Good afternoon, everyone, and thank you so much for attending our brief the hill event. Im emma morris, the Global Policy director at fozi. Id like to thank kmoonk carden as and his staff for securing the room for us. Briefly by way of background for those who arent familiar with the family Online Safety institute, were a Nonprofit Organization working to make the online world safer for kids and their families. Were pleased to host this panel today to discuss one of the most important issues facing families, kids privacy on the internet. In the united states, the collection and processing of childrens data has primarily been regulated by the childrens Online Privacy protection act and its corresponding rule for over 20 years. This law long preceded facebook, snapchat, youtube and hello barbie. We have seen numerous legislative proposals including from senator markey to change the way childrens legislation is regulated. At the beginning of the summer the federal trade Commission Published a request. With all of this activity in minding, fosi introduced a white paper which you should have received on your way in and you can download from our website. We believe that limiting the Data Collected from children and preventing Online Marketing to those under 13 absent verifiable parental consent are admirable aims. We are cognizant that Small Businesses are able to comply with the law and create engaging, educational and fun content for children. We Want Companies to bein sent ivized to protect childrens information. With that in mind ill hand over to Stephen Balkam who will moderate the panel this afternoon. Great. Thank you very much, emma. Thank you to the fosi team led by emma morris to put all this together. Fantastic in such a short period of time in the middle of the summer, so thank you for that. Also as its probably pretty obvious, cspan is here. Were out live and so just when questions come around, just be aware that you could well be taken up on broadcast tv. So, yes, founder and ceo of the family Online Safety institute. I will be moderating the panel. I just want to mention were also hash tagging at fosi briefs the hill. I know its not brief but it is a good hash tag, so please use it. And of course this video that cspan is doing right now will be arc koohived at cspan and w provide a link. Im going to ask this esteemed panel to introduce themselves starting with you, mark. If you could tem ll us who you are, where you work and a tweet length description of your work in this space. Im mark eichorn, sachbt director in the Privacy Division of the ftc. Ive been in that job for about ten years. And what the ftc does is protect consumer privacy. We enforce copa and we do policy work around copa. So a couple of years ago we held a workshop on Educational Technology issues and are holding a copa workshop this october. Thank you very much. Hi, everyone. Stephen, thank you for having me. My name is john falzone. I work at the Entertainment Software rating board where i run the privacy certified program, which is a ftcapproved copa safe harbor program. So i work with companies primarily in the Interactive Entertainment and toy spaces to ensure that theyre complying with the law and regulations and generally doing right by their consumers. Joseph wender, Senior Advisor to ed markey. Ed markey was the author of copa and we have been active in the last 20 years since then on pushing all sorts of kids privacy and advancement issues. Most recently introduced a copa 2. 0 bill which im sure ill be discussing during this panel. And im jim halpert and i cochair the Global Cybersecurity practices at dli piper and back in 1978 as a senior associate i helped negotiate and draft some of the language that ed markey wound up sponsoring with conrad burns and Richard Brian that became the copa law and was there at the creation and i think filed seven sets of comments in the 2000 rule making, so i was there at the creation and hope to provide some context over time regarding copa. Thank you, all. Its quite a breadth of experience, both past and present. No doubt well into the future, because this issue is not going to go away. Mark, let me start with you. What has led the ftc to see comments on the copa rule now before any other time . Im speaking for myself and knotted for t not for the commissioner or the commissioners. I speak for one of them and im not going to say who. So i we do this regulatory review process of all our rules and guides every ten years typically. And that is on a routine schedule. With copa we revised the rule in 2013 pretty substantially to add categories of personal information that werent really collected when the rule was first implemented or when the statute was first passed. And sort of to expand the rule in other ways, to cover persistent identifiers but also third parties collecting information from sites when they have actual knowledge that theyre directed to kids. So, you know, we hear about copa a lot. Theres a number of statutes that we enforce and rules that we enforce. Theres a lot more just sort of discussion and talk about copa than many of the others. Theres also theres been a lot of changing technologies. For example, i mentioned the ed tech workshop that we held. At the time that the statute was passed, there was no mention in the statute whatsoever of schools, and it sort of raised this issue of, well, if somebody is using an Online Service in the school context, can the parent i mean, excuse me, can the teacher provide seconsent o not . These types of issues. So weve sort of addressed those in the statement of basis and purpose for the rule but weve never really addressed them more directly in the rule itself. And when we held the workshop a couple years ago on these issues, its clear that this industry is really accelerating. Theres a huge amount going on there. We thought about sort of making sure that we addressed that issue