Children'S Online Privacy Protection Act (COPPA)
Children'S Online Privacy Protection Act (COPPA)
The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law designed to limit the collection and use of personal information about children by the operators of Internet services and Web sites. Passed by the U.S. Congress in 1998, the law took effect in April 2000. It is administered and enforced by the Federal Trade Commission (FTC). COPPA is "the first U.S. privacy law written for the Internet," Melissa Campanelli wrote in Entrepreneur. "It was written specifically for Internet marketers that operate Web sites visited by children under the age of 13 and collect personal information from those kids. Its purpose is to regulate that collection."
The FTC conducted a survey of 212 Web sites in 1998 and found that 89 percent of them collected personal information from children. Of those that collected data from children, 46 percent did not disclose this fact or explain how the information was used. The law was intended to address this potential problem by requiring Web sites and other online services directed toward children under the age of 13—as well as general audience sites that collect personal information from children—to obtain verifiable consent from the children's parents. "Its stated purpose is to protect children from micro-targeting by advertisers and to minimize the potential for contact with dangerous individuals through chat rooms, e-mail, and bulletin boards by involving parents in kids' online activities," Monica Rogers explained in Crain's Chicago Business.
REQUIREMENTS OF COPPA
COPPA applies to a variety of Web sites and services with content that may appeal to children. "In determining whether a Web site is directed toward children, the FTC will consider, among other things, the site's content, language, advertising and intended audience, as well as the use of child-oriented graphics or features," Antony Marks and Keith Klein noted in the Los Angeles Business Journal.
But the law also affects general interest sites that collect information from children, whether the site's operators intend to do so or not. "The arm of COPPA is very long because it also applies to general audience Web sites that have actual knowledge that they are collecting personal information from children," Robert Carson Godbey wrote in Hawaii Business. "You can easily, and inadvertently, fall into this category. If you invite browsers of your Web site to submit individually identifiable information—which can include name, address, e-mail address, hobbies, interests, information collected through cookies, basically anything that can be individually identified to the person responding, for a variety of reasons, and that information includes age—then you may have 'actual knowledge' that you have collected personal information from children if anyone under 13 responds to your invitation."
The FTC rules cite several acceptable methods for Web site operators to verify parental consent, including a signed form sent via fax or regular mail, a credit card number provided online, calls made on a toll-free telephone staffed by trained personnel, and e-mail accompanied by a digital signature or password. The method used by a certain Web site depends on the type of information collected from children and the way it is used. For example, e-mail consent is acceptable for Web sites that collect personal information only for internal purposes, like marketing to a child based on his or her preferences. Stricter methods are required when the information is made available to third parties.
The FTC applies penalties for noncompliance ranging up to $11,000 per incident. Although the financial penalty is stiff, a business that failed to comply with the law would likely suffer even worse consequences as a result of negative publicity. After all, who would want their Web site to be known as one that put children at risk? Unfortunately, COPPA compliance can be complicated. "The goals of COPPA are no doubt admirable. The implementation, however, can be daunting," Godbey noted. "The difficulty comes from the requirement of 'verifiable consent' from a parent … How do you obtain verifiable parental consent? How do you verify parental consent in an online environment where the children probably know more about the family computer than their parents do?"
In response to complaints from Web site operators about the cost of compliance, the FTC noted that COPPA was not intended to block kids' access to information on the Internet. Instead, the law's objective is to involve parents in the decision about whether to release children's personal information. Lawmakers argue that children under 13 are not sophisticated enough to make such decisions on their own.
Like all Internet laws, COPPA is somewhat difficult to enforce. For example, tech-savvy youngsters may find ways to forge parental consent. In addition, the law only applies to companies doing business in the United States, whereas the Internet is global in scope. Some entrepreneurs resent the restrictions imposed by COPPA, arguing that the government should not become involved in regulating the Internet. "One of the beauties of the Internet is that an entrepreneur can begin his or her business with minimal investment and regulatory scrutiny," Campanelli noted. They argue that regulation increases costs for small business owners. But other operators of small Web sites for children believe it is their responsibility to protect their users' privacy, even though it can be expensive. "If you're going to play in the kids' arena, you've got to offer safety, even if it costs," Alison Pohn, marketing director for a children's Web site, told Rogers. "If you operate a school or a camp, you invest in having the safest playground equipment and the best lifeguard at the pool. This is no different."
Bagner, Jessica, Amanda Evansburg, Vanessa Kaye Watson, and J. Brooke Welch. "Largest COPPA Civil Penalties to Date in FTC Settlements with Mrs. Fields Cookies and Hershey Food Corporation." Intellectual Property & Technology Law Journal. June 2003.
Campanelli, Melissa. "The Wizard of Laws." Entrepreneur. February 2001.
DiSabatino, Jennifer. "FTC OKs Self-Regulation to Protect Children's Privacy." Computerworld. 12 February 2001.
