Re: [IAB] Proposed IETF Privacy Policy for Review

"John Levine" <> Thu, 17 March 2016 15:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2501612D9DF for <>; Thu, 17 Mar 2016 08:04:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id V7g-HDp-_7Q9 for <>; Thu, 17 Mar 2016 08:04:20 -0700 (PDT)
Received: from ( [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9B05012DC10 for <>; Thu, 17 Mar 2016 08:04:10 -0700 (PDT)
Received: (qmail 79864 invoked from network); 17 Mar 2016 15:04:09 -0000
Received: from unknown ( by with QMQP; 17 Mar 2016 15:04:09 -0000
Date: Thu, 17 Mar 2016 15:03:47 -0000
Message-ID: <20160317150347.29907.qmail@ary.lan>
From: John Levine <>
Subject: Re: [IAB] Proposed IETF Privacy Policy for Review
In-Reply-To: <>
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 17 Mar 2016 15:04:26 -0000

In article <> you write:
>My only issue is that it claims our websites are not for use by children under 13. They most certainly are.

No, it says they are not *intended* for children under 13.  Words
matter, particularly in legal documents, and it's important to read them
carefully enough to understand what they mean.

Having written a chapter on COPPA for a legal encyclopedia, I can
report that the law is actually pretty reasonable, as is the section
of our proposed privacy policy.  Intended means what it sounds like,
there's nothing on our web sites aimed at kids, with typical examples
being cartoons and games.

It specifically does not mean that children are forbidden to use our
sites, nor does it mean that we have to take any measures to keep
children out.  (For sites that really are intended for children,
there's a comprehensive set of rules with compliance generally
outsourced to a handful of specialist companies in the marketing and
entertainment industries.)

COPPA discourages collection of PII from children without their
parents' consent, so insofar as we are able, we should avoid doing so.
If it became apparent that a participant on an IETF list (or,
hypothetically an I-D author) were under 13 it would be a good idea to
suspend the child's subscription and tell her to have her parent write
to the list owners, so we could explain what the IETF is, how the
mailing lists work, and ask whether the parent is OK with her
participation.  It would also be a good idea since a 12 year old child
cannot meaningfully agree to the Note Well.

For more info on COPPA, Google is your pal.  You're in Canada, and I
have no idea whether the IETF's contacts with Canada are sufficent
that PIPEDA would apply, although I would guess that our practices
would be fine under PIPEDA.  If anyone cares I have contacts at the
OPC I could ask.