PRIVO Submits Comments to NTIA on Kids Online Health and Safety Request

On November 16, 2023, PRIVO welcomed the opportunity to comment in response to the National Telecommunications and Information Administration (NTIA) - Kids Online Health and Safety Request for Comment. In submitting these Comments, PRIVO was mindful of the Request’s directive that comments supplement, rather than repeat the work of the Task Force, draw out issues for discussion and provide practical solutions and guidance on these issues.

To that end, PRIVO focused its Comments on a common root cause of the many harms that can befall minors online, a single practical solution that can have an outsized benefit over the entire ecosystem if promoted and implemented, and important guidance to parents and educators that the US government should amplify. Our response begins with a brief overview of our compliance programs and technology solutions that are both privacy enhancing and friction reducing with the goals of facilitating companies’ creation of products that minors can benefit from and enjoy online and the appropriate use of those products by minors and families.

Here is an overview of our recommendations:

The Internet is the one place in American society where children and adults interact freely, repeatedly and for long periods of time, without significant adult accompaniment, supervision, chaperoning, buddy systems, or check-in places and times. In the offline world, American families do not simply drop children under 13 off at crowded amusement parks, fairs, Spring Break beaches, or the neighborhood karaoke bar to show off their talent. They do not do so because they fear their child coming under the influence of a “friendly” adult who is in fact grooming the child for physical harm, exploitation and trafficking. They fear their child encountering older minors who might bully them, pick fights with them, or steal their ticket money. They fear their child being exposed to language, sexual activity and alcohol/drug use not appropriate for their age. And, in the case of the karaoke bar, they know that the child will be denied entrance. As children become teenagers, families, while still concerned with the above risks, often allow teens additional freedom consistent with their increased cognitive development and need for independence. However, families typically retain reasonable controls and restrictions such as requiring teens to use buddy systems with similarly-aged siblings and friends and checking in at certain times or places or by cell phone. At the same time, though, parents may allow their children to watch a particular R-rated movie because they disagree with the rating or believe their child is mature enough to be exposed to that content.

The drafters of COPPA recognized these real-world realities and crafted legislation that attempted to balance many competing demands - to facilitate access by children under 13 to the many benefits of the Internet and online services, to support the rights of parents to make informed decisions about and regulate their children’s use of the Internet and online services, and to avoid the overburdening of adults’ use of the Internet and online services that resulted in the invalidation of the Child Online Protection Act of 1988 and that could curtail the economic benefits of the digital economy. Following suit, the FTC crafted its regulations implementing COPPA with a sliding scale that imposes fewer regulatory requirements in situations that pose less risk to children and heavier requirements in situations that present more risk. The drafters of COPPA also recognized that overly restrictive and unchanging regulations would hinder the development of the Internet and online services as well as miss responding to emerging practices and harms. For this reason, COPPA created the Safe Harbor program to encourage third parties to move quickly and innovate parental consent solutions that support the goals of COPPA, subject to review by the FTC.

While the Internet and online services have changed, multiplied and taken on even greater importance in Americans’ lives since the adoption of COPPA, the competing demands that must be satisfied remain largely the same. It remains important to identify solutions that are not so overly restrictive, difficult to comply with or so annoying that users, including the very parents who are seeking to protect their children, actively look for ways to circumvent them, and companies attempting to implement them are hobbled in developing new and innovative sites and services for all, including children. It also remains important to partner with industry to develop the solutions needed.

One solution that can have an out-sized positive impact on the entire online ecosystem is the use of smarter age gates. Age gates are often criticized because they may have been designed in a way that is easy to defeat. They may rely on nothing more than the child’s word as to what their age is. When faced with such an age gate, children often provide their current age and are denied access or at least instant access to the site or service as a result. They then attempt to circumvent the age gate by clearing their browser, switching to another browser, un-installing and re-installing the app or similar tactics. Then, they lie in response to the now-anticipated age-gate question. And, many parents, just as they may do with the R-rated movie, will allow, instruct or facilitate their child circumventing the age gate. They may do this because they want to play a 13+ game with their eight-year child and are not worried about the risks that would normally be associated allowing the child to engage in that activity because the parent will be in the game and able to react to any negative situation. Or, they may do it out of exhaustion with the seemingly unending demands of their child to use the many sites the child is attracted to and wants to access.

What is important to understand, though, is that, unlike allowing a child to view an isolated R-rated movie, when an eight-year-old child (or parent on the child’s behalf) lies to the age gate, they create a profile of an online user who appears to be 13 years old and that profile lives on the Internet long after. The deception may have satisfied the immediate need to reduce the friction of getting the child into an online game that a parent approves of, but it creates a situation where that eight-year-old perpetually appears to be five years older. Having gotten through the age gate, the child may gain access to other games that the parent would not approve of, or the child may be able to leverage its sign on credentials for the game platform to get onto other platforms where the child may be exposed to unmoderated chat, bullying or inappropriate advertising content that the parent did not anticipate when foiling the age gate on the original site or service. What is more, the problem will continue for at least the next five years as the eight-year-old will be able to access 13+ services for five years before reaching 13, at which point, the now 13-year-old may appear to the Internet to be an 18-year-old who should be able to access age-restricted sites and services. Thus, many of the mental health concerns that are presented as harms to teens justifying regulation up to the age of 18 are in fact harms to much younger children who are masquerading as teens. Keeping these younger children off of sites that do not cater to their needs is fundamental.

Instead of giving up on age gates as a sensible way to keep children off of sites intended for teens and adults, or teens off of sites intended for adults, the US government should encourage the development of smarter age gates. Sites that attract children should rely on more than just the child’s word at the age gate as to what their age is. Smart age gates can enforce that result and help mitigate the root cause of so many harms to children by preventing their unfettered access to sites used by people of all ages. They reinforce the common sense protections parents naturally put in place in the offline world and that the drafters of COPPA sought to establish for children’s activities online.

PRIVO has developed age-aware technology to complement its parental consent service and strengthen age gates and entry points using opted-in device-level data to alert sites and services that a child is at their age gate and to prevent children who are turned away from the age gate from simply clearing the browser, changing browsers or re-installing the app to get a second bite at the age gate apple. Parents can enroll the device when they purchase it or hand it down to the child so that sites and services will know that the device is primarily used by a child under a certain age. The US government should encourage online sites and services to begin to interoperate with solutions such as this so that they can be alerted to the fact that a child is on their site or service and take the appropriate action to prevent child access or secure parental consent.

Parents need simple to use solutions to managing the ever increasing number of sites and services that their children will interact with throughout their development, academic careers, and changing interests. Filters already exist that can prevent children from being exposed to pornography online, but they are a cumbersome, partial solutions that parents must seek out and pay for. Online sites and services also need a simpler solution to regulatory compliance than age verifying all sites users. Smarter age gates and innovations like the use of the age-aware device-level data solution that PRIVO has created meet both needs.

Finally, because of the out-sized importance of keeping minors off of sites and services that do not cater to their specific needs, the US government should be providing guidance to parents and educators about the consequences of their decisions to subvert or allow their children to subvert age gates. This guidance should come from multiple sources such as the Department of Education directed to both teachers and educational institutions. Devices provided by educational institutions should be enrolled in programs such as PRIVO’s. Additional guidance should be provided to online operators about the availability of programs such as PRIVO’s and that participating in them should be a best practice and norm to be followed.

PRIVO's complete submission letter can be found here.