"Firms May Need to Examine Kid-Oriented Privacy." Financial Net News. 31 July 2000.
Godbey, Robert Carson. "The Law of the Line." Hawaii Business. November 2000.
Jarvis, Steve. "COPPA Minefield." Marketing News. 4 December 2000.
Marks, Antony, and Keith Klein. "Coping with COPPA." Los Angeles Business Journal. 31 July 2000.
Retsky, Maxine Lans. "Sites Find COPPA Compliance Mandatory." Marketing News. 28 August 2000.
Rogers, Monica. "Kids' Privacy Act Stings Web Sites; New Guidelines Limit Sharing of Data with Others." Crain's Chicago Business. 15 May 2000.
Rosencrance, Linda. "FTC Warns Sites to Comply with Children's Privacy Law." Computerworld. 24 July 2000.
Hillstrom, Northern Lights
updated by Magee, ECDI
Children's Online Privacy Protection Act (1998)
Children's Online Privacy Protection Act (1998)
Michael H. Koby
The Children's Online Privacy Protection Act of 1998 (COPPA) (P.L. 105-277, 112 Stat. 2681) protects the online privacy of children under thirteen by requiring commercial Web sites and online services to request parental consent for the collection, use, and disclosure of a child's personal information.
This legislation grew out of the fact that by 1998 roughly ten million American children had access to the Internet, and at the same time, studies indicated that children were unable to understand the potential effects of revealing their personal information online, and parents failed to monitor their children's use of the Internet. The targeting of children by marketers resulted in the release of large amounts of private information into the market and triggered the need for regulation.
In March 1998 the Federal Trade Commission (FTC) presented Congress with a report addressing the inadequate protection of children's information online. In July 1998 Senator Richard Bryan, a Democrat of New York, along with Republican Senators John McCain of Arizona and Conrad Burns of Montana, introduced the Children's Online Privacy Protection Act of 1998. The Senate Communications Committee held a hearing in September 1998, and the full Senate Commerce Committee passed an amended version of the bill by a unanimous vote on October 1. The House of Representatives incorporated portions of that bill into 105 H.R. 4328, a Department of Transportation appropriations bill enacted by Congress and signed by President Clinton on October 21, 1998. COPPA became effective on April 21, 2000.
The act applies to commercial Web sites and online services (both foreign and domestic) that are directed at children in the United States. And while the act does not apply to general audience Web sites, operators of such sites who have actual knowledge of children using their sites must comply with the act's regulations. Congress's intent in passing COPPA was to increase parental involvement in children's online activities, thereby ensuring safety during participation in such activities and protecting children's personal information.
Under COPPA it is unlawful for an operator of a commercial Web site or online service that targets children, or knowingly collects their personal information, to gather such information without:
- receiving verifiable parental consent;
- offering parents an opportunity to revoke consent and have personal information deleted;
- limiting collection of personal information from children participating in online games; and
- establishing reasonable procedures to protect the confidentiality, security, and integrity of any personal information collected from children.
Personal information covered by the act includes Social Security numbers, names, addresses (mailing and e-mail), and telephone numbers. Verifiable parental consent is defined as any reasonable effort to ensure that a parent or legal guardian of a child receives notice of and gives authorization for the operator's personal information collection, use, and disclosure practices. Operators may avoid compliance with these regulations, however, if they propose, and the FTC approves, similar self-regulatory guidelines.
An FTC survey conducted in April 2002 showed that the general trend with respect to COPPA is one of increased compliance among Web sites, although some provisions have been followed less consistently. Importantly, courts are willing to strictly interpret these provisions and grant damages or other forms of relief against Web site operators who violate the act, and this trend may contribute to the high level of compliance. Moreover, at the federal level, COPPA violations are treated like unfair or deceptive trade practices under section 5 of the Federal Trade Commission Act, for which the FTC can impose civil penalties. At the state level, COPPA authorizes state attorneys general to bring actions in federal district court to enforce compliance with the regulations, as well as to obtain compensation and relief.
Critics of the act have argued that it is the responsibility of the parents to control their children's online activity, and that the act draws an arbitrary line between teenagers and younger children. Furthermore, critics claim the methods outlined by the FTC for verification are insufficient and impractical, and that they infringe on First Amendment free speech rights.
See also: COMPUTER SECURITY ACT OF 1987; COUNTERFEIT ACCESS DEVICE AND COMPUTER FRAUD AND ABUSE ACT OF 1984.
Colton, Campbell C., and John F. Stack, Jr., eds. Congress and the Politics of Emerging Rights. Lanham, MD: Rowman & Littlefield, 2002.
Jennings, Charles, and Lori Fena. The Hundredth Window: Protecting Your Privacy and Security in the Age of the Internet. New York: Free Press, 2000.
Kutais, B. G., ed. Internet Policies and Issues. Commack, NY: Nova Science Publishers, 1999.
Peters, Thomas A. Computerized Monitoring and Online Privacy. London: McFarland, 1999.