HOME

TheInfoList



OR:

The Children's Online Privacy Protection Act of 1998 (COPPA) is a
United States federal law The law of the United States comprises many levels of codified and uncodified forms of law, of which the most important is the nation's Constitution, which prescribes the foundation of the federal government of the United States, as well as ...
, located at (). The act, effective April 21, 2000, applies to the online collection of personal information by persons or entities under U.S. jurisdiction about children under 13 years of age, including children outside the U.S. if the website or service is U.S.-based. It details what a
website A website (also written as a web site) is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. Examples of notable websites are Google, Facebook, Amazon, and Wi ...
operator must include in a
privacy policy A privacy policy is a statement or legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify ...
, when and how to seek verifiable consent from a
parent A parent is a caregiver of the offspring in their own species. In humans, a parent is the caretaker of a child (where "child" refers to offspring, not necessarily age). A ''biological parent'' is a person whose gamete resulted in a child, a male t ...
or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on the marketing of those under 13. Although children under 13 can legally give out personal information with their parents' permission, many websites—particularly
social media Social media are interactive media technologies that facilitate the creation and sharing of information, ideas, interests, and other forms of expression through virtual communities and networks. While challenges to the definition of ''social medi ...
sites, but also other sites that collect most personal info—disallow children under 13 from using their services altogether due to the cost and work involved in complying with the law.


Background

In the 1990s, electronic commerce was on its rise of popularity, but various concerns were expressed about the data collection practices and the impact of Internet commerce on user privacy — especially for children under 13, because very few websites had their own privacy policies. The Center for Media Education petitioned the Federal Trade Commission (FTC) to investigate the data collection and use practices of the KidsCom website, and take legal action since the data practices violated Section 5 of FTC Act concerning "unfair/deceptive practices." With the passing of the Drivers Privacy Protection Act in 1997, new precedents had been set in regards to the ability for congress to regulate information held by state agencies. After the FTC completed its investigation, it issued the "KidsCom Letter" the report stated that the data collection and use practices were indeed subject to legal action. This resulted in the need to inform parents about the risks of children's online privacy, as well as to parental consent necessity. This ultimately resulted in the drafting of COPPA. The new millennium ushered in an era of regulation that many were simply unaware of. The early years of the transition were fraught with confusion and a lot of animosity. One of the main concerns of the time was the eventual accessibility of child-based websites at the fear many were unwilling to change their business practices. Many were left with a series of loose guidelines that determined what was correct. The simplification of COPPA provided by the FTC was met with a follow-up of demands to law enforcement that the: "... Commission should continue law enforcement efforts by targeting significant violations and seeking increasingly larger civil penalties, when appropriate, to deter unlawful conduct". A mandatory review of the COPPA regulations were conducted in 2005 (resulting with no changes to the original guidelines), found that there were no adverse effects to the online landscape. The Federal Trade Commission (FTC) has the authority to issue regulations and enforce COPPA. Also, under the terms of COPPA, the FTC-designated "safe harbor" provisioning is designed to encourage increased industrial self-regulation. Under this provision, industry groups and others may request Commission approval of self-regulatory guidelines to govern participants' compliance, such that website operators in Commission-approved programs would first be subject to the disciplinary procedures of the safe harbor program in lieu of FTC enforcement. the FTC has approved seven safe harbor programs operated by
TrustArc TrustArc (formerly TRUSTe) is a privacy compliance technology company based in San Francisco, California. The company provides software and services to help corporations update their privacy management processes so they comply with government laws a ...
,
ESRB The Entertainment Software Rating Board (ESRB) is a self-regulatory organization that assigns age and content ratings to consumer video games in the United States and Canada. The ESRB was established in 1994 by the Entertainment Software Asso ...
,
CARU The Children’s Advertising Review Unit ( CARU) is a U.S. self-regulatory organization that was established in 1974 and is administered by BBB National Programs. It is an independent self-regulatory agency for the promotion of responsible adverti ...
, PRIVO, Aristotle, Inc., Samet Privacy (kidSAFE), and the Internet Keep Safe Coalition (iKeepSafe). In August 2021, Aristotle, Inc. withdrew from the safe harbor program after FTC staff expressed serious concerns about its enforcement of its safe harbor provisions and communicated their intent to recommend the revocation of Aristotle's approval to run a safe harbor program. The FTC also announced its intention to more closely scrutinize the practices of the other six present safe harbors. In September 2011, the FTC announced proposed revisions to the COPPA rules, the first significant changes to the act since the issuance of the rules in 2000. The proposed rule changes expanded the definition of what it meant to "collect" data from children. The proposed rules presented a
data retention Data retention defines the policies of persistent data and records management for meeting legal and business data archival requirements. Although sometimes interchangeable, it is not to be confused with the Data Protection Act 1998. The different ...
and deletion requirement, which mandated that data obtained from children be retained only for the amount of time necessary to achieve the purpose that it was collected for. It also added the requirement that operators ensure that any third parties to whom a child's information is disclosed have reasonable procedures in place to protect the information. The act applies to websites and online services operated for commercial purposes that are either directed towards children under 13 or have actual knowledge that children under 13 are providing information online. Most recognized non-profit organizations are exempt from most of the requirements of COPPA. However, the Supreme Court ruled that non-profits operated for the benefit of their members' commercial activities are subject to FTC regulation and consequently COPPA as well. The type of "verifiable parental consent" that is required before collecting and using information provided by children under 13 is based upon a "sliding scale" set forth in a Federal Trade Commission regulation that takes into account the manner in which the information is being collected and the uses to which the information will be put.


