Publishings

In the aftermath of Google’s settlement with the FTC over its COPPA violations, some independent content producers on YouTube have expressed unhappiness with the decision. They are unclear how to comply with COPPA, and believe their revenue will diminish considerably. Some also worry that Google’s recently announced (link is external) system to meet the FTC settlement—where producers must identify if their content is child-directed—will affect their overall ability to “monetize” their productions even if they aren’t aiming to primarily serve a child audience. These YouTubers have focused their frustration at the FTC and have mobilized to file comments in the current COPPA proceedings (link is external). As Google has rolled out its new requirements, it has abetted a misdirected focus on the FTC and created much confusion and panic among YouTube content producers. Ultimately, their campaign, designed to weaken the lone federal law protecting children’s privacy online, could create even more violations of children’s privacy. While we sympathize with many of the YouTubers’ concerns, we believe their anger and sole focus on the FTC is misplaced. It is Google that is at fault here, and it needs finally to own up and step up. The truth is, it is Google’s YouTube that has violated the 2013 COPPA rule (link is external) pretty much since its inception. The updated rule made it illegal to collect persistent identifiers from children under 13 without parental consent. Google did so while purposefully developing YouTube as the leading site for children. It encouraged content creators to go all in and to be complicit in the fiction that YouTube is only for those whose age is 13 and above. Even though Google knew that this new business model was a violation of the law, it benefitted financially by serving personalized ads to children (and especially by creating the leading online destination for children in the U.S. and worldwide). All the while small, independent YouTube content creators built their livelihood on this illegitimate revenue stream. The corporate content brand channels of Hasbro, Mattel and the like, who do not rely on YT revenue, as well as corporate advertisers, also benefitted handsomely from this arrangement, allowing them to market to children unencumbered by COPPA regulations. But let’s review further how Google is handling the post-settlement world. Google chose to structure its solution to its own COPPA violation in a way that continues to place the burden and consequences of COPPA compliance on independent content creators. Rather than acknowledging wrong-doing and culpability in the plight of content creators who built their livelihoods on the sham that Google had created, Google produced an instructional video (link is external) for content creators that emphasizes the consequences of non-compliance and the potential negative impact on the creators’ monetization ability. It also appeared to have scared those who do not create “for kids” content. Google requires content creators to self-identify their content as “for kids,” and it will use automated algorithms to detect and flag “for kids” content. Google appears to have provided little useful information to content providers on how to comply, and confusion now seems rampant. Some YouTubers also fear (link is external) that the automated flagging of content is a blunt instrument “based on oblique overly broad criteria.” Also, Google declared that content designated as “for kids” will no longer serve personalized ads. The settlement and Google’s implementation are designed to assume the least risk for Google, while maximizing its monetary benefits. Google will start limiting the data it collects on made “for kids” content – something they should have done a long time ago, obviously. As a result, Google said it will no longer show personalized ads. However, the incentives for content creators to self-identify as “for kids” are not great, given that disabling (link is external) behavioral ads “may significantly reduce your channel’s revenue.” Although Google declares that it is “committed to help you with this transition,” it has shown no willingness to reduce its own significant cut of the ad revenue when it comes to children’s content. While incentives for child-directed content creators are high to mis-label their content, and equally high for Google to encourage them in this subterfuge, the consequences for non-compliance now squarely rest with content creators alone. Let’s be clear here. Google should comply with COPPA as soon as possible where content is clearly child- directed. Google has already developed a robust set of safeguards and policies (link is external) on YouTube Kids to protect children from advertising (link is external) for harmful products and from exploitative influencer marketing. It should apply the same protections on all child-directed content, regardless of which YouTube platform kids are using. When CCFC and CDD filed our COPPA complaint in 2018, we focused on how Google was shirking its responsibilities under the law by denying that portions of YouTube were child-directed (and thus governed by COPPA). The