> A week before the meeting, the Federal Trade Commission announced that it was considering making changes to its interpretation of the Children’s Online Privacy Protection Act, which prohibits companies from collecting information about kids under the age of 13 without parental permission.
How would that work in practice? A lot of us here operate websites. Your website gets a request. How are you supposed to tell the age of the person that request came from? Maybe Google / Facebook have enough data to identify the person and their age, but ironically, they would have to collect information about them to determine that it's a person they shouldn't collect information about.
Certainly no child in the history of the Internet has ever lied to a website when asked their age.
It depends on what they consider "collecting information". Does your server log IP addresses? Do you know the age of the person behind each IP address? Does that count as "collecting information" about them? You know an IP, the time and date they accessed the site, what pages they viewed, you can infer a general location. If the law is not clear enough, it can be interpreted to make basically any website infringing.
If you want to have a newsletter, or offer a service where people log in and want to recover their password, you'll need at least an email address. Can you verify that every email address is exclusively used by people 13+?
I agree with the grandparent poster that not collecting information should be the default.
re: collecting IP addresses: I run my web sites behind Nginx and do have rolling logs, but I ignore IP addresses.
For your e-mail use case, I think a reasonable compromise is asking if the user is older than 13 and what alternative is there but to trust them? Personally, I think that collecting e-mail addresses for people signing up for a newsletter is a great example of when it is perfectly fine to collect private data.
I think duration and consent have to be part of the equation. Collecting an IP for somewhere in the range of milliseconds to 24 hours in order to gather statistics about site traffic is one thing, putting it in perpetual storage for cross correlation is entirely different. Asking for an email address to create an account is one thing, using 3rd party cookies to figure out someone’s email address to cross correlate with their browsing history is different. Blurring the line between these innocent practices and mass surveillance by international corporations is quite disingenuous.
I am not trying to blur the line or say they’re equivalent. I’m saying that if the law, as written, doesn’t distinguish between these things then it becomes a cudgel that can be selectively wielded against any website that happens to draw the ire of anyone with power to launch investigations.
We all see how incompetent the government is when it comes to understanding technology and how it works (see the Missouri governor clamoring to prosecute someone for “hacking” because they used view source), so remember when you’re asking for greater regulation who it is that’s going to be doing the regulating.
This is basically what I do with my hobby sites. I have HAProxy sprinkled around the internet here and there. I set the custom header with the client IP address to something that my web server doesn't recognize. This means everyone on the internet shows up as my VPN address. This also forces me to ignore IP addresses and design protection ACLs to be generalized. It has been a fun learning exercise.
That said, I am not suggesting that businesses should or could do this. Some businesses are required through regulations to capture IP addresses of their customers at a minimum.
Requiring payment for access would also work. Maybe $10 for a lifetime membership, otherwise it's read-only.
Children can only participate with these companies because the product is 'free'. Same with p*rn and free2play games: eliminate the 'free' component to effectively block them from children (at least without parental consent).
Not too hard to get around. I have friends who used to buy American Express gift cards to get around having to pay online with a credit card, so kids could easily get around any payment restrictions. I think all a paywall would do is make life more inconvenient for the average user.
> How would that work in practice? A lot of us here operate websites. Your website gets a request. How are you supposed to tell the age of the person that request came from?
Idea: browsers would implement parental control, so when you set up a child account on your kid's device the OS will store the age of the user, and the browsers would read this. Then in the request (maybe depending on region or whatever protocol) the browser can tell you if the user's age is <13 or in some other interval.
So this means the browsers need to collaborate with the OS, and the parent has the responsibility to set up the correct user account for the user in the OS; for older OSes the parent will have to set up this setting directly in the browser and set up the browser in a "child" mode.
I think that websites generally do this based on whether the content is primarily intended for children (e.g. YouTube doesn't collect this type of data when users are viewing videos marked as being for children).
And this ends up breaking the site for adults as well.
I have a YouTube playlist of videos I'd like to show my kids. It turns out that YouTube will not allow videos marked as "intended for children" to be added to a playlist, even by an account that belongs to an adult. So the only videos I can put in that playlist for my kids are ones YouTube thinks are NOT for kids.
It's not a bug, it's a direct and intentional consequence of the FTC's efforts to strengthen COPPA which this article complains that Google didn't just go along with, and required by the settlement mentioned in the article. COPPA effectively bans companies from collecting data on under-13s (there's a parental consent provision which is basically infeasible to comply with), which includes stuff like letting them add videos to playlists. Google didn't allow under-13s to have accounts, but parents let kids watch videos on their accounts and the FTC's position is that this was a violation of COPPA when the videos weren't aimed at kids. So now Google cannot, by law, allow people to comment on videos that seem like they're aimed at kids, add them to playlists, or do other things that collect data from the person viewing them.