9 Jun





 min read

Customers Come First: Why COPPA 2.0 Should Not be a Problem for Your Business

A few short weeks after Facebook announced its intent to build an “Instagram for Kids”, Senator Ed Markey has renewed calls to update and expand COPPA, the Child Online Privacy Protection Act. After reflecting on the wave of backlash Facebook has seen as well as the call for a COPPA 2.0 that would, among other things, raise the age protections from 13 up to 16 years old, I wanted to offer a quick guide for navigating the youth market for anyone looking to either expand their business or align themselves with COPPA 2.0.

The first thing you need to know is you shouldn’t be worried about COPPA 2.0, or COPPA at all for that matter.

The 2nd and 3rd order effects of building a youth focused business are what you should be worried about, and if you can effectively mitigate those risks, then compliance will be easy. If you haven’t found a way to mitigate the risks, and simply seek compliance, what you are building is dangerous and irresponsible to put out into the world.

You can’t carelessly enter the youth market; a new bolt-on product line, partnership, platform feature, etc. isn’t going to cut it here. When you are talking about your customers, you’ve got to be all in. Business alignment with the customer is critical in this market, and the customers overwhelmingly want their kids to be safe and secure on your platform. Beyond that, since you are working with people’s children, you have a moral obligation to protect them from what you’ve built. Period. Full stop.

There is no one-size fits all breakdown for achieving total business alignment to your customers, but a practical high-level approach I use are the following three buckets: mission, business operations, and technology.

It starts and ends with your Mission.

Your mission defines what your business will one day become. If you adopt a mission that you genuinely, passionately believe will improve the lives of children and parents, it is going to be much easier to get all the other details right, from organizational structure to technology features and compliance.

For Vanta, we have made it our mission to put an end to cyberbullying and create a safe place for kids to game, learn, and grow. That mission was borne out of the personal experience of my friend and Co-Founder, Ed Lallier, whose son was cyberbullied while playing the popular game Fortnite. His experience is tragically common and echoes the unfortunate reality of playing video games online today for many children and even adults — exposure to toxic behavior borne out of anonymity and a poorly controlled environment.

Our entire business aligns to this mission because we have a strong conviction that by creating a safe and supervised environment for kids to channel their natural excitement for video games, we’ll be making their lives better while building a sustainable business at the same time (I’m a big believer that purpose and profit are not mutually exclusive).

Furthermore, if you do not embrace your mission and connect it to your actual business operations, you’re going to struggle. Again, just look to the tornado of criticism mounting against Facebook for its ‘Instagram for Kids’ business. The problem with Facebook is not that they lack a mission, or that the mission is not a positive one, it is that there is a clear disconnect between their mission and how they actually make money and operate. In essence, their mission is obvious lip service and the move is likely an attempt to pad their aging demographic with new blood and monetize their data. Business as usual for Facebook.

This approach may work in other markets (for a time…) but here they are bound to fail. Not because of legislative pressure on big tech companies, and not because they will muck up some aspect of technological or regulatory execution. Rather, because their hidden mission, their true mission, to monetize the data of children on their platform, is as obvious as it is misaligned with the wishes and needs of their prospective new customers.

So align your mission to the needs of your customers and make sure you actually follow it.

Build business practices that address the ‘3 Worries’.

If your instinct after the first step (or as a first step) is to dive into building software, take a minute and think about your business model first. Not only will this save you time and money from building something no one wants, but it will prevent you from disaster on your platform with significant ethical and legal consequences. Thinking through the operational infrastructure that you will need to build your business and safeguard your young users, should be your next course of action after aligning on your company’s mission.

Best practice is to go beyond regulatory compliance, and beyond technology — get to the heart of potential risks. The way I think about online safety starts with what I call “the 3 worries.” That is: grooming and predators, cyberbullying and harassment, and child information security. Your infrastructure at a minimum needs to address all three.

For example at Vanta, this manifests in a couple key ways:

  1. We put a tremendous amount of effort into selecting and training our esports coaches who will be supervising and mentoring kids in our program. That means running detailed background checks and interviews to vet them, putting coaches through our in-house leadership development training to make sure they are well-equipped for the job, and continuously engaging them throughout the season.
  3. We add another layer of controls by having trained moderators in every practice and game session. These moderators audit and assess the quality of coaching and reduce the risk of bad actors making it past the safeguards in #1 above.

These specific ways of addressing risk are unique to Vanta, but regardless of your business model, the most important thing is to train your people. I will say that again— train your people. As they say, an ounce of prevention is worth a pound of cure. Take that to heart and continuously seek to improve the quality, knowledge, and preparedness of anyone who interfaces with your customers. This could be your customer service or sales representatives, your technicians, your moderators, your coaches(!), your marketers, or your brand ambassadors. If they come into contact with your customer through any medium, train them. They are your last and best asset when all else fails and your best source of immediate problem solving. This is the way.

Build COPPA+ technology.

Finally, once your mission and your operations are aligned, we can discuss the technological side of things. This is the critical final piece for building a responsible and sustainable business that protects the safety and privacy of your customers. Technology tends to be the area that is easiest conceptually to tackle, given it is a more concrete problem-solving exercise.

However, even here there are still important outside factors to consider. First of all, if you built your technology to be just COPPA compliant, it is not scalable. Simple compliance to COPPA likely means you are out of compliance with other federal and state laws where you do business such as FERPA, CCPA, SOPIPA, PPRA, etc. (Familiarization with these acronyms a good place to start your tech requirements research…)

Think ‘COPPA+’ from the get-go to keep your bar as high as possible. Build as much of your stack from scratch, by design if you can. Retrofitting live software to comply with COPPA (and/or COPPA 2.0) will be both challenging and costly— for some, prohibitively so. If you do nothing else right, focus on the four main tenets of COPPA: consent (from parents), access (to collected information), visibility (of user activity), and deletion (of data).

Think through the front-end customer experience and back-end handling of data, while maintaining a real sense of how well your business mitigates the risk of predatory behavior, harassment, and data compromises. Fill the gaps with software solutions where possible, and do not be afraid to add ‘human in the loop’ interactive AI systems to supplement your design.

Center safety at all levels of your business.

If news of COPPA 2.0 has you scrambling to figure out what legal and technological changes you will need to implement to ensure compliance, I would wager you are thinking about the problem incorrectly. The real problem is likely that your business is not aligned to fully serve the needs of your customers, and it may be time for an overhaul.

With regard to Senator Markey’s bill, we at Vanta are wholeheartedly behind the spirit of laws intended to safeguard children in an increasingly complex digital world, and to give parents and guardians the tools they need to help them protect and equip their children and wards. We will pay close attention and support any legislation that we believe will improve the safety of kids online & off.

[Visit www.VantaLeagues.com, Twitter contact @vantaleagues]

Spread the word.

Vanta BLOG