properly and getting public ideas on how to do that. Ill just say just to highlight one more issue or one more change, obviously a lot of us use voice assistance. And when the Commission Revised the rule in 2013, we added coverage of audio collected from a kid. So that raises questions about, well, if you have a Voice Assistant that is directed to kids for some reason and youre basically just using it to do voice activated search essentially, then we realized that would sort of raise issues. So we issued a discretionary enforcement policy that basically says if you use it for something quick like that and you just immediately delete it, you know, were not going to be bringing a case involving that. So thats another issue where we want to get the publics input, sort of see how that might be integrated into the rule and how to address that. And also are there other issues about Voice Assistants, other issues with smart tvs, that kind of thing that we want to address. Talk a little bit about the process. Were coming up to the end of august. What happens next . When are you guys going to actually deliver your thoughts on this . Right. Well, it will be a while, i suspect, because the comments are not due until october 23rd. Were having the workshop, as i said, october 7th and we expect well get a lot of input there as well. So once we get those comments, well sit down and go through what we got and review the input and then figure out where to go from there. Just to make clear what this is, theres sort of a process for a rule making where we put out particular basically regulatory language that we propose. This is one step before that. Were still sort of at the informationgathering phase. So one thing that could come out of this next step is we could end up making a regulatory proposal based on what we hear. Okay. And how are you currently working with companies that create content . Just taking a step back from the looking at copa, how are you currently working with everyone from the disneys to the mom and pop shops who were creating an educational app, for instance . Well, one of the things we do is we have a copa hotline where companies can reach out to us and sort of pose an issue to us or ask a question about the rule. We see this as trying to sort of facilitate compliance with the rule as opposed to sort of catching somebody in a violation. So thats one avenue. We also have consumer and Business Education that we put out, and the faqs on copa where we sort of try to make the rule as clear as possible. Those are some of the ways that we do that. Okay. John, for those of us who are not familiar with safe harbors or the esrb, lets do a little bit of a level set. What is a safe harbor . Sure. So, first of all, safe harbors were created as part of the legislation that was passed. The safe harbor regime is intended to be to provide independent oversight and enforcement of the act but on a selfregulatory basis. So in other words, its not mandatory for any company to be a part of a safe harbor. Companies choose whether or not they want to work with safe harbor programs. The esrb is one of the oldest copa safe harbors, but there are seven companies that provide safe harbor services. And so the companies that work with us have chosen to become parts of our program. They pay, depending on the program, some sort of fee for our services. Then our job is to make sure that those companies are, first and foremost, complying with copa and the amended copa rule and the guidance that the ftc puts out. Many of our programs go beyond just copa but from a safe harbor standpoint, thats our primary objective. Every day my team is in websites and in apps that our members are putting out and theyre looking through them just as any user would, doing the user experience. Theyre doing back end scans to see whats happening on the back end that the user can see. Making sure that, one, the practices of that member are in line with what copa requires and, two, that the policies that they put out, in other words, the disclosures that theyre making are reflecting those practices and accurate to their consumers. Talk a little bit about how you guys promote the creation of content for kids, particularly the under 13 market, which has bedevilled a lot of creators. Talk about that. Its an incredibly difficult market. To be frank, most of our members dont even really get into that market. The majority of the websites and apps why is that, john . Because its difficult to monetize and stay compliant with the law. So we are lucky that some of the companies that we work with have strategies for monetiization but those are the traditional ways that you would monetize within an app or on a website. Some of our members in the toy industry, its not necessarily about that for them because they have brands that theyre just looking to keep kids engaged with and they can monetize in other ways. But its a difficult it is a difficult market to be in and to make money in. But it is one where if you have sort of the right longterm view, you can be very successful in it. So our job is we start working with our members as early as we can in the process. If they have something thats under 13 in a true childdirected sense or that is just going to be hitting some under 13s in a significant way but maybe directed to an older audience, we start working with them as early as we can in the Development Process to start flagging issues that might be coming. Because, look, the companies that work with us, they know what copa is and theyre trying to do the right thing by working with us, but they dont always necessarily know what that right thing is. And then youve got companies that are just coming to us when they have Just Launched or are planning to launch something. Those Companies Often think that they know everything and that theyre compliant with everything. But then when you get into it, it can be complicated and