The plot of last Sunday’s episode of HBO’s fantastic and hilarious show, Silicon Valley, titled “Terms of Service,” was driven entirely by “COPPA,” a somewhat obscure (though probably not to our blog readers) privacy law that stands for the Children’s Online Privacy Protection Act. As someone who frequently advises clients on COPPA-related issues, this was a really fun episode for me to watch. So I thought I’d share some of my musings.
For the most part, the episode nails COPPA in a really impressive way. There is no question the writers were advised by a privacy professional who knows his or her stuff, as reflected by the cogent analysis delivered by the crew’s car washing, practicing-law-without-a-license lawyer. The guy may be a former convict, but he sure knows his COPPA law. He even pronounces it right!
But probably because a show that was just about COPPA wouldn’t be particularly interesting for anyone to watch, even me (ok, I would watch it), the writers did take some liberties to help move the plot along.
The first dramatic liberty was the shocking $21 billion COPPA fine, which Jared accurately* calculated as:
51,000 estimated underage users x
25.6 average chat sessions/user x
$16,000 per violation =
$20,889,600,000.00 ($20.8 billion)
Jared’s Calculation of PiperChat Liability
* When COPPA was enacted in 2000, the maximum penalty was $16,000 per violation. But as insane as $21 billion may sound, in 2016, the FTC increased the per violation fine from $16,000 to $40,000, subject to automatic increases to account for inflation, making the current maximum fine $40,462 per violation. So in 2017, the maximum fine actually would have been a whopping $52.8 billion!
Historically, however, the maximum penalty calculation, though relevant, hasn’t proven to be all that meaningful in resolving COPPA cases. The FTC, or state AGs that also police COPPA, have traditionally been more interested in encouraging violators to enter into consent decrees that require changes in privacy practices, not in fining companies into oblivion.
That said, it is true that COPPA fines can be substantial, with the maximum COPPA penalty to date coming in at $3,000,000. Also, PiperChat would be facing other potential liabilities. Although COPPA does not provide a private right of action, I could just imagine the “most feared lawyer in Silicon Valley” leading a class action of parents seething over this motley crew of socially-awkward, 20-something, man-boy-babies, capturing and storing 1,305,600 video chats (per Jared’s calculation) of their young children chatting with each other.
So, I’m not saying the issue isn’t really dire for PiperChat, but it’s not because a $21 billion fine is a realistic penalty for the company. A good lawyer, and maybe one who actually has a license to practice law, would help PiperChat work through these issues, including by recommending changes to the company’s privacy practices and policies, finding a way to work with regulators, and preparing for battle against that angry mob of parents, who still have the challenge of demonstrating damages under the Supreme Court’s recent Spokeo decision.
The second dramatic liberty was Richard pinning the entire problem on Dinesh not porting over the Terms of Service (thus, the name of the episode) from his platform. Blaming the Terms of Service gave Gilfoil just what he had been waiting for – to watch Dinesh crash and burn as CEO – but even if Dinesh had moved over the Terms of Service, it wouldn’t have saved them.
COPPA isn’t triggered based on what’s in or is left out of your Terms of Service. COPPA is triggered when the operator (PiperChat, Inc.) collects personal information (name, email address, video and audio, IP address, cookies) from users (a) of an online service (PiperChat) that is directed to children under the age of 13 (probably not PiperChat), or (b) that the operator has “actual knowledge” are under the age of 13 (definitely the case here: Richard has actual knowledge by seeing the faces of the young users).
So the COPPA problem arises from the fact that PiperChat is knowingly collecting tons of personal information from underage users (Dinesh confirms “we collect everything”), not because Dinesh ignored Richard’s reminder to port over the Terms of Service.
Wonderfully, their “lawyer” was dead on in explaining this: they had “no parental permission requirements in place.” If PiperChat wanted to allow children under 13 to use their platform, COPPA requires them to obtain “verifiable parental consent” before collecting any personal information from those users. Alternatively, PiperChat could have done what most companies do and not allow children under 13 to use the service by reflecting that in the Terms of Service, implementing a COPPA-compliant age screen, and making sure the company doesn’t have actual knowledge its users are under 13.
Musings aside, loved the episode, love the show.