Children's Online Privacy Protection Act
|Enacted by||the 105th United States Congress|
|Effective||21 April 2000|
While children under 13 can legally give out personal information with their parents' permission, many websites – particularly social media sites — disallow underage children from using their services altogether due to the cost and work involved in complying with the law.
In the 1990s, the electronic commerce was on its rise, but there have been expressed various concerns about the data collection practices and the impact of Internet commerce on the user privacy - especially children, because very few websites had their own privacy policies. Center of Media Education petitioned the Federal Trade Commission (FTC) to investigate the data collection and use practices of the KidsCom.com website, and take legal action since the data practices violated Section 5 of FTC Act concerning "unfair/deceptive practices". After the FTC completed its investigation, it issued the "KidsCom Letter" - the report that the data collection and use practices were indeed subject to legal action. This resulted in the need to inform parents about the risks of children's online privacy, as well as to parental consent necessity. This resulted in the drafting of COPPA.
The Federal Trade Commission (FTC) has the authority to issue regulations and enforce COPPA. Also under the terms of COPPA, the FTC-designated "safe harbor" provisioning is designed to encourage increased industry self-regulation. Under this provision, industry groups and others may request Commission approval of self-regulatory guidelines to govern participants' compliance, such that website operators in Commission-approved programs would first be subject to the disciplinary procedures of the safe harbor program in lieu of FTC enforcement. As of June 2016,[update] the FTC has approved seven safe harbor programs operated by TRUSTe, ESRB, CARU, PRIVO, Aristotle, Inc., Samet Privacy (kidSAFE), and the Internet Keep Safe Coalition (iKeepSafe).
In September 2011, the FTC announced proposed revisions to the COPPA rules, the first significant changes to the act since the issuance of the rules in 2000. The proposed rule changes expanded the definition of what it meant to "collect" data from children. The proposed rules presented a data retention and deletion requirement, which mandated that data obtained from children be retained only for the amount of time necessary to achieve the purpose that it was collected for. It also added the requirement that operators ensure that any third parties to whom a child's information is disclosed have reasonable procedures in place to protect the information.
The act applies to websites and online services operated for commercial purposes that are either directed towards children under 13 or have actual knowledge that children under 13 are providing information online. Most recognized non-profit organizations are exempt from most of the requirements of COPPA. However, the Supreme Court ruled that non-profits operated for the benefit of their members' commercial activities are subject to FTC regulation and consequently COPPA as well. The type of "verifiable parental consent" that is required before collecting and using information provided by children under 13 is based upon a "sliding scale" set forth in a Federal Trade Commission regulation that takes into account the manner in which the information is being collected and the uses to which the information will be put.
The FTC has brought a number of actions against website operators for failure to comply with COPPA requirements, including actions against Girls' Life, American Pop Corn Company, Lisa Frank, Inc., Mrs. Fields Cookies, and The Hershey Company.
In February 2004, UMG Recordings, Inc. was fined US$400,000 for COPPA violations in connection with a web site that promoted the then 13-year-old pop star Lil' Romeo and hosted child-oriented games and activities, and Bonzi Software, which offered downloads of an animated figure "BonziBuddy" that provided shopping advice, jokes, and trivia was fined US$75,000 for COPPA violations. Similarly, the owners of the Xanga website were fined US$1 million in 2006 for COPPA violations of repeatedly allowing children under 13 to sign up for the service without getting their parent's consent.
In 2016, the mobile advertising network, inMobi was fined US$950,000 for tracking all ages of users (13 and younger and older) geo-location unknowingly. The advertising software continuously tracked user location despite privacy preferences on the mobile device. Other websites that were directed towards children and fined due to COPPA include Imbee (2008) Kidswirl (2011), and Skid-e-Kids (2011).
In December 2012, the Federal Trade Commission issued revisions effective July 1, 2013, which created additional parental notice and consent requirements, amended definitions, and added other obligations for organizations that (1) operate a website or online service that is "directed to children" under 13 and that collects "personal information" from users or (2) knowingly collects personal information from persons under 13 through a website or online service. After July 1, 2013, operators must:
- Make reasonable efforts (taking into account available technology) to provide direct notice to parents of the operator's practices with regard to the collection, use, or disclosure of personal information from persons under 13, including notice of any material change to such practices to which the parents has previously consented;
- Obtain verifiable parental consent, with limited exceptions, prior to any collection, use, and/or disclosure of personal information from persons under age 13;
- Provide a reasonable means for a parent to review the personal information collected from their child and to refuse to permit its further use or maintenance;
- Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children under age 13, including by taking reasonable steps to disclose/release such personal information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
- Operators are prohibited from conditioning a child's participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.
