from the not-how-anything-works dept
How do you comply with a law that prohibits collecting personal information from children under 13? If you said “by not collecting personal information from children under 13,” congratulations, you understand the law better than Louisiana’s Attorney General.
The state of Louisiana has filed a lawsuit against Roblox that includes what might be one of the most breathtakingly contradictory legal arguments I’ve ever encountered (ht: Liz Dye). In a complaint that runs 42 pages and accuses Roblox of being “the perfect place for pedophiles,” the Louisiana AG manages to argue that Roblox violated COPPA (the Children’s Online Privacy Protection Act) by… complying with COPPA.
Let’s dive into paragraph 113, which is doing some truly Olympic-level mental gymnastics:
Defendant could have also required children under 13 to provide their names and email addresses and obtain parental approval – a fundamental protection against predators – but refused to do so. This decision allowed the company to bypass certain protections that are mandated by federal law and designed to protect children. The Children’s Online Privacy Protection Act (“COPPA”) prohibits companies like Defendant from collecting, using, or disclosing the personal information of children under 13 without verifiable parental consent. COPPA was enacted because Congress recognized the heightened vulnerability of children on the internet. As the Federal Trade Commission (“F’TC”) noted the limited capacity of children to “understand fully the potentially serious safety and privacy implications” of sharing their personal information.
So let me get this straight: COPPA (according to Louisiana’s Attorney General) prohibits collecting personal information from kids under 13 without parental consent. Roblox doesn’t collect names or email addresses during sign-up in order to comply with the law by avoiding the collection of personal information that would trigger COPPA’s requirements. And Louisiana’s AG thinks this is… a violation of COPPA?
COPPA explicitly gives companies a choice: either don’t collect personal information from children, or collect it with verifiable parental consent. It’s right there in the law. Louisiana is essentially arguing that if you choose option A (don’t collect), you’re violating the law because you didn’t choose option B (collect with consent). Louisiana’s legal theory would make about as much sense as a law saying “you can either wear a red shirt or a blue shirt,” and then arresting someone for wearing red because they did so to “avoid” wearing the blue shirt.
Under their interpretation, every company that serves children would be required to collect personal information from those children, just so they could then get parental consent. The privacy law becomes a mandatory surveillance law.
This is yet another one of those laws in which law enforcement officials view actual compliance with the law (i.e., not doing something) as “sidestepping” the law. The lawsuit literally claims that a few paragraphs later:
Yet instead of implementing safeguards to comply with COPPA, Defendant chose to bypass these protections altogether. Defendant intentionally avoids requesting a name or email address during sign-up to sidestep the requirement of verifiable parental consent.
The lawsuit essentially claims that Roblox “bypassed” COPPA’s requirements by following them. The logic appears to be that because COPPA allows for collection of data with parental consent, companies are somehow required to collect that data and get that consent, rather than simply choosing not to collect the data in the first place.
That’s not how laws work. That’s not how any of this works.
COPPA doesn’t mandate age verification or data collection. It sets rules for what you must do if you collect personal information on a service targeted at children. If you don’t collect that information, you don’t trigger COPPA’s requirements. It’s compliance, not evasion.
Now, Louisiana might try to argue that Roblox’s approach creates a loophole that facilitates harm to children by making it easier for predators to create anonymous accounts. But that’s not what COPPA is designed to prevent. COPPA is a privacy law—its purpose is to prevent the unauthorized collection of children’s personal information, not to mandate surveillance systems. Indeed, the thinking behind COPPA is that children are more safe if companies are not collecting their data. And Louisiana’s position seems to be “but doing that makes them less safe.”
If Louisiana wants platforms to implement stronger identity verification for child safety reasons, they should advocate for new legislation designed for that purpose (and see if they can make a law that actually survives Constitutional scrutiny), not twist existing privacy protections into their opposite.
The interpretation by AG Liz Murrill creates an absurd Catch-22: the lawsuit argues Roblox should have illegally collected children’s personal information in order to ensure it wasn’t illegally collecting children’s personal information.