Violations

According to the FTC, courts may fine violators of COPPA up to $43,280 in civil penalties for each violation. The FTC has brought a number of actions against website operators for failing to comply with COPPA requirements, including actions against
Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...
,
TikTok TikTok, known in China as Douyin (), is a short-form video hosting service owned by the Chinese company ByteDance. It hosts user-submitted videos, which can range in duration from 15 seconds to 10 minutes. TikTok is an international version o ...
, '' Girls' Life'',
American Pop Corn Company The American Pop Corn Company is a family owned popcorn producer. Founded in 1914, it is the oldest popcorn company in the United States. Its only brand, Jolly Time, is sold globally and in every state in America. It employs 185 people, and its ...
,
Lisa Frank Lisa Frank (born 1955) is an American businesswoman, the founder of Lisa Frank Incorporated, headquartered in Tucson, Arizona. She is known for producing whimsical commercial design for school supplies and other products that are primarily mark ...
, Inc., Mrs. Fields Cookies, and
The Hershey Company The Hershey Company, commonly known as Hershey's, is an American multinational company and one of the largest chocolate manufacturers in the world. It also manufactures baked products, such as cookies and cakes, and sells beverages like milksh ...
. In February 2004, UMG Recordings, Inc. was fined US$400,000 for COPPA violations in connection with a website that promoted the then 13-year-old rapper
Lil' Romeo Percy Romeo Miller (born August 19, 1989), also known by his stage name Romeo (formerly Lil' Romeo), is an American rapper, actor, and television personality. He gained fame as a rapper in the early 2000s after signing with No Limit Records, the ...
and hosted child-oriented games and activities, and Bonzi Software, which offered downloads of an animated figure "
BonziBuddy BonziBuddy ( , stylized as BonziBUDDY) was a freeware desktop virtual assistant created by Joe and Jay Bonzi. Upon a user's choice, it would share jokes and facts, manage downloads, sing songs, and talk, among other functions, as it used Microsof ...
" that provided shopping advice, jokes, and trivia was fined $75,000 for COPPA violations. Similarly, the owners of the Xanga website were fined
US$ The United States dollar (symbol: $; code: USD; also abbreviated US$ or U.S. Dollar, to distinguish it from other dollar-denominated currencies; referred to as the dollar, U.S. dollar, American dollar, or colloquially buck) is the official ...
1,000,000 in 2006 for COPPA violations of repeatedly allowing children under 13 to sign up for the service without getting their parent's consent. In 2016, the mobile advertising network inMobi was fined US$950,000 for tracking the
geo-location In geography, location or place are used to denote a region (point, line, or area) on Earth's surface or elsewhere. The term ''location'' generally implies a higher degree of certainty than ''place'', the latter often indicating an entity with an ...
of all users (including those under 13) without their knowledge. The advertising software continuously tracked user location despite privacy preferences on the mobile device. Other websites that were directed towards children and fined due to COPPA include Imbee (2008), Kidswirl (2011) and Skid-e-Kids (2011). In February 2019, the FTC issued a fine of $5.7 million to
ByteDance ByteDance Ltd. () is a Chinese internet technology company headquartered in Beijing and incorporated in the Cayman Islands. Founded by Zhang Yiming, Liang Rubo and a team of others in 2012, ByteDance developed the video-sharing social network ...
for failing to comply with COPPA with their