According to a notice issued by the Federal Trade Commission an operator has actual knowledge of a user's age if the site or service asks for – and receives – information from the user that allows it to determine the person's age. An example cited by the FTC includes, an operator who asks for a date of birth on a site's registration page has actual knowledge as defined by COPPA if a user responds with a year that suggests they're under 13. Another example cited by the FTC that an operator may have actual knowledge based on answers to "age identifying" questions like "What grade are you in?" or "What type of school do you go to? (a) elementary; (b) middle; (c) high school; (d) college."
A small fee is charged by Microsoft under COPPA as a way to verify parent consent. The fee is donated to the National Center for Missing and Exploited Children. Google, however, charges the small fee as a way to verify one's date of birth.
In the changes effective July 1, 2013, the definition of an operator was updated to make clear that COPPA covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors. The definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service. Websites and services that target children as a secondary audience may differentiate among users, and are required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13. The definition of personal information requiring parental notice and consent before collection now includes "persistent identifiers" that can be used to recognize users over time and across different websites or online services. However, no parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service's internal operations. The definition of personal information after July 1, 2013, also includes geolocation information, as well as photos, videos, and audio files that contain a child's image or voice.
On November 19, 2015, the FTC announced it had approved an additional method for obtaining verifiable parental consent: "face match to verified photo identification" (FMVPI). The two-step process allows a parent to submit a government-sanctioned ID for authentication, then submit an impromptu photo via mobile device or web camera, which is then compared to the photo on the ID.
While COPPA is an American law, the Federal Trade Commission has made it clear that the requirements of COPPA will apply to foreign-operated web sites if such sites "are directed to children in the U.S. or knowingly collect information from children in the U.S." Since it is US Federal law, it's applicable only to websites that are run:
- by websites under U.S. jurisdiction;
- by websites which are hosted on servers in the U.S.;
- by websites with owners headquartered in U.S. territory; or
- by commercial websites available in U.S. market.
European Union's General Data Protection Regulation article 8 explicitly says that children's personal information deserves parental consent as well. However, GDPR has variable age of consent - from 13 to 16.
COPPA is controversial and has been criticized as ineffective and potentially unconstitutional by legal experts and mass media since it was drafted. Complaints leveled against the legislation include website owners banning users 12 and under — which only "encourages age fraud and allows websites to bypass the burden of obtaining parental consent" — and the active suppression of children's rights to freedom of speech, self-expression, and other First Amendment rights.
Delays in obtaining parental consent often result in children moving on to other activities that are less appropriate for their age or pose bigger privacy risk.
An Internet Safety Technical Task Force composed of experts from academia and commercial companies found in 2012 that mandatory age verification is not only a poor solution for privacy but also constitutes a violation of privacy. The law has also many safety flaws. For example, it does not protect kids from predatory advertising, it does not prevent kids from accessing pornography or lying about their age, and it doesn't ensure a totally safe environment online. Tech journalist Larry Magid, a long-time vocal opponent of the law — also notes that parents, not the government, hold the bulk of responsibility of protecting children online. COPPA has also been criticized for its potential chilling effect on children's apps, content, websites and online services. For example, Snapchat released a Snapkidz version of its app in June 2013, but unlike Snapchat, Snapkidz didn't allow photo sharing at all due to COPPA regulations. Similarly, it has been pointed out that the COPPA Rule was not necessarily about privacy protection but more about "enforcing the laws."
COPPA's penalties ($40,000 per violation) can be potentially catastrophic for the small businesses, undermining their business model. While some major corporations have enough money to pay the fine or implement a parental consent mechanism, small businesses often cannot afford it.
Mark Zuckerberg, co-founder and CEO of Facebook, has expressed opposition to COPPA and stated "That will be a fight we take on at some point. My philosophy is that for education you need to start at a really, really young age."
- "Complying with COPPA: Frequently Asked Questions". FTC Business Center. Federal Trade Commission. 20 March 2015. Retrieved 22 June 2016.
- "What age should my kids be before I let them use Instagram, Facebook, and other social media services?". Commons Sense Media. Common Sense Media, Inc. Retrieved 22 June 2016.
- Bilton, N. (18 February 2015). "Letting Your Kids Play in the Social Media Sandbox". The New York Times. The New York Times Company. Retrieved 22 June 2016.