so theres a lot of issues that you just have to work through. But you can work through them, if youre willing to do it. So one of the most complicating issues that we come across when talking to companies is this distinction between actual versus constructive knowledge. Again, for the uninitiated, what is this extraordinary distinction between actual and constructive knowledge and how it relates to the copa rule itself. Right. Just by way of background, copa is triggered when the Online Service is either directed to children under 13 years old or the operator of the Online Service has actual knowledge that the user is under 13 years old. So thats copa in its current state the way that it works. Actual knowledge is what it sounds like from a legal standpoint. The company has to actually know that that user is under 13 years old. The most typical way that a company would know that is if the user has identified as under 13 years old. A lot of websites contain or apps contain a registration process or some sort of age gating process so a user may identify as under 13. Weve all seen those popups that come up. A user might identify as under 13 and then automatically at that point copa is triggered, regardless of what the site is. It could be a site that could be a site that is intended for parents. But if they collect the users age, then copa would be triggered in that circumstance. Constructive knowledge is would be a situation where the operator should have known that the user was under the13 from a legal standpoint, so that could be based off of any number of factors of information that they might have available to them. It sort of broadens the scope, as you can imagine. Right. Okay, thank you. Joseph, so what was your reaction and as important your bosses reaction to the ftc in july that copa would be reviewed much earlier than had been expected . Our reaction was cautious optimism. He was very supportive when the rules were reviewed back in 2013 and he clearly sees that the landscape has changed in the six years preceding. And so things like biometrics, things like genetics, things like Voice Assistant, all the things that mark discussed, its clear that theyre much more prevalent in the ecosystem today and that the commission should be taking a look at that, so thats good. Now, i say cautious optimism because we dont know yet what the outcome of this rule making will be. If in the end the rules are strengthened, thats a really good thing. But you always have to be wary of potential bad players or others coming in and attempting to weaken the rules. So until we see what the final product of the process is, i dont want to i cant say if were going to be happy or sad. But i dont want to prejudge the process because its good that theyre certainly starting it. So i had the privilege of testifying to the Senate Judiciary only a month or so ago on the topic protecting innocence in a digital world. During that hearing, the ftc came under a barrage of criticisms. Presumably you saw or watched that hearing. Do you share the level of criticism of the ftc or put in a more positive way, what more could the ftc do in this space . I think particularly in the kids privacy space, the jury is still out. Because as Everybody Knows in this room, theres a case pending or a proceeding pending about youtube and whether they violated and what the fine is going to be and what the continuing or new obligations that are going to be placed on google. Now, that settlement, that agreement has not yet been released, has not yet been announced. So i think what they do in that particular case will be indicative of the position that the commission is taking with regards to how serious they are about enforcing copa. So i dont want to say yet. Well see what they do. Well, im sure you can, though, talk about senator markeys own proposals which politico mentioned three of them this morning. Were busy. Off you go. Tell us about them in tweetlength descriptions. Sure. Three different bills, the trifecta of bills. The first is a copa 2. 0 bill, which he has introduced on a bipartisan basis with josh hawley, the republican senator from missouri. What that bill will do in short to be consistent with california and gdpr spell out your acronym, gdpr. You spell it out. General Data Protection regulation. Thank you, jim. What it would do is create as Everybody Knows, copa is only 12 and under. Senator markey and others believe 13, 14, 15yearolds need special protections. Not necessarily the same as 12 and under, but still need special protections. So what the bill would do is extend protections to 13, 14 and 15yearolds. It would also change the knowledge standard from actual to constructive. It would ban targeted ads for kids and it does create an eraser button consistent with the law in california that allows parents and children to erase information that they themselves have posted so as to not violate the first amendment. The other two bills are the camera act, which is the children immediate Research Advancement act which is directing nih to do a fiveyear study on the impact of technology on children. Its obvious that kids are totally glued to these things now. So what are the socio, emotional, cognitive and physical impacts of this incredible increase in Technology Use by children. The last bill, which has not been introduced yet is called the kids acted, the kids entr t internet design and safety act. That bill is seeking to give the ftc new authorities to address exactly what i was just describing, the practices by many websites to glue children to devices. All the strategies that they use regarding auto play and other functions to sort of suck kids in and ensure that they dont stop watching. I have a 3yearold. It works very well on him. He will not stop watching the device unless i rip it out of his hand. And so that bill which well be introducing sometime in september or october will address