On January 14, MySpace announced an agreement with the attorneys general of 49 states and the District of Columbia in which the website pledged to take specified steps to increase the safety of children on its site. The agreement came in response to pressure from state officials for the site to tighten protections. It merits examination by others in light of the state public policy consensus that it reflects.
The United States has no specific "Social Network" privacy law. Instead, social networking sites can be subject to a number of laws, written for different industries and even different technologies, but which happen by their terms to apply to the activities of networking sites as well.
Role of COPPA
One federal statute that does directly govern networking sites (although enacted in response to chat rooms) is the Children's Online Privacy Protection Act of 1998 (COPPA), which restricts the collection by social networks of personal information about children under the age of 13. If a 12-year-old attempts to register on a site, COPPA—which requires verifiable parental consent as a precondition to the data collection—applies. However, COPPA does not affect teenagers. Moreover, the COPPA restrictions can easily be circumvented by children who do not report their age honestly or who have access to a parent's email address.
As social networking websites—unknown in 1998 when COPPA was enacted—have grown, so, too, have concerns on the part of state attorneys general that such sites provide insufficient protections against sexual predators and harassing bullies. After considerable discussion, in January, MySpace—the largest social networking site—announced an agreement with the attorneys general in which it committed to make certain improvements to its protections of teenagers. The state attorneys general expressly "call upon other social networking services to adopt these principles."
MySpace agreed to certain design and functionality changes intended to implement those principles. Stating that providing children with a "safer social networking experience" is a primary objective for operators of social networking sites, MySpace agreed to organize an industry-wide Internet Safety Technical Task Force devoted to finding and developing robust online identity authentication tools. This effort addresses the most nettlesome online problem—the task of identifying someone accurately. A famous New Yorker cartoon featured a dog facing a computer and telling his friend, "On the Internet, nobody knows you're a dog." For social networks, the problem is that the site never really knows either a user's name or her age.
MySpace also agreed to changes to its website design and functionality to protect younger users from inappropriate contact by adults. For example, MySpace will allow users to restrict "friend" requests to only those who know the user's email address or last name. It will make a "friends only" group invite mandatory for 14- and 15-year-olds, and the default option for 16- and 17-year-olds. Users under age 18 will be able to block all users over 18 from contacting them or viewing their profile. Among other changes, MySpace will automatically assign users under 16 a private profile. It will prevent users over 18 from browsing for users under 18, and anyone from browsing for users under 16.
Furthermore, MySpace agreed to take other specified steps to protect younger users from inappropriate content. These steps include an image policy for hosted images, expansion of spam/abuse reporting capabilities and a prohibition against users under 18 and 21 accessing tobacco and alcohol advertisements. Users under 18 also are not to be allowed to access or post messages to "mature" groups.
More broadly, MySpace agreed to other steps designed to enhance the safety of all of its members. For example, it committed to allow all users to set their profiles to private and to enable all users to pre-approve comments before they are posted. Among other things, it will enable all users to conceal their "online now" status and block particular users from contacting them.
MySpace also agreed to try to limit its membership to users 14 and over. To address the problem of younger children lying about their age, MySpace has agreed to create a registry of email addresses for children under 18, in which parents not wishing their children to join participating social networking sites could register their children's email addresses. This registry may be somewhat similar to the ones maintained by state governments in Utah and Michigan; both states list email addresses to which certain types of messages may not be sent.
Finally, MySpace will undertake a variety of steps to improve its ability to block adult content from being available to children under 18 via its site.
Will This Help?
Some of these steps may prove more effective than others. The new MySpace age registry, while well-intentioned, faces uncertain prospects. For example, while already existing email addresses might be blocked, it is unclear how a child could be prevented from simply creating a new email address to use in registering.
Another provision commits MySpace and the attorneys general to discuss with Google the "need to cease directing age-inappropriate linked advertisements to minors." Implementing this may require closer coordination and information exchange between MySpace and Google. How this is implemented could raise a separate set of privacy issues.
Although only time and experience will demonstrate the effectiveness of these measures, from a legal perspective, the significance of the MySpace agreement is that it seeks by self-regulation (albeit under some pressure from law enforcement) to fill a gap in U.S. law by protecting children ages 13 and older who are outside the coverage of COPPA. Although it lacks the force of law, the state attorneys general clearly hope that the MySpace agreement will serve as a model for other social networking sites.