Children's Online Privacy Protection Act (COPPA)
- State AGs Push Back Against Facebook's Plan to Launch Instagram for Children: More than 40 state attorneys general have sent a letter to Mark Zuckerberg pressuring Facebook to drop its plans to launch a version of Instagram for children younger than 13. The Attorneys General, led by Massachusetts Attorney General Maura Healey, expressed bipartisan support to protect children’s privacy and their physical and mental health. The AGs raised concerns about Facebook’s history of privacy incidents, stating “Facebook has a record of failing to protect the safety and privacy of children on its platform, despite claims that its products have strict privacy controls[.]” The Campaign for a Commercial-Free Childhood commented “If Facebook insists on plowing ahead, it’s the clearest sign yet that the company views itself as accountable to no one, even when it comes to the well-being of children, and must be regulated much more rigorously,” and lawmakers have similarly expressed concerns about children’s privacy issues with social media. EPIC signed on to a coalition letter by the Campaign for a Commercial-free Childhood that urged Zuckerberg to cancel plans to launch a version of Instagram for Children under 13. (May. 11, 2021)
- Senators Call on FTC to Investigate Ed Tech, Advertising Aimed at Children: A bipartisan group of Senators has urged the Federal Trade Commission to launch an investigation into children's data practices in the educational technology and digital advertising sectors. In a letter to the FTC, Senators Edward Markey (D-Mass.), Josh Hawley (R-Mo.), Richard Blumenthal (D-Conn.), Bill Cassidy (R-La.), Dick Durbin (D-Ill.), and Marsha Blackburn (R-Tenn.) said "The FTC should use its investigatory powers to better understand commercial entities that engage in online advertising to children—especially how those commercial entities are shifting their marketing strategies in response to the Coronavirus pandemic and increased screen time among children." In December 2019, EPIC submitted comments to the FTC on the agency's regulatory review of the Children's Online Privacy Protection Act (COPPA) Rules. EPIC said the FTC should : (1) maintain the strong safeguards for children's data, (2) reject the "school official exception", (3) the FTC define the term "commercial purpose" and ensure that children's personal data collected in schools is not transferred to EdTech companies; and (4) the FTC require notification within forty-eight hours of a data breach of children's data by a company subject to COPPA. (May. 8, 2020)
- EPIC Advises FTC to Strengthen the COPPA Rule to Protect Student Privacy: EPIC today submitted comments to the FTC on the agency's regulatory review of the Children's Online Privacy Protection Act (COPPA) Rules. EPIC said the FTC should : (1) maintain the strong safeguards for children's data, (2) reject the "school official exception", (3) the FTC define the term "commercial purpose" and ensure that children's personal data collected in schools is not transferred to EdTech companies; and (4) the FTC require notification within forty-eights of a data breach of children's data by a company subject to COPPA. EPIC said "the FTC must now establish clear safeguards for children's data gathered in schools." EPIC testified before Congress in 1996 in support of the original children's privacy law. The FTC previously considered EPIC's recommendations in an early review of the COPPA Rule and incorporated several of EPIC's recommendations in the 2013 regulations. (Dec. 11, 2019)
- Senators Call for FTC to Investigate Amazon Echo for Kids: Senators Markey (D-Mass), Blumenthal (D-Conn.), Durbin (D-Ill.), and Hawley (R-Mo.) sent a letter to the Federal Trade Commission to launch an investigation into new evidence of Amazon violations of the Children's Online Privacy Protection Act (COPPA) with an Amazon device targeted to children. The Senators wrote: "Children are a uniquely vulnerable population. We urge the Commission to take all necessary steps to ensure their privacy as 'Internet of Things' devices targeting young consumers come to market, including promptly initiating an investigation into the Amazon Echo Dot Kids Edition’s compliance with COPPA.: The letter cites a recent complaint to the FTC by Campaign for a Commercial-Free Childhood and joined by EPIC. EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. (May. 9, 2019)
- Senators Markey, Hawley Introduce Children's Privacy Legislation: Senators Edward Markey (D-Mass.) and Josh Hawley (R-Mo.) have introduced legislation to update the Children's Online Privacy Protection Act (COPPA). The bill bans internet companies from collecting personal or location information from children under 13 without parental consent and from teens ages 13-15 without the user's consent. EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. EPIC recently submitted comments in support of the FTC's proposed extension of the information collection requirements for COPPA, but said the law "would be more effective if the FTC established new limits on how firms can collect and use children's data." (Mar. 12, 2019)
