
    Ms. Rich. That's obviously--Tim keeps helping me with the 
button, here--that's obviously one of the key issues that we're 
going to look at in our review, especially since that was one 
of the goals of COPPA, is to preserve that access, even as kids 
were protected. We did review that issue that last time we 
reviewed COPPA, which was 2005, and we published a report. We 
sent a report to Congress, and we said, at that time, all of 
the commenters and all of the people we spoke to and the 
research we conducted indicated it had not, that children were 
being protected, and they still had access, and innovation was 
not being stifled. But, we are very interested in the answers 
to those questions today.
    Mr. Sparapani. Senator, speaking only for Facebook, I can 
say that I have seen a strange disincentive because of the law. 
My whole testimony was focused on trying to identify all of the 
innovative things that Facebook has done for the teenaged users 
of our site. But, what you didn't hear me saying was that we're 
not spending a lot of energy on the under-13 set, because 
they're typically not on our site. But, there's a line that's 
drawn between the 13-and-over and the 13-and-under, and I think 
that that line has created a disincentive for companies to work 
toward innovating on the 13-and-under side. And I think that we 
need to look at that. And I think that's the point I was trying 
to make in my testimony, Senator.
    Mr. Hintze. I look forward to seeing what comes out of the 
FTC's current rule review. I can speak for our own company, 
that, yes, some of the parental consent mechanisms required 
under COPPA can be challenging, and sometimes frustrating to 
implement. But, I think that, for the most part, it has not 
discouraged us from continuing to provide services to general 
audiences, including young children and some specifically 
tailored to children, as well. It does create additional work 
and additional cost. It's a barrier to entry, in some cases, 
because anytime you're designing a sign-up process where 
there's a speed bump or even in some cases a significant 
barrier in having to involve the parent--yes, some consumers 
will go away and go elsewhere. But, we think it's in the--for 
the most part, the right thing to do. Involving the parent is 
the right thing to do. Creating those speed bumps so that you 
can inform children about the appropriate use of these 
services, and help educate their parents, is the right thing to 
do.
    So, I would say, on the whole, COPPA has been successful in 
encouraging websites to do the right thing, even though there 
is a cost involved.
    Dr. Montgomery. One of the goals of the law was to minimize 
this massive data collection that was really becoming state-of-
the-art in the early days of the dot-com boom and e-commerce. 
And I'm telling you, that is where the business was headed. So, 
what we were able to do--and, again, I repeat that we were 
worked with industry to come up with a set of principles that 
would honor the privacy rights of young people, but, at the 
same time, not interfere with the healthy development of e-
commerce.
    But, if you're going to market to kids, what we were able 
to establish is, there need to be some operating principles, 
here. And I think the industry has done a very good job of 
working that out. It was not easy to sit around the room and 
try to figure out, ``OK, how do we do this?'' You know, the 
parental verification mechanism was a tricky one, not easy to 
do. But, the idea was, first, enable the parents to know what 
their children are doing, and, second, make the industry aware 
that they have a responsibility, when they are collecting 
personal information from children.
    We've seen a growth--a healthy growth of lots of wonderful 
websites for kids, lots of terrific content areas. And I think 
that has been a very, very good development, and I'm happy 
about it.
    As I said, I think the 13 is not--kids don't become 
automatically mature at 13, as any parent can tell you. But, at 
that time, we decided, ``Let's create this clear mark, here, 
for where we will have these guidelines.'' And now, I think 
we've seen a whole new development, with the web, that raises 
the issue about how--``OK, now what do we do about teens?'' 
Again, not the same model, but, What can we do to ensure that 
they're treated fairly in this digital marketplace?
    Mr. Rotenberg. Thank you.
    Senator I just want to say, I very much appreciate your 
question about the relationship between innovation and privacy. 
And I suspect we're going to hear a lot more about this.
    But, if I could say, directly, sir, I think the 
relationship is not generally well understood. I don't see this 
as a tradeoff. My wife is a public schoolteacher. When we talk 
about innovation in the technology field and privacy, we think 
in terms of the privacy safeguards that enable children to take 
advantage of new technology. In other words, in the absence of 
privacy protection, I think you actually diminish the 
opportunity for technical literacy and training and education 
that parents and educators would like to see happen.
    The real innovation that people are talking about, which is 
what they're not saying explicitly, is on the marketing side. 
They don't like the privacy rules, because they don't want to 
do the types of behavioral targeting, brand-based targeting, 
you know, ``get your child to friend an advertising figure'' 
targeting. That's the innovation they have in mind, and that's 
why they object to the privacy rules.
    But, if we take a step back and talk about technical 
literacy, bringing more children to the online environment, 
creating great products and services so that they get excited 
about new technology, privacy actually plays a very big part in 
helping to make that happen.
    Senator Wicker. Before we move to Mr. Szoka, let me follow 
up, Mr. Rotenberg. You mentioned that you have children. I take 
it that they are teenage?
    Mr. Rotenberg. Yes, sir.
    Senator Wicker. Do you mind telling us how old they are?
    Mr. Rotenberg. Fifteen and sixteen.
    Senator Wicker. OK. And I dare say that, in terms of 
knowledge about the protections that children need, you're 
probably in percentile 99.9----
    Mr. Rotenberg. Right.
    Senator Wicker.--nationwide. That being the case, what do 
you need the government to do for your above-age-13 children, 
that it's not doing now?
    Mr. Rotenberg. I need the government----
    Senator Wicker. Because you're a good parent.
    Mr. Rotenberg. Yes. Well, I appreciate that, sir. But, I 
need government to step in to control the things we can't 
control. In other words, if we sit down with our children and 
go through the privacy settings and say, ``This makes sense,'' 
or, ``This doesn't make sense,'' or, ``That's really your 
call,'' and that's how we understand privacy protection, and 
then, the next week, the company says, ``We've got a whole new 
approach now. We're going to do something different,'' and 
we're left with a sense that the tools that the company 
provided us to try to safeguard our privacy and the privacy of 
our children have basically become meaningless.
    So, I--I'm not saying that parents don't play an important 
role. I think parents do. But, I'm saying it can't be made so 
difficult. And the businesses can't hide the way they collect 
and use data, as they do, because there's nothing that the 
user--the parent can do to change that. That's completely on 
the business side, and it's done because there is no 
regulation. There's nothing that prevents them from saying, to 
all the teenagers who they have data on right now, ``You know, 
we've got a great idea, and we want to just go ahead and do 
this,'' or not tell them and go ahead and do it. Parents can't 
control that.
    Senator Wicker. Thank you.
    Mr. Szoka, you can respond to that, but also to the 
question about innovation versus privacy.
    Mr. Szoka. Well, thank you, Senator.
    Let me be clear about three points.
    First, there are always tradeoffs involved in regulation. 
And here, the tradeoff is not simply a question of economics 
versus privacy, but, indeed, the tradeoff involves free speech. 
And again, I stress that that's because ``collection,'' as the 
term is used in COPPA, does not just apply to collection, as we 
mean it in the colloquial sense, such as is used for 
advertising or marketing purposes. But, under the statute, it's 
any sharing of information. It is the enabling of sharing of 
user-generated content.
    So, when I talk, here, about the tradeoffs, I want to be 
very clear, I am talking about the ability of users to join 
tools, and the innovation in those tools that allow them to 
share and communicate and collaborate. And that's--this has 
been the flourishing of the Web 2.0. And that is exactly what 
is at stake here if COPPA were to be expanded in its age scope.
    So, my second point is, I wanted to emphasize that I think 
one of the beauties of COPPA is that it gives the FTC great 
flexibility in shaping the rule within the confines given to it 
by Congress. So, the FTC has the flexibility to update the 
definitions of ``personal information'' and ``Internet,'' and I 
encourage it to do so.
    My caution, however, was that we ought to be very, very 
careful about having Congress reopen the door to the one thing 
that the FTC cannot, on its own, change, which is the age 
scope. And I mentioned the financial reform legislation only 
because that could, indeed, give a future FTC the ability to 
change things like the age scope, which, again, presents an 
important tradeoff, in terms of free speech.
    My final point is, there is a rich mosaic of parental 
control tools and software and methods available today. My 
colleague, Adam Thierer, at the Progress & Freedom Foundation, 
has published a comprehensive compendium of those tools. And 
again and again, in the context of filth, as Senator 
Rockefeller referred to, wanting to prevent or censor kids from 
accessing, the courts have repeatedly said that those tools 
need not be perfect, but the government regulation must yield 
to the tools, where they exist. And so, our point has been to 
highlight that these tools exist, and that we should be 
encouraging innovation, not just in the sharing of information, 
but also innovation in the controls that are available to 
parents, as well as all users, to take, really, control over 
their own information and how it's shared.
    And so, our answer, in a nutshell, is that the solution to 
all these concerns should, first and foremost, be enforcement 
of the existing law, which applies to, again, children under 
13, and then also education and empowerment. And government has 
a role to play, a very important one--and the FTC does this 
extremely well--in highlighting those tools, methods, and 
education. And I encourage it to do so, but, again, caution 
against changing the statute, itself.
    Senator Wicker. Thank you.
    Senator Pryor. Thank you, Senator Wicker. Thank you for 
being here. And I know you have to slip out to another meeting, 
but thank you for your leadership. And we will leave the record 
open for a few days for Senators to submit their questions, if 
they want to.
    Let me, again, thank all of our witnesses, but I want to 
thank Facebook and Microsoft for being here, because I know not 
everyone in the industry chose to come today. But, let me 
start, if I can, with a question for Facebook.
    In your written testimony, you talk about ``Facebook's 
culture of authentic identity.'' Could you elaborate on that a 
little bit?
    Mr. Sparapani. Yes, Senator, and I'm glad that you asked.
    One of the really interesting things that happened when 
Facebook was first launched is, we defied conventional wisdom 
at the time about privacy and security. We decided that, at the 
beginning, we were going to ask people to put their real names 
and build their entire profile around that. And I have to tell 
you, it has been the--really, the wellspring of a number of 
advantageous security and privacy benefits for users of all 
ages of our site.
    Again, it was unconventional at the time, but what is meant 
is that we're able to really deter bad behavior; we're able to 
identify fake accounts quickly; we're able to target corrective 
action at an explicit account; and, more importantly, there's 
this community effect that takes place, where individuals feel 
some sort of reprobation when they take an action which is tied 
to their name. It tends to discourage bad speech, bullying, bad 
behavior, et cetera. And so, we've really been the beneficiary 
of this decision of, what we refer to as, a real-name culture.
    Senator Pryor. That's good.
    And you also mentioned in your testimony that you didn't 
want to see any changes to COPPA.
    Mr. Sparapani. We're not really needing changes at this 
point, because we feel we've done, really, a very good job of 
implementing the statute----
    Senator Pryor. Let me interrupt, right there.
    Mr. Sparapani. Please.
    Senator Pryor. You're saying that's true for your company.
    Mr. Sparapani. It is.
    Senator Pryor. Are you saying that's true industrywide? I 
mean, is everybody a good actor out there?
    Mr. Sparapani. No, of course not. And, you know, there 
certainly are companies which are outliers, there always will 
be. And that's, frankly, why we need stepped-up FTC 
enforcement, to find those bad actors and take action.
    Senator Pryor. So, your view is, leave the statute as is, 
but beef up the enforcement?
    Mr. Sparapani. Yes, I think that's the right approach, 
Senator. I think the FTC folks do a generally good job, and 
they would do better if they had more resources.
    It's really easy to focus on the Microsofts and the 
Facebooks, the Googles, and the Apples, because we're here, and 
we can show up and testify. It's the companies that don't have 
people here in Washington, that don't have lawyers on staff, 
that probably deserve the lion's share of attention; they don't 
get it, because the press can't focus on them, and they can't 
be found.
    Senator Pryor. Tell me why you like the age 13, and why you 
think that shouldn't change.
    Mr. Sparapani. Well----
    Senator Pryor. My, just general inclination would be, 
``Hey, this is a children's issue, you should make it, 18 and 
under,'' or, something like that, move it up a few years. But, 
tell me why you like 13.
    Mr. Sparapani. Well, first of all, Senator, my expertise is 
in privacy, and it's not really in child psychology or social 
development. So, I can only speak from this perspective. We 
have found that teenaged users have really had a, really, very 
successful experience on Facebook. They're socialized well, 
they learn good rules of behavior, they are able to actually 
advance themselves and learn about the world around them.
    So, what--I would not want to see us deny teenagers the 
opportunities of living in a digital society. I think it would 
hamper kids around our country, and set them back, vis-a-vis 
children of the same age in other countries, if we were able--
if we were to prevent them from having access to these sites or 
services.
    Senator Pryor. OK.
    I think--Dr. Montgomery, did you have a comment on that?
    Dr. Montgomery. Yes. And I would agree that social 
networks, and the Internet in general, are terrific tools for 
young people. I'm also the mother of a teenager, and I can see 
what a great role these new digital technologies are playing in 
her life, and they really do tap into the key developmental 
tasks of adolescence, when adolescents are exploring their 
identities and they're trying to reach out to their peers and 
really separate from their parents, which is something that 
they need to do, and be more autonomous. So, I can really see 
that. And a number of my colleagues have done terrific research 
that documents all of that; I think that's great.
    And I--but, I think the problem is that teens are out there 
in very public and very transparent--in many ways that 
sometimes alarms parents, on these social networks. But, the 
business practices of data collection and surveillance that's 
taking place on Facebook and other social networks is not 
transparent. It is really a black box, in many ways.
    And I would not be talking about restricting teens from 
having access to these platforms. I think we need to give them 
that access; they're very important. But, I--what I would be 
calling for, and what I do call for, is for the government to 
play a role in ensuring that all of these social networks, and 
all of the platforms, mobile and otherwise, that young people 
are engaged in, are operating by a set of rules. These rules 
can be crafted in a way that will balance free speech, that 
will balance business and innovation.
    When we started talking about COPPA, a lot of people said, 
``Well, we'll never be able to do this, this is impossible.'' 
We were able to work it out. And again, not the model that we 
have for COPPA, not the model of parental verification and 
restricting access, but a separate set of principles that I 
think we could work out together that would apply to teenagers.
    Senator Pryor. Let me ask you, Dr. Montgomery, are there a 
set of principles that exist right now? Is there a model rule 
out there that we could apply here? Or do we have to start this 
from scratch?
    Dr. Montgomery. Well, I think at the very least, the--some 
of the international principles--OECD principles, for example, 
that Marc can talk to about data minimization and transparency 
and other things that we would expect--you know, I don't see a 
model out there, as yet. I think we're inventing some of these 
things, as we did with COPPA, but I think this is the right 
moment to do so.
    Senator Pryor. And while I'm on you, Dr. Montgomery, should 
we leave age 13 as is, or should we change it?
    Dr. Montgomery. I think COPPA operates well as it is. I'm 
not necessarily talking about revisiting the actual 
legislation, but I do think we ought to think about what 
protections we could provide for teens. And again, I think we 
need to be careful about the model that we create, that I don't 
want to see teens totally ignored.
    Senator Pryor. OK, Mr. Sparapani, let me ask you, you all 
apparently have a ``report'' button. And how often is that 
used? I mean, do you track that? What are the numbers on that?
    Mr. Sparapani. Well, Senator, I don't have the numbers, 
here, immediately in front of me. But, I have to tell you, it's 
enough to keep a huge team of employees busy, all day, day and 
night, from around the world. When you have 400 million users, 
which we do, and they're trained, because they've become 
comfortable with self-reporting, what they consider to be 
inappropriate behavior by others on the site, it does produce a 
large quantum of reports.
    And, of course, we triage those. We take the ones that 
might have a law enforcement component, we put those at the top 
of the list, in terms of responding. We put the ones that 
concern potential threats to life and limb--and it only happens 
rarely--but, we put those, and we prioritize those. And so, 
these other reports about other malicious behavior or 
inappropriate speech drop down a certain notch.
    Senator Pryor. And does your company have policies that go 
beyond COPPA? I mean, it sounds like you all have a set of 
policies that really go beyond the law.
    Mr. Sparapani. Well, I guess the one place where I would 
suggest this is in--with respect to our marketing practices. I 
want to distinguish Facebook from virtually all other companies 
I know, and from some of the generalized discussion that has 
been happening about marketing to teenagers.
    With respect to marketing to teenagers, Facebook never, 
ever shares information with the advertiser about individual 
users; doesn't matter the age of the user. What we do is, when 
we get a request to advertise on our site by a company, we 
offer the ad, but we never share the actual personal 
identifiable information with that advertising company. And I 
think it's important that people recognize----
    Senator Pryor. You give them aggregate information about 
your users, but not specific information?
    Mr. Sparapani. That's exactly right. I think it's an 
important protection. And I think it has really helped our 
company succeed. And I hope other companies will follow our 
lead on that.
    Senator Pryor. Mr. Hintze, let me ask you, I know that 
Microsoft, through, you know, your various software products, 
offers a lot of parental controls. Do you know what percentage 
of your users actually utilize the parental controls? Do you 
have a sense of--even a kind of rough percentage of what that 
might be?
    Mr. Hintze. Yes, I don't have the actual numbers with me, 
and I think it probably depends on the service itself.
    Things like Xbox Live, for example, the parental controls 
are really built in as part of the account creation process. 
So, when a parent buys an Xbox and signs up for an Xbox Live 
subscription, part of that transaction of creating secondary 
accounts for their children put those parental-controls choices 
in front of the user. So, it's quite a high percentage of users 
who are children, where their parents are utilizing those 
controls to some level. And there are all kinds of different 
knobs and dials in there; and how deep the parents go probably 
depends on the parent. But, a large percentage of users are 
using that.
    Other services, you know, we've got this Windows Live 
Family Safety, which is a free download for people to use to 
help control how kids are surfing the Net and using search 
services.
    You know, there's a challenge of educating parents and 
making them aware of these tools, and it's something that we 
try to do, but it's always hard to reach those parents. One of 
the reasons why we have implemented parental consent processes, 
even in cases where we think COPPA doesn't explicitly require 
it because it's a general audience site, for example, we think 
that's an opportunity to provide that kind of education to 
parents, to get some of these tools and information in front of 
them.
    So, it really depends across the service, I think.
    Senator Pryor. Let me ask about your--you call it Windows 
Live Family Safety?
    Mr. Hintze. Yes.
    Senator Pryor. Let me ask about that product. That's free?
    Mr. Hintze. Yes, it is.
    Senator Pryor. And how do parents find out about that?
    Mr. Hintze. We provide messaging in a variety of different 
ways. We have worked with a number of organizations--children's 
organizations--to provide information through those, the Boys 
and Girls Clubs and other organizations like that. We've 
provided information through our own sites; we've got dedicated 
Web pages around privacy and children's safety on our websites 
to provide information to parents. So, there are a variety of 
means about how we try to get, sort of, the word out on these 
different tools that are available to parents, get them 
educated about the risks of children online and the risks that 
those children face and the tools available to them, to help 
protect them.
    Senator Pryor. Yes, I think it would be helpful for 
parents--and you may already be doing this, I'm just not aware 
of it with this product--but, I think it would be helpful for 
parents if you guys could take the offensive and aggressively, 
periodically, from time to time, whatever's appropriate, offer 
almost like a parent's toolkit on how to stay safe online.
    And there are a lot of aspects of that. I mean, there's 
identity theft; there are a lot of fraud issues; there are just 
privacy issues with kids or with--I mean, you know, just really 
kind of runs of the gamut. And does Microsoft offer that, kind 
of in one place, these kind of, you know, semi-regular 
reminders that these tools are available, and, ``You need to 
update your settings,'' et cetera, et cetera? Do you all do 
that, or is that not----
    Mr. Hintze. We do have----
    Senator Pryor.--proper etiquette----
    Mr. Hintze. Yes.
    Senator Pryor.--you know, in your company?
    Mr. Hintze. We do have the equivalent of tool kits 
available. We've got a website that has a list of resources 
available to parents, and information available to them, to 
help educate themselves and their children about the risks 
online. Again, the challenge is making them aware of that. 
And----
    Senator Pryor. Yes.
    Mr. Hintze.--and there are certainly things that we have 
done in the past, sort of, quasi-marketing campaigns to 
parents, to try to get that information in front of them. And 
there's obviously more we can do in the future.
    Senator Pryor. Yes, I'm not a--personally, I'm not a huge 
Internet user. I mean, I use it probably every day, but not 
extensively every day, and usually not very extensively at all, 
but, you know, I wasn't aware of that. So, if I'm kind of like 
Average John Q. Parent, here, I didn't know that was out there. 
So, I would hope that Microsoft and other companies would think 
about ways to be a little more aggressive in letting people 
know.
    Let me go ahead and ask Mr. Szoka about the age 13. You 
want to keep 13 where it is?
    Mr. Szoka. Senator, yes, I think you've asked the most 
important question of the day. The point that I've tried to 
raise is--this is perhaps the least well understood aspect of 
COPPA. And the point, here, is not necessarily just to deal 
with child psychology, although 13 does happen to be the age at 
which Jewish kids are Bat Mitzvahed, the Confirmation is given 
in the Catholic Church. Romeo and Juliet were 13. There are 
reasons why 13, historically, has been an age of transition 
and, indeed, was chosen by Congress.
    But, the point that we've tried to stress in our work at 
PFF has been that the far more important reason for keeping it 
at 13 is that, when you raise that age above 13, the COPPA 
framework breaks down. Because, again, as I said, COPPA 
basically applies, in two ways: It applies to sites that are 
required to presume that all of their users might be a child, 
and then again where sites have actual knowledge. And so, if 
you were to set that at 18, for example, you would end up in a 
situation where sites that were--that might be considered 
directed at adolescents, or might be afraid that the FTC would 
find them to be so, are sites that differ profoundly from sites 
that are, today, like Club Penguin, really, truly directed only 
at kids under 13. And the difference is, adults use those sites 
that teens use, as well.
    And so, as a practical matter, if you extended the COPPA 
framework to a higher age, you would, for the first time, have 
the government be requiring age verification of large numbers 
of adult users. And we've already been down that road before. 
The courts have very clearly held, in the litigation about the 
Child Online Protection Act, or COPA, that to do so would be 
unconstitutional because it would infringe on the free speech 
rights of users to access content without having to identify 
themselves, such as through use of a credit card, but also the 
free speech rights of the sites themselves, to reach an 
audience, which is diminished by the roadblock of age 
verification.
    So, I want to be clear that, from my perspective, this is 
the most important issue that we've talked about here today, 
understanding why that age for COPPA must be kept at 13 for the 
framework of the--of what I think is a really great statute, 
otherwise, to function effectively.
    Senator Pryor. Thank you.
    Mr. Rotenberg, do you agree that COPPA breaks down if you 
change the 13-year-old threshold?
    Mr. Rotenberg. Yes, I've been sitting here, listening to 
Mr. Szoka's comments, and I'm just very confused. I actually 
helped litigate against the COPA, which was the Act that raised 
the First Amendment concerns. And on that side, he and I are 
actually on the same page.
    But, it is almost completely unrelated to the discussion 
we're having about age verification and COPPA. As Mr. Sparapani 
explained, every person of any age who wants a Facebook account 
has to, in the first instance, provide information about their 
actual date of birth; that's how they make the determination 
whether someone's above 13 or below 13. And presumably, they 
could do the exact same line drawing exercise at age 18. So, 
this argument actually doesn't make any sense to me.
    But, what I--what Mr. Sparapani said, which I think is 
something that needs to be considered more carefully--and I 
understand where he's coming from--he said, basically, Facebook 
made a decision, for children under 13, ``We just don't want to 
have them as users.'' In other words, ``It's too complicated; 
and because of the COPPA obligations, we're just going to say, 
you know, `Wait a few years,' basically.'' And he suggested, in 
his answer, that if Congress were to extend the line to 18, 
perhaps they would make the same decision now for kids between 
the ages of 13 and 18, which is obviously not what we're 
suggesting. We're not saying that teenagers shouldn't be on 
social network services. We're saying that companies that 
provide social network services to teenagers should have some 
legal restrictions on the collection and use of data about 
those children. And I think that can be done without too much 
difficulty. It would probably be based on COPPA; you probably 
want to make some changes.
    But, that's the main legislative recommendation I would 
make: create some legal protections for teenagers. Don't 
discourage them; I agree with others, it's a good service. But, 
as it is right now, it's not providing adequate protection.
    Senator Pryor. Let me ask about age verification. I know 
some companies may differ with me on this, but my impression is 
that there's really not a way that exists, yet, to truly get 
rock-solid age verification. And filling in your birthday--
obviously, kids can just put in a different date and, you know, 
they may be off to the races. So, am I wrong on that? Is--that 
there's not a really good, solid way to do age verification 
yet? Or, tell me--tell me what--the state-of-the-art right now.
    Mr. Rotenberg. Well, it has always been a challenge. And I 
think you're exactly right to say that there is no, you know, 
rock-solid way to do it. There are a number of different 
techniques. Facebook itself, I think, has developed some pretty 
good systems to do age verification. I think they probably get 
it right at a very high level, which is to say, I would be very 
surprised if there were a large number of accounts for kids 
under 13. There may be some out there; I suspect that's true. 
But, I don't think it's a very large number.
    And I think a similar, you know, effort to move the age 
line to 18, there will probably be some people who get, you 
know, in under. But, I don't think that's a reason not to do 
it. And I think it would be a mistake, actually, to say, 
``Well, because we can't get it, you know, 100 percent, we 
should just give up.''
    Senator Pryor. Right.
    Mr. Szoka.
    Mr. Szoka. Senator, if I may respond, you are exactly right 
that there is no perfect method of age verification. But, there 
is another important distinction we have to understand, here. 
And it's as simple as the fact that when you sign up for a 
site, like Facebook, today you are indeed, as Marc has 
mentioned, required to provide your age. But, you can, indeed, 
Senator, as you have mentioned, simply lie. And the critical 
difference here is, that as it--as these sites function today, 
sites like Facebook and the many other sites--because this is 
not just about Facebook, but indeed about every site that 
potentially allows sharing and posting of comments, such as the 
blog that I run, for example--that when you sign up for those 
sites, you are not required to verify your age through the use 
of a credit card. This is the key issue.
    My point here is that, if we were to move to a world where 
COPPA applied to children under 18, you would have large 
numbers of sites that enable the sharing of--by users, of 
information about themselves--so-called user-generated 
content--to have to actually age-verify. And that's a 
fundamental difference from the current regime in which sites 
simply ask for age, and if you admit that you're under a 
certain age, they block you, as they're required to do. And 
it's at that point that you start to run into precisely the 
same constitutional issues as were raised in COPA. Because 
COPA, in a nutshell, required certain sites to assume, again, 
that all their users might be children, and therefore require 
all users to verify themselves with a credit card, or similar 
tool.
    Senator Pryor. Dr. Montgomery, let me ask you about the 
state of academia on this. And that is, Are there studies out 
there, where people have really analyzed, maybe the child 
psychology or, how the industry really operates? I mean, is 
there a body of academic work on this that the Subcommittee can 
look at to, you know, get some insights on how things really 
work out there?
    Dr. Montgomery. Well, there's a growing body of research 
about how young people are interacting with online social 
networks and other digital media; the MacArthur Foundation has 
funded a good deal of work in that area. None of it, I have to 
say, has really taken into account, or looked at, the 
commercial dimensions of the digital media.
    Senator Pryor. And privacy doesn't----
    Dr. Montgomery. Or the privacy.
    Senator Pryor. Yes.
    Dr. Montgomery. Now, there are some studies emerging on 
privacy, but they're not looking at the whole picture of 
digital marketing.
    I will say, also, that the experts in the food marketing 
area--and I'm working very closely with a number of them--
because of the concerns about childhood obesity and the role of 
food marketing in that crisis, have begun to pay more attention 
to the digital marketplace. And I've been doing a lot of 
research in that area and am working with experts who are 
looking at adolescent development and the role of adolescents 
in the digital marketplace, because they're very much at risk 
for childhood obesity, and they're not necessarily in a 
position to be asking their parents about their decisions about 
food.
    And we know that many of those food marketers are using 
behavioral targeting and behavioral profiling to target, in 
interactive games and in other kinds of online settings, 
precisely those kids who may be most vulnerable to that kind of 
marketing.
    So, we are working with a number of people to conduct more 
research in that area. I'd be happy to supply the Committee 
with some of that research.
    Senator Pryor. Yes, I'd like to see that.
    And so, when you're talking about, say, fast-food 
marketing, give me a scenario where that works. It sounds like, 
to me, that some kid may be walking down the street, and 
there's a fast-food restaurant, and he may get a message on his 
or her phone that they should go in there, they get a coupon or 
something. I mean, tell me how that works.
    Dr. Montgomery. That is where location marketing is going. 
And that is--you know, first of all, you know who the 
individual consumer is. And as we're finding, you know, it 
isn't always necessary to even know the name. You simply know--
need to know who that person is who is using that particular 
mobile phone, and, you know, what the age is, and the other 
demographic characteristics, as well as the behavioral 
characteristics--what kinds of sites they go to, and masses of 
amount of data that are being pulled together by various 
tracking technologies.
    And, yes, the idea--and we've seen some trials with this, 
with some of the fast-food companies--would be, you know, that 
you're--when you're near that restaurant, you would get a 
coupon that could say, you know, ``You can get a discount for 
this particular kind of product.''
    We're also looking at interactive games and the kinds of 
behavioral profiling and targeting that's going on there. So, 
let's say you're a pizza lover, you're also addicted to 
interactive games, and interactive games online can then target 
you when you're most, you know, aroused by the game and offer 
you pizza, and even provide you with direct access to an online 
site to order that pizza. And we know of--also, that we're 
looking--a lot of apps on phones--I have an iPhone--that enable 
you to order things right away. So, it's this kind of impulse 
buying. All of that is tied into behavioral targeting.
    Senator Pryor. And so, let me ask a follow-up there. You 
mentioned the iPhone, which is an Apple product; so you have 
the manufacturer of the phone, but you also--what about the 
wireless companies? The cell phone companies themselves, the 
AT&Ts and Verizons of the world? Are they providing this type 
of information to marketers? I mean, are they giving age and 
things like that? Do we know that?
    Dr. Montgomery. It's my----
    Senator Pryor. Has anybody looked at that, that we know of?
    Dr. Montgomery. Yes, I mean, Marc, you may be able to 
answer that better, but they fall under a certain set of 
policies----
    Senator Pryor. Right.
    Dr. Montgomery.--you know, that are--that apply to those 
companies, that are----
    Senator Pryor. Right.
    Dr. Montgomery.--separate from what some of the online 
companies would.
    Do you want to answer that one?
    Senator Pryor. Do you know?
    Mr. Rotenberg. We're not specifically aware of how the 
telephone companies collect the data on customers. But, there 
was a very interesting proposal to do a so-called ``deep packet 
inspection'' by Internet service providers which would actually 
reach much more deeply into the personal activity of people 
online, literally looking at all the e-mail traffic they were 
sending, and trying to take, you know, pointers to commercial 
activity out of that.
    I do want to make, just on this point, one further comment. 
I think Mr. Sparapani was correct when he said, earlier, that 
Facebook doesn't disclose user data to advertisers. That's 
right. But, Facebook does disclose user data to application 
developers so that when a Facebook user installs a Facebook 
app--you know, favorite cities or snowball fight, or whatever 
it is--Facebook, at that point, is making a decision to send a 
lot of the user's social graph over to that company. And what 
they announced, just recently, is to do something very similar 
with third-party websites, like CNN and Pandora.
    So, it's not the whole story, I think, at least in this 
situation, to say, in terms of Facebook, that the data doesn't 
go to advertisers. There are other ways that the data is 
released.
    Senator Pryor. Thank you.
    And, Ms. Rich, I haven't forgotten about you.
    Ms. Rich. I'm listening, here.
    [Laughter.]
    Senator Pryor. Let me ask you a few questions. First, did 
you have any follow-ups on any of this that you heard that you 
wanted to clarify?
    Ms. Rich. Well, I do have one follow-up from something Marc 
Rotenberg said, in his first statement, which is, I agree 
whole-heartedly that enforcement by the FTC, both of COPPA and 
generally in privacy, is very important. And we are very proud 
of our enforcement record. Just in the last year, or even 6 
months, we brought four data-security cases, which puts us at 
close to 30 data-security cases that we've brought. We've 
issued an Online Behavioral Advertising Report, and done at 
least one case involving deceptive tracking. We've done eight 
cases designed to promote the integrity of self-regulation. And 
I could go on and provide the--provide you, Mr. Chairman, with 
more. But, I did want to comment on that.
    Senator Pryor. Yes.
    In your statement, you said--let me--I think I have this 
right--whether the rule's definitions of ``Internet'' 
adequately encompasses certain technologies, like mobile 
communications. I don't know if you remember that. And is the 
FTC looking at what we even mean by ``Internet'' today, and--
the definition of ``Internet'' and ``mobile technology''? I 
mean, are you reevaluating all of that, in light of the 
technological innovations?
    Ms. Rich. Yes, the--there was the standard definition that 
was very sci-fi-sounding, back--that they were using in all of 
the statutes when COPPA was passed, you know, ``the World Wide, 
you know, Infrastructure,'' and--you know, it's a strange 
definition. And it's not clear whether that encompasses just 
traditional online activities or whether it would extend to 
interactive activities that don't actually go through the 
Internet. So, we're very--looking at that very seriously.
    Senator Pryor. Knowing what you know now, in terms of the 
state of technology, but also what FTC has to deal with, with 
the statute, and looking at the statute, would you recommend 
that the Senate revisit some of those definitions in the 
underlying law right now?
    Ms. Rich. Well, we're taking a hard look at that, and in a 
few months we'll have the benefit of, hopefully, many, many 
comments on it. And at that point, we'll figure out what our 
next move is, whether it's something we can address, or not 
address, in the rule--meaning, we have the authority under the 
statute--or whether it's something we'd have to come back to 
Congress on.
    Senator Pryor. OK.
    You know, one of my staff guys, here, just gave me a little 
device that's a Nintendo DS, which is interesting. I don't know 
if it's his or his child's, but it has a Pokeman attached to 
it, so----
    [Laughter.]
    Senator Pryor. Anyway, but it has a phone on it, and I 
don't know if it plays music or exactly what. But, you know, 
obviously it's a little game; it has a little game cartridge in 
there. But, it also, very easily and very quickly, allows the 
child to connect to the Internet. And, you know, it has the 
camera, you can do shopping and that type of thing. So, you 
know, this is a device that obviously didn't exist, just a few 
years ago. And I guess I would encourage FTC, as you're looking 
at this, to think through all the applications and--maybe not, 
you know, the--I think it's probably hard to make a list of all 
of the devices, but just the functionality of it. If it's 
connecting to the Internet, and if it's mobile and things like 
that--because hopefully the electronics industry will continue 
to innovate, and will continue to do great things, and bring 
things on the market, and, you know, hopefully when the FTC 
goes through your process, you'll define things in such a way, 
and you'll work with us to define things in such a way, that 
when new products like this come onto the market, you know, the 
statute captures that and we don't get out of date.
    I----
    Ms. Rich. Can I just say----
    Senator Pryor. Yes, please.
    Ms. Rich.--that we have two of those in our house; one for 
my 12-year-old and one for my 9-year-old, and they----
    Senator Pryor. So, they're----
    Ms. Rich.--talk to each other. And when it does access the 
Internet, I think we would be safe to say that's covered, 
because it's accessing the Internet.
    Senator Pryor. Right.
    Ms. Rich. But the question is, if they're just speaking to 
each other, and not through the Internet--there's functionality 
that just can go, you know, machine to machine.
    Senator Pryor. Right.
    Ms. Rich. Is that covered?
    Senator Pryor. Right.
    Well, it is just an example of things that I know the 
Federal Trade Commission has to think through.
    I could, actually, spend a lot more time asking questions, 
because this is very interesting. And I know that we've had--
our members here had to move on to either speaking on the floor 
or other committee meetings they had to get to.
    So, let me just do this, at this point, let me just ask the 
panel if there's anything anyone would like to say before we 
close down the hearing, because we've had a little bit of back-
and-forth, and I just wanted to give everybody a chance to 
respond or to make one last final point.
    So, is there anybody that wants to add anything?
    Mr. Rotenberg. Very briefly, Mr. Chairman, I just wanted to 
thank you for holding this hearing. I mean, I think there are a 
lot of people who appreciate COPPA and believe it plays an 
important role in safeguarding online privacy, but also feel 
that, given new technologies and new business practices, 
something more probably needs to be done. So, this is a very 
good place to start that discussion.
    Senator Pryor. Thank you.
    Mr. Szoka. Sir, if I may say, just briefly, I wanted to 
stress in my testimony that COPPA is device-neutral. And that's 
one of the great things about the statute. The example you 
gave, I think, Ms. Rich, is exactly right, here. We may not 
need changes to the statute, the FTC will look at that, but I 
think that the FTC probably has the flexibility to apply ``the 
Internet'' very broadly to all of those services that touch 
upon, and are integrated into, the Internet.
    So, again, I want to stress, here, my concerns are not with 
the FTC updating the rules consistent with the statute, but 
simply about making broad changes to the statute that have 
greater consequences for speech.
    Senator Pryor. OK, thank you.
    Yes, ma'am.
    Dr. Montgomery. Yes, I again thank the Committee for 
holding this hearing. It's very heartening for me to hear, 
having struggled with many others in the 1990s to get this law 
passed, that it has been a success. And I'm very pleased about 
that, and I'm very pleased to be working with the FTC to ensure 
that COPPA is able to address the continuing rapid changes in 
the digital marketplace.
    But, again, I would just like to make a plea that we, as a 
society, and that the government and the industry, not ignore 
the needs of the Nation's teenagers.
    Senator Pryor. Right.
    Mr. Hintze. I'd, again, like to thank you for holding this 
hearing today, and the members of the Committee for 
participating.
    A lot of discussion today around kids, and a lot of 
discussion today around teens and the ages not covered, 
currently, by COPPA. I think our position, and a number of the 
other panelists, is that COPPA may not be the right vehicle to 
address the teen issues. The issues that teens face online are 
somewhat different from those that younger children face, the 
types of sites they use are quite different, in many cases. 
But, others have expressed the need for some legal protections 
of teens, and we agree. And so, we would encourage the 
Committee to continue to look at the privacy issue more 
generally, maybe not in the framework of COPPA, but looking at 
privacy legislation, at the Federal level, that would address 
privacy protections for not only teens, but adults, as well.
    Senator Pryor. Good.
    Yes, sir.
    Mr. Sparapani. What's new from our perspective, since the 
dawn of COPPA, is that we're entering a moment, I think, in the 
Information Age, for the first time, when we actually have the 
opportunity for technology to reinstill privacy into people's 
online lives through new tools. And there's this sort of user-
control model that Facebook and a number of our--companies like 
us are trying to put forward, is a really new thing, and it 
actually holds real promise for user privacy.
    What's more difficult is getting users to understand the 
new tools and use them in a wise manner, and to, frankly, find 
them and exercise them. And it's especially hard with 
teenagers. So, that's someplace there where I think we're going 
to spend some energy.
    But, again, thank you, Senator, for holding this hearing.
    Senator Pryor. Thank you.
    Ms. Rich. And I'll echo the thanks to you, Mr. Chairman, 
and to the other panelists, for engaging on these important 
issues.
    And also say that we should have a lot more to report after 
our comment period closes and after we have our workshop in 
June. So, I look forward to talking some more.
    Senator Pryor. Thank you, Ms. Rich.
    Let me ask the FTC one last question, and that is, As part 
of your evaluation are you also looking at your manpower, 
slash, resources there at the Commission? I mean, some of the 
witnesses have said that if you had more resources, you could 
do more enforcement and be more effective in enforcing COPPA. 
Are you all evaluating that, as well?
    Ms. Rich. Yes, we are.
    Senator Pryor. And will you come back to the Senate with a 
recommendation on that?
    Ms. Rich. Sure.
    Senator Pryor. OK. Thank you very much.
    [Laughter.]
    Senator Pryor. And I guess, in closing, I'd like to say, 
we're going to leave the record open for 2 weeks. So, don't be 
surprised if some of the Senators or the staff here want to 
submit some more questions, because there are some I didn't go 
into because I've taken too much of your time already. But, 
we'll probably submit some of these over the next couple of 
weeks. We would ask you to get those back as quickly as you 
can, and always work with our staff.
    But, in closing, I'd like to say, this may be one of those 
areas that I think that Senator Wicker kind of alluded to 
earlier. There's an old Abraham Lincoln quote that says, 
``Government should do for people what people can't do for 
themselves.'' And this is an area where we want people 
participating in the marketplace, and using this technology, 
and enhancing their lives, and doing all of these great things. 
But, we just have to make sure that that marketplace is secure, 
that the right privacy parameters are there, the right legal 
structure is there, we have the right enforcement. I mean, we 
just have to make sure that that marketplace is working, 
because the people can't do this for themselves. I think 
there's a level of government, and certainly private sector, 
the private industry has a lot of good actors in it, but there 
are some bad actors, as well. So, we're trying to find that 
balance.
    But, anyway, thank you all for your participation today. I 
know Chairman Rockefeller appreciates it, and I do, too, and 
all the Subcommittee.
    So, thank you very much.
    And, with that, we'll adjourn the meeting.
    Thank you.
    [Whereupon, at 11:52 a.m., the hearing was adjourned.]