TikTok TikTok, known in China as Douyin (), is a short-form video hosting service owned by the Chinese company ByteDance. It hosts user-submitted videos, which can range in duration from 15 seconds to 10 minutes. TikTok is an international version o ...
app (then called Musical.ly). ByteDance agreed to pay the largest COPPA fine since the bill's enactment and to add a kids-only mode to the TikTok app. Three dating apps by Wildec were pulled by Apple and Google from their respective app stores, after the FTC determined that the dating apps allowed users under 13 to register, that Wildec knew there were significant numbers of minor users, and that this allowed inappropriate contact with minors. On September 4, 2019, the FTC issued a fine of $170 million to
YouTube YouTube is a global online video sharing and social media platform headquartered in San Bruno, California. It was launched on February 14, 2005, by Steve Chen, Chad Hurley, and Jawed Karim. It is owned by Google, and is the second mo ...
for COPPA violations, including tracking the viewing history of minors in order to facilitate
targeted advertising Targeted advertising is a form of advertising, including online advertising, that is directed towards an audience with certain traits, based on the product or person the advertiser is promoting. These traits can either be demographic with a focu ...
. Many notable social media platforms were subjected to this attack from the FTC, especially groups like Facebook where the platform had users actively ignoring these guidelines since its inception due to ease-of-access and the universal need for children to sign up to use third-party content. As a result, YouTube announced that as part of the settlement, in 2020 it would require channel operators to mark videos that are "child-oriented" as such, and would use
machine learning Machine learning (ML) is a field of inquiry devoted to understanding and building methods that 'learn', that is, methods that leverage data to improve performance on some set of tasks. It is seen as a part of artificial intelligence. Machine ...
to automatically mark those as clearly "child-oriented" if not marked already. In the settlement terms, channel operators that failed to mark videos as "child-oriented" could be fined by the FTC for up to $42,530 per video, which has raised criticism towards the settlement terms. The decision came in terms that, despite good faith, created many issues among the content creators on the site. Users such as
Ryan's World Ryan's World (formerly Ryan ToysReview) is a children's YouTube channel for children aged 2–6 featuring Ryan Kaji along with his mother (Loann Kaji), father (Shion Kaji), and twin sisters (Emma and Kate). The channel usually releases a new ...
,
Philip DeFranco Philip James DeFranco (born Philip James Franchini Jr.; born December 1, 1985), commonly known by his online nickname PhillyD, is an American YouTube personality. He is best known for ''The Philip DeFranco Show'', a news commentary show centered ...
and
TheOdd1sOut Robert James Rallison (born May 14, 1996), known online as TheOdd1sOut, is an American cartoonist, YouTuber, animator, author, and voice actor. He is known for producing storytime animations on his YouTube channel and being the co-creator and c ...
with vastly different content found themselves in the hot seat for their appealing content for children. The following guidelines were implemented on the basis set by the following rules: In 2022, Epic Games settled a Federal Trade Commission complaint in part by agreeing to pay a $275 million penalty for COPPA violations. The FTC complaint alleged that Epic illegally collected personal information from children under the age of 13 and made it difficult for parents to get such information deleted. The full agreement included an additional $245 million to refund users who were manipulated into making unintended purchases.