- FTC Obtains Fines TikTok for Violation of Children's Privacy: TikTok settled with the FTC for $5.7 million over allegations that the Chinese video app company violated the Children's Online Privacy Protection Act. The FTC complaint alleges that TikTok violated COPPA by collecting personal information from kids without parental consent. The $5.7 million fine is the Commission's largest COPPA penalty. The Commission's vote was unanimous. EPIC helped enact the children online privacy law and regularly submits comments to the FTC on children's privacy issues. (Feb. 27, 2019)
- EPIC Joins Coalition Calling on FTC to Investigate Facebook for Deception of Children: A coalition of consumer groups sent a complaint to the FTC, charging that Facebook engaged in unfair and deceptive practices and violated the Children's Online Privacy Protection Act after court documents from a 2012 class action lawsuit revealed that Facebook encouraged children to make credit card purchases on Facebook's platform. Parents and minors repeatedly complained about the credit card charges, but the documents indicate that the company refused to refund charges and set up a complex complaint system to deter refund requests. EPIC helped enact the children online privacy law and regularly submits comments to the FTC on children's privacy issues. (Feb. 21, 2019)
- EPIC Supports Extension of Children's Privacy Reporting Requirements: EPIC submitted comments in support of the FTC's proposed extension of the information collection requirements for the Children's Online Privacy Protection Act. EPIC explained the importance of the law that protects the personal data of children who use Internet services, but added that the law "would be more effective if the FTC established new limits on how firms can collect and use children's data." EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. Earlier this year, the FTC unanimously voted to approve EPIC's recommendations to create new safeguards for children's data in the gaming industry. (Dec. 3, 2018)
- Following EPIC Comments, FTC Strengthens Safeguards for Kids' Data in Gaming Industry: The FTC has unanimously voted to approve EPIC’s recommendations to strengthen safeguards for children's data in the gaming industry. In a 5-0 vote, the FTC adopted EPIC's proposals to revise the Entertainment Software Rating Board's industry rules to (1) extend children's privacy protections in COPPA to all users worldwide; and (2) to implement privacy safeguards for the collection of data "rendered anonymous." The FTC wrote, "the Commission agrees with EPIC's comment. As COPPA's protections are not limited only to U.S. residents, the definition of 'child' in the ESRB program has been revised to remove the limitation." The Commission also strengthened protections for de-identified children's data: "companies must provide notice and obtain verifiable parental consent if personal information is collected, even if it is later anonymized." EPIC has testified several times before Congress on protecting children's data and supported the 2013 updates to COPPA. (Aug. 14, 2018)
- Congressional Leaders Reintroduce Bipartisan Bill To Protect Children's Online Privacy: Senator Edward Markey (D-MA) and Congressman Joe Barton (TX-06), along with Senator Richard Blumenthal (D-CT) and Congressman Bobby L. Rush (IL-01), have reintroduced the Do Not Track Kids Act, a bill that would strengthen the Children's Online Privacy Protection Act (COPPA) by extending its protections to children under 15 and creating an "Eraser Button" that would allow parents and children to delete publicly available personal information. The bill would also prohibit targeted advertising to children, mandate data security standards for internet-connected devices sold to children, and establish a "Digital Marketing Bill of Rights for Minors" that would limit the collection of children's personal information, including geolocation information. EPIC recently warned the Federal Trade Commission not to weaken existing rules under COPPA that safeguard children's privacy. EPIC and a coalition of consumer groups have also urged the FTC to stop companies from selling dangerous, internet-connected "toys that spy". (May. 23, 2018)
- Coalition Alleges Children's Privacy Violation. EPIC and 11 consumer organizations alleged in a complaint to the Federal Trade Commission (FTC) today that Amazon.com has illegally collected and disclosed children's personal information in violation of the Children's Online Privacy Protection Act (COPPA). The FTC has taken action in previous cases where companies direct web sites towards children and collect the personal information of children. (Apr. 22, 2003)
The Children's Online Privacy Protection Act ("COPPA") specifically protects the privacy of children under the age of 13 by requesting parental consent for the collection or use of any personal information of the users. The Act took effect in April 2000. The Act was passed in response to a growing awareness of Internet marketing techniques that targeted children and collected their personal information from websites without any parental notification. The Act applies to commercial websites and online services that are directed at children. The main requirements of the Act that a website operator must comply with include:
- Acquisition of a verifiable parental consent prior to collection of personal information from a child under the age of 13.