                            A P P E N D I X

     Response to Written Questions Submitted by Hon. Mark Pryor to 
                              Jessica Rich

    Question 1. Do you think the age limit in COPPA is appropriate? And 
if so, why?
    Answer. After looking closely at whether adolescents should be 
covered for purposes of the COPPA statute, Congress chose to define a 
``child'' as an individual under age 13. This choice was based in part 
on the sense that most young children do not possess the level of 
knowledge or judgment to determine whether to divulge personal 
information over the Internet. The FTC supported this assessment at the 
time the COPPA statute was introduced.* The staff 
anticipates it will receive comments on this issue during the FTC's 
COPPA Rule review.
---------------------------------------------------------------------------
    \*\ See September 23, 1998 Testimony of the Federal Trade 
Commission before the Subcommittee on Communications, Senate Committee 
on Commerce, Science, and Transportation, available at http://
www.ftc.gov/os/1998/09/priva998.htm.

    Question 2. Do you think COPPA should be strengthened?
    Answer. The FTC currently is reviewing the COPPA Rule in its 
entirety in light of significant changes in the online environment, 
including the rise of social networking and the proliferation of 
interactive technologies, and the increasing use of the mobile web and 
interactive gaming. Through the FTC's March 2010 request for written 
public comment, as well as its June 2 roundtable, the agency intends to 
explore what's working optimally, and where changes might be warranted. 
Once we have completed the public roundtable and the comment period has 
closed, the Commission will carefully evaluate whether any 
modifications to the Rule are warranted.

    Question 3. Should the FTC reexamine what constitutes ``personal 
information'' in its review of COPPA? Or do you believe that the online 
space and the definition of personal information should remain the same 
as it was when the law was created over 10 years ago?
    Answer. The FTC is reexamining whether the Rule's current 
definition of ``personal information'' needs to be revised, consistent 
with the COPPA statute (i.e., permitting the physical or online 
contacting of a specific individual), to include, for example, other 
types of information such as user or screen names and/or passwords, zip 
code, date of birth, gender, persistent IP addresses, mobile geo-
location information, or information collected in connection with 
online behavioral advertising. The FTC has asked for written comments 
on this issue and the FTC staff has dedicated a panel at the June 2 
COPPA roundtable to the question (see agenda, at http://www.ftc.gov/
bcp/workshops/coppa/Agenda_2010COPPARoundtable.pdf). At this time, it 
would be premature to conclude whether the FTC is likely to amend the 
Rule's current definition of personal information.

    Question 4. In your opinion, what is the biggest threat to 
children's privacy and safety in today's online world?
    Answer. For many young people, socializing and communicating online 
can be a rewarding experience, but those activities come with risks, 
including:

   Inappropriate conduct, including online harassment, 
        cyberbullying, and sexting. The online world can feel 
        anonymous. Young people sometime forget that they are still 
        accountable for their actions and do not realize that they may 
        lose the ability to control the dissemination of information 
        and photos once they are shared online.

   Inappropriate contact. Some people online have bad 
        intentions, including bullies, predators, hackers, and 
        scammers.

   Inappropriate content. Young people may find pornography, 
        violence, or hate speech online.

    It is difficult to determine what the ``biggest threat'' might be, 
because every child has unique circumstances that affect his or her 
personal risk profile. The FTC is closely following research conducted 
by the Pew Internet & American Life Project and the Crimes Against 
Children Research Center, among others, so that we may better 
understand the interplay between children's experiences and the risks 
they face online. Such research helps us craft useful advice for 
parents and children, such as the advice for parents in our recent 
publication, Net Cetera: Chatting with Kids About Being Online.

    Question 5. What do you think is the most urgent update to COPPA 
needed?
    Answer. As stated above, the FTC currently is reviewing the COPPA 
Rule in its entirety. Through the FTC's Rule review process, the agency 
intends to take a careful and comprehensive look at the Rule, with 
input from many sources. The agency is keeping an open mind, therefore, 
on what the most pressing modifications, if any, might be to the 
Commission's Rule or to the underlying statute.