The COPPA misunderstanding isn’t the lawsuit’s only legal misstep. The complaint reveals a broader pattern of treating routine content moderation challenges as evidence of illegal conduct. For instance, the lawsuit faults Roblox because some kids are able to bypass text filters by using alternative spelling. I only wish I were kidding:
Because Roblox is deceptive by design, children are exposed to graphic sexual material and the existing safety features are woefully inadequate. For example, Roblox’s chat filtering feature is designed to filter inappropriate content and personal information on accounts aged 12 and younger but is less restrictive for accounts aged 13 and above. However, these filters are easily bypassed by obscuring text with alphanumeric combinations (e.g., “D1DDY P13NS”).
Ah yes, the legal theory that content filtering technology must be perfect, or it’s “deceptive by design.” This is a bit like suing a car company because some people speed, or suing a bank because some people rob banks. If your security measure can be circumvented by anyone, ever, then obviously you’re running a criminal enterprise.
Has AG Murrill met any children recently? Because I have news for her: kids are really good at getting around rules. They’ve been figuring out creative ways to say forbidden words since approximately the dawn of language. The fact that some 12-year-old somewhere has figured out that “D1DDY P13NS” bypasses a content filter is not evidence of a criminal conspiracy—it’s evidence that 12-year-olds exist.
This legal theory would make every content moderation system on the internet potentially fraudulent. The fact that some users work around filters doesn’t make the filters themselves deceptive any more than the existence of lock picks makes door locks fraudulent.
Also note the assumption in there that all children are automatically exposed to inappropriate content, which is quite a claim.
Also, this next paragraph is just bizarre. Does Murrill think the kids these days are out there seeking out Sean Diddy Combs’ virtual party experiences?
The report confirmed that Defendant actively hosted over 600 “Diddy” games, with titles like “Survive Diddy,” “Run from Diddy Simulator,” and “Diddy Party,” which appear to recreate reported incidents involving the music mogul Sean Combs, publicly known as “Diddy.” Diddy was federally indicted and is underwent trial for sex trafficking of minors and other grievous criminal charges regarding allegations surrounding reports about “freak-off’ parties-events which, according to testimony, multiple lawsuits and mediareports, allegedly involved forced drug use, violent assaults, and the sex trafficking of minors, including victims as young as 10 years old.
I mean, yes, those sure sound to be in extremely poor taste, but it’s a bit of a weird thing for Louisiana to be focusing on. I’m pretty sure that kids today aren’t seeking out fake parties mimicking the sex parties of a washed-up hip hop star whose biggest hits were way before any of them were born.
There are legitimate concerns about child safety on gaming platforms. Roblox, like every major social platform, faces real challenges in protecting young users from predators and inappropriate content. Those are serious issues worth discussing and addressing.
But this particular legal theory is bananas. It’s the kind of argument that makes you wonder if anyone at the Louisiana AG’s office actually read COPPA before filing a lawsuit about it.
The complaint does raise other issues about Roblox’s safety measures and content moderation that might have more legal merit (Roblox insists that the lawsuit is complete garbage). But when your lead argument is essentially “they violated the law by following the law,” it doesn’t exactly inspire confidence in the rest of your legal reasoning.
This feels like someone Googled “COPPA requirements” for about five minutes, half-understood what they read, and then built an entire lawsuit around a fundamental misreading of the statute. The result is a complaint that accidentally argues companies should violate COPPA in order to comply with COPPA.
The broader implications here are troubling. If Louisiana’s interpretation were to gain traction, it could create perverse incentives for companies to collect more personal data from children rather than less—exactly the opposite of what privacy advocates have been fighting for. Instead of rewarding platforms that take a privacy-protective approach, this legal theory would punish them for not being invasive enough.
Maybe Louisiana’s AG should have spent less time crafting inflammatory soundbites about “pedophile playgrounds” and more time, you know, reading the actual law they’re claiming was violated. Just a thought.
Filed Under: age verification, compliance, coppa, liz murrill, louisiana, protect the children
Companies: roblox
