The Children’s Online Privacy Protection Act (COPPA)
One of the older federal laws centered on privacy is the Children’s Online Privacy Protection Act (COPPA), passed in 1998. Enacted to protect children’s safety and privacy in the new age of the internet, COPPA went into effect in April 2000. The law imposed obligations on commercial operators of online services directed to children under the age of 13. However, even when not directed at children under 13, if there is actual knowledge concerning the collection of personal information of users below 13 years old, COPPA applies.
Obligations Imposed
At its core, COPPA prohibits operators of websites and other related internet properties from collecting, using, or disclosing personal information of children under 13 without receiving necessary parental consent.
In 2013, the FTC expanded the definition of “personal information” under COPPA to include persistent identifiers such as IP addresses. The expansion effectively forbids operators of web properties directed to children under 13 from using cookies and IP addresses to track users, including advertising and selling data.
Enforcement Actions
COPPA gives the FTC the authority to impose fines of up to $42,530 for each violation of the Act. The state attorney generals are also given enforcement authority under the law.
We have listed several of the most notable enforcement actions below to illustrate some common areas of regulatory risk exposure.
COPPA In The Educational Context
New Mexico’s attorney general spearheaded a 2020 case against Google concerning its products and services utilized in schools. The complaint alleges that Google failed to comply with COPPA by not getting parental authorization before collecting personal information from children under 13 using its products and services. In December 2021, Google settled the children’s privacy action brought by New Mexico.
Apps & COPPA
The FTC levied a penalty of $5.7 million after settling with the app Musical.ly (now TikTok) in February 2019 for failing to comply with COPPA. At the time, it was the largest COPPA-related fine since the law’s passage. The complaint alleged that the app operators were aware that many users were younger than 13 and did not notify or gain the requisite parental consent.
COPPA & YouTube
The FTC and the New York State Attorney General filed a complaint against YouTube and its parent company, Google, for failure to comply with COPPA. Specifically, the complaint alleged that Youtube illegally collected personal information from children without their parent’s consent.
FTC Chairman Joe Simons stated:
“YouTube touted its popularity with children to prospective corporate clients. Yet when it came to complying with COPPA, the company refused to acknowledge that portions of its platform were clearly directed to kids. There’s no excuse for YouTube’s violations of the law.”
YouTube agreed to a $170 million penalty to settle the joint action. The settlement was the most substantial penalty collected by the FTC in a COPPA-centered action.
In addition to the monetary aspect of the agreement, YouTube also instituted a policy that requires channel partners to identify the content they upload if directed at children. YouTube also utilizes machine learning to detect videos it deems oriented toward children. Videos marked as such, are in turn, not served personalized ads. The development has angered many creators partly because the earning potential on videos is reduced drastically due to not being eligible for user-specific ads.
Complying With COPPA
COPPA requires a uniquely scenario-specific analysis to assess compliance responsibilities since ascertaining whether a website or other application is “directed at children” contains considerable nuance. With that said, we have outlined several fundamental measures to incorporate.
- Post a clear and complete privacy policy describing the practices utilized relating to personal information collected from children under the age of 13.
- Ensure reasonable efforts are employed, considering available means and technological tools, to provide parents with notice of practices concerning collecting, using, or disclosing personal information from children under the age of 13.
- Obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13.
- Where there are material changes to practices that the parents have previously consented to, there must be supplementary consent
- Ensure that reasonable security procedures are in place to protect the confidentiality of personal information collected from children under the age of 13.
- Maintain data minimization practices for personal information collected from a child by collecting and keeping such data only to the extent and as long as necessary to fulfill the purpose for which it was collected.
Due to the onerous and rigorous measures required when knowingly collecting data from children under 13, many operators explicitly state that such age segments are not permitted to use their web properties.
The FTC has partnered with industry-specific regulators to form COPPA “safe harbor” frameworks to provide further clarity in an area with significant vagueness. As a result, operators in FTC-approved programs benefit from self-regulatory procedures instead of what is generally more costly and damaging than direct FTC enforcement. As of 2016, the FTC has approved seven safe harbor programs, including TRUSTe (now TrustArc), ESRB, and CARU (the FTC announced in August 2021 that one of the seven previously approved self-regulatory organizations, Aristotle International, Inc., is no longer certified due to unsatisfactory enforcement).
An Effort To Update COPPA
An administrative agency, the FTC, issues regulations and continuing guidance on COPPA compliance as the digital landscape continues to evolve.
In our view, COPPA is one of the more vague regulations in the privacy and marketing realm. Analysis of compliance benchmarks and associated responsibilities is often viewed more from a totality of the circumstances than a bright line. For example, when it comes to YouTube videos, it is sometimes evident if the content is directed at children, while it is entirely unclear at other times.
The vagueness has only increased as the internet has progressed into once unforeseen territory. The massive changes in the new realities of our web-based world have led to the FTC’s announcement that they are reevaluating rules propagated under COPPA. As part of the process, the agency requested comments from the public. As a sign of the many views around COPPA, the agency received more than 175,000 comments. Many of these comments are from YouTubers who have concerns about how COPPA’s current interpretation has harmed their earning potential and exposed them to enforcement action. In addition, some of the website’s most prominent creators put out a call to action for comment submission. Such a concerted communal effort explains why past requests for feedback during the last review of COPPA (2013) resulted in only slightly more than 500 comments.
Legislators also pressured the FTC to update the rules concerning COPPA. For example, in 2022, Senator Markey (who authored COPPA), Senator Richard Blumenthal, and Representatives Kathy Castor and Lori Trahan sent a letter to the FTC urging an update to the rule.
What To Do And What Comes Next
Performing an in-depth review of potential exposure to COPPA should be a priority if there is a possibility that web properties are collecting information from those under the age of 13.
Further, as the process for updating the COPPA rules propagated by the FTC progresses and states pass child-specific laws, such as the California Age-Appropriate Design Code Act, attention to compliance should be a priority.