    Question 6. In your opinion, what would constitute the most 
appropriate definition of ``sensitive data'' in the context of 
children's online privacy?
    Answer. The COPPA statute does not define or use the term 
``sensitive data.'' However, the statute does contain an enumeration of 
what type of individually identifiable information is considered to be 
``personal,'' the collection of which requires an operator to obtain 
prior verifiable parental consent. ``Personal information'' is defined 
as:

        individually identifiable information about an individual 
        collected online, including--(A) a first and last name; (B) a 
        home or other physical address including street name and name 
        of a city or town; (C) an e-mail address; (D) a telephone 
        number; (E) a Social Security number; (F) any other identifier 
        that the Commission determines permits the physical or online 
        contacting of a specific individual; or (G) information 
        concerning the child or the parents of that child that the 
        website collects online from the child and combines with an 
        identifier described in this paragraph.

    In promulgating the COPPA Rule in 1999, the FTC used the open-ended 
authority granted under subpart F of the definition of personal 
information to add ``other online contact information, including but 
not limited to an instant messaging user identifier, or a screen name 
that reveals an individual's e-mail address.'' The Commission also 
added to the definition ``a persistent identifier, such as a customer 
number held in a cookie or a processor serial number, where such 
identifier is associated with individually identifiable information; or 
a combination of a last name or photograph of the individual with other 
information such that the combination permits physical or online 
contacting.'' Since promulgating the COPPA Rule, the FTC has not 
further expanded upon the definition of personal information. However, 
as noted in our response to the previous question, the FTC is 
reexamining the definition of ``personal information'' as part of its 
overall Rule review.

    Question 7. You mentioned major tenets of children's privacy the 
FTC will consider in its reexamination of the effectiveness of COPPA. 
Specifically, you address ``whether the Rule's definition of `Internet' 
adequately encompasses [certain] technologies'' like mobile 
communications. Will the FTC consider in its review the impact of data 
and location tracking devices, such as GPS systems, on children's 
safety?
    Answer. Yes. The FTC's March 2010 request for public comment seeks 
input on whether the Rule's current definition of personal information 
needs to be revised, consistent with the COPPA statute (i.e., 
permitting the physical or online contacting of a specific individual), 
to include mobile geo-location information, among other things.

    Question 8. How does the Commission enforce whether operators have 
``actual knowledge'' that their sites are used by children under 13? Is 
this scienter requirement an issue that merits additional scrutiny in 
your opinion?
    Answer. As explained in the Statement of Basis and Purpose 
accompanying the COPPA Rule, actual knowledge will be present where the 
operator obtains direct information about a child's age or grade, for 
example, from a child's registration at a website or from a concerned 
parent who has learned that the child is participating at the site. In 
addition, the FTC has explained that it will examine closely websites 
that do not directly ask age or grade, but instead ask ``age 
identifying'' questions, such as ``what type of school do you go to: 
(a) elementary; (b) middle); (c) high school; (d) college'' and that 
through such questions, operators may acquire actual knowledge that 
they are dealing with a child under age 13.
    The FTC has stated that the COPPA statute's actual knowledge 
standard does not require operators of general audience sites to 
investigate the ages of their website's visitors or to monitor their 
chat rooms. However, an operator may be considered to have actual 
knowledge with respect to a specific child if someone from the 
operator's organization views a revealing post, or if someone alerts 
the operator to such a post (e.g., a concerned parent who learns that 
his child is participating on the site).
    Thus far, all of the FTC's COPPA cases involving ``actual 
knowledge'' center on an operator's direct receipt of information about 
a child's age input during the registration process.
    The FTC staff has dedicated a panel at its June 2 COPPA roundtable 
to exploring the COPPA statute's actual knowledge standard.

    Question 9. Are there any restrictions on state AGs enforcing 
compliance with the COPPA rule?
    Answer. The COPPA statute permits state attorneys general to file 
civil actions on behalf of their residents in U.S. District Court to 
enjoin an operator's practices, enforce compliance with the FTC's COPPA 
Rule, obtain damages, restitution, or other compensation on behalf of 
their residents, or to obtain such other relief as the court deems 
appropriate. The statute places several minor limitations on a state 
attorney general's right to enforce COPPA. First, unless it would be 
infeasible to do so, an attorney general intending to enforce COPPA 
must provide the FTC with written notice and a copy of the complaint 
prior to filing the state action. Upon receipt of notice of a state's 
intent to enforce COPPA, the FTC has the right to intervene, to be 
heard, and to file a petition for appeal in the action. The statute 
also provides that any person or organization that has been approved by 
the FTC as a COPPA safe harbor program and whose guidelines are relied 
upon by a defendant as a defense may file as amicus curiae in a state 
COPPA proceeding.
    To date, only one state--Texas--has provided notice to the FTC of 
its intention to enforce COPPA. In December 2007, Texas filed two COPPA 
actions, one against The Doll Palace Corp., and the other against 
Future US, Inc. (a/k/a gamesradar.com). Information about the Texas 
actions can be found at http://www.oag.state.tx.us/oagNews/
release.php?id=2288.

    Question 10. How is the Net Cetera distribution and education 
campaign working? Have the materials and the FTC's efforts to reach out 
to teachers and parents been effective?
    Answer. The FTC issued a report to Congress about the Net Cetera 
campaign in March 2010, available at http://www.ftc.gov/os/2010/03/
100331netcetera-rpt.pdf. This report discusses the creation of Net 
Cetera, how the FTC is getting the word out about the guide, and 
distribution highlights.
    The Net Cetera education campaign continues to be a success. Since 
October 2009, the FTC has received orders for the Net Cetera guide from 
every state in the nation, for a total of over 3 million copies ordered 
in English and Spanish. Other outreach highlights include:

   Prince George's County Public Schools--the 2nd largest 
        school district in Maryland and 18th largest in the Nation--
        distributed approximately 150,000 copies of Net Cetera.

   Public and school libraries across Massachusetts have 
        received copies of the guide and are now placing orders, and 
        every member of the Young Adult Library Services Association 
        (YALSA) has received a copy.

   The National Association of School Nurses will distribute 
        the guide to attendees at their upcoming annual conference.

   FTC staff are attending and speaking at conferences this 
        summer to promote Net Cetera, including the widely-attended 
        International Society for Technology in Education Annual 
        Conference and the National School Public Relations Association 
        National Seminar.

   Schools, police departments, and organizations in Arkansas 
        have ordered over 34,000 copies of the guide.

    Question 11. You mention 14 cases brought by the Commission over 
the past 10 years alleging COPPA violations. From your perspective, 
have those cases served to deter repeat violations or additional COPPA 
violations?
    Answer. The FTC has been strategic in bringing cases that 
illustrate different core requirements. We have garnered widespread 
interest and significant leverage from each COPPA enforcement action 
addressing a particular type of violation. The FTC's early COPPA 
enforcement actions focused on children's sites that collected 
extensive amounts of personal information without providing notice to 
parents and obtaining their consent. Most recently, the FTC has focused 
on operators of both general audience and child-directed social 
networking sites and sites with interactive features that permit 
children to publicly divulge their personal information online.
    Although law enforcement is a critical part of the Commission's 
COPPA program, the FTC's COPPA program is comprised of several 
effective integrated components--rulemaking, self-regulation, routine 
outreach to businesses and consumers, and law enforcement--that work in 
tandem to enhance overall COPPA compliance. The FTC believes that this 
integrated approach has served to deter repeat or additional 
violations.

    Question 12. What should the FTC or Congress do to strengthen 
children's safety and privacy online in conjunction with advanced 
technologies and mobile devices?
    Answer. The COPPA statute applies to operators of commercial 
``websites located on the Internet'' and ``online services'' that 
collect, maintain or disclose children's personal information on the 
Internet. Where children connect to websites or online services through 
mobile devices, the statute clearly applies. Where children are not 
connecting to or through websites or online services, COPPA may not 
apply. Thus, many, but not all, mobile communications may be covered by 
the statute. The FTC's Rule review will examine how the definitions of 
Internet, websites, and online services may affect COPPA's application 
to different mobile and other technological uses.

    Question 13. [Do you agree with the direction the FTC is taking as 
it reexamines the implementation and effectiveness of COPPA?]
    Answer. N/A

    Question 14. How do you propose to improve parental supervision and 
control of children's online activity to prevent the inappropriate or 
illegal collection and use of their information?
    Answer. The FTC will continue to focus on educating parents, 
through tools such as Net Cetera and the agency's online safety portal, 
OnGuardOnline.gov, about the rights and protections provided by COPPA, 
and about children's online privacy and safety more generally.

    Question 15. If you support a regime granting rules of the road for 
adolescents' privacy, how do you envision this sort of regime working? 
How would you propose it be structured? If you do not support a regime 
governing adolescents' privacy, please explain your reasoning.
    Answer. The FTC's current review is focused on the COPPA Rule, and 
on the online privacy of individuals defined as children under that 
statute. The FTC has not yet had the opportunity to formulate an 
opinion on a possible regime to protect adolescents' privacy. The 
agency looks forward, however, to reviewing any proposals that may be 
put forward. In addition, last year, the agency released a set of 
principles relating to online behavioral advertising. Moreover, the 
Commission currently is examining privacy more broadly and hopes to 
develop a general privacy framework in the coming months.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                           Timothy Sparapani

    Question 1. What steps is Facebook taking to promote the 
advancement of children's privacy?
    Answer. Facebook provides users with innovative privacy controls to 
give users control of their information online. We have recently 
provided users with additional steps for controlling sharing both on 
Facebook and with third parties such as other websites or applications.
    Facebook takes additional steps specifically targeted to minors. 
For example, we provide specialized privacy settings so that minors may 
further control their sharing through Facebook. In part, this 
eliminates the potential of minors sharing with everyone. Even minors 
who want to share with the maximum number of people may only share with 
users under 18 years of age. Additionally, Facebook provides special 
educational materials for minors. Furthermore, Facebook imposes rules 
requiring Facebook Pages and applications built by third parties on 
Facebook to impose age ``gates'' that work to prevent minors from 
accessing content that is inappropriate for their age or to be accessed 
through these Pages or Applications by non-minors.

    Question 2. Do you think the age limit in COPPA is appropriate? And 
if so, why?
    Answer. Facebook takes no position on the age limitations imposed 
by COPPA. We are not experts on the appropriate age to set for online 
activity, but our experience informs us that teenagers 13 years of age 
generally act in a responsible manner on Facebook.

    Question 3. Do you think COPPA should be strengthened?
    Answer. COPPA could be strengthened by providing incentives for 
companies to innovate without fear of liability to develop new 
technologies. The current legislative and regulatory structure should 
encourage, not discourage continuing technological innovation.

    Question 4. Should the FTC reexamine what constitutes ``personal 
information'' in its review of COPPA? Or do you believe that the online 
space and the definition of personal information should remain the same 
as it was when the law was created over 10 years ago?
    Answer. At this time, Facebook is not recommending an amendment to 
the definition of ``personal information.''

    Question 5. In your opinion, what is the biggest threat to 
children's privacy and safety in today's online world?
    Answer. The U.S. Congress has failed to appropriate sufficient 
funds to ensure that the KIDS Act of 2008 actually is fully 
implemented. In particular, the KIDS Act requires the creation of a 
Federal list of Registered Sex Offenders (RSOs) but that list has not 
been completed. Because of this, Facebook prepares its own list--at 
Facebook's own expense--to help us periodically review our list of 
users and terminate accounts that might have been established by RSOs. 
Smaller companies, particularly application developers, do not have 
such resources and are unlikely to expend scarce resources to obtain a 
list of RSOs from all 50 states. Congress should encourage the Federal 
Government to build and maintain an up-to-date list of RSOs and 
distribute it to any company that asks for the list.
    Furthermore, the U.S. Government should negotiate with foreign 
governments to obtain lists of those countries' RSOs to further support 
responsible companies' attempts to prevent access by RSOs to online 
services where minors may be present.

    Question 6. What do you think is the most urgent update to COPPA 
needed?
    Answer. Congress should explicitly create a safe harbor expressly 
permitting companies to explore technological and policy innovations to 
further limit the access of minors to sites that are inappropriate for 
their age, and to do so without fear of regulatory or legislative 
sanction. The current model discourages innovations that could advance 
the privacy, safety, and security of minors.

    Question 7. In your opinion, what would constitute the most 
appropriate definition of ``sensitive data'' in the context of 
children's online privacy?
    Answer. Facebook does not categorize data as sensitive. Rather, all 
information is treated as sensitive and subject to disclosure subject 
to a user's privacy settings and only at the user's direction. Because 
we recognize that minors are special, we explicitly prohibit minors 
from sharing with groups of individuals wider than the classification 
of Friends of Friends and Networks, where minors' Networks are 
typically their classmates at their schools.

    Question 8. Recent press reports have indicated that Facebook is 
making available to the Web user information that has been previously 
contained within closed networks. Which pieces of user information are 
or will be made publicly available without the user proactively making 
any changes to her privacy policy?
    Answer. Contrary to press reports, Facebook does not make available 
to third parties information that was previously contained within 
closed networks. In December of 2009, Facebook eliminated Regional 
Networks that were established when Facebook's user base was much 
smaller. These Regional Networks provided any members of a particular 
network the opportunity to view content of any other participants. By 
eliminating these Regional Networks, Facebook enhanced minors' privacy 
substantially.
    Further, in part to respond to this misinformation contained in 
press reports, Facebook recently provided our users with a single 
``global opt out'' option to eliminate even any voluntary sharing with 
third parties.

    Question 9. How does Facebook verify or authenticate its users' 
identities or ages?
    Answer. As explained at length in our written and oral testimony, 
no company can actually ``verify'' any users' age. Instead, Facebook 
uses a series of novel, proprietary technologies to draw assumptions 
about the likelihood that a user is of age. Moreover, our users are 
required to provide us with their ages at the moment they create an 
account.

    Question 10. Is Facebook tied or affiliated in any way with 
location-based advertising? Is it possible for a 14-year-old Facebook 
user to be tracked by other companies, devices or data gatherers 
without her knowledge or consent?
    Answer. Facebook provides ads targeted to users based on their 
hometown. We never provide this piece of information to advertisers. To 
our knowledge, it is not possible for other companies, devices or data 
gatherers to track Facebook users using the users' Facebook information 
wither any users knowledge or consent.

    Question 11. Could you describe your company's efforts to educate 
parents and teachers about online safety?
    Answer. Since our inception, Facebook has worked assiduously to 
educate parents and teachers about online safety. Just last week, we 
were awarded an award from Wired Kids that we received, in part, due to 
our ongoing efforts to educate our users. Our staff speaks at an 
extraordinary number of events per year that are intended to perform 
this function. Our Safety and Privacy pages provide full explanations 
of how our users may fully utilize our innovative privacy settings and 
has been recently revised to offer specific sections with content 
tailored to different audiences, including parents, educators and 
teens.

    Question 12. How do you work with law enforcement to combat 
Internet crime?
    Answer. Our Chief Security Officer and the team he supervises work 
closely with governments throughout the U.S. and around the world to 
comply with lawful requests for assistance. Recently, Facebook provided 
the key information that helped secure the two largest CAN-SPAM Act 
judgments in history, leading to a substantial reduction in the amount 
of spam messaging our users are subjected to. On the rare occasion that 
Facebook identifies illegal material being circulated through our site 
we prevent the disbursement of that information and then report the 
content and the user account attempting to distribute that material to 
the National Center on Missing and Exploited Children and appropriate 
law enforcement. We would be happy to brief the Subcommittee at length 
about other assistance provided, within the scope of the law, to law 
enforcement.

    Question 13. What should the FTC or Congress do to strengthen 
children's safety and privacy online in conjunction with advanced 
technologies and mobile devices?
    Answer. In addition to fully implementing the KIDS Act, the FTC 
should negotiate with foreign governments to encourage the sharing of 
foreign governments' RSOs with the U.S. Government and U.S. companies.

    Question 14. Do you agree with the direction the FTC is taking as 
it reexamines the implementation and effectiveness of COPPA?
    Answer. Facebook supports the second five-year review of COPPA.

    Question 15. How do you propose to improve parental supervision and 
control of children's online activity to prevent the inappropriate or 
illegal collection and use of their information?
    Answer. We recommend that parents insist on being made friends on 
Facebook of their children, or, alternatively, that another adult 
friend or family member be made a friend of teenage users. Further, as 
mentioned previously, we have recently created additional educational 
materials targeted to parents to help them become more conversant with 
Facebook and tools to help safeguard minors' information.

    Question 16. If you support a regime granting rules of the road for 
adolescents' privacy, how do you envision this sort of regime working? 
How would you propose it be structured? If you do not support a regime 
governing adolescents' privacy, please explain your reasoning.
    Answer. Facebook prohibits users less than 13 years of age from 
using our service. We limit minors' sharing to reduce the scope of that 
sharing. Further, we give our users privacy controls to control 
virtually all of their information online. Any modification to COPPA or 
the regulations implementing it should recognize effective regimes such 
as that created by Facebook.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                           Michael D. Hintze

    Question 1. What percentage of your parental users take advantage 
of the parental controls offered by your software and services?
    Answer. Although we know for the sites and services where we ask 
for age whether a user is under 13, we are unable to determine how many 
of our total users are parents. While reliable data specific to 
Microsoft's products and services is not available, research by the 
Henry J. Kaiser Family Foundation found that 41 percent of parents 
report using parental controls to block their children's access to some 
websites.\1\
---------------------------------------------------------------------------
    \1\ Henry J. Kaiser Family Foundation, Parents, Children & Media, 
at 11 (June 2007), http://www.kff.org/entmedia/upload/7638.pdf.

    Question 2. You said in your written statement that ``Microsoft 
proactively requests age information and seeks parental consent for 
children's use of many of its services even when those services are not 
specifically targeted to children.'' What formula do you use to 
determine whether to seek parental consent for children's use of 
services that are not specifically targeted to children? (How do you 
make that determination and could you give the Committee some examples 
of those services?)
    Answer. Our approach goes beyond COPPA in that we screen for age 
and obtain parental consent for under-13 users not only on our sites 
and services that are ``targeted'' to children, but also on our general 
audience sites that are ``attractive'' to children.\2\ We do not have 
an exact formula for determining which sites or services may be 
attractive to children, but some examples of general audience services 
where we have decided to screen for age and seek parental consent for 
users under 13 include Hotmail, Messenger, Windows Live Spaces and Xbox 
Live.
---------------------------------------------------------------------------
    \2\ See Microsoft Corp., Privacy Guidelines for Developing Software 
Products and Services, Section 1.11 and Scenario 8, available at http:/
/download.microsoft.com/download/0/8/2/082448
D8-2AED-45BC-A9A0-094840E9E3A2/
Microsoft_and%20Privacy_guidelines_for_developers
.doc.

    Question 3. Do you think the age limit in COPPA is appropriate? And 
if so, why?
    Answer. Yes, we believe the age limit in COPPA is appropriate. It 
is certainly true that COPPA's stated goals of increasing parental 
involvement and protecting privacy are important with respect to 
teenagers. But COPPA's existing structure and parental consent 
processes are not well suited to deal with this age group. For example, 
teens are too sophisticated to be deterred by age gates, and existing 
parental consent mechanisms--such as the toll-free number and print and 
send methods--may not be reliable in ensuring it is the parent rather 
than the teen who is giving consent.
    In addition, teens' use of the Internet raises somewhat different 
privacy and safety issues than for children under thirteen. For 
example, while older teens may be more likely to understand the 
implications of online advertising than young children, teenagers may 
be more likely to be faced with instances of cyberbullying online.\3\
---------------------------------------------------------------------------
    \3\ See Amanda Lenhart, Pew Internet & American Life Project, 
``Cyberbullying 2010: What the Research Tells Us'' (May 6, 2010), 
http://www.pewinternet.org//media//Files/Presentations/
NCMEC_Cyberbullying%20talk%20050610release.ppt.
---------------------------------------------------------------------------
    We believe there are alternative ways to protect the privacy of 
teens online that are better than simply expanding COPPA's age limit. 
For instance, Microsoft provides parents with a number of educational 
resources and technology tools so that they can talk to their teens 
about the importance of privacy and safety online and be more involved 
in their online activities. Additionally, Microsoft has long supported 
comprehensive Federal privacy legislation that would establish baseline 
protections and enhance the privacy of all individuals--including 
teens.\4\ We are committed to working with Congress to advance these 
important efforts.
---------------------------------------------------------------------------
    \4\ See, e.g., http://www.microsoft.com/presspass/features/2005/
nov05/11-03Privacy.mspx.

    Question 4. Do you think COPPA should be strengthened?
    Answer. We do not believe that amending the statute is necessary at 
this time. The statute provides the FTC with sufficient authority and 
flexibility to address children's privacy issues in light of evolving 
technologies and business models. We commend the Commission for 
launching its review of the COPPA Rule, which had been planned for 
2015, 5 years early in order to account for new technologies. At the 
very least, we believe it would be prudent to allow the FTC to complete 
its Rule review before determining whether legislative action is 
necessary.

    Question 5. Should the FTC reexamine what constitutes ``personal 
information'' in its review of COPPA? Or do you believe that the online 
space and the definition of personal information should remain the same 
as it was when the law was created over 10 years ago?
    Answer. Yes, the FTC should reexamine the definition of ``personal 
information,'' and we are pleased that they have indicated an intent to 
do so. With its flexible definition of personal information, the COPPA 
statute is sufficiently forward-looking and gives the FTC the 
rulemaking authority to address evolving circumstances and needs. 
Therefore, we believe that the FTC, within the parameters of the 
existing statute, can update the definition of ``personal information'' 
included in the COPPA Rule to address the wide range of factors that 
have changed over the last decade.

    Question 6. In your opinion, what is the biggest threat to 
children's privacy and safety in today's online world?
    Answer. Criminals who prey on children and families are the biggest 
threat to children's privacy and safety. To help thwart these 
criminals, Microsoft works with lawmakers in many countries to promote 
stronger online safety and privacy legislation and Internet safety 
education in schools. We help train law enforcement personnel in using 
technology to help combat online child pornography, child predators, 
and child exploitation. We use a filtering tool to review images 
uploaded to Windows Live Spaces and other Microsoft online properties 
to detect potential instances of child exploitation. And we are working 
with law enforcement officials in several countries to deploy the Child 
Exploitation Tracking System (``CETS''), a software tool to help 
investigators share and analyze information for tracking child 
exploitation on the Internet. We are committed to working with 
Congress, Federal and state agencies, nonprofit organizations, and 
other industry leaders to help protect children's privacy and safety in 
today's online world.

    Question 7. What do you think is the most urgent update to COPPA 
needed?
    Answer. We do not believe that the COPPA statute needs to be 
updated at this time. As explained in my testimony, we believe that the 
best course is for the FTC to update the COPPA Rule by providing clear 
guidance on how companies can better meet both the letter and the 
spirit of the law in light of changing technologies and by addressing 
the weaknesses of the currently approved approaches to obtaining 
verifiable parental consent.