- Disclosure to parents of any information collected on their children by the website.
- A Right to revoke consent and have information deleted.
- Limited collection of personal information when a child participates in online games and contests.
- A general requirement to protect the confidentiality, security, and integrity of any personal information that is collected online from children.
Congress' intent in passing the Act was to increase parental involvement in children's online activities, ensure children's safety during their participation in online activities, and most importantly, protect children's personal information.
- The Child Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506, P.L. No. 105-277, 112 Stat. 2681-728.
- FTC's COPPA Regulation, 64 Fed. Reg. 212.
During the 1990s, the Internet became a major source for marketing, sales, and distribution of products and services. A growing segment of users of these services are children. By 1998, almost 10 million children in the United States had access to the Internet. The interactive nature of the Internet enabled marketers to collect personal information from children through their registration to chat rooms and discussion boards, to track behavior of web surfers through advertisements, and to promise gifts in exchange for personal information. Marketers, who collected such information about children and their families, compiled this information into files and sold it to third parties for various commercial purposes.
Dangerous list marketing abuses were also uncovered by investigative reports that heightened awareness of the power that can be exercised over individuals through the use of their personal information. CNN, on December 14, 1995, reported that look up services could be used to locate children: "There is no law on the books that prevents a stranger from calling a 900-number and getting information about your children. In fact, until a few weeks ago, a subsidiary of R. Donnelley provided a service that did just that." Additionally, a CBS television reporter was able to purchase a list of children's names using the name of a notorious killer. The San Francisco Examiner reported on May 12, 1996: "To prove how easy it is for pedophiles to obtain mailing list of kids, a Los Angeles television station reported that it obtained a detailed computer printout of the ages and addresses of 5,500 children living in Pasadena simply by sending $277 to a Chicago database firm."
Shortly after the 1995 news reports, EPIC sent a letter to Christine Varney, then Commissioner of the Federal Trade Commission. The EPIC letter urged an investigation of the R.R. Donnelley marketing company, which was reportedly selling children's personal information. The EPIC letter noted that FTC had pursued only weak protections for privacy law: "the Commission's only proposal thus far to protect the privacy of Americans and users of new telecommunication services are non-enforceable guidelines that are far weaker than a similar set of principles developed twenty years ago," referring to Fair Information Practices formulated in the 1970s.
Research conducted in 1996 by Kathryn Montgomery and Shelley Pasnik that was published by the Center for Media Education ("CME"), showed that young children cannot understand the potential effects of revealing their personal information; neither can they distinguish between substantive material on websites and the advertisements surrounding it. While some parents tried to monitor their children's use of the Internet services, many of them failed due to lack of time, computer skills, or awareness of risk. Targeting of children by marketing techniques resulted in the release of huge amounts of private information into the market and triggered the need for regulation.
