COPPA

The Children's Online Privacy Protection Rule

COPPA

The Children’s Online Privacy Protection Act (COPPA) is public safety legislation enacted by Congress in 1998. The sole purpose of COPPA is to outline and impose regulations and requirements that industry groups and website operators must comply with when directing online services to children under 13 years of age.

What is COPPA?

COPPA seeks the safety of a child's personal information (name, telephone number physical address, Social Security number, etc.) as they navigate the internet environment. COPPA’s primary goal is to place a parent of a child in control over the information collected from their children.

The regulations and precautions outlined in COPPA apply to:

  • Operators of general audience websites and online services that knowingly collect, use, or disclose personal information from children under the age of 13 or have knowledge that they are collecting this personal information from other websites or online services directed to children.
  • Operators of commercial online services (e.g., mobile apps or IoT devices, such as smart toys and wearables) and commercial websites that are directed toward children under the age of 13 that collect, use, or disclose personal information from children. These operators cannot position the child's participation as conditional upon providing personal information.

Who created COPPA?

Lawmakers created and designed COPPA at the request of the Federal Trade Commission (FTC). During a three-year effort by the FTC to educate consumers about the online collection of personal information, the FTC surveyed 212 commercial children’s websites.

The survey found an overwhelming majority of the websites (89 percent) collected personal information from children, but only 24 percent posted privacy policies. Furthermore, only one percent of the websites required the parents of that child to consent to collect or provide disclosure of such information.

Congress introduced the COPPA bill and signed it into law in October 1998. It went into effect in April 2000. It has since been amended. The FTC enforces COPPA regulations.

Why do we need COPPA?

COPPA protects the personal information of children within the online environment. Per COPPA, personal information includes names, home, and e-mail addresses, and social security numbers and photos, videos, and audio files of children under the age of 13.

Primarily, COPPA is needed to protect children. Also, it is needed to help keep parents of a child informed and in control of the online services used by their children and the intentions of said services.

Secondarily, COPPA protects online providers by giving them guidelines and regulations for compliance regarding children’s privacy protection.

How can a business become COPPA Compliant?

COPPA compliance is not straightforward — it doesn’t apply to every online service or website. Per the FTC, the law applies to:

  • Businesses that operate websites and provide online services directed towards children under 13 that collect their personal information.
  • Businesses that operate websites and provide online services directed towards children under 13 and let others (companies, ad networks, etc.) collect their personal information.
  • Businesses that operate websites and provide online services are directed towards general audiences but possess knowledge that the personal information of children under 13 is collected.
  • Businesses that operate advertising networks or plug-ins and know that personal information is collected from websites or online services directed at children under 13.

The FTC does provide a COPPA compliance plan for businesses. To be considered COPPA safe, groups or individuals must submit their self-regulatory guidelines to the FTC for approval. These businesses must show they have made a reasonable effort to comply with the points on the list above.

Post a comprehensive online Privacy Policy

One of the first steps in COPPA compliance is ensuring you have a public posting of your privacy policy that is easily accessible. The privacy policy must be comprehensive and clear, describing how the personal information of children under 13 is collected and handled.

Posting clear online policies also includes information regarding the information practices and disclosure practices of other online services that operate on your site, e.g., plug-ins or advertising networks.

The policy must include:

  • A list of all online operators that are collecting visitors' personal information, third-parties included. The list must include names and contact information.
  • A description of the kind of personal information collected (name, address, etc.) and how it is collected (directly or passively through cookies), and how it is used (e.g. marketing).
  • A description of parental rights and procedures they can follow to exercise those rights.

Include privacy policy links on the homepage; make sure they are clear and prominent.

Provide direct notice to parents

COPPA compliance requires giving direct notice to parents explaining your practices before collecting personal information.

The notice must tell parents that you have collected their contact information to get consent. It must also inform the parents that you intend to collect their child’s personal information, that parental consent is required, and tell them how to give their consent.

Obtain Parental Consent

Operators of websites must obtain parental consent before collecting, using, or disclosing personal information from a child under 13. How you collect parental consent is up to you, but the consent must be verifiable.

Methods of verifiable parental consent include:

  • Signing a consent form and sending it back (fax, scan, mail, etc.);
  • Calling a toll-free number or connecting via video conference to speak with trained personnel;
  • Answering knowledge-based challenge questions;
  • Providing a government-issued photo ID to check against a database;
  • Verifying a picture (photo ID) submitted by the parent and comparing it to a second photo submitted (facial recognition technology);
  • Using a payment card (credit, debit, etc.) that provides notification of separate transactions to the account holder.

If personal information is used for internal purposes only, you can use the “e-mail plus” method for verification consent. With the e-mail plus method, you simply send a message to the parent's e-mail address. They must reply with their written consent.

Provide a way for parents to review collected information

You must also honor the parent’s ongoing rights related to collecting the personal information of their child. You must provide a way for them to review the personal information collected, review the parent's online contact information, revoke consent, refuse further collection of personal information, and delete their child’s personal information.

Establish confidentiality and security procedures

COPPA compliance also requires you to establish and maintain procedures to protect the confidentiality and integrity of personal information of children under 13 once gathered.

Ensure that other service providers or third parties can do the same if you are releasing the information to them.

Delete children’s information after use

Remember to keep personal information only as long as it's necessary for the intended purpose. Once the personal data is no longer legitimate or applicable, you must securely dispose of it.

Do not require unreasonable data collection

Minimize the amount of personal information you collect from children under 13, collecting only necessary information. Avoid excess data collection entirely.

What changes have been made to COPPA?

The FTC revised COPPA after an extensive review in 2013. The revisions sought to give parents additional control over the online collection of their child’s personal information in the ever-changing online environment. In particular, the 2013 changes address how children navigate the internet, specifically the increased use of mobile devices and social media networking.

The revisions expanded the definition of children’s personal information to include persistent identifiers (e.g., cookies) that track a child’s online activity, including photos, videos, audio recordings, and geolocation information.

Furthermore, the changes also updated the requirements and procedures for the COPPA Safe Harbor Program. The FTC also updated a guide for parents — Protecting Your Child’s Privacy Online.

Why is 13 the age limit for COPPA?

In brief, at the outset of the law, Congress recognized that children under 13 are particularly vulnerable to online marketers and may not understand privacy and safety issues as they relate to online personal information collection.

What does COPPA mean for content creators?

The language in COPPA states, “websites directed to children.”. This language includes subject matter, visual content, age of models, language, character, tone, and messages targeted to children.

Including this language places an essential emphasis on content creators, especially on various social networking platforms. Content creators are required to disclose the intended audience and state if their content is directed towards children.

Online services or content directed towards children include children's subject matter, animated characters, child-oriented online activities, celebrities or models under 13, chat rooms for children, a children's message board, etc.

Why is COPPA controversial?

Some believe COPPA to be ineffective legislation, making it controversial. The main complaints are that the law suppresses children’s rights to freedom of speech and self-expression. Others believe the rules are easily circumvented. Others feel the law is inadequate to address the role of educators in the virtual education environment.

What Is the punishment for COPPA violations?

The FTC enforces COPPA with the help of other state and federal law enforcement agencies. Civil penalties for COPPA violations could be up to $43,792 per violation. Of course, determining the appropriate civil penalty for violations vary from case to case.

Conclusion

Congress enacted COPPA to outline and impose regulations and rules regarding collecting personal information of children under 13 by online operators.

COPPA requires compliance, much of which involves informing and educating parents on how and why their children’s personal information is being collected — consent is required.

The law has been updated since its inception to reflect the changing online environment. Although the law is controversial, failure to comply could lead to civil penalties for online operators and content creators.