    Question 8. In your opinion, what would constitute the most 
appropriate definition of ``sensitive data'' in the context of 
children's online privacy?
    Answer. Under COPPA, any personal information collected from 
children under the age of 13 triggers the obligations of the Act, 
including the requirements for verifiable parental consent. We believe 
this broad approach is appropriate given the unique sensitivities 
involved with the collection and disclosure of data from young 
children.

    Question 9. How does Microsoft handle location information? And 
what is the company's relationship with location tracking applications?
    Answer. Microsoft is a leader in developing privacy standards to 
protect users of location-based services. In 2004, Microsoft partnered 
with TRUSTe and AT&T Wireless to form the Wireless Advisory Committee, 
which works with companies providing wireless data and wireless web 
services to ensure that specific standards regarding consumer notice 
and consumer consent are achieved.\5\
---------------------------------------------------------------------------
    \5\ TRUSTe, ``TRUSTe Announces First Wireless Privacy Standards to 
Protect Mobile Users'' (Feb. 18, 2004), http://www.truste.com/
about_TRUSTe/press-room/news_truste_announces
_first_wireless_privacy_standards.html.
---------------------------------------------------------------------------
    We expect to offer some location-based services on our platforms in 
the upcoming months. These location-based services may include local 
search, camera, mapping, and phone finder applications and services 
that utilize a user's current location.
    Microsoft is committed to providing users control over their 
location-based data. On our platforms, users must first agree to allow 
Microsoft to access or use their current location, and users can always 
disable the sending of location information if they change their minds. 
Microsoft does not currently offer any services that disclose a user's 
location to others or that allow users to be tracked by third parties.

    Question 10. You mention a ``digital identity card'' as one 
technology that could enhance authentication and streamline parental 
consent processes? Could you elaborate upon your idea?
    Answer. Over time robust digital identity cards may become 
analogous to tangible cards in a person's wallet. In much the same way 
that a person might use a student ID card to get free admission to a 
museum, one or more digital identity cards may be used to verify the 
card owner's identity or an identity attribute, such as age or parental 
status.
    To accomplish these types of verification, one way that digital 
identity cards could be issued is through offline processes where 
approved verification of a parent-child relationship already occurs. 
Website operators and online service providers could verify age and 
obtain parental consent by requesting that parents and children provide 
their digital identity cards before a child may access interactive 
services and features. These types of technologies still require that 
robust proofing and authentication processes occur, but can facilitate 
the online use and reuse of the proofing. Like with other solutions, 
they are not foolproof and should be used in conjunction with education 
and other online safety tools, including technologies that help balance 
against the disclosure of information that is not needed to verify the 
identity of the child or the parent.

    Question 11. Does Microsoft have any other ideas for new parental 
control methods that would not cause additional privacy concerns or be 
tied to an IP address?
    Answer. Microsoft recommends that the FTC expand its list of 
approved parental consent methods to include other reliable approaches 
that minimize burdens on parents, leverage existing technologies, and 
scale for millions of users. Because children are increasingly using 
mobile phones and other mobile devices, we also urge the FTC to 
consider the types of parental consent mechanisms that are appropriate 
for online services that are accessed through these devices.
    Microsoft is working on technology that enables parents and 
children to better manage their identities online in a privacy 
enhancing way. When combined with the use of digital identity cards, 
these technologies could allow parents and children to disclose only 
that information that is necessary (such as parental status or age, but 
not name or other personal information) to enable children's access to 
and use of websites and online services.

    Question 12. In your ``Family Safety at Microsoft'' attachment 
submitted to the Committee, you state, ``In the United States, 71 
percent of teens with online access have a social networking profile.'' 
What are the implications of this statistic for our discussion? Are 
children using common sense when using the Internet? Do trends indicate 
that young children are disclosing information they shouldn't and what 
are companies doing with that information?
    Answer. Given the percentage of teens that are using social 
networks, it is important that teens with online access be taught how 
to use such services wisely and safely. To this end, Microsoft is a 
member of the Ad Council's Internet Safety Coalition, which is working 
to help kids understand that the Internet is a public place and to 
explain the risks of ill-considered Internet posting. Microsoft also 
provides parents with a number of educational resources and technology 
tools so that they can talk to their teens about the importance of 
privacy and safety online and be more involved in their online 
activities.\6\ We are committed to working with Congress to make sure 
parents, educators, and children are aware of these resources and take 
advantage of them. Microsoft has no special insight into the types of 
information that children are disclosing online in general or into the 
privacy practices of other companies.
---------------------------------------------------------------------------
    \6\ See http://www.microsoft.com/protect/family.

    Question 13. Could you describe your company's efforts to educate 
parents and teachers about online safety?
    Answer. While Microsoft has created a number of tools and 
technologies to help promote child privacy and safety on the Internet, 
we believe that educating parents, teachers, and children is one of the 
most effective ways to respond to online risks. To this end, we offer a 
number of educational resources for parents, teachers, and children 
regarding the importance of online privacy and safety.\7\ We also 
support numerous family safety educational organizations and outreach 
efforts. For example, Microsoft is a sponsor of i-SAFE America's i-
LEARN program, which provides free online curriculum for educators, 
parents, and teens.\8\ We helped to create, along with other technology 
companies, the National CyberSecurity Alliance, whose mission is to 
educate all users, including parents and children, about how to stay 
safe online.\9\ Microsoft also supports GetNetWise, a public education 
organization that offers Internet users resources for making informed 
decisions about safer Internet use.\10\ A representative list of 
Microsoft's educational efforts is provided in the attachment to my 
written testimony.\11\
---------------------------------------------------------------------------
    \7\ See http://www.microsoft.com/protect/family.
    \8\ See http://www.ilearn.isafe.org.
    \9\ See http://www.staysafeonline.org/.
    \10\ See http://www.getnetwise.org.
    \11\ See pp. 7-8, available at http://download.microsoft.com/
documents/uk/education/home
accessprogramme/FamilySafety-US.pdf.

    Question 14. How do you work with law enforcement to combat 
Internet crime?
    Answer. Microsoft is committed to helping make the Internet safer 
for all users--including children and families--but we can't do it 
alone. Therefore, Microsoft partners with law enforcement agencies to 
combat Internet crime.\12\ For example, Microsoft has partnered with 
the National Center for Missing and Exploited Children (``NCMEC'') to 
develop and deploy technology solutions that disrupt the ability of 
online predators to exploit children or traffic in child pornography. 
We also have worked with Interpol and the International Centre for 
Missing and Exploited Children (``ICMEC'') to sponsor worldwide 
training sessions for law enforcement personnel on computer-facilitated 
crimes against children. In addition, Microsoft works extensively with 
the Department of Justice's Internet Crimes Against Children Task Force 
and has worked with a number of state Attorneys General to provide 
comprehensive training for law enforcement on computer-facilitated 
crimes.
---------------------------------------------------------------------------
    \12\ See id. at 9-10.

    Question 15. What should the FTC or Congress do to strengthen 
children's safety and privacy online in conjunction with advanced 
technologies and mobile devices?
    Answer. One of the advantages of the COPPA statute is that it 
provides a flexible framework by which the FTC can quickly adapt its 
rules to accommodate advanced technologies, including mobile devices. 
The FTC recently launched a proceeding to look into this issue, and 
Microsoft will be participating in that process. We believe that the 
FTC can strengthen children's safety and privacy online by providing 
clear guidance on how companies can better meet not only the letter, 
but also the spirit, of the law in light of advanced technologies and 
by addressing the weaknesses of the currently approved approaches to 
obtaining verifiable parental consent. We do not believe that amending 
the statute is necessary at this time. At the very least, we believe it 
would be prudent to allow the FTC to complete its Rule review before 
determining whether legislative action is necessary.

    Question 16. Do you agree with the direction the FTC is taking as 
it reexamines the implementation and effectiveness of COPPA?
    Answer. Yes, we agree with the direction the FTC is taking for its 
COPPA Rule review. We commend the FTC for taking the initiative to 
launch its review 5 years early in light of children's increasing use 
of new technologies to access the Internet. We expect that the FTC's 
comprehensive review process will produce a strong public record that 
will help inform the FTC as it considers whether modifications of the 
COPPA Rule are needed.

    Question 17. How do you propose to improve parental supervision and 
control of children's online activity to prevent the inappropriate or 
illegal collection and use of their information?
    Answer. We recommend that the FTC update two key aspects of the 
COPPA Rule in order to improve parental supervision and control of 
children's online activity. First, we hope that the FTC will use its 
review process to encourage companies that provide sites and services 
that are attractive to children to be more proactive about creating 
opportunities for parental engagement in their children's online 
activities. Second, we urge the FTC to work with technology companies 
and consumer advocates to develop more consumer-friendly, effective, 
and scalable methods for obtaining parental consent, especially in the 
context of mobile devices.
    We also believe in empowering parents through parental controls. To 
this end, we make available tools for a number of our services, such as 
Windows Live and Xbox Live, that help parents make granular choices 
about how their children may share personal information online. For 
example, Microsoft's parental controls enable parents to limit their 
children's searches, block (or allow) websites based on the type of 
content, restrict with whom their children can communicate, and access 
detailed activity reports that show the websites their children visited 
and the games and applications they used.

    Question 18. If you support a regime granting rules of the road for 
adolescents' privacy, how do you envision this sort of regime working? 
How would you propose it be structured? If you do not support a regime 
governing adolescents' privacy, please explain your reasoning.
    Answer. Microsoft has long supported comprehensive Federal privacy 
legislation that would establish baseline protections and enhance the 
privacy of all individuals--including adolescents.\13\ In addition, we 
believe that a key element of protecting privacy for adolescents is to 
find ways to effectively encourage parental involvement in their online 
activity. Microsoft provides parents with a number of educational 
resources and technology tools so that they can talk to their teens 
about the importance of privacy and safety online and be more involved 
in their online activities. We are committed to working with Congress 
to advance these important efforts.
---------------------------------------------------------------------------
    \13\ See, e.g., http://www.microsoft.com/presspass/features/2005/
nov05/11-03Privacy.mspx.
---------------------------------------------------------------------------
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                         Kathryn C. Montgomery

    Question 1. Do you think the age limit in COPPA is appropriate? And 
if so, why?
    Answer. The regulations that were put in place for COPPA are 
appropriate for children under the age of 13, and were designed to 
provide protections specifically for this age group. They are part of a 
long tradition of advertising policy safeguards that are based on 
social science research dating back to the 1970s. However, because 
COPPA only covers young children, online marketers have developed a 
spectrum of techniques for data collection and targeting focused on 
adolescents, with virtually no government oversight. Recent research in 
neuroscience and adolescent development has identified a number of ways 
in which adolescents are vulnerable to new forms of marketing, 
particularly in the digital context (See articles by Professors Frances 
Leslie and Constance Pechmann at the University of California, Irvine 
at digitalads.org. See also Kathryn C. Montgomery and Jeff Chester, 
``Interactive Food and Beverage Marketing: Targeting Adolescents in the 
Digital Age,'' Special supplement to Journal of Adolescent Health. 
September, 2009: 1-12.) New legislation is needed to provide 
adolescents with substantive protections from unfair data collection 
and marketing practices.

    Question 2. Do you think COPPA should be strengthened?
    Answer. Under its current review of COPPA, the FTC needs to ensure 
that the rules are updated to apply to evolving data collection and 
targeting practices. These include: behavioral profiling, ad networks, 
social networking platforms, location targeting and other mobile 
practices, etc. COPPA legislation was drafted with sufficient 
flexibility to accommodate these new practices, but they need to be 
articulated clearly in the updated FTC rules to ensure that the law is 
implemented effectively.

    Question 3. Should the FTC reexamine what constitutes ``personal 
information'' in its review of COPPA? Or do you believe that the online 
space and the definition of personal information should remain the same 
as it was when the law was created over 10 years ago?
    Answer. The FTC should reexamine the definition of Personal 
Information in COPPA. Its current definition only covers a few examples 
of what constitutes personally identifiable information. However, the 
law includes a clause (SEC. 1302 8, F) that was designed to ensure that 
evolving practices are included in the definition of personal 
information: ``any other identifier that the Commission determines 
permits the physical or online contacting of a specific individual.'' 
With the growth in behavioral profiling practices, digital marketers 
can now use a variety of new identifiers, including IP address, 
cookies, and other ``passive'' forms of data collection, to easily 
identify and target an individual child. As the work of Professor Paul 
Ohm at the University of Colorado shows, the ability of data bases to 
re-identify individuals is growing. Narrow definitions of PII do not 
capture how industry treats data about individuals.
    The FTC has already recognized the need to expand the definition of 
personally identifiable information in some of its other documents, 
including the FTC Staff Report on Self Regulatory Principles for Online 
Behavioral Profiling (Feb, 2009), which recognizes that Personal 
Information can include the tracking of given devices, computers or 
browsers. The European Commission's Article 29 Working Party has also 
articulated the need to redefine personal information.

    Question 4. In your opinion, what is the biggest threat to 
children's privacy and safety in today's online world?
    Answer. The biggest threat is the creation of a vast infrastructure 
for data collection in a variety of networked technologies and 
platforms used by children and adolescents. Current and emerging 
industry practices are designed to maximize data collection while 
minimizing transparency. Each new technology available to the public 
brings with it a new way for data collection to occur, and little if 
any discussion about the impact or planned uses of this data.

    Question 5. What do you think is the most urgent update to COPPA 
needed?
    Answer. As outlined above, the most urgent need is to ensure that 
current regulatory and self-regulatory safeguards are applied to new 
platforms and practices for data collection and targeted marketing.

    Question 6. In your opinion, what would constitute the most 
appropriate definition of ``sensitive data'' in the context of 
children's online privacy?
    Answer. Any data about children and teens should be considered 
sensitive. In many ways, both children and adolescents are ``sensitive 
users,'' who should be afforded special protections. Teens and children 
have limited developmental capacities for understanding fully the 
trade-offs involved in today's data collection and marketing 
environment.

    Question 7. Do you think any incentives exist for children to 
refrain from revealing information about themselves or do you think 
there is momentum encouraging young people to surrender their privacy?
    Answer. Revealing information is necessary for even the most basic 
of social and developmental interactions online. The most insidious 
data collection that occurs is the through surveillance by marketers of 
interactions that teens have with their friends, family, schools etc. 
(particularly on social networks). Policy should focus on protecting 
data, involving parents, and regulating data collectors, rather than 
discouraging children from interacting.

    Question 8. You helped negotiate COPPA when it was created and so 
you are familiar with its bipartisan nature and flexibility. Do you 
believe the statute is sufficiently responsive to the challenges facing 
young people as much of their information appears to be mined and 
collected?
    Answer. Those of us who negotiated COPPA understood that we were 
dealing with a new system of online marketing and data collection that 
would be undergoing dramatic growth and change during the ensuing 
years. One of the law's purposes, from my vantage point, was to ensure 
that a system of safeguards was put in place during the earliest stage 
of ecommerce in order to guide the development of future practices and 
to establish a clear set of principles that young people needed 
protections from unfair marketing and data collection. The language in 
the original statute provides a mechanism for ongoing review by the FTC 
to ensure that these safeguards are adapted to take into account the 
evolving practices and platforms of the growing digital media and 
marketing environment. However, these FTC reviews must be thorough, 
accurate, and timely enough to ensure that this original intent is 
carried out.

    Question 9. Researchers have suggested that marketers today can 
identify in real time where kids are, who their friends are, and what 
they are doing--representing some real privacy issues. Could you 
elaborate upon how this tracking works and what it could mean for young 
people's security and privacy?
    Answer. Advances in what is called ``computational advertising'' 
now permit real-time tracking and targeting of online consumers 
(including youth) across a variety of platforms, employing a range of 
data collection and analysis techniques through cookies, tracking 
pixels, location and social networking data. ``Social media marketing'' 
applications, for example, can tap into social networks to identify a 
particular individual and his or her networks of friends (through what 
is called the ``social graph.'') Sophisticated data mining tools enable 
stealth analysis of the content and communications people post to their 
social networking profiles, including videos, photos, music, etc. These 
practices not only subject young people to increasing numbers of third 
party marketers, but also make them vulnerable to others who may be 
able to learn their location, interests and relationships. Social media 
marketing is growing very rapidly, raising a number of serious 
questions about the need for additional safeguards to protect children 
and adolescents.

    Question 10. Your testimony includes the following remark: ``Ads on 
mobile phones will be able to reach young consumers when they are near 
a particular business and offer electronic pitches and discount 
coupons.'' Does this mean that a 13-year old with a mobile device could 
receive undesired targeted ads based on her geographic location and 
proximity to a specific business? Do you believe that is problematic?
    Answer. Location targeting permits tracking and targeting of 
consumers (including youth) via their mobile devices. Increasingly as 
individuals' locations are made available to third parties, mobile 
users will be marketed to in ``real-time'' via mobile coupons and other 
offers based on where they may be at a particular time (or based on 
analysis of their moves from and to various locations over time). 
Federal policies are needed to regulate mobile marketing to both 
children adolescents, and to ensure that real-time location and other 
behavioral information is kept private. Rules are also required to 
ensure meaningful opt-in policies that clearly and prominently explain 
how the data are collected and used, as well as limits on the duration 
of location targeting consent.

    Question 11. The extent to which children understand how their 
information is being used is worth discussing. You state in your 
testimony, ``When COPPA was created, one of our concerns was to ensure 
that the ability to identify, track, and target a child--whether online 
or off--was mediated through Congressional safeguards mandating parent 
involvement. And while young people--and adults--today are being 
continually urged to make more of their personal information available 
in real-time, including their location, research indicates [that] few 
people understand how that information is being collected and used.'' 
How is young people's information being used and to what extent are 
they aware of its use and collection?
    Answer. Research at UC Berkeley and the Annenberg School for 
Communication at the University of Pennsylvania has documented that the 
majority of the public, including youth, care very much about 
protecting their privacy in the online environment. However, all online 
consumers confront a non-transparent, pervasive, and largely 
unaccountable data collection system. Many youth oriented commercial 
sites encourage youth to give up large amounts of information about 
themselves and their friends without fully explaining how that 
information will be used. A growing number of specialized data mining 
and behavioral targeting companies are tracking the behaviors of 
individuals as they conduct their daily activities on the Internet, 
including searching for health or other information, and interacting 
with friends on social networks, with very little disclosure of how the 
marketing apparatus functions.

    Question 12. You wrote in your written statement: ``Social networks 
have created privacy settings that create a false sense of security for 
teens.'' What did you mean by that remark?
    Answer. Social network privacy settings often are aimed at limiting 
how data is shared or made available to other social network users. 
They do not address how the social network, its advertisers, or third 
party applications retain and use the data. Nor may the settings be 
that effective, allowing someone who may be a casual acquaintance, but 
listed as a ``friend,'' gain access to your information. Companies such 
as Facebook and MySpace may enable users to restrict who has access to 
their profiles and activities, but these companies do not adequately 
inform users about the nature and extent of commercial practices on 
these networks, involving data collection, surveillance, and behavioral 
profiling.

    Question 13. You advocated for a regime to protect adolescents' 
privacy. How do you envision this sort of regime working? How would you 
propose it be structured?
    Answer. Adolescents should receive protections in line with the 
Fair Information Practices principles created by the OECD, as well as a 
set of more granular safeguards developed specifically for this age 
group. (See below for additional information in response to this 
question.)

    Question 14. What should the FTC or Congress do to strengthen 
children's safety and privacy online in conjunction with advanced 
technologies and mobile devices?
    Answer. The recent oversight hearing by the subcommittee chaired by 
Sen. Pryor (along with the participation of Commerce Committee 
Chairman, Sen. Rockefeller) has already helped underscore why ensuring 
protecting the privacy of young people is a key public policy concern. 
I urge the Committee to oversee the work of the FTC in this area, and 
to conduct additional hearings, including a review of the final 
recommendations made by the FTC on new COPPA implementation rules. I 
also urge the Subcommittee to conduct hearings and introduce new 
legislation designed to protect adolescent privacy online.

    Question 15. Do you agree with the direction the FTC is taking as 
it reexamines the implementation and effectiveness of COPPA?
    Answer. Through its 2010 evaluation of COPPA, the FTC is working to 
address how the implementation of the law can better protect children 
under 13. I believe the FTC should also conduct independent research to 
document how young people's data is being collected from new practices, 
including behavioral targeting and mobile marketing. Because so many of 
these practices are not transparent, the Commission should be 
encouraged and, if need be, specifically authorized, to conduct 
investigations of contemporary advertising and data collection in the 
children's digital marketplace, and should use its subpoena power to 
solicit data from industry about how it interacts with children.

    Question 16. How do you propose to improve parental supervision and 
control of children's online activity to prevent the inappropriate or 
illegal collection and use of their information?
    Answer. The FTC should include in its current review an analysis of 
how well parents are able to rely on the current parental verification 
mechanisms and whether any of these mechanism have created loopholes 
that enable marketers to target individual children inappropriately. 
This should include reviewing currently approved safe harbor regimes to 
determine whether outside parties may have access to young people's 
data.

    Question 17. If you support a regime granting rules of the road for 
adolescents' privacy, how do you envision this sort of regime working? 
How would you propose it be structured? If you do not support a regime 
governing adolescents' privacy, please explain your reasoning.
    Answer. I would support broad legislation to protect all consumers, 
based on a framework of fair information principles. Within that 
framework, additional safeguards should be established to address 
specifically the needs of youth age 13-17, who are not covered by 
COPPA. A Fair Marketing Digital Bill of Rights for Teens would balance 
the ability of young people to participate fully in the digital media 
culture--as producers, consumers, and citizens--with the governmental 
and industry obligation to ensure adolescents are not subjected to 
unfair and deceptive surveillance, data collection, and behavioral 
profiling by marketers. The onus of responsibility should not only be 
placed on youth to protect themselves, but also on the companies that 
market to them. Fair marketing and data collection rules are needed to 
help ensure that young people are socialized to be responsible 
consumers in the growing digital marketplace, and to understand their 
rights to privacy.
    While some elements of COPPA could serve as a useful model for 
adolescent online privacy policy, I do not believe the mechanism for 
parental approval is appropriate or advisable in the case of teens. The 
legislation should include:

   The principle of maximizing user control over their 
        information while minimizing data collection.

   Congressional authorization that directs the FTC to conduct 
        research, hold workshops, and develop rules to ensure consumer 
        protections for teens in digital marketing, with a special 
        focus on data collection and behavioral profiling.

   Effective, full disclosure of marketing and data collection 
        practices with meaningful opt-in:

    User-friendly, granular information that is prominently 
            displayed at times and in places where teens will read and 
            understand it.