EPIC testified in Congress in favor of privacy protections for children in September 1996. EPIC testified that there was already a sufficient record of problems in the marketing industry to warrant Congressional action, that industry self-regulation is not well suited to address privacy protections for children, and that protecting children's personal information would be consistent with prior privacy law. EPIC testified that collection and use of information constituted a growing threat to children:
"The collection of data about children is growing at a phenomenal rate. Government agencies, private organizations, universities, associations, businesses, and club all gather information on kids of all ages. Records on our children are collected literally at the time of birth, segmented, compiled, and in some cases resold to anyone who wishes to buy them.
"With a few exceptions, there are no clear legal standards that regulate any of these activities. It is also very difficult to determine how detailed these lists have become and what unreported abuses and misuses of personal information have already occurred. But there is a growing record which makes clear that current practices, which ignore standard privacy procedures followed in other industries and other market sectors, pose a substantial threat to the privacy and safety of young people.
In response to CME's request and growing public interest in children's privacy, in March 1998 the Federal Trade Commission ("FTC") presented the Congress with a report addressing the lack of regulation and protection of children's information online. In July 1998, Senators Richard Bryan (D-NV) and John McCain (R-AZ) introduced 105 S. 2326, titled "The Children's Online Privacy Protection Act of 1998." Portions of that bill were incorporated into 105 H.R. 4328, a Department of Transportation appropriations bill that was enacted by Congress and signed by President Clinton on October 21, 1998. The Act became effective on April 21, 2000.
- EPIC Letter to Christine Varney on Direct Marketing Use of Children's Data, EPIC, December 14, 1995.
- Testimony and Statement for the Record of Marc Rotenberg, director Electronic Privacy Information Center on the Children's Privacy Protection and Parental Empowerment Act, H.R. 3508 Before the House of Representatives, Committee on the Judiciary, Subcommittee on Crime, September 12, 1996
- Center for Media Education.
- Web of Deception: Threats to Children from Online Marketing, CME.
- Privacy Online, FTC report to Congress, March 1988.
COPPA sets forth a framework of fair information practices governing the collection, access to, and use of personal information by website directed to children. The Act does not apply to general audience websites; however, operators of such sites, who have specific sections for children or actual knowledge of children using their site, must follow the COPPA regulations. Also, COPPA applies to foreign websites that are directed at US children.
Second, COPPA requires a website operator to obtain verifiable parental consent before collecting any personal information from children. COPPA did not specify an exact method for obtaining such consent; however, the FTC indicated several acceptable ways for compliance with this requirement. An operator can supply consent forms to be signed and mailed or faxed to the operator, require a parent to use a credit card, have a parent call a toll-free number, or accept an email accompanied by a digital signature. Some exceptions are provided, and an operator is allowed to collect a child's information when:
- Notifying a parent and requesting consent.
- Responding directly, on a one-time basis, to a specific request from a child. In this case, an operator is allowed to collect only the child's email address, which must be deleted after its use.
- Protecting the safety of the child.
- Protecting the security and integrity of the website.
Third, a website operator must provide parents with the opportunity to review any information collected on their children by the website. The FTC issued a commentary explaining that the right of parental review can enable parents to delete certain information but not alter it.
The fourth requirement prohibits website operators from conditioning a child's participation in online games and contests to disclosure of "unnecessary" personal information.
Fifth, site operators must protect the confidentiality, security, and integrity of any personal information that is collected online from children. The FTC suggested use of passwords to access personal information on the website, installation of intrusion-detection software to monitor unauthorized access, and use of secure web servers and firewalls to ensure confidentiality.
An "operator" includes all the people that operate or maintain a website for profit. If more than one operator exists, all are jointly responsible for complying with the rules. In determining an "operator," FTC will consider the ownership and control of the information available on the website, the financial sponsor of the website and the information it contains, and the role of the website in collecting information from its users.