- Rochman, B. (24 May 2011). "Should Kids Under 13 Be on Facebook?". Time. Time, Inc. Retrieved 22 June 2016.
- Magid, L.J. (24 April 2000). "New Law Protects Kids Online, but It's No Substitute for Parenting". Los Angeles Times. tronc, Inc. Retrieved 22 June 2016.
- Warmund, J. (2001). "Can COPPA Work? An Analysis of the Parental Consent Measures in the Children's Online Privacy Protection Act". Fordham Intellectual Property, Media, and Entertainment Law Journal. 11 (1). Retrieved 22 June 2016.
- "FTC Staff Sets Forth Principles For Online Information Collection From Children". FTC Press Releases. Federal Trade Commission. 16 July 1997. Retrieved 22 June 2016.
- Thomas, L.M. (19 August 2014). "FTC Approves iKeepSafe's COPPA Safe Harbor Program". Privacy Law Corner. Winston & Strawn LLP. Retrieved 22 June 2016.
- Thomas, L.M. (20 February 2014). "FTC Approves Sixth COPPA Safe Harbor Program". Privacy Law Corner. Winston & Strawn LLP. Retrieved 22 June 2016.
- "FTC Will Propose Broader Children's Online Privacy Safeguards". The National Law Review. Ifrah PLLC. 22 December 2011. Retrieved 22 June 2016.
- "FTC v. California Dental Association, 526 U.S. 756 (1999)". Justia. 24 May 1999. Retrieved 22 June 2016.
- Federal Trade Commission (3 November 1999). "16 CFR Part 312 Children's Online Privacy Protection Rule; Final Rule" (PDF). Federal Register. 64 (212): 59888–59915. Archived from the original (PDF) on 29 October 2013. Retrieved 22 June 2016.
- "FTC Announces Settlements with Web Sites That Collected Children's Personal Data Without Parental Permission". FTC Press Releases. Federal Trade Commission. 19 April 2001. Retrieved 22 June 2016.
- "Popcorn Company Settles FTC Privacy Violation Charges". FTC Press Releases. Federal Trade Commission. 14 February 2002. Retrieved 22 June 2016.
- "Web Site Targeting Girls Settles FTC Privacy Charges". FTC Press Releases. Federal Trade Commission. 2 October 2001. Retrieved 22 June 2016.
- "FTC Receives Largest COPPA Civil Penalties to Date in Settlements with Mrs. Fields Cookies and Hershey Foods". FTC Press Releases. Federal Trade Commission. 27 February 2003. Retrieved 22 June 2016.
- "UMG Recordings, Inc. to Pay $400,000, Bonzi Software, Inc. To Pay $75,000 to Settle COPPA Civil Penalty Charges". FTC Press Releases. Federal Trade Commission. 18 February 2004. Retrieved 22 June 2016.
- Sullivan, B. (7 September 2006). "FTC fines Xanga for violating kids' privacy". NBCNews.com. NBCUniversal Media, LLC. Retrieved 22 June 2016.
- "Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers' Locations Without Permission". Federal Trade Commission. 2016-06-22. Retrieved 2018-03-04.
- "Imbee.com Settles FTC Charges Social Networking Site for Kids Violated the Children's Online Privacy Protection Act; Settlement Includes $130,000 Civil Penalty". FTC Press Releases. Federal Trade Commission. 30 January 2008. Retrieved 22 June 2016.
- Engle, M.K. (12 July 2011). "Kidswirl, LLC, FTC File No. 112-3034" (PDF). Federal Trade Commission. Retrieved 22 June 2016.
- "Operator of Social Networking Website for Kids Settles FTC Charges Site Collected Kids Personal Information Without Parental Consent". FTC Press Releases. Federal Trade Commission. 8 November 2011. Retrieved 22 June 2016.
- Percival IV, L.C.; Johnson, E. (1 July 2013). "New Children's Online Privacy Protection Act (COPPA) Rule Now In Effect". The National Law Review. Ifrah PLLC. Retrieved 22 June 2016.
- Larose, C.J.; Siripurapu, J.M. (28 June 2013). "Guide to Compliance with the Amended Children's Online Privacy Protection Act (COPPA) Rule". The National Law Review. Ifrah PLLC. Retrieved 22 June 2016.
- Larose, C.J. (29 June 2013). "Amended Children's Online Privacy Protection Act (COPPA) Rule Compliance Deadline Approaching". The National Law Review. Ifrah PLLC. Retrieved 22 June 2016.