channels we cited in our complaint were not gray-area channels that might be child attractive but also draw lots of teen and adult viewers. Our complaint discussed such channels as Little Baby Bum, ChuChu TV Nursery Rhymes and Kids Songs, and Ryan’s Toy Reviews. We did not ask the FTC to investigate or sanction any channel owners, because Google makes the rules on YouTube, particularly with regard to personal data collection and use, and therefore it was the party that chose to violate COPPA. (Many independent content creators concur indirectly when they say that they should not be held accountable under COPPA. They maintain that they actually don’t have access to detailed audience data and do not know if their YouTube audience is under 13 at all. Google structures what data they have access to.) For other content, in the so-called “gray zone,” such as content for general audiences that children under 13 also watch, or content that cannot be easily classified, we need more information about Google’s internal data practices. Do content creators have detailed access to demographic audience data and are thus accountable, or does Google hold on to that data? Should accountability for COPPA compliance be shifted more appropriately to Google? Can advertising restrictions be applied at the user level once a user is identified as likely to be under thirteen regardless of what content they watch? We need Google to open up its internal processes, and we are asking the FTC to develop rules that share accountability appropriately between Google and its content creators. The Google settlement has been a significant victory for children and their parents. For the first time, Google has been forced to take COPPA seriously, a U.S. law that was passed by Congress to express the will of the majority of the electorate. Of course, the FTC is also complicit in this problem as it waited six years to enforce the updated law. They watched Google’s COPPA violations increase over time, allowing a monster to grow. What’s worse, the quality of the kids YouTube content was to most, particularly to parents, more than questionable (link is external), and at times even placed children seriously at risk (link is external). What parents saw in the offering for their children was quantity rather than quality content. Now, however, after six years, the FTC is finally requiring Google and creators to abide by the law. Just like that. Still, this change should not come as a complete surprise to content creators. We sympathize with the independent YT creators and understand their frustration, but they have been complicit in this arrangement as well. The children’s digital entertainment industry has discussed compliance with COPPA for years behind closed doors, and many knew that YouTube was in non-compliance with COPPA. The FTC has failed to address the misinformation that Google is propagating among content creators, its recent guidance (link is external) not withstanding. Moreover, the FTC has allowed Google to settle its COPPA violation by developing a solution that allows Google to abdicate any responsibility with COPPA compliance, while continuing to maximize revenue. It’s time for the FTC to study Google’s data practices and capabilities better, and squarely put the onus on Google to comply with COPPA. As the result of the current COPPA proceedings, rules must be put in place to hold platforms, like YouTube, accountable.

SUBJECT: CCFC and CDD statement on today’s YouTube inquiry by Senator Markey Campaign for a Commercial-Free Childhood and the Center for Digital Democracy, whose complaint led to the FTC settlement (link is external) which requires YouTube to change its practices to comply with federal children’s privacy law, applaud Senator Ed Markey for writing to Google (link is external) to inquire about YouTube’s child-directed advertising practices. “To its credit, Google has developed a robust set of safeguards and policies on YouTube Kids to protect children from advertising for harmful products and exploitative influencer marketing. Now that Google has been forced to abandon the fiction that the main YouTube platform is exclusively for ages 13 and up, it should apply the same protections on all child-directed content, regardless of which YouTube platform kids are using.” Josh Golin, Campaign for a Commercial-Free Childhood “Google should treat all children fairly on YouTube and apply the same set of advertising and content safeguards it has especially developed for YouTube Kids. When young people view child-directed programming on YouTube, they should also be protected from harmful and unfair practices such as ‘influencer’ marketing, exposure to ‘dangerous’ material, violent content, and exposure to food and beverage marketing.” Jeff Chester, Center for Digital Democracy