    Opt-in mechanisms that are tailored to a variety of 
            digital platforms, including mobile, social networks, etc.

   Limitations on the amount of data, types of data, and 
        retention of data collected from adolescents for digital 
        marketing purposes.

   Limitations on behavioral profiling and targeting of 
        adolescents, as well as restrictions on other practices that 
        may take advantage of under age youth, such as sharing with 
        third parties, retargeting, location targeting, and 
        computational advertising.

   Special privacy rules for social networks, mobile, and 
        interactive games.

   Like COPPA, a government regulatory framework, along with 
        self-regulatory regimes that create a level playing field for 
        both consumers and businesses by implementing ``rules of the 
        road'' for marketing to teens.

   Mechanisms for accountability and independent assessment, 
        and fines for failure to comply with rules.

   Built in flexibility of rules to ensure continued 
        effectiveness as digital marketing practices evolve and expand.
                                 ______
                                 
     Response to Written Questions Submitted by Hon. Mark Pryor to 
                              Berin Szoka

    Thank you, Chairman Pryor, for the opportunity to supplement my 
written testimony from this hearing by responding to your questions.\1\ 
In my responses, I have incorporated some of the material found in the 
comprehensive survey of the perils of expanding COPPA's scope beyond 
its original, limited purposes (what we have called ``COPPA 2.0'') that 
my colleague Adam Thierer and I published in May 2009: COPPA 2.0: The 
New Battle over Privacy, Age Verification, Online Safety & Free 
Speech.\2\ Further detail on many of the points below can be found in 
that paper.
---------------------------------------------------------------------------
    \1\ Written Testimony of Berin Szoka, Hearing on ``An Examination 
of Children's Privacy: New Technologies & the Children's Online Privacy 
Protection Act'' before the Subcommittee on Consumer Protection, 
Committee on Commerce, Science, and Transportation, U.S. Senate, April 
29, 2010, www.pff.org/issues-pubs/testimony/2010/2010-04-29-
Szoka_Written_COPPA_Testimo
ny.pdf.
    \2\ Berin Szoka & Adam Thierer, COPPA 2.0: The New Battle over 
Privacy, Age Verification, Online Safety & Free Speech, Progress on 
Point 16.11, May 2009, http://pff.org/issues-pubs/pops/2009/pop16.11-
COPPA-and-ageverification.pdf (``COPPA 2.0'').
---------------------------------------------------------------------------
I. A Reexamination of COPPA
    It bears repeating at the outset that the Federal Trade 
Commission's (FTC) current proceeding is not examining the Children's 
Online Privacy Protection Act (``COPPA'') itself (the statute ),\3\ but 
rather the ``COPPA Rule'' (the regulations mandated by the agency 
pursuant to COPPA).\4\ The agency is well aware of this distinction--
and, indeed, far more precise about it than probably any interested 
party. For example, the agency's recent inquiry is titled ``Request for 
Public Comment on the Federal Trade Commission's Implementation of the 
Children's Online Privacy Protection Rule.'' \5\ But it is a 
distinction that is far too often lost on many advocates who are 
lobbying for change.
---------------------------------------------------------------------------
    \3\ 15 U.S.C.  6501-6506.
    \4\ 16 C.F.R. Part 312.
    \5\ Federal Trade Commission, Children's Online Privacy Protection 
Rule: Request For Public Comment on the Federal Trade Commission's 
Implementation of the Rule, 75 Fed. Reg. 17,089, April 5, 2010, http://
www.ftc.gov/os/2010/03/100324coppa.pdf (COPPA Implementation Review).
---------------------------------------------------------------------------
    Congress, of course, retains the authority to change the COPPA 
statue at any time, and it is well within the jurisdiction of this 
committee to consider doing so. But in re-examining COPPA, lawmakers 
should tread carefully. Any attempts to reopen COPPA to expand the 
statute beyond its original, limited purposes could raise serious 
constitutional questions about the First Amendment rights of adults as 
well as older teens and site and service operators, and also have 
unintended consequences for the health of online content and services 
without necessarily significantly increasing the online privacy and 
safety of children.

A. Do you think the age limit in COPPA is appropriate? And if so, why?
    Yes, and understanding why is the key to understanding the delicate 
balance of COPPA in general. The COPPA Rule's requirements are 
relatively easy for site and service operators to implement, and for 
the government to enforce, because they apply only to the collection of 
information about children under 13 by commercial operators (or the 
public sharing of information by children themselves) only when: (i) 
the operator's site or service is ``directed to children'' or (ii) the 
operator has actual knowledge that they are collecting personal 
information from a child. But the key practical difficulty in 
implementing a COPPA 2.0 system for adolescents 13 and above is in the 
anonymity inherent in the technical architecture of the Internet. To 
quote a memorable cartoon from The New Yorker: ``On the Internet, 
nobody knows you're a dog.'' \6\ Because website operators generally do 
not know who is accessing their site, requiring any special treatment 
of minors is tantamount to requiring age-verification of all users.\7\ 
Again, COPPA's ingenious solution to this problem is that the law 
applies only to the limited ``Internet Jr.'' of sites ``directed at 
children,'' or in cases where an operator has ``actual knowledge'' that 
it is dealing with a child.
---------------------------------------------------------------------------
    \6\ Peter Steiner, On the Internet, Nobody Knows You're a Dog, The 
New Yorker, July 5, 1993, at 61, available at www.unc.edu/depts/jomc/
academics/dri/idog.html (cartoon of a dog, sitting at a computer 
terminal, talking to another dog).
    \7\ Of course, the COPPA's second prong of age-verification 
requirement applies only when the website operator has ``actual 
knowledge'' that the user is a minor. 16 C.F.R.  312.3.
---------------------------------------------------------------------------
    Because ``child-oriented'' websites are generally easy to define 
and are very rarely used by adults, COPPA's age verification mandate 
has not significantly impacted the free speech rights of adults because 
few adults other than parents ever want to use these sites, and parents 
essentially are already age verifying themselves in the process of 
providing ``verifiable trial consent'' for their children (those under 
13). But it is far more difficult to define a class of ``adolescent-
oriented'' websites (i.e., ``directed at'' kids age 13-17, as proposed 
in New Jersey in 2008 \8\) that are not also used by significant 
numbers of adults. The practical result of such COPPA expansion efforts 
would be the same as simply specifying that a certain category of 
websites (such as those with a public ``wall,'' as proposed in Illinois 
in 2008 \9\) must age-verify of a large number of adults to distinguish 
adults (who do not require verifiable parental consent) from children 
(who do require verifiable parental consent). This raises profound 
First Amendment concerns--particularly about the right of Americans to 
speak and receive information anonymously online.\10\
---------------------------------------------------------------------------
    \8\ A.B. 108, Gen. Assem., 213th Leg. Sess. (N.J. 2008), 
www.njleg.state.nj.us/2008/Bills/A0500/108_I1.HTM.
    \9\ H.B. 1312, 96th Gen. Assem., Synopsis as Introduced (Il. 2007) 
[hereinafter SNWARA], available at www.ilga.gov/legislation/
billstatus.asp?DocNum=1312&GAID=10&GA=96&DocTypeID=
HB&LegID=43038&SessionID=76.
    \10\ See infra at 3-9.; see generally, COPPA 2.0, supra note 2; 
Adam Thierer, The Progress & Freedom Foundation, USA Today, Age 
Verification, and the Death of Online Anonymity, PFF Blog, Jan. 23, 
2008, http://blog.pff.org/archives/2008/01/usa_today_doesn.html. 4
---------------------------------------------------------------------------
    It was at least in part in recognition of the difficult First 
Amendment questions discussed below that Congress removed the 
requirement in the initial legislative draft of COPPA that would have 
required operators to ``use reasonable efforts to provide the parents 
with notice and an opportunity to prevent or curtail the collection or 
use of personal information collected from children over the age of 12 
and under the age of 17.'' \11\
---------------------------------------------------------------------------
    \11\ This requirement was contained in the original bill, 
Children's Online Privacy Protection Act, S. 2326, 105th Cong.  
3(a)(2)(A)(iii), (1998), but was removed when that bill was 
reintroduced in its final form. In the interim, Congress held a hearing 
at which testimony was offered by, among others, Deirdre Mulligan, on 
behalf of the Center for Democracy and Technology, which generally 
supported COPPA but argued for the very revisions that were ultimately 
made. In particular, Mulligan argued that:

    under the bill each time a 15 year old signs-up to receive 
information through e-mail his or her parent would be notified. For 
example if a 15 year old visits a site, whether a bookstore or a 
women's health clinic where material is made available for sale and 
requests information about purchasing a particular book or merely 
inquires about books on a particular subject (abuse, religion) using 
their e-mail address the teenager's parent would be notified. This may 
chill older minors in pursuit of information.

    Testimony of Deirdre Mulligan, Staff Counsel, Center for Democracy 
and Technology, before the Senate Committee on Commerce, Science, and 
Transportation Subcommittee on Communications, Sept. 23, 1998, http://
web.archive.org/web/20080327000913/http://www.cdt.org/testimony/
980923mulligan.shtml.
---------------------------------------------------------------------------
    These First Amendment concerns are not conjectural: The courts have 
already struck down precisely this kind of broad age verification 
mandates--specifically, as found in the Children's Online Protection 
Act (COPA),\12\ another 1998 law sometimes confused with COPPA. In 
essence, COPPA is focused on certain kinds of potentially harmful 
contacts while COPA is focused on potentially harmful content.\13\ COPA 
attempted to prevent children from accessing material deemed ``harmful 
to minors'' by requiring all users attempting to access such content to 
provide a credit card, on the theory that only adults have credit 
cards. But the courts concluded that, ``payment cards cannot be used to 
verify age because minors under 17 have access to credit cards, debit 
cards, and reloadable prepaid cards'' and, although ``payment card 
issuers usually will not issue credit and debit cards directly to 
minors without their parent's consent because of the financial risks 
associated with minors . . . there are many other ways in which a minor 
may obtain and use payment cards.'' \14\
---------------------------------------------------------------------------
    \12\ 47 U.S.C.  231.
    \13\ COPA makes it illegal to ``knowingly . . . make[ ] any 
communication for commercial purposes that is available to any minor 
and that includes any material that is harmful to minors.'' 47 U.S.C. 
231.
    \14\ ACLU v. Gonzales, 478 F. Supp. 2d 775, 801 (E.D. Pa. 2007) 
[hereinafter Gonzales]. COPA would have prohibited the online 
dissemination of material deemed harmful to minors under 17 for 
commercial purposes, 47 U.S.C.  231(a)(1), subject to a safe harbor 
for sites that made a ``good faith'' effort to restrict access by 
minors: ``(A) by requiring use of a credit card, debit account, adult 
access code, or adult personal identification number; (B) by accepting 
a digital certificate that verifies age; or (C) by any other reasonable 
measures that are feasible under available technology,'' 47 U.S.C.  
231(c)(1).
---------------------------------------------------------------------------
1. COPPA's Current Age Range Respects the First Amendment Rights of 
        Adults
    Besides the fact that credit cards were simply inadequate for 
proving that someone was not a child (a very different problem from 
obtaining verifiable parental consent, as discussed below), the court 
held that requiring adults to prove that they were not children by 
providing credit card information violated the First Amendment in a 
number of ways.
    First, COPA burdened the speech rights of adults to access 
information subject to age verification requirements, both by making 
speech more difficult and by stigmatizing it. In 2003, the Third 
Circuit noted that age verification requirements ``will likely deter 
many adults from accessing restricted content, because many Web users 
are simply unwilling to provide identification information in order to 
gain access to content, especially where the information they wish to 
access is sensitive or controversial .'' \15\ In 2008, in striking down 
COPA for the third and final time, the Third Circuit approvingly quoted 
the district court, which had noted that part of the reason age 
verification requirements deterred users from accessing restricted 
content was ``because Internet users are concerned about security on 
the Internet and because Internet users are afraid of fraud and 
identity theft on the Internet.'' \16\ The Supreme Court has recognized 
the vital importance of anonymous speech in the context of traditional 
publication.\17\ By imposing broad age verification requirements, COPPA 
2.0 would restrict the rights of adults to send and receive information 
anonymously just as COPA did. If anything, the speech burdened by COPPA 
2.0 deserves more protection, not less, than the speech burdened by 
COPA: Where COPA merely burdened access to content deemed ``harmful to 
minors'' (viz., pornography), COPPA 2.0 would burden access to material 
by adults as well as minors, not because that material is harmful or 
obscene, but merely because it is ``directed at'' minors! Thus, the 
content covered by COPPA 2.0 proposals could include not merely 
pornography, but communications of a political nature, which deserve 
the highest degree of First Amendment protection.
---------------------------------------------------------------------------
    \15\ ACLU v. Ashcroft, 322 F.3d 240, 259 (3d Cir. 2003) (ACLU II).
    \16\ ACLU v. Ashcroft, 534 F.3d 181, 196 (3d Cir. 2008) (ACLU III) 
(citing Gonzales, 478 F. Supp. 2d 775 at 806).
    \17\ McIntyre v. Ohio Elections Comm'n, 514 U.S. 334, 342 (1995) 
(striking down law that prohibited distribution of anonymous campaign 
literature); see also Talley v. California, 362 U.S. 60 (1960) 
(striking down a state law that forbade all anonymous leafletting).
---------------------------------------------------------------------------
    Second, COPA burdened the speech rights of operators because the 
necessary corollary of blocking adults from accessing certain content 
anonymously--and thereby deterring some users from accessing that 
content--is reducing the audience of those sites. Similarly, if COPPA's 
age ceiling were raised to cover adolescents, some websites would self-
censor themselves to avoid offering content they fear could be 
considered ``directed at'' adolescents because doing so might subject 
them to an age verification mandate for all users--or to legal 
liability if they failed to implement age verification. The substantial 
cost of age verification could significantly impact, if not make 
impossible, the razor-thin business models of many sites, which 
generally do not charge for content and rely instead on advertising 
revenues. The Third Circuit cited all of these burdens on the free 
speech rights of website operators in striking down COPA.\18\
---------------------------------------------------------------------------
    \18\ See ACLU III, 534 F.3d at 196-97 (citing Gonzales, 478 F. 
Supp. 2d 775 at 804). The Court held that websites ``face significant 
costs to implement *COPA's age verification mandates+ and will suffer 
the loss of legitimate visitors once they do so.'' Id. at 197.
---------------------------------------------------------------------------
    Third, courts held that ``[b]locking and filtering software is an 
alternative that is less restrictive than COPA, and, in addition, 
likely more effective as a means of restricting children's access to 
materials harmful to them.'' \19\ Similarly, parental control software 
already empowers parents to restrict their kids' access to websites and 
similar software is evolving for mobile services and smartphone 
software (i.e., applications or ``apps'') that would offer parents 
control over what services kids use that allow them to share their 
personal information, either with operators or with other users.
---------------------------------------------------------------------------
    \19\ Id. at 198 (quoting ACLU v. Mukasey, 534 F.3d 181, 198 
(2008)).
---------------------------------------------------------------------------
    Finally, it's worth noting that COPPA 2.0 would restrict the 
ability of adolescents to access content (in interactive contexts where 
they might also share personal information), not because it could be 
harmful to them or because it is obscene, but merely because it is 
``directed to'' them. While the First Amendment rights of minors may 
not be on par with those of adults, adolescents do have the right to 
access certain types of information and express themselves in certain 
ways.\20\ The Supreme Court has held that ``constitutional rights do 
not mature and come into being magically only when one attains the 
state-defined age of majority.'' \21\ It remains unclear how an 
expanded COPPA model might interfere with the First Amendment rights of 
adolescents, but it is clear that privacy and speech rights would come 
into conflict under COPPA 2.0, as they do in other contexts.\22\
---------------------------------------------------------------------------
    \20\ See Theresa Chmara & Daniel Mach, Minors' Rights to Receive 
Information Under the First Amendment, Memorandum from Jenner & Block 
to the Freedom To Read Foundation, Feb. 2, 2004, www.ala.org/ala/
aboutala/offices/oif/ifissues/issuesrelatedlinks/minorsrights.cfm 
(summarizing case law regarding minors' first amendment rights, 
especially in schools and in the context of mandates that public 
libraries filter Internet content); United States v. Am. Library Ass'n, 
123 S. Ct. 2297 (2003), available at laws.findlaw.com/us/000/02-
361.html (upholding the constitutionality of a filtering software 
system applicable to minors); see generally, Tinker v. Des Moines Ind. 
Comm. School Dist., 393 U.S. 503 (1969) (upholding students' rights to 
wear protest armbands and affirming that minors have speech rights), 
available at www.oyez.org/cases/1960-1969/1968/1968_21; cf. Morse v. 
Frederick, 551 U.S. 393 (2007), available at www.oyez.org/cases/2000-
2009/2006/2006_06_278/ (holding that the First Amendment rights of 
students in school and at school-supervised events are not as broad as 
those of adults in other settings).
    \21\ Planned Parenthood of Cent. Mo. v. Danforth, 428 U.S. 52, 74 
(1976) (minors' right to abortion). See also Bellotti v. Baird, 443 
U.S. 622, 635 n.13 (minors possess close to the ``full capacity for 
individual choice which is the presupposition of First Amendment 
guarantees''); Catherine Ross, An Emerging Right for Mature Minors to 
Receive Information, 2 U. Pa. J. Const. L. 223 (1999); Lee Tien & Seth 
Schoen, Reply Comments of the Electronic Frontier Foundation filed in 
Implementation of the Child Safe Viewing Act; Examination of Parental 
Control Technologies for Video or Audio Programming, MB Docket No. 
0926, Federal Communications Commission, May 18, 2009, http://
fjallfoss.fcc.gov/prod/ecfs/retrieve.cgi?native_or_pdf=pdf&id_document
=6520216901.
    \22\ See generally Solveig Singleton, Privacy Versus the First 
Amendment: A Skeptical Approach, 11 Fordham Intell. Prop. Media & Ent. 
L.J. 97 (2000), available at http://law.fordham.edu/publications/
articles/200flspub6588.pdf; Eugene Volokh, Freedom of Speech and 
Information Privacy: The Troubling Implications of a Right to Stop 
People from Speaking About You, 52 Stan. L. Rev. 1175 (2000), available 
at www.law.ucla.edu/volokh/privacy.htm.
---------------------------------------------------------------------------
    For example, how might the parental-consent based model limit the 
ability of adolescents to obtain information about ``safer sex'' or how 
to deal with trauma, depression, family abuse, or addiction? Would an 
abusive father authorize a teen to visit a website about how to report 
child abuse? Would parents of adolescents struggling with their sexual 
identity let their children participate in a self-help social 
networking page for gay and lesbian youth? \23\ The rights are at play 
here are critically important and must be balanced carefully.
---------------------------------------------------------------------------
    \23\ ``There are parents who, for a variety of reasons (political, 
cultural, or religious beliefs, ignorance of the facts, fear of being 
exposed as abusers, etc.), would deliberately prevent their teens from 
accessing social-network sites (SNS).'' Internet Safety Technical Task 
Force, Enhancing Child Safety & Online Technologies: Final Report of 
the Internet Safety Technical Task Force to the Multi-State Working 
Group on Social Networking of State Attorneys General of the United 
States, Dec. 31, 2008, Appendix F, Statement of Connect Safely, at 262, 
http://cyber.law.harvard.edu/pubrelease/isttf (listing examples of 
unintended consequences of age verification mandates) [hereinafter 
ISTTF Final Report]. Full disclosure: Adam Thierer was a member of this 
task force.
---------------------------------------------------------------------------
    Preserving the ability of adolescents to participate in online 
interactions goes beyond content that most people would recognize as 
``serious''--from the perspective of both First Amendment values and 
the education of children. As a recent MacArthur Foundation study of 
the youth Internet use concluded:

        Contrary to adult perceptions, while hanging out online, youth 
        are picking up basic social and technological skills they need 
        to fully participate in contemporary society. Erecting barriers 
        to participation deprives teens of access to these forms of 
        learning. Participation in the digital age means more than 
        being able to access ``serious'' online information and 
        culture.\24\
---------------------------------------------------------------------------
    \24\ John D. and Catherine T. MacArthur Foundation, Living and 
Learning with New Media: Summary of Findings from the Digital Youth 
Project, at 2 [hereinafter MacArthur Study] http://
digitalyouth.ischool.berkeley.edu/files/report/digitalyouth-
WhitePaper.pdf.

    Even if parents have an absolute right to block their adolescents' 
access to such data, they can better exercise that right by applying 
strict controls on the computers in their home. As discussed below, 
there are ways to encourage innovation in such parental empowerment 
tools without changing COPPA itself. But COPPA 2.0 proposals go well 
beyond recognizing parents' rights by making parental consent a 
``default'' requirement for adolescents to access a wide range of 
content--meaning that parents must ``opt-in'' on behalf of their 
children before their children can participate in sites and services 
covered by COPPA. This, in turn, burdens the ability of adolescents to 
communicate, because their parents might censor (rightly or wrongly) 
certain information, or simply fail to understand the technologies 
involved or be responsive to the opt-in requests when their kids want 
to access a new interactive site or service. But whatever the free 
speech rights of adolescents, if anyone should be interfering with 
those rights, it should be their parents--not the government.

2. COPPA's Current Age Range Allows Beneficial Communication between 
        Adolescents and Adults
    Finally, COPPA 2.0 could infringe on the free speech rights of 
adults to communicate with adolescents online by driving operators to 
segregate users by age or to attempt to block access by adolescents. As 
explained below, for the sake of marginal (if any) gains in child 
protection, we would be excluding beneficial interaction between adults 
and minors.
    The vast majority of online interactions between adults and minors 
are not of a harassing, predatory or otherwise harmful nature--indeed, 
they generally involve adults looking to help or assist minors in 
various ways. As the MacArthur Foundation study cited above concluded:

        In contexts of peer-based learning, adults . . . have an 
        important role to play, though it is not the conventionally 
        authoritative one. In friendship-driven practices, direct adult 
        participation is often unwelcome, but in interest-driven groups 
        we found a much stronger role for more experienced participants 
        to play. Unlike instructors in formal educational settings, 
        however, these adults are passionate hobbyists and creators, 
        and youth see them as experienced peers, not as people who have 
        authority over them. These adults exert tremendous influence in 
        setting communal norms and what educators might call ``learning 
        goals,'' though they do not have direct authority over 
        newcomers.\25\
---------------------------------------------------------------------------
    \25\ MacArthur Study, supra note 24, at 2.