- "Children's Online Privacy Protection Rule: Not Just for Kids' Sites". FTC Business Center. Federal Trade Commission. April 2013. Retrieved 7 July 2013.
- "Why does Microsoft charge me when I create an account for my child?". support.microsoft.com. Retrieved 2017-03-26.
- "FTC Strengthens Kids' Privacy, Gives Parents Greater Control Over Their Information By Amending Childrens Online Privacy Protection Rule". FTC Press Releases. Federal Trade Commission. 19 December 2012. Retrieved 22 June 2016.
- "FTC Grants Approval for New COPPA Verifiable Parental Consent Method". FTC Press Releases. Federal Trade Commission. 19 November 2015. Retrieved 22 June 2016.
- Landy, G.K. (2008). "Chapter 18: Privacy and Use of Personal Data". In Mastrobattista, A. The IT / Digital Legal Companion: A Comprehensive Business Guide to Software, IT, Internet, Media and IP Law. Elsevier, Inc. p. 477. ISBN 9781597492560.
- Matecki, L.A. (2010). "Update: COPPA is Ineffective Legislation! Next Steps for Protecting Youth Privacy Rights in the Social Networking Era". Journal of Lawn and Social Policy. 5 (2): 7. Retrieved 22 June 2016.
- Magid, L. (4 August 2012). "Unintended Consequences of FTC's New COPPA Children's Online Privacy Rules". The Huffington Post. TheHuffingtonPost.com, Inc. Retrieved 22 June 2016.
- "New Internet Privacy Rules Will Not Protect Kids".
- Magid, L. (29 August 2014). "Magid: Protecting children online needs to allow for their right to free speech". The Mercury News. Digital First Media. Archived from the original on 25 March 2016. Retrieved 22 June 2016.
- Morris, J. (23 November 2010). "Ask CDT: Answers on First Amendment Rights Online". CDT Blog. Center for Democracy and Technology. Retrieved 22 June 2016.
- Puckett, J.M. (14 May 2013). "Insider insights on COPPA". Emoderation Blog. Emoderation Limited. Archived from the original on 18 November 2016. Retrieved 22 June 2016.
- Boyd, D.; Hargittai, E.; Schultz, J.; Palfrey, J. (7 November 2011). "Why parents help their children lie to Facebook about age: Unintended consequences of the Children's Online Privacy Protection Act". First Monday. 16 (11). Retrieved 22 June 2016.
- Griggs, B. (1 November 2011). "Parents help kids lie to get on Facebook, study finds". CNN.com. Turner Broadcasting System, Inc. Retrieved 22 June 2016.
- Perlroth, N. (17 June 2012). "Verifying Ages Online Is a Daunting Task, Even for Experts". The New York Times. The New York Times Company. Retrieved 22 June 2016.
- Kluver, C. (5 July 2013). "Parental Notification, the FTC and Kids Apps: What's COPPA all about?". Digital Media Diet. Retrieved 22 June 2016.
- Chaey, C. (24 June 2013). "Snapchat Debuts SnapKidz, A Sext-Free App For Kids Under 13". Fast Company. Mansueto Ventures, LLC. Retrieved 22 June 2016.
- Kamenetz, A. (28 June 2013). "How the New COPPA Requirements Are Bad for Businesses and Kids". Fast Company. Mansueto Ventures, LLC. Retrieved 22 June 2016.
- Davis, W. (25 September 2012). "IAB: Proposed Children's Privacy Rules Undermine Business Model". Online Media Daily. MediaPost Communications. Retrieved 22 June 2016.
- Hostetler, David R (2013). "Children's privacy in virtual K-12 education: virtual solutions of the amended Children's Online Privacy Protection Act (COPPA) rule". North Carolina Journal Of Law & Technology. Online Ed 167.
- Lev-Ram, M. (20 May 2011). "Zuckerberg: Kids under 13 should be allowed on Facebook". Fortune. Time, Inc. Retrieved 22 June 2016.
- Children's Online Privacy Protection Act (COPPA) of 1998, via Federal Trade Commission
- 16 C.F.R. Part 312, the FTC's Children's Online Privacy Protection Rule, via Government Printing Office
- Six Step Compliance Plan for Your Business via Federal Trade Commission, Business Center
- Children's Privacy, via Federal Trade Commission
- FTC FAQ on COPPA compliance, via Federal Trade Commission
- Cybertelecom :: COPPA Information on COPPA regulatory developments