CIPA, COPPA, and Age Verification

This week I've been reading about federal regulations on protecting children's safety and privacy online. I'm certainly not an expert in this topic, and I know there are a lot of aspects that could be discussed, so this post is just my two cents.

As readers may remember, I was on the internet in the early days of Web 2.0. I'm pretty sure the statute of limitations has passed, so I'm comfortable saying that I definitely didn't always use my true age when signing up for an account. It was so easy to just choose a different year, and all my friends were already on these sites, so why not? The website certainly didn't try to deter me.

I realized even then that the requirement to enter my birthday to make an account was to protect the company I'm making the account with, not me. If the requirement for account holders to be over 13 is so easy to get around, then the age of their users is obviously not what they're worried about.

So what are they worried about? What protection does this requirement provide for companies?

Why Kids Lie (On the Internet)

Mostly, it's to technically comply with COPPA, the Children's Online Privacy Protection Act, passed in 1998 in the US. COPPA restricts the collection of data from children under 13, so by asking for the user's age before they create an account the company can say they are complying with COPPA, even if you can just lie and get around it.

My own repeated experience reinforced the idea that these age restrictions are there as CYA for the companies, not for my benefit or protection. The implementation seems largely ineffective, and so I tend to agree with danah boyd et al., who contend that COPPA, through parents, teaches kids to lie about their age.

"Websites continue to collect data about children under the age of 13, notably those who lie about their age to gain access to the websites." -danah boyd et al.

An update to COPPA was passed in 2025, with companies needing to fully comply as of this week (4/22/2026). Key changes include: requiring parental opt-in consent to share children's data with third-party companies; limiting data retention to "as long as reasonably necessary to fulfill a specific purpose for which it was collected", prohibiting indefinite storage; and expanding the definition of personal information to include biometric identifiers, such as fingerprints. Only time will tell if these additional regulations will be sufficient, or at least an improvement.

Regulation, Meet Education

COPPA is not the only federal regulation that was created to protect children online. CIPA (Children's Internet Protection Act, 2000) mandates that internet browser filters be on computers in publicly funded institutions where children are likely to use the internet if the institution benefits from the FCC's E-Rate discount program, which is most public schools and public libraries. CIPA seems to try to protect children using the authority of the institution, while COPPA relies on the compliant cooperation of domain holders and ed-tech companies.

I'm not sure either of these regulations is the best way to protect children online, but they're better than nothing. That is, setting aside the censorship issues, but that's a topic for another post.

The update to CIPA, the Protecting Children in the 21st Century Act (passed 2008, enforced 2012), complements CIPA by focusing on internet safety education. This act requires the FTC to develop a nationwide program that would "encourage best practices for internet safety and facilitate access to awareness and education campaigns".

From what I can tell, the practical effect of this amendment was a new certification requirement for schools to receive E-rate discounts. To meet certification requirements, schools must adopt or amend their internet safety policy so that it "provides for educating minors about appropriate online behavior." Notably, they don't offer guidance on the "best practices" for providing children with education on internet safety. They also don't address the issue of children regularly lying about their age in order to create accounts. An emerging technology that's purported to solve this particular problem is age verification software.

Age Verification? More Like Privacy Evacuation

Many countries have implemented age verification laws with the intent to better protect children online. The US doesn't have a federal mandate for age verification, but several states have passed their own regulations. However, the FTC released a statement recently that they would not enforce COPPA regulations against online services that only collect personal information for age verification purposes, provided they comply with specific conditions. The related policy statement specifies that information collected for age verification purposes may be disclosed to third parties only if the online service obtains written assurance that the third party will delete this information promptly.

This stuck out to me because I recently watched a video that followed the breadcrumb trail of data requests during an age verification process, and found that the age verification service provider explicitly stated that they store ID documents to "maintain an audit trail".

By using multiple layers of third-party service providers, websites and online services that utilize age verification processes are able to plead plausible deniability, and the collected personal information is stored several steps away from the site that had originally requested it. Beyond privacy concerns, age verification processes pose other significant dangers to both children and adults.

I don't know what the 'right way' to protect children online is, but this ain't it, chief.

Going Forward

There are very few situations where abstinence and omission provide the best outcomes. Prolonged and consistent education programs have been shown time after time to be more effective. Some regulation that purports to protect children a) doesn't necessarily do so, and b) can limit the rights of both adults and children in myriad ways. For now, I suspect that the trend of tech companies doing the bare minimum and schools and libraries picking up the educational slack will continue.

Comments

  1. There are so many layers and the difficulty increases with each technological advancement. I'm not sure this is a truly solvable problem, unfortunately.

  2. I'm fascinated with the way that not reading the terms of service has evolved into not caring about privacy at all for the general public. I think the average person might think it's there for a reason, assuming that the technologies are safe and that no ill intent can come out of it.
    I think it's frightening how this has evolved into things like facial recognition. I found the video you linked so fascinating! I was at a convention this weekend where a booth had you scan your face to participate in the activity and everyone around me was participating in it, and I stepped back and had to ask, why am I doing a facial scan to spin a wheel at a product booth!

  3. I second your conclusion here. The evolution of tech is constantly outpacing the laws and regulations that exist to wrangle them in. It is also not in the best interest of these large corporations to actually implement regulations without some sort of benefit to them. We, the consumer, continue to be at a loss due to this fact.
