Future Tense

13 Going on Old Enough to Share Your Personal Data

Why do users 12 and younger get basic digital data protections than teens and adults don’t?

Teen girl on bed looking at laptop with giant surveillance eyes blinking behind her.
Animation by Lisa Larson-Walker. Photo by Alys Tomlinson/Getty Images.

In the U.S., the restrictions on young people’s power to do “adult” things get lifted at different ages. You get to buy alcohol at 21. When you turn 18, you can vote, get married, enlist in the Army, buy a lottery ticket, and buy a pack of cigarettes. In most states, you can freely consent to sex at 16, as well as register as an organ donor.

And at 13, you can—like the rest of us poor schmucks—share personal data with websites without the authorization of a parent or guardian. Why 13? In the U.S., policymakers deemed kids younger than 13 too naïve, too vulnerable to predatory data practices to be so easily giving away their identifiable info. But what about the rest of us?

Around the turn of the millennium, U.S. law started granting children younger than 13 special protections on the internet. These protections came via the Children’s Online Privacy Protection Act, or COPPA, which Congress passed in 1998 in response to concerns about a child’s ability to fully understand the consequences of giving away personally identifying information—such as first and last name, home address, email address, phone number, or Social Security number—online.

Since the law went into effect in April 2000, it’s required any site collecting this kind of information from an individual younger than 13 to obtain “verifiable parental consent” before doing so. The Federal Trade Commission, which enforces COPPA, suggests various mechanisms for obtaining verifiable consent—including a parental consent form, the required use of a credit or debit card (on the assumption children younger than 13 don’t have credit cards), or the creation of a toll-free phone or teleconference line for parents to call—though it doesn’t mandate a particular process. The law also mandates that moms, dads, and/or guardians be given the option to choose whether their child’s information can be shared with third parties, and to review or delete any information collected on their preteen. Any data collected needs to be kept confidential and secure by the collector, and deleted once no longer necessary for its original purpose (such as when children shut down their profiles). The rules apply whether the website is aimed specifically at kids or not.

The rules represent an attempt to shield innocent children from a Big Bad Internet that wants to exploit them: to commercialize their information, to create comprehensive user profiles, to amass valuable databases, and of course, to sell them things. It’s not to stop them from using the internet. It’s to stop the internet from using them. In practice, however, the law pushed sites like Facebook and YouTube not to obtain parental consent but to set a minimum age to open an account at 13 (kids can still watch YouTube, or have a YouTube Kids profile within their parents account, but they can’t have an account of their own). It’s far easier, and less pricey, to ban junior users from signing up altogether than it is to set up verifiable consent options. Instead, many platforms wait until kids reach the ripe old age of 13 to gain unsupervised access to mine their personal data riches. (Though, as Facebook admits, there’s little they can do to stop preteens from setting up profiles by simply lying—who knew tweens were savvy enough to do get around such a wall?)

Congress, according to an FTC guide to COPPA, only applied these protections to kids age 12 and younger because these younger children were deemed  “particularly vulnerable to overreaching by online marketers and subject to graver safety risk.” (Everyone else, it seemed, would be fine with general consumer protection laws.)

During Mark Zuckerberg’s testimony before the Senate Judiciary and Commerce committees, however, Democratic Sen. Ed Markey, one of the authors of COPPA, put forward a question: Would Zuckerberg support expanding the protections that COPPA grants those younger than 13 to all kids younger than 16, too?

Zuckerberg, unsurprisingly, avowed that protecting minors’ privacy is “extremely important” but refused to give a hard answer. “Senator, I’m not sure if we need a law, but I think that this is certainly a thing that deserves a lot of attention,” he said.

Markey’s question got to the heart of COPPA’s seemingly arbitrary age cutoff. There’s no remarkable distinction between the internet savvy of a 13-year-old and a 12-year-old, and yet the law draws a stark line between the protections given to each. It’s not the first time teenhood has been used as the subjective line for regulatory benchmarks—think of PG-13 ratings for movies, perhaps the most famous example of this. But unlike ratings, which continue to restrict young teens from accessing “adult” content through R and NC-17 ratings, there are no levels in COPPA. Might as well be 13 going on 30.

As Markey’s question alludes, however, after a slew of data breaches and data privacy scandals like the one that landed Zuckerberg in the congressional hot seat, some are starting to question whether young teens are just as worthy of protections as preteens. After all, these minors can be just as vulnerable as their younger counterparts, and perhaps with more problematic adolescent info for data collectors to exploit.

Yet, looking at all the changes in the ways the young people use the internet today, it seems like the most reasonable solution to this abrupt disparity may not be creating another staggered level of restrictions. Instead, I think it’s time to rethink the idea of “children’s online protection” altogether.

While the net of the ’90s may have seemed like a scary, confusing place to let children go unsupervised, those protected by COPPA in 2018 are mostly digital natives. They haven’t known a world without the internet, without Facebook, Instagram, Snapchat, and more. While legislators still consider 13 a fairly standard regulatory age, it’s no longer an accurate or useful reflection of when kids start exploring the web by themselves. The idea that 13 is the age at which kids become internet savvy, too, seems ludicrous. Many children are probably more digital privacy savvy than the grown-ups of the “I gave away my credit card details to scammers on the phone” generation.

On top of this, COPPA isn’t particularly effective. As Facebook admits, untold deluges of underage kids are probably skirting around parental controls and breaching the COPPA barricades themselves. It only takes a very simple misrepresentation (see: my underage use of the teen social network Habbo Hotel at age 12) for children to face the unregulated “adult” internet we do.

The kids are online. What we need then, isn’t more restrictions against data collection for minors but better data privacy measures for all. Rather than expanding legal protections to include another age bracket, COPPA’s principles of active consent, secure data storage, and access to deletion should be applied to everyone (including children and teens) no matter what birth year they’ve selected on a form: not a Children’s Online Privacy Protection Act, but an Online Privacy Protection Act. It’s not unheard of. The European Union’s General Data Protection Regulation, which goes into effect this May, for example, establishes baseline data privacy protections for all natural persons—including a right to easily access the data organizations hold about you, to have that data deleted, and to withdraw consent of data collection at any time—while still stipulating where standards must be higher where children are involved.

If anything, COPPA’s highly protective rules for children seem to excuse the highly unregulated mess that we older internet users must navigate. Many of the reasons for not wanting children on sites such as Facebook—its extensive data-collection and profiling; its aggressive, manipulative marketing; the insecurity of its amassed data—are pertinent concerns regardless of age. Let’s fix those problems, rather than making vain attempts to keep children off them until they hit the magical age of 13.

The kids are (mostly) all right. But what about everyone else?