The Children's Online Privacy Protection Rule
The Children’s Online Privacy Protection Act (COPPA) is public safety legislation enacted by Congress in 1998. The sole purpose of COPPA is to outline and impose regulations and requirements that industry groups and website operators must comply with when directing online services to children under 13 years of age.
COPPA seeks the safety of a child's personal information (name, telephone number physical address, Social Security number, etc.) as they navigate the internet environment. COPPA’s primary goal is to place a parent of a child in control over the information collected from their children.
The regulations and precautions outlined in COPPA apply to:
Lawmakers created and designed COPPA at the request of the Federal Trade Commission (FTC). During a three-year effort by the FTC to educate consumers about the online collection of personal information, the FTC surveyed 212 commercial children’s websites.
The survey found an overwhelming majority of the websites (89 percent) collected personal information from children, but only 24 percent posted privacy policies. Furthermore, only one percent of the websites required the parents of that child to consent to collect or provide disclosure of such information.
Congress introduced the COPPA bill and signed it into law in October 1998. It went into effect in April 2000. It has since been amended. The FTC enforces COPPA regulations.
COPPA protects the personal information of children within the online environment. Per COPPA, personal information includes names, home, and e-mail addresses, and social security numbers and photos, videos, and audio files of children under the age of 13.
Primarily, COPPA is needed to protect children. Also, it is needed to help keep parents of a child informed and in control of the online services used by their children and the intentions of said services.
Secondarily, COPPA protects online providers by giving them guidelines and regulations for compliance regarding children’s privacy protection.
COPPA compliance is not straightforward — it doesn’t apply to every online service or website. Per the FTC, the law applies to:
The FTC does provide a COPPA compliance plan for businesses. To be considered COPPA safe, groups or individuals must submit their self-regulatory guidelines to the FTC for approval. These businesses must show they have made a reasonable effort to comply with the points on the list above.
Posting clear online policies also includes information regarding the information practices and disclosure practices of other online services that operate on your site, e.g., plug-ins or advertising networks.
The policy must include:
COPPA compliance requires giving direct notice to parents explaining your practices before collecting personal information.
The notice must tell parents that you have collected their contact information to get consent. It must also inform the parents that you intend to collect their child’s personal information, that parental consent is required, and tell them how to give their consent.
Operators of websites must obtain parental consent before collecting, using, or disclosing personal information from a child under 13. How you collect parental consent is up to you, but the consent must be verifiable.
Methods of verifiable parental consent include:
If personal information is used for internal purposes only, you can use the “e-mail plus” method for verification consent. With the e-mail plus method, you simply send a message to the parent's e-mail address. They must reply with their written consent.
You must also honor the parent’s ongoing rights related to collecting the personal information of their child. You must provide a way for them to review the personal information collected, review the parent's online contact information, revoke consent, refuse further collection of personal information, and delete their child’s personal information.
COPPA compliance also requires you to establish and maintain procedures to protect the confidentiality and integrity of personal information of children under 13 once gathered.
Ensure that other service providers or third parties can do the same if you are releasing the information to them.
Remember to keep personal information only as long as it's necessary for the intended purpose. Once the personal data is no longer legitimate or applicable, you must securely dispose of it.
Minimize the amount of personal information you collect from children under 13, collecting only necessary information. Avoid excess data collection entirely.
The FTC revised COPPA after an extensive review in 2013. The revisions sought to give parents additional control over the online collection of their child’s personal information in the ever-changing online environment. In particular, the 2013 changes address how children navigate the internet, specifically the increased use of mobile devices and social media networking.
The revisions expanded the definition of children’s personal information to include persistent identifiers (e.g., cookies) that track a child’s online activity, including photos, videos, audio recordings, and geolocation information.
In brief, at the outset of the law, Congress recognized that children under 13 are particularly vulnerable to online marketers and may not understand privacy and safety issues as they relate to online personal information collection.
The language in COPPA states, “websites directed to children.”. This language includes subject matter, visual content, age of models, language, character, tone, and messages targeted to children.
Including this language places an essential emphasis on content creators, especially on various social networking platforms. Content creators are required to disclose the intended audience and state if their content is directed towards children.
Online services or content directed towards children include children's subject matter, animated characters, child-oriented online activities, celebrities or models under 13, chat rooms for children, a children's message board, etc.
Some believe COPPA to be ineffective legislation, making it controversial. The main complaints are that the law suppresses children’s rights to freedom of speech and self-expression. Others believe the rules are easily circumvented. Others feel the law is inadequate to address the role of educators in the virtual education environment.
The FTC enforces COPPA with the help of other state and federal law enforcement agencies. Civil penalties for COPPA violations could be up to $43,792 per violation. Of course, determining the appropriate civil penalty for violations vary from case to case.
Congress enacted COPPA to outline and impose regulations and rules regarding collecting personal information of children under 13 by online operators.
COPPA requires compliance, much of which involves informing and educating parents on how and why their children’s personal information is being collected — consent is required.
The law has been updated since its inception to reflect the changing online environment. Although the law is controversial, failure to comply could lead to civil penalties for online operators and content creators.