    A substantial portion of those interactions involve parents talking 
to their own kids, older and younger siblings communicating with one 
another, teachers and mentors talking to their students, or even co-
workers of different ages communicating. Even when adult-minor 
communications involve complete strangers, there is typically a 
socially-beneficial purpose. Examples include debating politics on a 
discussion board, or collaboratively editing a Wikipedia entry, or 
communicating and collaborating on a common purpose on a Presidential 
campaign website involving millions of volunteers of all ages. There 
are countless other examples. Such interactions could be severely 
curtailed by COPPA 2.0 proposals. Restricting such interactions would 
raise profound First Amendment concerns about freedom of speech as well 
as of association.
    In any First Amendment analysis, a court must consider not only the 
free speech rights at stake and the availability of less restrictive 
alternatives to regulation, but the governmental interest being 
advanced. Again, neither COPPA nor the COPPA 2.0 proposals recently 
contemplated at the state level require exclusion of older users from a 
website, nor directly govern the sharing of personal information among 
users (where that sharing does not also constitute collection by the 
site itself). But separation of adolescents from adults is likely to be 
an indirect effect of COPPA 2.0 requirements--as COPPA 2.0 advocates 
probably realize--because, once operators are required to age-verify 
users, they will face reputational, political and potentially legal 
pressure to make interactions between adolescents and children more 
difficult in the name of ``child safety.'' More subtly, if site 
operators have an incentive to avoid having their sites be considered 
``directed at'' adolescents, they will also have an incentive to 
discourage adolescent participation on their sites--which achieves a 
similar result.
    Given the lack of strong identity records for minors, it's much 
easier for an adult to pretend to be a minor than vice versa. Thus, one 
must further ask if attempting to quarantine children from adults 
(however indirectly) actually advances, on net, a strong governmental 
interest in child protection. Such a quarantine is unlikely to stop 
adults with truly nefarious intentions from communicating with minors, 
as systems designed to exclude participation by adults in a ``kids-
only'' or ``adolescents-only'' area can be easily circumvented. The 
effect of age stratification on truly bad actors is likely to be 
marginal at best--or harmful at worst: Building walls around 
adolescents through age-verification might actually make it easier for 
predators to target teens, since a predator who gains access to a 
supposedly teen-only site will be less likely to be exposed as a 
predator than by targeting an adult the predator thinks is a teen.
    To hear some of the advocates of COPPA expansion talk about how 
teens currently behave online, one might think that online environments 
in which adolescents were left to their own devices--imagine a ``Teen 
MySpace'' for the 13-17 crowd, walled off from the rest of MySpace--
would be far worse, perhaps an online version of Lord of the Flies. 
These concerns are clearly exaggerated: The critics frequently complain 
about ``the way kids talk to each other these days'' while looking at 
their own past adolescent banter with rose-tinted glasses. What is 
clear is that adolescents (and young adults) behave better in online 
environments where adults are present, too. Perhaps the best 
demonstration of this fact has been the uproar from adolescents and 
young adults that has accompanied Facebook's explosive growth in 
popularity among older users.\26\ Many kids hate the idea of adults 
joining Facebook precisely because the presence of adults encourages 
kids to ``self-regulate'' by exercising better judgment and following 
better netiquette.\27\
---------------------------------------------------------------------------
    \26\ Justin Smith, Number of U.S. Facebook Users Over 35 Nearly 
Doubles in Last 60 Days, Inside Facebook Blog Mar. 25, 2009, 
www.insidefacebook.com/2009/03/25/number-of-us-facebook-users-over-35-
nearly-doubles-inlast-60-days/.
    \27\ See e.g., Lori Aratani, When Mom or Dad Asks To Be a Facebook 
``Friend,'' The Washington Post, Mar. 9, 2008, www.washingtonpost.com/
wp-dyn/content/article/2008/03/08/AR2008030801034.html. `` `I do not 
know if this has happened to anybody, but this morning I log on to 
Facebook and I have a new friend request!' wrote 19-year-old Mike 
Yeamans, a sophomore at James Madison University, on one of several `No 
Parents on Facebook' groups that have popped up on the site. `I am 
excited to make a new friend so I click on the link. I could not 
believe what I saw. My father! This is an outrage!' '' Id.
---------------------------------------------------------------------------
    Anne Collier, founder and executive director of the child safety 
advocacy organization Net Family News, Inc. and editor of 
NetFamilyNews.org and ConnectSafely.org, suggests that the push for 
``segregation'' by age (e.g., creating a teen-only version of Second 
Life) for safety's sake is ``losing steam'' because:

        It's a response to the predator panic teens and parents have 
        been subjected to in U.S. society, not to the realities of 
        youth on the social Web. What nearly a decade of peer-reviewed 
        academic research shows is that peer-to-peer behavior is the 
        online risk that affects many more youth, the vast majority of 
        online kids who are not already at-risk youth offline. 
        Segregating teens from adults online doesn't address 
        harassment, defamation, imposter profiles, cyberbullying, etc. 
        It may help keep online predators away from kids (even though 
        online predation, or abuse resulting from online communication, 
        constitutes only 1 percent of overall child sexual exploitation 
        . . .), which is a great outcome, but it's not enough unless 
        all that parents are worried about is predators.\28\
---------------------------------------------------------------------------
    \28\ Anne Collier, Where Will OnlineTeens Go Next?, May 1, 2009, 
www.netfamilynews.org/2009/05/where-will-online-teens-go-next.html 
(internal citations omitted). For evidence of at-risk youth, Collier 
sites the ISTTF Final Report, supra note 47. Regarding the percentage 
of all child sexual exploitation that results from online 
communication, she cites Janis Wolak, David Finkelhor & Kimberly 
Mitchell, Crimes Against Children Research Center, Trends in Arrests of 
Online Predators, 2009) www.unh.edu/ccrc/pdf/CV194.pdf; see also, Anne 
Collier, Major Update on Net predators: CACRC study, March 31, 2009, 
www.netfamilynews.org/2009/03/majorupdate-on-net-predators-mostly.html 
(summarizing study).

    Of course, adults play a critical role in disciplining interaction 
among the 0-12 age bracket, but not as direct participants in on-site 
interaction. Again, how many adults actually want to use Club Penguin, 
a site clearly geared toward the Net's youngest users? Instead, parents 
can supervise what their kids do online through parental control 
software. Parents could, of course, use that same software to monitor 
what their adolescent kids do, too. But as kids get older, most parents 
realize that the training wheels have to come off at some point. Few 
parents will want to spy on their 17-year-old until the day before the 
kid starts college (or enlists in the military or gets married). But 
most parents probably would prefer that, if their kids are interacting 
in an online environment, they think twice about what they do and say 
online. It is by no means clear that restricting online interaction 
between teens and adults will serve that end.

B. Do you think COPPA should be strengthened?
    I have seen no evidence of a need for Congress to reopen COPPA, and 
to the extent that some changes may be necessary in the implementation 
of COPPA, I believe the statute affords the FTC great flexibility in 
its definition of ``Internet,'' as discussed below, as well as in 
allowing the agency to update the definition of ``personal 
information.'' Thus, while there may be ways to improve implementation 
of the statute, I do not see a need for changing COPPA itself today.
    Moreover, Congress must be cognizant of the downsides of reopening 
COPPA and--to the extent it is expanded along the lines some of have 
advocated--raising the prospect of the entire law being struck down as 
unconstitutional because it essentially converges with COPA, as Adam 
Thierer and I have explained in our work.\29\ Again, COPPA is one of 
the few Internet laws Congress has passed over the last 15 years that 
was not challenged, blocked from taking effect, or overturned.
---------------------------------------------------------------------------
    \29\ See generally supra note 2.
---------------------------------------------------------------------------
C. Should the FTC reexamine what constitutes ``personal information'' 
        in its review of COPPA? Or do you believe that the online space 
        and the definition of personal information should remain the 
        same as it was when the law was created over 10 years ago?
    As I noted in my testimony, COPPA already gives the FTC the 
flexibility to update the definition of ``personal information'' to 
include ``any other identifier that the Commission determines permits 
the physical or online contacting of a specific individual.'' \30\ 
Because the definition of personal information also includes 
``information concerning the child or the parents of that child that 
the website collects online from the child and combines with [any of 
these identifiers],'' the statute already covers essentially all 
information tied to a particular user where it is possible to contact 
that user. This dynamic definition is broad enough to keep pace with 
technological change because it is not simply a static listing of the 
``personal information'' that was at issue in the late 1990s. For 
example, if the lodestar of ``personal information'' is the ability to 
contact a child, instant messaging screen names or social networking 
pseudonyms might qualify as ``personal information.'' In your opinion, 
what is the biggest threat to children's privacy and safety in today's 
online world?
---------------------------------------------------------------------------
    \30\ 15 U.S.C.  6501(8)(F).
---------------------------------------------------------------------------
    The biggest threat to children's online privacy and safety has 
always been, and will likely remain, the ignorance and naivete that 
necessarily comes with youth. Though children may be quite 
technologically adept, far more so than many parents, they still lack 
the real-world experience necessary to appreciate the potential privacy 
and safety implications of heedlessly giving personal information away 
to site operators or, especially, making personal information publicly 
available to other Internet users. No amount of Federal legislation or 
regulation is going to keep children from divulging personal 
information if they aren't aware of its dangers. So, as discussed 
below, if a lack of knowledge or sophistication is the problem, the 
primary answer must be education, education and more education, not 
regulation, regulation, and more regulation.\31\
---------------------------------------------------------------------------
    \31\ See infra at III.A.4.
---------------------------------------------------------------------------
D. What do you think is the most urgent update to COPPA needed?
    Again, the FTC should remove any doubt about the fundamental 
technological agnosticism of COPPA's potential coverage (actual 
coverage depending on whether, in any particular context, 
``collection'' occurs and whether the site is directed at children or 
the operator has actual knowledge that it is ``collecting'' personal 
information from a child). The FTC should also encourage the 
development of mechanisms for verifying parental consent appropriate to 
these technologies, either by recognizing additional mechanisms or 
through certifying innovative safe harbor operators. Congress could 
direct, and fund, the FTC to conduct more education about COPPA, online 
privacy and online safety.

E. In your opinion, what would constitute the most appropriate 
        definition of 
        ``sensitive data'' in the context of children's online privacy?
    COPPA already includes an excellent list of personal information:

        (A) a first and last name;

        (B) a home or other physical address including street name and 
        name of a city or town;

        (C) an e-mail address;

        (D) a telephone number;

        (E) a Social Security number; \32\
---------------------------------------------------------------------------
    \32\ 15 U.S.C.  6501(8)(A-E).

    As I noted in my testimony, COPPA already gives the FTC the 
flexibility to update the definition of ``personal information'' to 
include ``any other identifier that the Commission determines permits 
the physical or online contacting of a specific individual.'' \33\ 
Because the definition of personal information also includes 
``information concerning the child or the parents of that child that 
the website collects online from the child and combines with [any of 
these identifiers],'' the statute already covers essentially all 
information tied to a particular user such that it is possible to 
contact that user. Thus, there should be no need to specify additional 
categories of sensitive data to achieve COPPA's purposes.
---------------------------------------------------------------------------
    \33\ 15 U.S.C.  6501(8)(F).
---------------------------------------------------------------------------
F. You said in your written testimony that a ``COPPA expansion would 
        undermine privacy.'' Would you mind explaining to the Committee 
        your meaning?
    Sites that implement age verification technologies (even through 
COPPA's ``verifiable parental consent'' loose form of age verification) 
require users to share personal information about themselves. 
Specifically, adults attempting to access sites behind an age 
verification wall would have to provide information adequate to 
establish that they are not, in fact, younger than whatever the higher 
age threshold of COPPA 2.0 might be. Similarly, children attempting to 
access such sites would have to provide information about themselves 
and their parents sufficient to establish the parent-child relationship 
so that a site can reasonably evaluate documentation purporting to 
establish ``verifiable parental consent.'' Both forms of age 
verification (by adults, and by children/parents) could be accomplished 
by a number of means, but seem to be most commonly done today through 
use of a credit card.
    Today, because COPPA requires age verification only for sites 
``directed at'' children under 13 (or, in cases where an operator has 
``actual knowledge'' that a particular user is under 13), the law in 
practice requires only the second sort of age verification. But if 
COPPA were expanded to cover, say, all sites ``directed at'' 
adolescents (however defined), the law would very likely require 
certain website operators to presume that all their users might be 
``children'' whose parents' ``verifiable parental consent'' must be 
obtained prior to collection. This, in turn, would mean that large 
numbers of adults would, for the first time since COPA, be required by 
law (or at least, the website operator's interpretation of the law, 
which might tend to err on the side of caution) to age verify 
significant numbers of adults. As discussed below, this creates a 
significant burden on the First Amendment rights of adults to anonymous 
communication through interactive services that could allow public 
sharing of personal information. This would also significantly burdens 
website operators whose audience might be reduced by the apprehension 
caused by age verification mandates among users worried about having to 
provide information for certification purposes or simply by the hassle 
of having to do so. In both respects, COPPA 2.0 would raise precisely 
the same constitutional problem that caused the courts to strike down 
COPA (but that are not raised by COPPA 1.0).\34\
---------------------------------------------------------------------------
    \34\ See supra at 3-9.
---------------------------------------------------------------------------
    But such an expansion of COPPA's age scope would also undermine 
privacy by requiring the sharing of more personal information in order 
to age-verify newly covered users. The same would be true of any 
attempts to expand COPPA by specifying that it applies to certain 
categories of websites (effectively disposing of the law's ``directed 
at'' analysis). Thus, the irony of COPPA expansion is that lawmakers 
would be applying a law that was meant to protect the privacy and 
personal information of children to gather a great deal more 
information about kids, their parents, and many other adults.
    As the district court that struck down COPA noted:

        Requiring users to go through an age verification process would 
        lead to a distinct loss of personal privacy. Many people wish 
        to browse and access material privately and anonymously, 
        especially if it is sexually explicit. Web users are especially 
        unlikely to provide a credit card or personal information to 
        gain access to sensitive, personal, controversial, or 
        stigmatized content on the Web. As a result of this desire to 
        remain anonymous, many users who are not willing to access 
        information non-anonymously will be deterred from accessing the 
        desired information.\35\
---------------------------------------------------------------------------
    \35\ Gonzales, 478 F. Supp. 775, 805 (E.D. Pa. 2007).

    The same is true even for non-explicit material, such as would be 
covered by COPPA if the law's age range were expanded.

G. Do you support the FTC's review of COPPA? Do you believe it is 
        necessary?
    Yes, the FTC was well within its general operating procedures to 
accelerate its review of the COPPA Rules from 2015, the originally set 
date, to this year,\36\ and it made sense for the agency to do so, 
given the pace of change in this area. In particular, it appears from 
comments made by many in industry that the FTC needs to do more to make 
clear that COPPA is, by original Congressional design, platform-
agnostic, applying to any ``collection'' (including publication or 
sharing by users themselves) of ``personal information'' through a 
website or online service--regardless of the device used to access that 
site or service.
---------------------------------------------------------------------------
    \36\ See Federal Trade Commission, Staff Report, Beyond Voice: 
Mapping the Mobile Marketplace, April 2009, at 3, www.ftc.gov/reports/
mobilemarketplace/mobilemktgfinal.pdf; see also FTC Operating Manual,  
7.5, at 33, http://www.ftc.gov/foia/ch07rulemaking.pdf (The FTC ``has 
adopted a policy of reviewing each of its legislative rules (i.e., 
trade regulation rules and rules promulgated under special statutes) at 
least once every 10 years.'').
---------------------------------------------------------------------------
H. If you oppose expanding COPPA, do you believe it is working 
        properly? Do you believe it is sufficient to protect children's 
        privacy?
    The original goals of COPPA, as expressed by its Congressional 
sponsors, were to:

        (1) to enhance parental involvement in a child's online 
        activities in order to protect the privacy of children in the 
        online environment; (2) to enhance parental involvement to help 
        protect the safety of children in online fora such as 
        chatrooms, home pages, and pen-pal services in which children 
        may make public postings of identifying information; (3) to 
        maintain the security of personally identifiable information of 
        children collected online; and (4) to protect children's 
        privacy by limiting the collection of personal information from 
        children without parental consent.\37\
---------------------------------------------------------------------------
    \37\ 144 Cong. Rec. S11657 (daily ed. Oct. 7, 1998) (statement of 
Rep. Bryan).

    Thus, as its name implies, COPPA is generally concerned with 
protecting the privacy of children. But COPPA's primary means for 
achieving this goal is enhancing parental involvement or, as the FTC 
has put it, ``provid[ing] parents with a set of effective tools . . . 
for becoming involved in and overseeing their children's interactions 
online.'' \38\ However admirable, ``protect[ing] the safety of 
children'' is merely an indirect goal of COPPA--something to be 
achieved through the means of enhancing parental involvement (COPPA's 
direct goal).
---------------------------------------------------------------------------
    \38\ Federal Trade Commission, Implementing the Children's Online 
Privacy Protection Act: A Report to Congress at 28, Feb. 2007, 
www.ftc.gov/reports/coppa/07COPPA_Report_to_Con
gress.pdf (2007 COPPA Implementation Report).
---------------------------------------------------------------------------
    Viewed in this light, COPPA has probably been about as successful 
as could be expected given the fundamental technical reality of the 
Internet: In general, users and operators cannot, across the 
essentially infinite expanse of the digital chasm, definitively know 
how old other users are or even who they are.
    The FTC asserts COPPA ``has provided a workable system to help 
protect the online safety and privacy of the Internet's youngest 
visitors.'' \39\ Yet many of those advocating expansion of COPPA do so 
on the grounds that COPPA makes children safer from sexual predators. 
What these advocates fail to acknowledge is that, to the extent COPPA 
has enhanced child safety--indeed, to the extent that COPPA can be 
effectively administered at all--it is because of the unique 
circumstances of the under-13 age bracket and the operators that have 
evolved to serve that community. In particular:
---------------------------------------------------------------------------
    \39\ Id. at 28.

        1. The functionality of child-oriented sites is usually tightly 
---------------------------------------------------------------------------
        limited: They are walled gardens;

        2. Many smaller websites catering to children charge a fee for 
        admission--even as fee-based models have withered away on the 
        rest of the Internet; and

        3. There are relatively few sites that cater exclusively to the 
        under-13 crowd, which may be an unintended consequence of COPPA 
        itself.

I. Would you support any changes to the rule or to the statute?
    I would support changes to the statute if:

        1. It were shown that those changes were necessary to prevent a 
        demonstrable and substantial harm (not just a fear of potential 
        harm), were narrowly tailored to that harm, and were the least 
        restrictive means available for addressing that harm;

        2. Those changes could reduce the difficulty and expense of 
        complying with COPPA, thus promoting competition in the 
        marketplace for children's content and services; or

        3. Those changes could further empower parents to make 
        decisions about their children's participation in online sites 
        and services, without unduly burdening those sites and 
        services.

    But as explained throughout, I believe the FTC already has the 
tools it needs under COPPA in its current form. If the FTC needs 
anything more from Congress, it might be additional funding for 
educational efforts, encouraging new safe harbor programs, and targeted 
enforcement.

II. Privacy Implications of New Technologies

A. You said in your written statement, ``the reality is that the 
        technology for reliable age verification simply doesn't 
        exist.'' Could it exist in the future? If your claim is valid, 
        does that mean the business community, the FTC or Congress 
        should not strive to find enhanced age verification methods?
    In a February 2007 report to Congress about the status of COPPA and 
its implementation, the FTC said that no changes to COPPA were then 
necessary because the law had ``been effective in helping to protect 
the privacy and safety of young children online.'' \40\ In discussing 
the effectiveness of the parental consent verification methods 
authorized in the FTC's sliding scale approach, however, the agency 
acknowledged that ``none of these mechanisms is foolproof.'' \41\ The 
FTC attempted to distinguish these parental consent verification 
methods from other kinds of age verification tools in noting that ``age 
verification technologies have not kept pace with other developments, 
and are not currently available as a substitute for other screening 
mechanisms.'' \42\ This makes it clear that the FTC does not regard the 
methods the agency has prescribed for obtaining parental consent under 
COPPA as equivalent to strict age verification.
---------------------------------------------------------------------------
    \40\ Id., at 1.
    \41\ Id. at 13.
    \42\ Id. at 12.
---------------------------------------------------------------------------
    After years of searching for a technological ``silver bullet,'' 
especially by state attorneys general, the practical limitations and 
dangers of age verification mandates are now widely recognized. Few 
continue to argue for directly mandating verification of the age of 
minors online--or that such verification, in its strictest sense, is 
even technically feasible. Federal courts have found that there is ``no 
evidence of age verification services or products available on the 
market to owners of websites that actually reliably establish or verify 
the age of Internet users. Nor is there evidence of such services or 
products that can effectively prevent access to Web pages by a minor.'' 
\43\ Few public data bases exist that could be referenced to conduct 
such verifications for minors, and most parents do not want the few 
records that do exist about their children (e.g., birth certificates, 
Social Security numbers, school records) to become more easily 
accessible.\44\ Indeed, concerns about those records being compromised 
or falling into the wrong hands have led to legal restrictions on their 
accessibility.\45\
---------------------------------------------------------------------------
    \43\ Gonzales, 478 F. Supp. 2d 775, 806 (E.D. Pa. 2007).
    \44\ See Adam Thierer, The Progress & Freedom Foundation, Age 
Verification Debate Continues; Schools Now at Center of Discussion, PFF 
Blog, Sept. 25, 2008, http://blog.pff.org/archives/2008/09/
age_verificatio_1.html.
    \45\ Various laws and regulations have been implemented that shield 
such records from public use, including various state statutes and the 
Family Educational Rights and Privacy Act of 1974, 20 U.S.C.  1232g, 
www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
---------------------------------------------------------------------------
    There are a host of other concerns about age verification 
mandates.\46\ Some of these concerns were summarized in a recent report 
produced by the Internet Safety Technical Task Force, a blue ribbon 
task force assembled in 2008 by state attorneys general to study this 
issue:
---------------------------------------------------------------------------
    \46\ For a fuller exploration of these issues, see Adam Thierer, 
The Progress & Freedom Foundation, Social Networking and Age 
Verification: Many Hard Questions; No Easy Solutions, Progress on Point 
No. 14.5, Mar. 2007; Adam Thierer, The Progress & Freedom Foundation, 
Statement Regarding the Internet Safety Technical Task Force's Final 
Report to the Attorneys General, Jan. 14, 2008, www.pff.org/issues-
pubs/other/090114ISTTFthiererclosingstatement.pdf; Nancy Willard, Why 
Age and Identity Verification Will Not Work--And is a Really Bad Idea, 
Jan. 26, 2009, www.csriu.org/PDFs/digitalidnot.pdf; Jeff Schmidt, 
Online Child Safety: A Security Professional's Take, The Gardian, 
Spring 2007, www.jschmidt.org/AgeVerification/Gardian_JSchmidt.pdf.