Subject: Which digital privacy proposals in Congress make the grade? Nov. 21, 2019 Contact: David Rosen, drosen@citizen.org (link sends e-mail), (202) 588-7742 Susan Grant, sgrant@consumerfed.org (link sends e-mail), (202) 387-6121 Caitriona Fitzgerald, fitzgerald@epic.org (link sends e-mail), (617) 945-8409 Katharina Kopp, kkopp@democraticmedia.org (link sends e-mail), (202) 836-4621 Campaign for a Commercial-Free Childhood · Center for Digital Democracy · Color of Change · Consumer Federation of America · Consumer Action · Electronic Privacy Information Center · Parent Coalition for Student Privacy · Privacy Rights Clearinghouse · Public Citizen · U.S. PIRG NOTE TO REPORTERS Grading Digital Privacy Proposals in Congress When it comes to digital privacy, we’re facing an unprecedented crisis. Tech giants are spying on our families and selling the most intimate details about our lives for profit. Bad actors, both foreign and domestic, are targeting personal data gathered by U.S. companies – including our bank details, email messages and Social Security numbers. Algorithms used to determine eligibility for jobs, housing, credit, insurance and other life necessities are having disparate, discriminatory impacts on disadvantaged groups. We need a new approach. Consumer, privacy and civil rights groups are encouraged by some of the bills that recently have been introduced in Congress, many of which follow recommendations in the groups’ Framework for Comprehensive Privacy Protection and Digital Rights in the United States (link is external). The framework calls for baseline federal privacy legislation that: - Has a clear and comprehensive definition of personal data; - Establishes an independent data protection agency; - Establishes a private right of action allowing individuals to enforce their rights; - Establishes individual rights to access, control and delete data; - Puts meaningful privacy obligations on companies that collect personal data; - Requires the establishment of algorithmic governance to advance fair and just data practices; - Requires companies to minimize privacy risks and minimize data collection; - Prohibits take-it-or-leave-it or pay-for-privacy terms; - Limits government access to personal data; and - Does not preempt stronger state laws. Three bills attained the highest marks in the recent Privacy Legislation Scorecard (link is external) compiled by the Electronic Privacy Information Center (EPIC): - The Online Privacy Act (H.R. 4978 (link is external)), introduced by U.S. Reps. Anna Eshoo (D-Calif.) and Zoe Lofgren (D-Calif.), takes a comprehensive approach and is the only bill that calls for a U.S. Data Protection Agency. The bill establishes meaningful rights for individuals and clear obligations for companies. It does not preempt state law, but it lacks explicit anti-preemption language, which would make it more effective. - The Mind Your Own Business Act (S. 2637 (link is external)), introduced by U.S. Sen. Ron Wyden (D-Ore.), requires companies to assess the impact of the automated systems they use to make decisions about consumers and how well their data protection mechanisms are working. It has explicit anti-preemption language and holds companies accountable when they fail to protect privacy. The private right of action should be broader, and the bill needs clear limits on data uses. - The Privacy Rights for All Act (S. 1214 (link is external)), introduced by U.S. Sen. Ed Markey (D-Mass.), has important provisions minimizing data collection and delinking user identities from collected data, and prohibits bias and discrimination in automated decision-making. It also includes a strong private right of action and bans forced arbitration for violations. It does not preempt state law, but it lacks explicit anti-preemption language, which would make it more effective. Two bills are plainly anti-privacy. The Information Transparency & Personal Data Control Act (H.R. 2013 (link is external)), introduced by U.S. Rep. Suzan DelBene (D-Wash.), falls woefully short. It provides few protections for individuals, contains overly broad exemptions and preempts stronger state laws. The Balancing the Rights of Web Surfers Equally and Responsibility (BROWSER) Act (S. 1116 (link is external)), introduced by U.S. Sen. Marsha Blackburn (R-Tenn.), is based on the old, ineffective take-it-or-leave-it terms of use model, does not allow agency rulemaking, is weak on enforcement and preempts state laws. Both are bad, anti-privacy bills. Future federal privacy bills must make the grade. Additional privacy bills are expected to be introduced by U.S. Sen. Maria Cantwell (D-Wash.) and U.S. Rep. Jan Schakowsky (D-Ill.). Separately, U.S. Sens. Richard Blumenthal (D-Conn.), Roger Wicker (R-Miss.) and Josh Hawley (R-Mo.) may release their own bills. These leaders should strive to meet the standards that the framework lays out. Baseline privacy legislation must not preempt stronger state protections and laws – such as the California Consumer Privacy Protection Act (link is external) that takes effect in 2020, biometric data protection laws such as those in Illinois (link is external) and Texas (link is external), and data breach notification laws (link is external) that exist in every state. States must be allowed to continue serving as “laboratories of democracy,” pioneering innovative new protections to keep up with rapidly changing technologies. In addition, federal privacy legislation must include a strong private right of action – a crucial tool consumers need to enforce their rights and change the behavior of powerful corporations – and establish safeguards against data practices that lead to unjust, unfair, manipulative and discriminatory outcomes. For more information, see these fact sheets (link is external). Please contact any of the individuals listed above to speak with an expert. ###