Compliance

In December 2012, the Federal Trade Commission issued revisions effective July 1, 2013, which created additional parental notice and consent requirements, amended definitions, and added other obligations for organizations that (1) operate a website or online service that is "directed to children" under 13 and that collects "personal information" from users or (2) knowingly collects personal information from people under 13 through a website or online service. After July 1, 2013, operators must: * Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from persons under age 13; * Make reasonable efforts (taking into account available technology) to provide direct notice to parents of the operator's practices with regard to the collection, use, or disclosure of personal information from persons under 13, including notice of any material change to such practices to which the parents have previously consented; * Obtain verifiable parental consent, with limited exceptions, prior to any collection, use, and/or disclosure of personal information from persons under age 13; * Provide a reasonable means for a parent to review the personal information collected from their child and to refuse to permit its further use or maintenance; * Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children under age 13, including by taking reasonable steps to disclose/release such personal information only to parties capable of maintaining its confidentiality and security; and * Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use. * Operators are prohibited from conditioning a child's participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity. According to a notice issued by the Federal Trade Commission, an operator has actual knowledge of a user's age if the site or service asks for – and receives – information from the user that allows it to determine the person's age. An example, cited by the FTC, includes an operator who asks for a date of birth on a site's registration page has actual knowledge as defined by COPPA if a user responds with a year that suggests they are under 13. Another example cited by the FTC is that an operator may have actual knowledge based on answers to "age identifying" questions like "What grade are you in?" or "What type of school do you go to? (a) elementary; (b) middle; (c) high school; (d) college." A small fee is charged by
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washin ...
under COPPA as a way to verify parental consent. The fee is donated to the
National Center for Missing and Exploited Children The National Center for Missing & Exploited Children (NCMEC) is a private, nonprofit organization established in 1984 by the United States Congress. In September 2013, the United States House of Representatives, United States Senate, and the Pres ...
. Google, however, charges a small fee as a way to verify one's date of birth. In the changes effective July 1, 2013, the definition of an operator was updated to make clear that COPPA covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors. The definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service. Websites and services that target children as a secondary audience may differentiate among users, and are required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13. The definition of personal information requiring parental notice and consent before collection now includes "persistent identifiers" that can be used to recognize users over time and across different websites or online services. However, no parental notice and consent are required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service's internal operations. The definition of personal information after July 1, 2013, also includes geolocation information, as well as photos, videos, and audio files that contain a child's image or voice. On November 19, 2015, the FTC announced it had approved an additional method for obtaining verifiable parental consent: "face match to verified photo identification" (FMVPI). The two-step process allows a parent to submit a government-sanctioned ID for authentication, then submit an impromptu photo via mobile device or web camera, which is then compared to the photo on the ID.


International scope

The FTC has asserted that COPPA applies to any online service that is directed to U.S. users or knowingly collects information from children in the U.S., regardless of its country of origin. Referring to their official website, the following embodies such views: The FTC's Office of International Affairs directs the agency's international activities for competition and consumer protection, which include: * strengthening relationships with foreign competition and consumer protection agencies * developing formal and informal arrangements and agreements with competition and consumer protection agencies around the world * engaging in cooperative dialogues and submitting reports at international forums for competition and consumer protection * helping agencies around the world develop and enhance their own competition and consumer protection programs * sharing information with foreign law enforcement authorities through the U.S. Safe Web Act * maintaining a robust International Fellows Program However, the FTC rarely performs enforcement actions against foreign companies, and faces a number of practical challenges in doing so. The general assumption is that, despite the interconnected world of internet services, jurisdiction only applies to domestic operation. Nevertheless, it has successfully enforced COPPA against at least one foreign company with a significant US userbase, securing a $5.7 million settlement against the Chinese company
ByteDance ByteDance Ltd. () is a Chinese internet technology company headquartered in Beijing and incorporated in the Cayman Islands. Founded by Zhang Yiming, Liang Rubo and a team of others in 2012, ByteDance developed the video-sharing social network ...
over their
TikTok TikTok, known in China as Douyin (), is a short-form video hosting service owned by the Chinese company ByteDance. It hosts user-submitted videos, which can range in duration from 15 seconds to 10 minutes. TikTok is an international version o ...
app.