        Age verification and identity authentication technologies are 
        appealing in concept but challenged in terms of effectiveness. 
        Any system that relies on remote verification of information 
        has potential for inaccuracies. For example, on the user side, 
        it is never certain that the person attempting to verify an 
        identity is using their own actual identity or someone else's. 
        Any system that relies on public records has a better 
        likelihood of accurately verifying an adult than a minor due to 
        extant records. Any system that focuses on third-party in-
        person verification would require significant political backing 
        and social acceptance. Additionally, any central repository of 
        this type of personal information would raise significant 
        privacy concerns and security issues.\47\
---------------------------------------------------------------------------
    \47\ ISTTF Final Report, supra note 23, at 10.

    But even if far more robust age verification solutions could be 
developed, they would not solve the central constitutional problem 
faced by efforts to expand COPPA's age range or scope of sites 
otherwise covered by COPPA regardless of age. This is because, in 
essence, the practical challenge under COPPA is not that children have 
to prove that they are in fact under a certain age, but two far more 
complicated problems.
    First, once the verifiable parental consent requirement is 
triggered, either because a site is ``directed at'' children or because 
the operator knows that a particular user is a child (for example, 
because they have volunteered the fact that they are under 13 years 
old), the operator must make a ``reasonable effort (taking into 
consideration available technology)'' to verify parent-child 
relationship to ensure that adequate notice is given to, and 
authorization is obtained from, someone who is in fact the parent of 
that child.\48\ This is more complicated than simply verifying the age 
of any particular user, and the statute's flexibility in exactly how 
operators are to fulfill this requirement is indicative of the 
difficulty involved.
---------------------------------------------------------------------------
    \48\ See 16 C.F.R.  312.1 (definition of ``Obtaining verifiable 
consent'').
---------------------------------------------------------------------------
    Second is the very different problem of trying to ensure that a 
particular user is not a child. This is essentially the problem faced 
by COPA, where the solution was simply to require certain kinds of 
websites to age verify all users. Again, that solution is clearly 
unconstitutional, even though the material at issue was that deemed 
``harmful to minors'' (increasing the government's interest in 
regulating communications). COPPA's ingenious way of sidestepping this 
problem is to limit broad verification mandates to sites that are 
``directed at'' children or to situations where the operator has 
``actual knowledge'' that a user is a child. (Furthermore, the 
verification required by COPPA is fundamentally different, being 
verification of ``verifiable parental consent'' rather than of the 
actual identity or age of a user.) This difference is profound, because 
it means that COPPA, in its present form, does not subject significant 
numbers of adults to age verification mandates. But, again, if the 
COPPA framework were expanded to cover older children or certain 
websites based on their functionality, COPPA would essentially converge 
with COPA by requiring large numbers of users to prove a negative: that 
they are not children.
    It is difficult to see how that problem can ever be solved because 
even if there were a reasonably reliable solution for authenticating a 
user's identity, the constitutional analysis does not hinge on the 
accuracy of age or identity verification mechanisms, but on the 
chilling effects caused by government mandates that users provide more 
information about themselves than they otherwise would have to do in 
order to access certain interactive sites or services (that could 
potentially allow sharing of personal information). Simply put, this 
does not appear to be a problem that can be solved by any amount of 
technological innovation.

III. Policy Recommendations

A. What should the FTC or Congress do to strengthen children's safety 
        and privacy online in conjunction with advanced technologies 
        and mobile devices?

1. The FTC Should Clarify COPPA's Technological Breadth
    As noted above, the FTC should remove any lingering doubt that 
COPPA is platform-agnostic. While new technologies may indeed present 
unique challenges and opportunities for ``enhancing parental 
involvement'' in the online activities of children, it should be 
uncontroversial and clear to everyone that COPPA applies to any 
technology that facilitates the ``collection'' of personal information 
over the Internet (which, again, means not only collection by operators 
for advertising or other purposes but also simply enabling users to 
make personal information publicly available). This is simply the plain 
reading of the statute. COPPA defines the key term ``Internet'' broadly 
to mean:

        collectively the myriad of computer and telecommunications 
        facilities, including equipment and operating software, which 
        comprise the interconnected world-wide network of networks that 
        employ the Transmission Control Protocol/Internet Protocol, or 
        any predecessor or successor protocols to such protocol, to 
        communicate information of all kinds by wire or radio.\49\
---------------------------------------------------------------------------
    \49\ 15 U.S.C.  6501(6).

---------------------------------------------------------------------------
    In its 1999 COPPA rulemaking, the Commission declared that:

        The proposed Rule's definition of ``Internet'' made clear that 
        it applied to the Internet in its current form and to any 
        conceivable successor. Given that the technology used to 
        provide access to the Internet will evolve over time, it is 
        imperative that the Rule not limit itself to current access 
        mechanisms.\50\
---------------------------------------------------------------------------
    \50\ Children's Online Privacy Protection Rule, 64 Fed. Reg. 
59,888, 59,891 (Nov. 3, 1999), available at www.ftc.gov/os/1999/10/
64fr59888.pdf.

    The Commission rejected a commenter's suggestion that the agency 
``clarify that the definition `clearly includes networks parallel to or 
supplementary to the Internet such as those maintained by the broadband 
providers . . . [and] intranets maintained by online services which are 
either accessible via the Internet or have gateways to the Internet.''' 
The Commission concluded that its ``definition of `Internet' was 
[already] sufficiently broad to encompass such services and adopts that 
definition in the final Rule.\51\ The Commission has subsequently 
incorporated this language into its FAQ, which serves as its primary 
interpretive guide for those interested in understanding application of 
the rule (especially small site operators):
---------------------------------------------------------------------------
    \51\ Id.

        The Rule's Statement of Basis and Purpose makes clear that the 
        term Internet is intended to apply to broadband networks, as 
        well as to intranets maintained by online services that either 
        are accessible via the Internet, or that have gateways to the 
        Internet.\52\
---------------------------------------------------------------------------
    \52\ Federal Trade Commission, Frequently Asked Questions about the 
Children's Online Privacy Protection Rule, Question 6 (``What types of 
online transmissions does COPPA apply to?''), www.ftc.gov/privacy/
coppafaqs.shtm.

    As a matter of statutory construction, this interpretation is 
probably correct and would probably receive deference from a court 
under the Chevron doctrine if challenged.\53\ This interpretation would 
allow the FTC to apply COPPA's requirements to services like text 
messaging and Massively Multiplayer Online (MMO) games like World of 
Warcraft and Second Life that are ``accessible via the Internet,'' 
regardless of the device used to access them.
---------------------------------------------------------------------------
    \53\ Chevron U.S.A., Inc. v. Natural Res. Defense Council, Inc., 
467 U.S. 837 (1984) (required Federal courts to defer to an agency's 
interpretation of a statute, so long as the interpretation was 
``reasonable'').
---------------------------------------------------------------------------
2. The FTC Should Promote Flexibility in COPPA Compliance
    The FTC should take into consideration the unique challenges and 
opportunities raised by new devices and services in deciding how to 
implement COPPA. Alternative means of establishing verifiable parental 
consent may work much better for the technologies, devices, and 
services of tomorrow, and the FTC will probably hear in great detail 
about this issue at its roundtable and in comments filed in response to 
its Implementation Review. In deciding how to respond to those 
suggestions, the FTC should aim to maximize the flexibility available 
to online operators to comply with COPPA, and to simplify the process 
wherever possible for parents and children. Where parents have already 
given effective consent for their children to use a particular 
service--for example, by paying for a text message plan as part of the 
monthly service for a cell phone--there may be no need to impose 
additional requirements because COPPA's goal of ``enhancing parental 
involvement'' through parental consent has already been achieved. More 
granular controls (say, blocking texting to a particular number) may be 
quite valuable to parents but they are probably beyond the purview of 
COPPA and, in any event, are already being offered by many service 
providers in response to parental demand.\54\ This suggests the 
marketplace is already working to empower parents, which is, after all, 
COPPA's primary purpose.
---------------------------------------------------------------------------
    \54\ See, e.g., Verizon Wireless, Usage Controls, https://
wbillpay.verizonwireless.com/vzw/nos/uc/uc_home.jsp (describing 
parental control tools available to parents including blocking numbers, 
time restrictions and usage filters); https://
wbillpay.verizonwireless.com/vzw/nos/uc/uc_content_filter.jsp (content 
filters); see generally http://parentalcontrolcenter.com/#_self; http:/
/www.wireless.att.com/learn/articles-resources/parentalcontrols/
index.jsp; http://shop.
sprint.com/en/services/safety_security/parental_control.shtml.
---------------------------------------------------------------------------
    In particular, the FTC could use the discretion afforded to it by 
the statute to certify more ``safe harbor'' operators, whose self-
regulatory guidelines would be deemed to be sufficient to establish 
compliance with COPPA. For example, as children under 13 increasingly 
have their own ever more sophisticated mobile phones,\55\ wireless 
carriers and mobile operating system developers might collaborate on a 
standardized system that requires verifiable parental consent upon the 
initial purchase of a mobile phone service plan or addition of certain 
options, like text messaging or data service but that also provides 
parents control over which applications their children install on their 
phones. Such a system might work by, for instance, giving parents a 
password-protected account upon the initial verification of their 
consent for the service plan, and then allowing them to easily grant 
consent for their children to install applications in the future, keep 
track of those applications for which they have already granted 
consent, access information collected by those applications, review the 
privacy policies of those applications, or revoke their consent as they 
see fit. Such a system is, at least in theory, exactly what 
policymakers should aim to enable, but it may should be required by 
COPPA. The ultimate goal should be to encourage companies to empower 
parents to manage, as easily as possible, their children's 
participation in online activities that could entail the sharing of 
personal information--which is what parents are already demanding in 
the marketplace. But such a highly complex system should be designed 
and managed by the private sector, not the government, and this is 
precisely what the safe harbor program provided for by COPPA would 
allow the FTC to do to the extent consistent with COPPA's scope.
---------------------------------------------------------------------------
    \55\ Amanda Lenhart, Rich Ling, Scott Campbell, Kristen Purcell, 
Teens and Mobile Phones, April 20, 2010, http://www.pewinternet.org/
Reports/2010/Teens-and-Mobile-Phones.aspx.
---------------------------------------------------------------------------
    Concretely, lawmakers might encourage the FTC to issue a call to 
industry for new safe harbor proposals, to work with industry to 
support the development of these proposals, and then perhaps issue a 
consolidated notice about these proposals in order to expedite the 
notice and comment process required by the statute before the agency 
may grant approval to any new safe harbor program. More such 
suggestions will, no doubt, come out of the COPPA Roundtable and 
comments, and Congress should encourage the FTC to heed such 
suggestions.
    Or, the FTC could, as the Implementation Review contemplates, allow 
operators, at least in some circumstances, to use ``an automated system 
of review and/or posting'' to satisfy the existing ``deletion exception 
to the definition of collection.'' \56\ In other words, sites could 
potentially allow children to communicate with each other through chat 
rooms, message boards, and other social networking tools without having 
to obtain verifiable parental consent if they had in place algorithmic 
filters that would automatically detect personal information such as a 
string of seven or ten digits that seems to correspond to a phone 
number, a string of eight digits that might correspond to a Social 
Security number, a street address, a name, or even a personal photo--
and prevent children from sharing that information in ways that make 
the information ``publicly available.'' Such a technology would, of 
course, not be foolproof, and might be circumvented by children smart 
enough to find other ways to share information that the algorithm will 
prevent them from sharing. Yet despite these limitations, the FTC 
should encourage the development of such technologies because they 
could allow sites to meet COPPA's central goal of limiting the sharing 
of information that could allow the contacting or identification of a 
child without going through COPPA's intentionally (or at least, 
necessarily) cumbersome parental consent verification procedures. This 
would benefit kids and operators alike by facilitating communication 
with less risk to children's online privacy or safety.
---------------------------------------------------------------------------
    \56\ COPPA Implementation Review, supra note 5, Question 9a.
---------------------------------------------------------------------------
3. Enhanced Enforcement Is Generally Preferable to Expanded Regulation
    Besides promoting empowerment solutions, the FTC should of course 
be vigilant about a second ``E-word'': enforcement. As a general 
matter, before rushing to change an existing regulatory regime or give 
an agency new powers, Congress should always ask whether the laws on 
the books are being given a chance to succeed. Specifically, Congress 
should consider whether the FTC has the staffing, technological and 
financial resources it needs to enforce COPPA's requirements 
effectively.

4. Education is Vitally Important
    Finally, the FTC should be encouraged--and funded--to make maximum 
use of the final ``E-word'': education. We can and should provide 
parents with more and better tools to make informed decisions about 
media and communications tools in their lives and the lives of their 
children. But technical tools can only supplement--they can never 
supplant--education, parental guidance, and better mentoring. Education 
and mentoring are the most essential part of the solution to concerns 
about online child privacy and safety. We can, and must, do more as 
parents and as a society to guide our children's behavior and choices 
online. The FTC has a track record of great success in this area, 
including:

   OnGuard Online, the website intended to educate all Internet 
        users about online safety

   NetCetera, the FTC's excellent child safety effort

   The ``You Are Here'' virtual mall launched by the FTC last 
        year to educate kids in 5th-8th grade (ages 10-14) about 
        marketing both online and offline.

   AdMongo, a game-tutorial website intended to teach kids 
        about advertising and marketing, both online and offline, to 
        help them become smarter consumers. The service includes a 
        discussion of how information is used for advertising purposes 
        online.

    In addition, Congress could fund a number of grants for educational 
efforts intended to educate kids and parents about online privacy and 
safety. This approach is exemplified by Rep. Wasserman Schultz's 
currently pending ``Adolescent Web Awareness Requires Education Act 
(AWARE Act)'' (H.R. 3630), which would create a education grant program 
to address issues of cybercrime affecting children, including cyber 
bullying, in schools and communities.\57\ Indeed, The ``Protecting 
Children in the 21st Century Act,'' which was signed into law by 
President Bush in 2008 as part of the ``Broadband Data Services 
Improvement Act,'' \63\ required that the Federal Trade Commission 
(FTC) ``carry out a nationwide program to increase public awareness and 
provide education'' to promote safer Internet use and:
---------------------------------------------------------------------------
    \57\ Adolescent Web Awareness Requires Education Act, H.R. 3630, 
111th Cong. (2009), available at www.opencongress.org/bill/111-h3630/
show.

        utilize existing resources and efforts of the Federal 
        Government, State and local governments, nonprofit 
        organizations, private technology and financial companies, 
        Internet service providers, World Wide Web-based resources, and 
        other appropriate entities, that includes: (1) identifying, 
        promoting, and encouraging best practices for Internet safety; 
        (2) establishing and carrying out a national outreach and 
        education campaign regarding Internet safety utilizing various 
        media and Internet-based resources; (3) facilitating access to, 
        and the exchange of, information regarding Internet safety to 
        promote up to-date knowledge regarding current issues; and, (4) 
        facilitating access to Internet safety education and public 
        awareness efforts the Commission considers appropriate by 
        States, units of local government, schools, police departments, 
---------------------------------------------------------------------------
        nonprofit organizations, and other appropriate entities.

    Education-based approaches are vital because they can help teach 
kids how to behave in--or respond to--a wide variety of situations. 
Education teaches lessons and builds resiliency, providing skills and 
strength that can last a lifetime. That was the central finding of a 
blue-ribbon panel of experts convened in 2002 by the National Research 
Council of the National Academy of Sciences to study how best to 
protect children in the new, interactive, ``always-on'' multimedia 
world. Under the leadership of former U.S. Attorney General Richard 
Thornburgh, the group produced a massive report that outlined a 
sweeping array of methods and technological controls for dealing with 
potentially objectionable content and online dangers. Ultimately, 
however, the experts used a compelling metaphor to explain why 
education was the most important strategy on which parents and 
policymakers should rely:

        Technology--in the form of fences around pools, pool alarms, 
        and locks--can help protect children from drowning in swimming 
        pools. However, teaching a child to swim--and when to avoid 
        pools--is a far safer approach than relying on locks, fences, 
        and alarms to prevent him or her from drowning. Does this mean 
        that parents should not buy fences, alarms, or locks? Of course 
        not--because they do provide some benefit. But parents cannot 
        rely exclusively on those devices to keep their children safe 
        from drowning, and most parents recognize that a child who 
        knows how to swim is less likely to be harmed than one who does 
        not. Furthermore, teaching a child to swim and to exercise good 
        judgment about bodies of water to avoid has applicability and 
        relevance far beyond swimming pools--as any parent who takes a 
        child to the beach can testify.\58\
---------------------------------------------------------------------------
    \58\ Computer Science and Telecommunications Board, National 
Research Council, Youth, Pornography, and the Internet (National 
Academy Press, 2002) at 224, www.nap.edu/
openbook.php?isbn=0309082749&page=224.

    Regrettably, we often fail to teach our children how to swim in the 
``new media'' waters. Indeed, to extend the metaphor, it is as if we 
are generally adopting an approach that is more akin to just throwing 
kids in the deep end and waiting to see what happens. Educational 
initiatives are essential to rectifying this situation.

B. Do you agree with the direction the FTC is taking as it reexamines 
        the implementation and effectiveness of COPPA?
    It's still probably too early to say with any certainty what that 
direction is--especially on the eve of the FTC's COPPA Roundtable. In 
general, I am encouraged by the tone of the FTC's official statements 
in this proceeding, and also by the oral statements of FTC staff at 
recent events. They appear to have a healthy understanding of the 
limitations as well as the advantages of COPPA, as well as a healthy 
sensitivity to the potential effects on the competitiveness of the 
landscape for children's content and services.
    I'm particularly encouraged to see that the implementation review 
begins by asking about the ongoing need for the rule, its costs and 
benefits, and its unintended effects. This is precisely the right way 
to begin any inquiry into the implementation of regulations. COPPA has 
undoubtedly succeeded in its primary goal of enhancing parental 
involvement in their child's online activities in order to protect the 
privacy and safety of children online.\59\ Yet these benefits have come 
at a price, since the costs of obtaining verifiable parental consent 
and otherwise complying with COPPA have, on the one hand, discouraged 
site and service operators from allowing children on their sites or 
offering child-oriented content, and, on the other hand, raised costs 
for child-oriented sites. The average cost of compliance may well have 
fallen from the estimate provided to the FTC in 2005 ($45/child),\60\ 
but even substantially lower costs on the order of $5-10 per child 
could represent a significant barrier to entry by sites that must rely, 
as most online sites and services do, on advertising revenues of 
scarcely more than that--and profit margins far less than that--per 
user per year. We must be realistic about these costs and the trade-
offs involved in regulation. At some point, raising the cost of age 
verification for sites is simply no longer worth the marginal benefit 
to enhanced parental involvement and, indirectly, online child privacy 
and safety, because these values must compete with other values of 
parents and children, such as the competitiveness, creativity, 
innovation and diversity in media and tools available to children 
online. COPPA in its current form probably strikes a reasonable 
balance, but as noted above, there may indeed be things that the FTC 
can do to lower the costs of compliance for operators, thus allowing us 
to achieve COPPA's goals at a lower cost to kids and parents in 
foregone content and services. I am also pleased that the 
Implementation Review asks about the need to update the ``sliding 
scale'' of parental consent verification methods and to offer greater 
flexibility to site operators, as noted above.
---------------------------------------------------------------------------
    \59\ See COPPA 2.0, supra note 2 at 11.
    \60\ See Comments of Parry Aftab, Request for Public Comment on the 
Implementation of COPPA and COPPA Rule's Sliding Scale Mechanism for 
Obtaining Verifiable Parental Consent Before Collecting Personal 
Information from Children at 2, June 27, 2005, www.ftc.gov/os/comments/
COPPArulereview/516296-00021.pdf.
---------------------------------------------------------------------------
    But I do worry that the Commission has explicitly invited proposals 
for legislative changes to the statute itself. Two questions from the 
Review are particularly troubling:

        6. Do the definitions set forth in Part 312.2 of the Rule 
        accomplish COPPA's goal of protecting children's online privacy 
        and safety? . . .

        28. Does the commenter propose any modifications to the Rule 
        that may conflict with the statutory provisions of the COPPA 
        Act? For any such proposed modification, does the commenter 
        propose seeking legislative changes to the Act?

    Note that question #6 does not include the critical limitation 
``consistent with the Act's requirements,'' which appears no less than 
17 times in subsequent questions about specific aspects of the current 
rules. Whatever the FTC intended by this omission, when combined with 
question #28, it will be taken as an open invitation by many commenters 
to propose not just changes in how the COPPA rules are implemented, but 
wholesale revisions to the COPPA statute itself.
    Ultimately, it is the responsibility of Congress, not the FTC, to 
make decisions about modifying the statute. If Congress wants an agency 
to spend taxpayer resources evaluating whether a substantial change to 
the agency's statutory authority is warranted, Congress is perfectly 
capable of authorizing, and appropriating funds for, such an inquiry. 
This is precisely what Congress recently did in the Child Safe Viewing 
Act, when it specifically asked the Federal Communications Commission 
(FCC) to prepare a report on online child safety issues.\61\ Similarly, 
the Recovery Act of 2009 charged the FCC with preparing a national 
broadband plan.\62\ Or, where less substantial statutory changes are at 
issue, the Congressional Committee with jurisdiction could request that 
an agency prepare a report to advise that committee. But as a general 
matter, regulatory agencies should not be in the business of 
reassessing the adequacy of their own powers, since the natural impulse 
of all bureaucracy is to grow, and it is through our elected 
representatives in Congress, not regulatory agencies--even those with 
the best of intentions--that ``We People'' are ultimately represented 
in deciding how to regulate the online (and offline) world.\63\
---------------------------------------------------------------------------
    \61\ Child Safe Viewing Act, S. 602, 110th Cong. (2007).
    \62\ American Recovery and Reinvestment Act of 2009, Pub. L. No. 
111-5, 123 Stat. 115 (2009) (codified at 47 U.S.C. 1305) (``2009 
Recovery Act''); see also, A National Broadband Plan for Our Future, GN 
Docket No. 09-51, Notice of Inquiry, 24 FCC Rcd. 4342 (2009) (``NOI'').
    \63\ See, e.g., Super-Sizing the FTC & What It Means for the 
Internet, Media & Advertising, PFF Briefing, at 22-23, April 16, 
www.pff.org/issues-pubs/pops/2010/pop17.6-transcript.pdf.
---------------------------------------------------------------------------
    Finally I was surprised not to find a single mention of the word 
``education'' in the FTC's Implementation Review Request for Comments. 
As explained above, just about everyone involved in debates about 
online child safety and privacy would agree that the solution begins 
with education--even if it doesn't end there. One might have thought 
the FTC would ask about whether effective implementation of COPPA's 
goals required more education efforts rather than (or perhaps in 
combination with) ``stronger'' regulations. Again, a layered approach 
of education, empowerment and enforcement is the best way to enhance 
the privacy and safety of children online, but education is truly the 
key.

