February 29, 2024
Before the
Federal Trade Commission
Washington, D.C.
COPPA Rule Review, 16 CFR part 312, Project No. P195404
We appreciate the opportunity to offer feedback on the FTC's examination of its COPPA Rule aimed at safeguarding children's online privacy. As emergency remote learning—spurred on by the COVID-19 pandemic—altered the scope and duration of how children interact with online services, it's imperative to modernize the COPPA Rule so it may effectively address emerging privacy threats.
We are a group of academic researchers working on the application and impact of educational technologies on student privacy. We write to encourage the Commission to take specific steps to protect and study children’s privacy online, drawing on our collective experience in computer science. In fact, our research focuses on the privacy risks students face when they use school-sponsored educational technologies inside and outside the classroom. We encourage further questions and engagement with the Commission’s staff to provide additional details and clarifications, and answer any questions.
Responding to question 12, it would be more advantageous for privacy researchers and parents alike to have the information posted within the online notice (§ 312.4(d)) rather than the direct notice required under § 312.4(c). Placing details about third-party sharing in the online notice offers several benefits. Firstly, an online platform provides a centralized and easily accessible location for comprehensive information, allowing researchers and parents to efficiently analyze and compare privacy practices across multiple operators. This approach aligns with the contemporary trend of digital transparency, empowering children and their parents to make informed decisions about their privacy. Furthermore, required third-party disclosure in the online notice enhances the longevity and accessibility of the information, ensuring that researchers can reference and track changes over time, contributing to a more robust and insightful analysis of privacy practices in the digital landscape.
Indeed, one of our studies focused on assessing privacy risks in K-12 schools,[1] and our research methodology showcased the effectiveness of relying on online disclosures. By capitalizing on a parallel online disclosure scenario, where many schools disclose online the technology vendors they use, we employed a sophisticated web scraper to systematically gather information about the educational technologies that may be in use by various schools. This research was facilitated by schools openly sharing details about the educational technologies they endorse on dedicated webpages, sometimes mandated by state law, such as in the case of public schools in Illinois.[2] Although we were able to create a scraper to collect data on technologies used in schools in our work, the legal requirement for these schools to disclose information on the technologies they utilize through an online notice would have streamlined the process and enabled future audits more easily. This work suggests that having standardized online notices about how a website is meeting COPPA requirements could be a valuable resource for comprehensive and insightful research on how websites are enacting these newly proposed COPPA rules when they come into effect.
Responding to question 14, we strongly support the proposal for separate consent mechanisms because it aligns with and substantiates the imperative for a more deliberate and transparent approach to children's privacy. Our qualitative research interviewing school officials[3] underscores the significance of this separation, particularly in the school setting. We found that parents often provide consent for their children to use educational technology in a context where it is buried among various back-to-school forms, diminishing the clarity and awareness of the consent process. Introducing a separate and distinct form that explicitly outlines the optional nature and consequences of data disclosure would address this issue. A dedicated form would serve as a valuable tool in ensuring that parents are well-informed about the specific implications of data disclosure, fostering a more transparent and meaningful consent process in line with the Commission's objective under § 312.5(a)(2). Indeed, it is reasonable to assume that the separate consent mechanism would analogously have the same benefits when a child wants to use an online service outside of the classroom context.
Furthermore, the consent mechanism for disclosure should be offered at a different time and/or place than the mechanism for the underlying collection and use. Previous research by McDonald and Cranor[4] has shown that privacy policies tend to be lengthy and filled with dense “legalese”, suggesting that an average individual would need to spend 244 hours a year to read the privacy policies of the websites they visit. Applying this insight to parental consent notices, it becomes evident that a separate disclosure notice becomes not just practical but crucial. By providing a distinct notice for data disclosure, parents are afforded a more manageable and understandable framework for comprehending the intricacies of how their child’s data is utilized, offering a reasonable alternative to the challenging task of deciphering dense, data-related language within an extensive document. Thus, a separate consent mechanism for disclosure supports the broader goal of promoting informed decision-making around children’s privacy.
Lastly, § 312.5(a)(2) ought to require operators to explicitly state which disclosures are integral to the nature of the website or online service. This transparency is essential to prevent any potential exploitation through information asymmetry. For example, parents may be sophisticated enough to understand that their child's calculator app does not need location data to perform arithmetic. The laws of mathematics do not change based on one's location. However, the intricacies of sophisticated online platforms can obfuscate what disclosures are integral versus optional. Without clear delineation, there exists a risk of users unwittingly providing consent to a broader range of disclosures than they may have intended. By mandating that operators specify what disclosures are inherent to the nature of their service, the Rule adds a crucial layer of protection, empowering users to make informed decisions about the extent to which their personal information is shared. This measure not only aligns with the principles of user autonomy and privacy, but also serves as a deterrent against any deceptive practices that might otherwise compromise users' data privacy. One caveat from our own work in this space is that despite notices, many parents may still not fully comprehend the ramifications of their consent choices on their children’s data, but clearer and more manageable information chunks will still improve the current state of disclosures.
* * *
As children's lives become more intertwined with technology, it is essential for the FTC's COPPA Rule to adapt and align with the fundamental statutory goal of COPPA—empowering parents with complete authority over their children's personal information. The implementation of robust, efficient, and effective notice and consent mechanisms undergirds the realization of COPPA’s goal.
Respectfully submitted,
Jake Chanenson*
PhD Student, Department of Computer Science, University of Chicago
Madiha Zahrah Choksi
PhD Student, Department of Computer and Information Science, Cornell University
Marshini Chetty
Associate Professor, Department of Computer Science, University of Chicago
* denotes principal comment author
Contact:
Website: https://www.cs.uchicago.edu
Phone: (773) 702-6614
Email: jchanen1@uchicago.edu
[1] Chanenson, J. et al. (2023) ‘Uncovering Privacy and Security Challenges In K-12 Schools’, in Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems. New York, NY, USA: Association for Computing Machinery (CHI ’23), pp. 1–28. Available at: https://doi.org/10.1145/3544548.3580777.
[2] 105 Ill. Comp. Stat. Ann. 85/27
[3] Supra note 1.
[4] McDonald, A.M. and Cranor, L.F. (2008) ‘The Cost of Reading Privacy Policies’, I/S: A Journal of Law and Policy for the Information Society, 4, p. 543.