Contact: David Monahan, CCFC (david@commercialfreechildhood.org (link sends e-mail); 617-896-9397) Jeff Chester, CDD (jeff@democraticmedia.org (link sends e-mail); 202-494-7100) Will the FTC Weaken Children’s Privacy Rules? Invited Advocates Raise Concerns About Upcoming COPPA Workshop, Plans to Undermine Federal Protections for Kids October 7 D.C. lineup dominated by tech industry supporters WHAT: The Future of the Children’s Online Privacy Protection Act Rule (COPPA): An FTC Workshop (link is external) WHEN: October 7, 2019, 9:00 am ET WHERE: Constitution Center, 400 7th St SW, Washington, DC WORKSHOP PRESENTERS FOR CAMPAIGN FOR A COMMERCIAL-FREE CHILDHOOD (CCFC) AND CENTER FOR DIGITAL DEMOCRACY (CDD): THE CHALLENGE: In 2012, the FTC approved new safeguards to protect children’s privacy in the digital era, heeding the advice of child advocates, consumer groups, privacy experts and health professionals. But now the Commission has called for comments (link is external) on COPPA three years before a new review is mandated by statute. The questions posed by the Commission, as well as public comments made by FTC staff, make privacy advocates wary that the FTC’s goal is to roll back COPPA safeguards rather than strengthen protections for children. Concerns about the FTC creating new loopholes or supporting industry calls to weaken the rules are heightened by the FTC’s speaker list for this workshop, replete with tech and marketing companies and their lawyers and lobbyists, with just a few privacy and children’s advocates at the table. The advocates are also concerned that the FTC is contemplating this action just weeks after its most significant COPPA enforcement action to date—requiring major changes to Google’s data collection practices on YouTube—a move that could result in rules being changed before those new practices have even been implemented. Children and families need increased COPPA enforcement, not weaker rules. The key problems, the advocates note, are the lack of enforcement of the law by the FTC; the failure of the agency to protect children from unfair marketing practices, such as influencers; and the need to maintain the strongest possible safeguards—whether in the home, school or on mobile devices. Speakers at the workshop include: Josh Golin, Executive Director, CCFC Will participate in a panel entitled Scope of the COPPA Rule. Katharina Kopp, Ph.D., Deputy Director, Director of Policy, CDD Will participate in a panel entitled Uses and Misuses of Persistent Identifiers. Laura M. Moy, Associate Professor of Law, Director, Communications & Technology Law Clinic, Georgetown University Law Center Will participate in a panel entitled State of the World in Children’s Privacy. Josh, Katharina, and Laura are available for questions in advance of the workshop, and will also be available to speak with press on site. See video of Future of COPPA Workshop here: https://www.ftc.gov/news-events/audio-video/video/future-coppa-rule-ftc-... (link is external) https://www.ftc.gov/news-events/audio-video/video/future-coppa-rule-ftc-... (link is external) ###

Press Statement Google YouTube FTC COPPA Settlement Statement of Katharina Kopp, Ph.D. Deputy Director Center for Digital Democracy August 30, 2019 It has been reported that Google has agreed to pay between $150 million and $200 million to resolve an FTC investigation into YouTube over alleged violations of a children's privacy law. A settlement amount of $150-200 million would be woefully low, considering the egregious nature of the violation, how much Google profited from violating the law, and given Google’s size and revenue. Google’s unprecedented violation requires an unprecedented FTC response. A small amount like this would effectively reward Google for engaging in massive and illegal data collection without any regard to children’s safety. In addition to assessing substantial civil penalties, the FTC must enjoin Google from committing further violations of COPPA and impose effective means for monitoring compliance; the FTC must impose a 20-year consent decree to ensure Alphabet Inc. acts responsibly when it comes to serving children and parents. ------ In April, 2018, the Center for Digital Democracy (CDD) and the Campaign for Commercial-Free Childhood (CCFC), through their attorneys at Georgetown Law’s Institute for Public Representation (IPR), filed an FTC complaint (link is external) detailing YouTube’s COPPA violations. Twenty-one other privacy and consumer groups signed on to CCFC and CDD’s complaint, which detailed how Google profits by collecting personal information from kids on YouTube, without first providing direct notice to parents and obtaining their consent as required by law. Google uses this information to target advertisements to children across the internet and across devices, in clear violation of COPPA.