Criticisms

COPPA is controversial and has been criticized as ineffective and potentially unconstitutional by legal experts and mass media since it was drafted. Complaints leveled against the legislation include website owners banning users 12 and under — which only "encourages age fraud and allows websites to bypass the burden of obtaining parental consent" — and the active suppression of children's rights to freedom of speech, self-expression, and other
First Amendment First or 1st is the ordinal form of the number one (#1). First or 1st may also refer to: *World record, specifically the first instance of a particular achievement Arts and media Music * 1$T, American rapper, singer-songwriter, DJ, and reco ...
rights due to necessity of registering accounts to do so. Delays in obtaining parental consent often result in children moving on to other activities that are less appropriate for their age or pose bigger privacy risks. In addition, age restrictions and the "parental consent" process are easy for children to circumvent, and parents generally help them to lie about their age. An Internet Safety Technical Task Force composed of experts from academia and commercial companies found in 2012 that mandatory age verification is not only a poor solution for privacy but also constitutes a violation of privacy. The law has also many safety flaws. For example, it does not protect kids from predatory advertising, it does not prevent kids from accessing pornography or lying about their age, and it does not ensure a totally safe environment online. Tech journalist
Larry Magid Larry Magid (born 1947) is an American journalist, technology columnist and commentator. He is the author of several books. Early life Lawrence J. Magid was born in 1947 in Brooklyn, NY. He grew up in Los Angeles, California. He received his BA ...
, a long-time vocal opponent of the law, also notes that parents, not the government, hold the bulk of responsibility of protecting children online. COPPA has also been criticized for its potential
chilling effect In a legal context, a chilling effect is the inhibition or discouragement of the legitimate exercise of natural and legal rights by the threat of legal sanction. A chilling effect may be caused by legal actions such as the passing of a law, the ...
on children's apps, content, websites and online services. For example, Snapchat released a Snapkidz version of its app in June 2013, but unlike Snapchat, Snapkidz did not allow photo sharing at all due to COPPA regulations. Similarly, it has been pointed out that the COPPA Rule was not necessarily about privacy protection but more about "enforcing the laws." COPPA's penalties ($40,000 per violation) can be potentially catastrophic for small businesses, undermining their business model. By contrast, the FTC has been criticized, including by COPPA author
Ed Markey Edward John Markey (born July 11, 1946) is an American lawyer, politician, and former Army reservist who has served as the junior United States senator from Massachusetts since 2013. A member of the Democratic Party, he was the U.S. representa ...
, and FTC commissioner Rohit Chopra, for not fining major and big tech companies harshly enough for their COPPA violations, especially in comparison to their revenue. In contrast, violators of the
European Union The European Union (EU) is a supranational political and economic union of member states that are located primarily in Europe. The union has a total area of and an estimated total population of about 447million. The EU has often been de ...
's General Data Protection Regulation (GDPR) may be fined up to 4% of their annual global revenue. With the rise of virtual education, COPPA may inadequately represent the role of administrators, teachers, and the school in protecting student privacy under the assumption of '' loco parentis''. Mark Zuckerberg, co-founder and CEO of
Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin Mosk ...
, expressed opposition to COPPA in 2011 and stated "That will be a fight we take on at some point. My philosophy is that for education you need to start at a really, really young age." The next year, Jim Steyer, the CEO of
Common Sense Media Common Sense Media (CSM) is an organization that reviews and provides ratings for media and technology with the goal of providing information on their suitability for children.
, has called for updates to COPPA, calling the time of the act's creation "the stone age of digital media" and pointing out the lack of platforms such as Google, YouTube, Facebook and Twitter at the time. In 2019, the