COPPA defines the term "child" as an individual under the age of thirteen." In determining whether a site is targeted at children, FTC will consider whether the site includes a special children's area, the subject matter and its presentation to the users, and whether it has child-oriented incentives like games, animated characters, etc.
The Act specifically forbids the collection of children's first and last names, home addresses, email addresses, telephone numbers, Social Security Numbers, or any other personal identifiers of the child or his/her parents, such as IP addresses or customer IDs in cookies. Also, COPPA authorizes the FTC to expand the definitions of personal information.
At the federal level, COPPA violations are considered to be unfair or deceptive trade practices under § 5 of the Federal Trade Commission Act, and the FTC can impose civil penalties for its violation. In order to ensure compliance with the rule, the FTC monitors the Internet and encourages complaints from parents on its website. Violators could be liable for up to $11,000 per violation. At the state level, COPPA authorizes state attorneys general to bring actions in federal district court to enforce compliance with the FTC regulations and to obtain damages or other forms of compensation and relief.
The FTC's most recent survey, Protecting Children's Privacy Under COPPA: A Survey On Compliance, conducted in April 2002, shows that the general trend of the sites is of increased compliance, even though some COPPA provisions, such as requirements about specific disclosures, have been followed less consistently. In 2007, the FTC reported to Congress that in five years of COPPA enforcement, the FTC had successfully sought to protect children’s privacy without unduly burdening website operators.
- Protecting Children's Privacy Under COPPA, FTC, April 2002.
- Implementing the Children’s Online Privacy Protection Act, FTC, February 2007
An industry group may avoid compliance with COPPA Rule if the group were to generate self-regulatory guidelines approved by the FTC. An industry group can request approval for such guidelines by providing the FTC with the proposed guidelines and an accompanying commentary showing compliance of the guidelines with the COPPA regulation.
To be entitled for a safe harbor treatment, the proposed guidelines must contain requirements that are substantially similar to COPPA, a mechanism for evaluation of the operators' compliance with the guidelines, and incentives for compliance. Suggested mechanisms to determine compliance include periodic and random reviews of operators' practices, periodic industry or independent reviews of practices of all subject operators, and comprehensive information practices reviews as a condition of membership in self-regulatory programs.
Constitutional and Economic Drawbacks of the Verification Systems
According to COPPA provisions, an operator of a website directed at children must obtain verifiable parental consent before collecting or using any personal information from children visiting the website. In addition, the operator must also implement a reliable method for determining the age of the website's users, and whether any of the users are under the age of 13.
Critics have claimed that the methods outlined by the FTC for verification - sending/faxing signed printed forms, supplement of credit card numbers, calling toll-free numbers, or forwarding digital signatures through email - are too costly, cumbersome, and inadequate in protecting personal information. Even though new technologies are being developed, the current verification methods are too slow and impractical. The process of verification of mails, emails, and credit card numbers may take over a day. Further, disclosure of credit card information will expose the parents to the same privacy risks that they are trying to protect their children from and deter them from using such online services in general. As a consequence, children may manipulate information to access these websites, and in the long run, online businesses may either eliminate children-focused sites. Some sites simply claim that they do not sell products to children, and therefore do not need to comply with COPPA. An example for such a site is Amazon.com, where the online privacy notice states that no products are sold to children, and such products can be purchased only by people over 18 or with the involvement of a parent or guardian.
Even if websites do develop technology that enables easier compliance with the verification requirement, an important constitutional issue will remain unsolved. As EPIC has testified, any personal identification requirements from Internet users as a condition to access online content chills free speech and infringe on the First Amendment right to communicate anonymously.
Finally, the FTC has not adequately enforced COPPA in recent years, failing to act on complaints in a timely way. EPIC has filed complaints that have gone unanswered by the FTC, even as other Federal entities have deemed the offending companies to be in violation of COPPA, as in the case of Echometrix.
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.