Danielle Citron over at Concurring Opinions invited me to write a guest post expanding on a comment I wrote yesterday on her post on the Google Buzz story. I’m reposting it here with more of the links enabled, which got lost in translation:
Google’s new social networking service, Google Buzz, has obviously been all over the news lately, in part for various complaints about Google’s privacy practices. Those complaints have focused on the way in which Buzz, enrollment in which was automatic for Gmail users, initially defaulted to effectively sharing users’ email contacts with the public. EPIC has filed a complaint with the FTC arguing that this combination of automatic enrollment and “opt-out” of information-sharing was an unfair or deceptive trade practice in violation of Section 5 of the FTC Act.
But that’s not what caught my attention in Danielle’s post. What really set off alarm bells in my head was Danielle’s recounting how her children and their friends, all under the age of 13, suddenly had their Gmail accounts turned into Google Buzz accounts, and then proceeded to upload all sorts of information about themselves using the service. That raises the prospect that Google Buzz, by collecting such information without getting the appropriate parental consent, violated the Children’s Online Privacy Protection Act, or COPPA. I haven’t seen any discussion of this issue anywhere else.
COPPA is one of the few privacy statutes with real bite: it has strict rules that require substantial effort to follow, and the FTC has shown itself to be a vigorous enforcer. Indeed, the FTC has gone after two social networking sites for COPPA violations recently, and in one case imposed a fine of $1 million. So is Google violating COPPA? The answer is unclear but there’s definitely risk for Google here.
COPPA regulates the online collection of information from children under the age of 13. It applies to two classes of websites: those that have “actual knowledge” that they are collecting information from children, and those that are “directed to children.” If a website in either category is going to collect personally identifiable information (PII) from children, it first has to get “verifiable consent” from a parent. The FTC uses a “sliding scale” to determine what sort of verifiable parental consent is required; for information that is going to be publicly disclosed, as here, the FTC’s COPPA regulations require something like a mail-in form or a credit card.
It’s clear that Google has been collecting PII from children and that it hasn’t been getting prior verifiable consent. But it doesn’t need to comply with COPPA if it doesn’t either have actual knowledge or if the site is not directed to children. “Actual knowledge” typically comes about because the site asks for an age or birth date in the registration process—whether or not a human actually looks at it, the site will have “actual knowledge” if a user provides a birth date that is less than 13 years ago. This is in fact the most common vector for COPPA violations: a site asks for the user’s age, but doesn’t bar the user or get verifiable consent if the user responds that they are less than 13. But Buzz didn’t ask for an age when its users joined, so Google doesn’t appear to have “actual knowledge” of Buzz’s users’ ages. [Update: it occurs to me that Google might very well know that some of its Gmail users are under 13, despite what its terms say (see below). So this could still be a problem for Google.]
Even if Google lacks “actual knowledge,” it might still need to comply with COPPA if Buzz is “directed to children.” Buzz users are Gmail users, and Gmail’s terms appear to bar users under 18:
2.3 You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Google . . . .
But the FTC has taken the sensible position that merely stating a rule barring users under 13 is not enough to avoid COPPA compliance if the rule is not enforced. So we need to look at the definition of “directed to children,” According to the FTC regulations, a website is “directed to children” if it is “a commercial website . . . that is targeted to children,” which is not terribly helpful. The FTC looks at the following factors to determine whether a website is “targeted” at children: “its subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children.” The Commission will also consider empirical evidence concerning who’s using the service, and who the intended audience is.
Buzz doesn’t seem to satisfy many of those factors. There’s not much about the site design that screams out “young children.” The short video promoting Buzz I watched had only adult cartoon figures in it. But focusing on the list of factors ignores the fact that we are talking about a social networking site here, which may be inherently “targeted at children.” Children are drawn to such sites like catnip. It’s worth noting that Facebook has made a different choice than Google: it asks for your age on registering, and bars those under 13. Google would be wise to adopt a similar policy.
I’m not certain the FTC has yet brought a COPPA enforcement action against a company that didn’t have any actual knowledge of users’ ages. As a result, there’s not much to go on in terms of deciding when a site might be found to be “directed to children.” And perhaps an enforcement action is unlikely here. But I’m sure Google doesn’t want to be the test case.