Collecting personal data without age verification or parental consent for users under 13 may not be COPPA compliant for Stack Exchange anymore
COPPA (the Children's Online Privacy Protection Act) is the US law governing websites' interactions with children under 13. Stack Exchange currently uses an exemption in the law that allows sites that are general-purpose or have adult-focused content to largely ignore COPPA, only being required to delete any personally identifying information from any user that they learn is under 13 years old. Such sites are not required to proactively take any steps to determine that users are 13 or older, only react if someone notifies an employee.
That exemption applied when SE focused on technology professionals, but it has since expanded in scope. It only takes an identifiable part of a website that is attractive to children to make the entire site fall under stricter provisions under COPPA. While a generic chat site would qualify for the exemption described above, a chat site with several rooms, one of which discussed dolls, would not qualify. That doesn't necessarily mean the entire site is subject to onerous rules -- it depends on the nature of the site and which exemptions the operators are able to take advantage of. COPPA is an extremely intricate set of regulations, so the correct answer to almost any question about it is "it depends."
SE now clearly hosts content that is attractive to children. For example, at the time of writing, the most popular tag on Arqade is minecraft, and 20% of Minecraft users are under the age of 15. This means that, in the lingo of COPPA, SE is considered to be a website that is "directed to children" but "does not target children as its primary audience."
While websites that are directed to children but do not target children as their primary audience do not qualify for the exemption allowing them to collect whatever PII they want and delete the PII of any underage user they happen to find out about, they do qualify for the active age screening exemption. This allows them to ask for the user's age before asking for PII, which allows websites more flexibility in how they treat people above the minimum age. Websites in this category are not required to ask any user their age, but the default flips; they are required to treat all of their users as children that they don't know to be adults.
The flexibility for sites in this category to treat adults and children differently is not unlimited: according to the FTC's official COPPA FAQ, they cannot prohibit children under 13 from using the site:
4. I run a site that I believe may fall within the FTC’s sub-category of a website directed to children but where it is acceptable to age-screen users. Can I age-screen and completely block users who identify as being under age 13 from participating in any aspect of my site?
No. If your site falls within the definition of a “Web site or online service directed to children” as set forth in paragraph (1) of 16 C.F.R. § 312.2, then you may not block children from participating altogether, even if you do not intend children to be your primary target audience. Instead, what the amended Rule now permits you to do is to use an age screen in order to differentiate between your child and non-child users. You may decide to offer different activities, or functions, to your users depending upon age, but you may not altogether prohibit children from participating in a child-directed site or service.
This rule was made under authority from Congress to prohibit deceptive practices, so it appears that the FTC considers a site that has content that is interesting to children but children are not allowed to participate in to be deceptive.
SE's options if they want to keep Arqade and any other sites that are interesting to children are varied and complicated, but the two most important things to keep in mind are that they must not prevent a child from participating in an activity because they haven't provided PII that is not reasonably necessary for the activity (16 CFR 312.7), and they must obtain parental permission if they collect/use PII for any reason not in the fairly generous list of exceptions.
After digging through the ins and outs of what is considered PII for COPPA purposes, I'm convinced that pinging and chat are the only major pieces of functionality that require PII currently¹. That doesn't mean there aren't other issues that would need to be addressed. For instance, SE would have to ensure that the tracking used on the site by itself and its advertisers apply, and it would have to take steps to make reasonably sure that posts and comments by underaged users do not contain PII. (Pre-screening for PII by a staff member before publishing is explicitly defined as a reasonable approach for doing this.)
Alternatively, SE could obtain parental permission to display any personal information children put in posts or comments. Third-party services exist to make it easier to verify parental consent. They would still need to make sure they were in compliance with the various provisions of COPPA, but with parental permission there is much less that is restricted.
1: But note that the presence of pinging and chat turns anything that displays a username into "requiring PII" due to odd dependencies² in the COPPA definition of PII.
2: This is not even the oddest interaction³ between definitions in the COPPA regulations.
3: I really want to see a ruling on how Chevron deference applies to an agency's resolution of Russell's paradox!