Related PFF Publications
    Written Testimony to the Senate Committee on Commerce, Science, and 
Transportation's Subcommittee on Consumer Protection on ``An 
Examination of Children's Privacy: New Technologies & the Children's 
Online Privacy Protection Act'', April 29, 2010.
    COPPA 2.0: The New Battle over Privacy, Age Verification, Online 
Safety & Free Speech, Berin Szoka & Adam Thierer, Progress on Point 
16.11, May 2009.
    Written to Maine Legislature on Act to Protect Minors from 
Pharmaceutical Marketing Practices, LD 1677, Berin Szoka, March 4, 
2010.
    Parental Controls & Online Child Protection: A Survey of Tools & 
Methods, Adam Thierer, Special Report, Version 4.0, Fall 2008.
    Five Online Safety Task Forces Agree: Education, Empowerment & 
Self-Regulation Are the Answer, Adam Thierer, Progress on Point 16.13, 
July 8, 2009.
    The Perils of Mandatory Parental Controls and Restrictive Defaults, 
Adam Thierer, Progress on Point 15.4, April 11, 2008.
    Written Testimony to House Committee on the Judiciary on Cyber 
Bullying and other Online Safety Issues for Children, Berin Szoka & 
Adam Thierer, Sept. 30, 2009.
    Privacy Trade-Offs: How Further Regulation Could Diminish Consumer 
Choice, Raise Prices, Quash Digital Innovation & Curtail Free Speech, 
Comments of Berin Szoka to FTC Exploring Privacy Roundtable, Nov. 2009.
    Privacy Polls v. Real-World Trade-Offs, Berin Szoka, Progress 
Snapshot 5.10, Oct. 2009.
    Online Advertising & User Privacy: Principles to Guide the Debate, 
Berin Szoka & Adam Thierer, Progress Snapshot 4.19, Sept. 2008.
    Targeted Online Advertising: What's the Harm & Where Are We 
Heading?, Berin Szoka & Adam Thierer, Progress on Point 16.2, April 
2009.
    How Financial Overhaul Could Put the FTC on Steroids & Transform 
Internet Regulation Overnight, Berin Szoka, Progress Snapshot 6.7, 
March 2010.

                                 ______
                                 
                               Attachment
                     Do Smart Phones = Smart Kids?

  The Impact of the Mobile Explosion on America's Kids, Families, and 
                                Schools

                    A Common Sense Media White Paper

                     April 2010/Common Sense Media

    Mobile technology is dramatically changing life for all of us, but 
especially for the earliest adopters of all things digital--our kids. 
Mobile phones and devices give kids many new opportunities for 
entertainment, engagement, and creativity, and make it easier to stay 
connected--including with mom and dad. Unfortunately, the 24/7 access-
anywhere world of mobile also makes parenting even more complicated, 
and many adults worry about the growing challenge of managing the 
content, applications, and connections kids now have at their 
fingertips.
    In 1983, the first cell phones weighed 28 ounces, measured 10 
inches high, and sold for thousands of dollars. Today's mobile phones 
are often smaller than a deck of cards, weigh less than four ounces, 
and are often free as part of a one- or two-year contract. 
Increasingly, they offer touchscreens, GPS navigation, music, video, 
cameras, e-mail, and Internet browsing, not to mention the ability to 
download hundreds of thousands of applications and games.
    In 1985, there were about 200,000 cell phone subscribers in the 
United States. Today, there are more than 286 million subscribers,\1\ 
and nearly nine in 10 (87 percent) Americans own a cell phone.\2\ More 
than 50 million of them own smartphones and wireless enabled PDAs.\3\ 
In addition, purchases of WiFi-enabled devices such as cameras, game 
players, and media players, are expected to increase from 108 million 
in 2009 to 177 million in 2013.\4\
---------------------------------------------------------------------------
    \1\ http://www.ctia.org/media/press/body.cfm/prid/1936.
    \2\ http://www.marketingcharts.com/interactive/employment-age-top-
factors-in-cell-phone-pda-use-9678/.
    \3\ http://www.ctia.org/media/press/body.cfm/prid/1936.
    \4\ http://www.instat.com/press.asp?ID=2694&sku=IN0904521WBB.
---------------------------------------------------------------------------
    Increasingly, these handheld devices are becoming miniature 
computers, enabling users to access information and resources from 
anywhere. One sign of this change is the growth of mobile 
applications--2.3 billion apps were downloaded in the past year alone, 
and more than five billion will be downloaded per year by 2014.\5\
---------------------------------------------------------------------------
    \5\ http://news.softpedia.com/news/Five-Billion-Mobile-Apps-
Downloaded-by-2014-130189.shtml.
---------------------------------------------------------------------------
Mobile Kids
    In 2004, 45 percent of teens had a cell phone; by 2009, it was 75 
percent.\6\ The fastest growth has been among younger teens:
---------------------------------------------------------------------------
    \6\ http://www.pewinternet.org/Reports/2009/14_Teens-and-Mobile-
Phones-Data-Memo.aspx.

   In 2004, just 18 percent of 12 year olds had a cell phone, 
---------------------------------------------------------------------------
        compared to 64 percent of 17 year olds.

   In 2009, 58 percent of 12 year olds had a cell phone, 
        compared to 83 percent of 17 year olds.\7\
---------------------------------------------------------------------------
    \7\ http://www.pewinternet.org/Reports/2010/Social-Media-and-Young-
Adults.aspx.

    Mobile phone usage is also growing rapidly among younger children. 
Twenty percent of U.S. children ages 6-11 currently own a cell phone, 
up from 11.9 percent of children in 2005.\8\
---------------------------------------------------------------------------
    \8\ http://www.npd.com/press/releases/press_080625.html.

   U.S. teens (ages 13 to 17) send or receive an average of 
        3,146 text messages a month, and kids 12 and under send 1,146 
        texts per month.\9\
---------------------------------------------------------------------------
    \9\ http://blog.nielsen.com/nielsenwire/online_mobile/under-aged-
texting-usage-and-actual-cost/.

   More than a third of teens download ringtones, IM, or use 
---------------------------------------------------------------------------
        the mobile web.

   About a quarter download games and applications.

   16 percent use location-based services on their phones.\10\
---------------------------------------------------------------------------
    \10\ http://blog.nielsen.com/nielsenwire/online_mobile/breaking-
teen-myths/.




Other Digital Devices
    Most teens use computers to go online, but increasingly, they're 
also going online with their mobile devices.

   27 percent of teen cell phone users use their phone to go 
        online.

   24 percent of teens with a game console (like a PS3, Xbox or 
        Wii) use it to go online.

   19 percent of teens with a portable gaming device use it to 
        go online.\11\
---------------------------------------------------------------------------
    \11\  http://www.pewinternet.org/Reports/2010/Social-Media-and-
Young-Adults.aspx.

    Just over half of teens (51 percent) own a portable gaming device 
like a PSP or a Gameboy. Younger teens are more likely to have them (66 
percent of 12-13 year olds, compared to 44 percent of 14-17 year 
olds).\12\ Kids can use these devices to download TV shows and movies, 
surf the web, listen to music, and send instant messages.\13\ 
Similarly, while the iPod Touch is not a smartphone, it enables users 
to text, access the web, and download apps. Sixty-five percent of iPod 
Touch users are 17 or younger.\14\
---------------------------------------------------------------------------
    \12\ http://www.pewinternet.org/Reports/2010/Social-Media-and-
Young-Adults.aspx.
    \13\ http://us.playstation.com/psp/fullfeatured/index.htm.
    \14\ AdMob--January 2010 Mobile Metrics Report. http://
metrics.admob.com/.
---------------------------------------------------------------------------
How Kids Are Using Mobile Tech
The Good News
    A variety of recent studies have shown that integrating technology 
into schools can boost achievement in mathematics, literacy, and 
reading.\15\
---------------------------------------------------------------------------
    \15\ http://www.iste.org/Content/NavigationMenu/Advocacy/Policy/
59.08-PolicyBrief-F-web.pdf.

   In four North Carolina schools in low-income neighborhoods, 
        9th- and 10th-grade students were given smartphones and special 
        software to help with their algebra studies. They used the 
        phones for a variety of tasks, including recording themselves 
        solving problems and posting the videos to a private social 
        networking site for their classmates. Students with the phones 
        performed 25 percent better on the end-of-the-year algebra exam 
        than students without the devices in similar classes.\16\
---------------------------------------------------------------------------
    \16\ http://www.nytimes.com/2009/02/16/technology/
16phone.html?_r=1.

   A new study in the U.K. found that text messaging helped 
        children develop ``phonological awareness'' which is key to 
        learning how to spell. The kids who text more often (especially 
        those who use abbreviations such as ``plz'' or ``4ever'') 
        showed higher scores on spelling exams. Researchers also found 
        that kids who received mobile phones at younger ages were 
        better at reading words and identifying patterns of sound in 
        speech.\17\
---------------------------------------------------------------------------
    \17\ http://www.britac.ac.uk/news/news.cfm/newsid/14.

   Teachers in Escondido Union School District in California 
        are exploring the use of iPods to improve student reading. 
        Students can record and then hear themselves reading, which 
        helps them work on fluency and comprehension. Teachers can 
        import student recordings and create time-stamped digital 
        portfolios to track progress. Data from a group of fourth-
        graders has found that using iPods to practice reading resulted 
        in more rapid improvement rates compared with a control 
        classroom.\18\
---------------------------------------------------------------------------
    \18\ See Appendix A_http://www.joanganzcooneycenter.org/pdf/
pockets_of_potential.pdf.

    More generally, there are a number of ways that mobile devices can 
---------------------------------------------------------------------------
improve education:

   Mobile devices allow students to gather, access, and process 
        information outside the classroom, and can help bridge school, 
        afterschool, and home environments.

   Because of their relatively low cost, handheld devices can 
        help level the digital playing field, reaching and inspiring 
        children from economically disadvantaged communities.

   Mobile devices can support personalized learning 
        experiences, and adapt to the individual needs of learners.\19\
---------------------------------------------------------------------------
    \19\ http://www.joanganzcooneycenter.org/pdf/
pockets__of_potential.pdf.
---------------------------------------------------------------------------
The Bad News
Cyberbullying
    43 percent of kids admit to being cyberbullied, but only 10 percent 
tell someone about it.
    Cyberbullying is when someone repeatedly harasses, mistreats, or 
makes fun of another person online or while using cell phones or other 
electronic devices.

   Cyberbully 411 reports that 40 percent of kids say they were 
        cyberbullied through instant messenger services; 30 percent 
        said it happened on social networking sites; 29 percent said it 
        happened while playing online games.

   Cyberbullying is especially prevalent in middle school-aged 
        kids (9-14).\20\
---------------------------------------------------------------------------
    \20\ http://www.commonsensemedia.org/protecting-kids-cyberbullying.
---------------------------------------------------------------------------
Sexting
    22 percent of teen girls (ages 13-19) say they have sent nude or 
semi-nude photos or video of themselves, either online or via text 
messages.

   Messages are even more prevalent than images. Thirty-nine 
        percent of teen boys and girls say they have sent sexually 
        suggestive messages (text, e-mail, IM), and 48 percent of teens 
        say they've received them.

   Kids who sext may face criminal charges for child 
        pornography or other violations, and could be required to 
        register as sex offenders.\21\
---------------------------------------------------------------------------
    \21\ http://www.thenationalcampaign.org/sextech/PDF/
SexTech_Summary.pdf.
---------------------------------------------------------------------------
Distracted Driving
    In 2007, AAA reported that 21 percent of fatal car crashes 
involving teens between the ages of 16 and 19 were the result of cell 
phone usage.
    According to the National Highway Traffic Safety Administration, in 
2008 there were 5,870 fatalities and an estimated 515,000 injuries in 
police-reported crashes involving driver distraction, and the highest 
incidence of distracted driving occurs in the under-20 age group.\22\
---------------------------------------------------------------------------
    \22\ http://www.nhtsa.dot.gov/staticfiles/DOT/NHTSA/NRD/Multimedia/
PDFs/Human%20Factors/Reducing%20Unsafe%20behaviors/811216.pdf.

   34 percent of texting teens ages 16-17 say they have texted 
---------------------------------------------------------------------------
        while driving.

   52 percent of cell-owning teens ages 16-17 say they have 
        talked on a phone while driving.\23\
---------------------------------------------------------------------------
    \23\ http://pewinternet.org/Reports/2009/Teens-and-Distracted-
Driving.aspx.
---------------------------------------------------------------------------
Cheating
    More than 35 percent of teens with cell phones admit to using their 
cell phones to cheat.
    Kids have always found ways to cheat in school, but now they have 
more powerful tools.

   45 percent of teens say texting friends about answers during 
        tests is a serious cheating offense, but 20 percent say it's 
        not cheating at all.

   69 percent of schools have policies that don't permit cell 
        use, but more than half of all kids ignore them.\24\
---------------------------------------------------------------------------
    \24\ http://www.commonsensemedia.org/cheating-goes-hi-tech.
---------------------------------------------------------------------------
Location-Based Technology
Mobile phones with GPS capabilities can expose a kid's exact location. 
        Many new programs and apps have been developed that allow kids 
        to announce their physical whereabouts. This creates physical 
        safety concerns.
    If a kid shares location info to ``friends,'' that information can 
be passed along to unintended audiences. Privacy concerns are also a 
huge issue. Marketers use geolocation technology to target kids with 
promotions. A child's purchasing habits will be registered and personal 
data collected. Location-based technology raises several critical 
questions and concerns:

   Should mobile geolocation data, persistent IP addresses, and 
        other identifying information be protected for children under 
        age 13--in the same way that name, age, gender, and address 
        information are protected today?

   Do teens understand how their personally identifying 
        information will be used, and do they need additional 
        protections?

   Will this identifying information be used to target kids and 
        teens with new behavioral advertising and marketing campaigns?
Balancing the Good and Bad
    Mobile phones and devices can bring new educational and creative 
opportunities for children. They can also bring increased distractions, 
and decreased privacy. But whether their impact is positive or 
negative, mobile phones and portable digital devices are not going 
away. As parents, teachers, industry leaders, and policymakers we must 
take steps to ensure that kids can access the benefits of mobile 
technology and digital media, while protecting them from potential 
negative consequences.

What Parents Can Do

   Think carefully about whether--and when--your kids need 
        mobile phones and devices, and what phone capabilities, like 
        cameras and texting, are appropriate for their age. Make sure 
        your kids know your rules about when, how, and how often to use 
        them.

   Know the new ways that kids use mobile phones, including 
        creating, accessing, and distributing video, and downloading 
        apps and games. If you don't know what they're doing, you won't 
        be able to set the rules.

   Talk with your kids about privacy and the ways that mobile 
        phones and location-based services can give out their personal 
        information.
What Educators Can Do

   Teach Digital Literacy and Citizenship in K-12 schools, so 
        that all kids learn how to use digital--and mobile--devices in 
        smart, effective, and responsible ways.\25\
---------------------------------------------------------------------------
    \25\ For more information, see the Common Sense Media Digital 
Literacy and Citizenship Whitepaper at http://www.commonsensemedia.org/
about-us/public-leadership.

   Establish clear rules about when, where, and how students 
        can--and cannot--use mobile phones and devices at school, and 
        encourage dialogue about why mobile use needs to be limited and 
---------------------------------------------------------------------------
        responsible.

   Encourage innovative approaches to using mobile devices to 
        expand positive opportunities for learning, creativity, and 
        communication.

What Industry Can Do

   Take increased responsibility for the programs and apps they 
        distribute.

   Use the same tech innovations that let kids access programs 
        and platforms to enable parents to access tools that help them 
        manage their kids' use of mobile devices.

   Develop better parent controls for mobile devices, and make 
        them easier for parents to understand and use.

   Enable parents to access independent ratings and parent 
        advice through mobile devices--for mobile apps and all the 
        other services that kids can now access.

What Policymakers Can Do

   Build digital literacy and citizenship programs in schools 
        and communities, including professional development for 
        educators, and a new Digital Literacy Corps.

   Update the Children's Internet Protection Act (CIPA) and 
        other legislation to reduce barriers to students using personal 
        mobile devices on school networks, so that schools can decide 
        how to set rules that encourage learning in school, at home, 
        and in between.

   Outlaw texting while driving by all drivers and any use of 
        cell phones by teen drivers.

   Update the Children's Online Privacy and Protection Act 
        (COPPA) to address mobile technology and ensure that children's 
        privacy is protected on all media platforms.

    Mobile phones and devices are becoming mini-computers that enable 
kids to access every portal and platform of the digital world--from 
home, school, or any place in between. Mobile devices and digital media 
are changing the ways that kids live and learn--and the changes can 
create opportunities and pose potential dangers.
    Kids today are growing up in a mobile, digital world, and we need 
to give them the digital literacy skills and judgment to access the 
benefits--and avoid the dangers--of this world. smart phones will 
change kids' lives. we all share a responsibility for making sure the 
changes are positive.

Who We Are
    Common Sense Media is dedicated to improving the lives of kids and 
families by providing the trustworthy information, education, and 
independent voice they need to thrive in a world of media and 
technology.
    More than 1.3 million people visit the Common Sense website every 
month for age-appropriate media reviews and parenting advice. Tens of 
millions more access our advice and information through our 
distribution partnerships with leading companies like Comcast, DirecTV, 
Time Warner Cable, Cox Communications, Facebook, Yahoo, Google, Apple, 
Disney, Netflix, Barnes & Noble, Best Buy, and others.
Common Sense Media Board of Directors
    Rich Barton, Chairman and CEO, Zillow.com
    Marcy Carsey, Founding Partner, Carsey-Werner Productions
    Chelsea Clinton, Columbia University
    James Coulter, Founding Partner, TPG
    Geoffrey Cowan, University Professor, The Annenberg School for 
      Communication at USC
    April Delaney, President, Delaney Family Fund
    John H.N. Fisher, Managing Director, Draper Fisher Jurvetson
    Lycia Carmody Fried, Community Volunteer
    Thomas J. Holland, Partner, Bain & Company, Inc.
    Gary E. Knell, President and CEO, Sesame Workshop
    Robert L. Miller, President and CEO, Miller Publishing Group
    William S. Price, III (Chair), President, Classic Wines, LLC
    Jesse Rogers, Managing Director, Golden Gate Capital
    Susan F. Sachs, Partner, Establishment Capital Partners
    James P. Steyer, Founder and CEO, Common Sense Media
    Gene Sykes, Managing Director, Goldman, Sachs & Co.
    Todor Tashev, Director, Omidyar Network
    Deborah Taylor Tate, Former FCC Commissioner
    Michael Tollin, Founding Partner, Tollin Productions
    Eugene Washington, MD, Dean, UCLA Medical School
    Lawrence Wilkinson (Vice Chair), Co-Founder, Oxygen Media and 

Global Business Network
Board of Advisors
    Aileen Adams, Chair, The Women's Foundation of California
    Larry Baer, Chief Operating Officer, San Francisco Giants
    Richard Beattie, Chairman, Simpson Thacher & Bartlett LLP
    Angela Glover Blackwell, Founder and CEO, PolicyLink
    Geoffrey Canada, Founder and President, Harlem Children's Zone
    Ramon Cortines, Superintendent, Los Angeles Unified School District
    Yogen Dalal, Managing Director, The Mayfield Fund
    Steve Denning, Founding Partner, General Atlantic Partners
    Susan Ford Dorsey, President, Sand Hill Foundation
    Millard Drexler, Chairman and CEO, J. Crew
    Ezekiel Emanuel, MD, PhD; Chair, Department of Clinical Bioethics, 
       The National Institutes of Health
    Robert Fisher, Director, GAP Inc.
    Arjun Gupta, Founder & Managing Partner of TeleSoft Partners
    F. Warren Hellman, Founding Partner, Hellman & Friedman
    James Herbert II, President and CEO, First Republic Bank
    David Hornik, Partner, August Capital
    Omar Khan, President, Insight Strategy & Logic (ISL), Web Site 
       Design
    David Lawrence Jr., President, The Early Childhood Initiative 
       Foundation
    Nion McEvoy, Chairman and CEO, Chronicle Books
    Nell Minow, Founder, The Corporate Library and Movie Mom
    Newton Minow, Counsel, Sidley, Austin and Brown; Former FCC 
       Chairman
    James Montoya, Senior Vice President, The College Board
    Becky Morgan, President, Morgan Family Foundation
    Nancy Peretsman, Managing Director, Allen & Company Inc.
    Philip Pizzo, MD, Dean, Stanford University School of Medicine
    George Roberts, Founding Partner, Kohlberg Kravis Roberts & Co.
    Carrie Schwab Pomerantz, President, Charles Schwab Foundation
    Alan Schwartz, CEO, Guggenheim Partners
    Marshall Smith, Senior Adviser, Department of Education
    Thomas Steyer, Founding Partner, Farallon Capital
    Robert S. Townsend, Partner, Morrison & Foerster LLP
    Laura Walker, President, WNYC Radio
    Alice Waters, Founder, Chez Panisse and Chez Panisse Foundation
    Robert Wehling, Founder, Family Friendly Programming Forum; Former 
       CMO, Procter & Gamble
    Tim Zagat, Co-Founder and Co-Chair, Zagat Survey

Board of Policy Advisors
    Angela Glover Blackwell, Founder and CEO, PolicyLink
    Dr. Milton Chen, Executive Director, The George Lucas Educational 
       Foundation
    Michael Cohen, CEO, The Michael Cohen Group
    Dr. Jeffrey Cole, Director, Center For The Digital Future
    Ramon Cortines, Superintendent, Los Angeles Unified School District
    Ezekiel Emanuel, MD, PhD; Chair, Department of Clinical Bioethics, 
The National Institutes of Health
    Ellen Galinsky, Co-Founder and President, Families and Work 
Institute
    Andrew Greenberg, President, Greenberg Qualitative Research, Inc.
    Denis Hayes, President, The Bullitt Foundation
    Dr. Donald Kennedy, President Emeritus, Stanford University; 
Editor-in-Chief, Science Magazine
    David Lawrence Jr., President, The Early Childhood Initiative 
Foundation
    Wendy Lazarus, Co-Founder and Co-Director, The Children's 
Partnership
    Christopher Lehane, Political Communications Expert
    Laurie Lipper, Co-Founder and Co-Director, The Children's 
Partnership
    Philip Pizzo, MD, Dean, Stanford University School of Medicine
    Dr. Alvin Poussaint, Prof. of Psychiatry, Harvard Medical School; 
Dir. of Media, Judge Baker Children's Center
    Thomas Robinson, MD, Associate Professor of Pediatrics and 
Medicine, Stanford University
    Theodore Shaw, Professor, Columbia University
    Marshall Smith, Senior Adviser, Department of Education