FOR RELEASE July 26, 2019 Consumer Privacy Organizations to Challenge Facebook Settlement Statement from Groups --------- “The Settlement Fails to Provide Meaningful Relief to Facebook Users” WASHINGTON, DC – Many of the nation’s leading consumer privacy organizations are urging a federal court in Washington, DC to consider public comments before finalizing a proposed settlement between the Federal Trade Commission and Facebook. “The Facebook settlement is both historic and controversial. Many believe the FTC failed to establish meaningful safeguards for consumer privacy. We believe the court overseeing the case should consider the views of interested parties,” said Marc Rotenberg, President of the Electronic Privacy Information Center. Under the terms of the settlement, Facebook will pay a record-breaking $5 b fine to the United States Treasury, but there will be no significant changes in Facebook’s business practices and the FTC will release all pending complaints against the company. Typically in a proposed FTC settlement, the public would be provided an opportunity to provide comments to the agency before finalizing the deal. But no such opportunity was provided in the Facebook settlement. Many of the organizations that are joining the effort have also filed detailed complaints with the Federal Trade Commission, alleging that Facebook has violated privacy laws, including the Children’s Online Privacy Protection Act. A Freedom of Information Act case revealed that there are more than 26,000 complaints against Facebook currently pending at the Commission. In a similar case in 2012, the privacy group Consumer Watchdog challenged the FTC settlement with Google regarding the Safari hack. In other consumer privacy cases, courts have created opportunities for interested parties to file papers and be heard prior to a final determination on a proposed settlement. The case is In the Matter of Facebook, No. 19-cv-2184 (D.D.C. Filed July 24, 2019) EPIC filed with the court today: https://epic.org/2019/07/epic-challenges-ftc-facebook-s.html (link is external) Statements of Support: Brandi Collins-Dexter, Senior Campaign Director, Color of Change, “Despite the large price tag, the FTC settlement provides no meaningful changes to Facebook’s structure or financial incentives. It allows Facebook to continue to set its own limits on how much user data it can collect and it gives Facebook immunity for unspecified violations. The public has a right to know what laws Facebook violated. Corporations should face consequences for violating the public trust, not be given a rubber stamp to carry out business as usual. This settlement limits the ability of Black users to challenge Facebook’s misuse of their data and force real accountability which is why the courts must review the fairness of this settlement.” Susan Grant, Director of Consumer Protection and Privacy, Consumer Federation of America: “The FTC’s settlement with Facebook sells consumers short by failing to change the company’s mass surveillance practices and wiping away other complaints that deserved to be addressed. It needs to be stronger to truly protect our privacy.” Linda Sherry, Director of National Priorities, Consumer Action: “The FTC’s pending Facebook settlement does not take adequate measures to limit the collection and sharing of consumers’ personal information, but appears to provide the company with extensive protections from even future violations. Consumer Action respectfully urges the court to consider positions from interested parties who have related complaints filed with the FTC to ensure that the most fair and comprehensive agreement is approved.” Sally Hubbard, Director of Enforcement Strategy, Open Markets. “The FTC’s settlement is woefully insufficient in light of Facebook’s persistent privacy violations. The fine is a mere cost of doing business that makes breaking the law worth it for Facebook. Remedies must curb Facebook’s widespread data collection and promote competition. Otherwise Facebook will continue to fortify its monopoly power by surveilling users both on Facebook and off, and users can’t vote with their feet when Facebook violates their privacy. The public must have the opportunity to be heard on this negligent settlement." Robert Weissman, President, Public Citizen: “The FTC's settlement amounts to Facebook promising yet again to adhere to its own privacy policy, while reserving the right to change that policy at any time. That approach will fail to protect users' privacy. The court should reject the settlement and order the FTC to try again and do better.” Josh Golin, Executive Director, Campaign for Commercial-Free Childhood: “Facebook has been exploiting kids for years, and this proposed settlement is essentially a get-out-of-jail-free card. It potentially extinguishes our children's privacy complaints against Facebook, but offers absolutely no protections for kids' privacy moving forward. It also sweeps under the rug a complaint detailing how Facebook knowingly and intentionally tricked kids into