Kids Online Safety Laws Hard to Comply with in Real Time, Say Chief Privacy Officers

“There is no real good way to do it,” said Rachel Glasser, chief privacy officer at Magnite. “We are dealing in a world with pseudonymized identifiers. We don't collect age. We don't collect names or email addresses. We really have no idea how old a user is."

Because of this, “we're very reliant on what [information] gets sent to us,” she said. When Magnite looks at a given piece of content, it tries "to understand ‘What [does] the content represent? Is it a Saturday morning cartoon? Is it sports?' And we can make certain inferences or decisions based on that, but they're very broad and general.”

Peter Lerner, chief privacy and compliance officer at Advance, agreed. “The fundamental problem with most of these kids’ laws" comes up "on sites that are not directed to children,” he said. With something like “Teen Vogue, it's hard to argue that you don't have -- if not actual knowledge -- a pretty good idea that your audience is a teenager.” But with other sites, like the New Yorker, where there is a mixed-age audience, “the problem ... is we don't know in real time who among all these people that come to our site are" under 18.

“There's actually no real way to be able to default to the highest privacy setting for this user versus that user,” Lerner said. “Therefore, there's a fundamental problem with most of these [age-appropriate design code] rules, and frankly, most of these kids privacy law rules. There's operationally, no real way for us to comply.”

Though many lawmakers argue that the U.K. was able to pass age-appropriate codes under the GDPR, “the paradigm is completely different,” he said. “Everybody's already at the highest privacy setting, because it's an opt-in regime, so you're applying it across the board, whereas here in an opt-out regime, you have two choices: You collect more information, asking people their age -- which is not very privacy-friendly, obviously -- or you apply it overboard to your entire audience, which would be silly, because how are you going to monetize your content?”

Glasser said that flags or signals attached to data can help companies figure out how to deal with it. For example, if something is flagged with COPPA, “we will strip out any personal information that we probably shouldn't have gotten in the first place, and then we pass that flag along,” she said. But these flags or signals are very dependent on the publishers of the websites or platforms knowing who their sites are targeted at and passing that information along to companies who may want to run ads on them, Glasser said.

“It takes a little bit of elbow grease,” she said. “You should understand who the websites are" for and"the audience composition.”

Lerner agreed. “The diligence is mostly internal.”

But Glasser also said “I'm not sure that anybody really is -- in terms of marketers anyway -- really hungry to actively target children and collect data about children." She said "there tends to be sort of an ethical line that's already been drawn in the sand.”

Julia Shullman, general counsel and chief privacy officer at Telly, agreed. “No one really wants to hold onto this data or think about more creative ways to manage for advertising in a child's context."

Beyond knowing when to implement kids' online safety laws, the panelists said there are different interpretations of the language in the laws themselves. “We can't agree on what the age of a child is,” said Gary Kibel, a privacy attorney at Davis+Gilbert. Some states say it's a person younger than 13, while others say it's up to 17, and some have specific rules for ages 13 to 15, he said.

One of the big questions when it comes to compliance is, “How do we define consent?” Kibel said. “But even harder, how do we define knowledge? How do we define knowledge about who was a child?”