Government of the State of New York The Government of the State of New York, headquartered at the New York State Capitol in Albany, New York, Albany, encompasses the administrative structure of the U.S. state of New York (state), New York, as established by the New York State Co ...
sued
YouTube YouTube is a global online video sharing and social media platform headquartered in San Bruno, California. It was launched on February 14, 2005, by Steve Chen, Chad Hurley, and Jawed Karim. It is owned by Google, and is the second mo ...
for violating COPPA by illegally retaining information related to children under 13 years of age. YouTube responded by dividing its content strictly into "for kids" and "not for kids". This has met with extremely harsh criticism from the YouTube community, especially from gamers, with many alleging that the FTC of the United States intends to fine content creators $42,530 for "each mislabeled video", possibly putting all users at risk. However, some have expressed skepticism over this, feeling that the fines may actually be in reference to civil penalties, possibly intended for the site's operators and/or warranted by more serious of COPPA violations or specific cases of "mislabeling videos". As of December 2022, no YouTuber has been fined. Several bills have been proposed to amend COPPA. Markey and
Josh Hawley Joshua David Hawley (born December 31, 1979) is an American politician and lawyer who has served as the junior United States senator from Missouri since 2019. A member of the Republican Party, Hawley served as the 42nd attorney general of Mi ...
introduced multiple bills (in the house in 2018 as the "Do Not Track Kids Act", and in 2019 as a senate measure) proposing that COPPA ban the use of
targeted advertising Targeted advertising is a form of advertising, including online advertising, that is directed towards an audience with certain traits, based on the product or person the advertiser is promoting. These traits can either be demographic with a focu ...
to users under 13, require personal consent before the collection of personal information from users ages 13–15, require connected devices and toys directed towards children to meet security standards and include a privacy policy disclosure on their packaging, and require services to offer an "eraser button" to "permit users to eliminate publicly available personal information content submitted by the child, when technologically feasible". In January 2020,
Bobby Rush Bobby Lee Rush (born November 23, 1946) is an American politician, activist and pastor who served as the U.S. representative for for three decades. A civil rights activist during the 1960s, Rush co-founded the Illinois chapter of the Black Pant ...
and
Tim Walberg Timothy Lee Walberg (born April 12, 1951) is an American politician serving as the U.S. representative from since 2023. A member of the Republican Party, he previously represented the from 2007 to 2009 and from 2011 to 2023. Early life, educa ...
introduced a similar house bill known as the Preventing Real Online Threats Endangering Children Today (PROTECT Kids) Act, which would extend all existing COPPA consent requirements to users under the age of 16, and explicitly add
mobile app A mobile application or app is a computer program or software application designed to run on a mobile device such as a phone, tablet, or watch. Mobile applications often stand in contrast to desktop applications which are designed to run on d ...
s, "precise geolocation", and biometric data to its remit.


See also

* Adultism * Child Online Protection Act (COPA) * Child Protection Registry Acts *
Do Not Track legislation Do Not Track legislation protects users’ right to choose whether or not they want to be tracked by third-party websites. It is often called the online version of " Do Not Call". The legislation is supported by privacy advocates and opposed by a ...
* General Data Protection Regulation * California Online Privacy Protection Act (OPPA) effective since July 1, 2004 *
Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy– Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1 ...


References


External links


Children's Online Privacy Protection Act (COPPA) of 1998
via Federal Trade Commission

via Government Printing Office
Six Step Compliance Plan for Your Business via Federal Trade Commission, Business Center

Children's Privacy
via Federal Trade Commission
FTC FAQ on COPPA compliance
via Federal Trade Commission

Information on COPPA regulatory developments {{Authority control Acts of the 105th United States Congress Child safety Children's rights legislation American children's websites Internet law in the United States Privacy law in the United States United States federal communications legislation United States federal computing legislation United States federal privacy legislation Ageism