spending money on mobile games over several years, sometimes to the tune of thousands of dollars per child.” James P. Steyer, CEO and Founder of Common Sense Media: "On behalf of families across the country, Common Sense fully stands behind EPIC's motion. The proposed settlement is a "get out of jail free" card for Facebook, purporting to absolve Facebook not only of liability for privacy abuses but for other -- completely unaddressed and unexplored -- Section 5 abuses. One such abuse that the FTC is aware of and that court documents confirm includes tricking kids into making in-app purchases that have put families out hundreds and even thousands of dollars —something the company has yet to meaningfully change its policies on to this day. Such a broad release is unprecedented, unjustified and unacceptable." Edmund Mierzwinski, Senior Director for Federal Consumer Programs, U.S. PIRG: "This laughable $5 billion settlement with the category-killer social media giant Facebook makes the much smaller Equifax settlement for sloppy security look harsh. Facebook intentionally collects and shares an ever-growing matrix of information about consumers, their friends and their interests in a mass surveillance business model. It routinely changes its previous privacy promises without consent. It doesn't adequately audit its myriad business partners. The FTC essentially said to Facebook: "Pay your parking ticket but don't ever change. Your fast-and-loose practices are okay with 3 of the 5 of us." Not changing those practices will come back to haunt the FTC, consumers and the world.” Jeff Chester, Executive Director, Center for Digital Democracy: "The 3-2 Facebook decision by the FTC leaves millions of Americans vulnerable to all the problems unleashed by the Cambridge Analytica scandal. The commission adopted a woefully inadequate remedy that does nothing to stem the fundamental loss of its user privacy which led to our original 2009 complaint."

In response to a call (link is external) for submissions by the UN Committee on the Right of the Child (link is external) on the topic of children’s rights in relation to the digital environment, CDD joins academics and advocates in submitting comments. The group calls on the Committee to recognize the far-reaching harms caused by digital marketing and the personal data extraction on which it is predicated. Many digital marketing practices infringe many rights enshrined in the UN Convention on the Rights of the Child (link is external). The Committee ought to recognize the need to protect children from these harms so children can fully enjoy the opportunities digital environments offer for their development and fulfilment of their rights.

For Immediate Release: Feb. 26, 2019 Contact: Mike Stankiewicz, mstankiewicz@citizen.org (link sends e-mail), (202) 588-7779 Jeff Chester jeff@democraticmedia.org (link sends e-mail) (202) 494-7100 MEDIA ADVISORY Press Briefing: Senators, Coalition Call for Sweeping National Digital Privacy Legislation Experts to Demand Federal Action to Combat Growing digital-consumer and Civil Rights Threats WHAT: Staff briefing, open to the press and sponsored by U.S. Sens. Ed Markey (D-Mass.) Tom Udall (D-N.M.), at which consumer protection and civil rights advocates will explain the urgent need for sweeping federal digital privacy legislation with a new approach. It includes baseline legislation that doesn’t pre-empt state privacy laws, the creation of a new federal data protection agency and safeguards against data practices that lead to unjust, unfair, manipulative or discriminatory, outcomes. The briefing comes as Americans increasingly demand protection of their digital privacy in light of unethical privacy sharing and harvesting by tech giants. Without any constraints, Big Tech companies and their partners are collecting sensitive information on American citizens, ranging from financial and health information to data that tracks our Internet activity across all our devices, our location throughout the day and much more. Both the federal government and the states must be empowered to protect the public from this ever-growing online threat to their privacy, welfare and civil rights. Members of the Privacy and Digital Rights for All coalition, which has announced a Framework for Comprehensive Privacy Protection And Digital Rights (link is external) in the U.S. also will speak about the need for enduring privacy innovation and limiting government access to personal data. WHEN: 2 p.m. EST, Mon., March 4 WHO: Ed Mierzwinski, consumer program director, U.S. PIRG Jeffrey Chester, executive director, Center for Digital Democracy Brandi Collins-Dexter, senior campaign director, Color of Change Josh Golin, executive director, Campaign for a Commercial-Free Childhood Burcu Kilic, research director, Public Citizen’s Access to Medicines program Christine Bannan, administrative law and policy fellow, Electronic Privacy Information Center (EPIC) WHERE: Hart Senate Office Building Room 216 120 Constitution Ave NE Washington, DC 20002 ###