Focusing public attention on emerging privacy and civil liberties issues

Children's Online Privacy Protection Act (COPPA)

Top News

  • EPIC Urges Federal Trade Commission to Strengthen Childrens' Privacy Rule: EPIC filed comments urging the Federal Trade Commission to improve the Childrens' Online Privacy Protection Act Rule. The rule is the principal federal protection for childrens' privacy, and limits how companies may collect and disclose childrens' personal information. "The need for the COPPA Rule has become increasingly urgent in light of new business practices and recent technological developments, such as social networking sites and mobile devices," EPIC wrote. "Existing provisions need to be strengthened and new provisions need to be added." In April, EPIC testified before Congress concerning childrens' privacy. For more, see EPIC: COPPA and EPIC: FTC. (Jul. 9, 2010)
  • EPIC Urges Congress to Extend Children's Privacy Law to Teenagers and Social Network Services, Says Current Law Has Failed to Keep Up with New Business Practices: EPIC President Marc Rotenberg testified today before the Senate Commerce Committee. He said that "COPPA did not anticipate the immersive online experience that a social network service would provide or the extensive data collection of both the trivial and the intimate information that children would share with friends." Mr. Rotenberg also pointed to the FTC's failure to enforce children's privacy rights despite clear-cut violations of the fedral law. EPIC recommended updates that would expand COPPA protections to teens and clarify the law's application to mobile and social network services. EPIC'S press release can be found here. For more, see EPIC: COPPA (Apr. 28, 2010)
  • Study Finds that Children’s Privacy has been Compromised: A Fordham Law School study found that state educational databases across the country ignore key privacy protections for the nation’s school children. The study reports that at least 32% of states warehouse children’s social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records. Some states outsource the data processing without any restrictions on use or confidentiality for children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives. These findings come as Congress is considering the Student Aid and Financial Responsibility Act, which would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information. For more information on children’s privacy issues see EPIC Children’s Online Privacy Protection Act and EPIC DOD Recruiting Database. (Nov. 2, 2009)
  • EPIC to FTC: "Parental Control" Software Firm Gathers Data for Marketing: EPIC filed a complaint with the Federal Trade Commission against Echometrix, the developer of parental control software that monitors children’s online activity. Echometrix analyzes the information collected from children and sells the data to third parties for market-intelligence research. The EPIC complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the software protects children online while simultaneously collecting and disclosing information about children's online activity. The complaint further alleges that Echometrix’s practices violate the Children’s Online Privacy Protection Act by collecting and disclosing information from children under the age of 13. The EPIC complaint asks the FTC to stop these practices, seek compensation for victims, and ensure that Echometrix’s collection and disclosure practices comply with COPPA. For more information on the Children’s Online Privacy Protection Act, see EPIC COPPA. (Sep. 29, 2009)
  • Coalition Alleges Children's Privacy Violation. EPIC and 11 consumer organizations alleged in a complaint to the Federal Trade Commission (FTC) today that Amazon.com has illegally collected and disclosed children's personal information in violation of the Children's Online Privacy Protection Act (COPPA). The FTC has taken action in previous cases where companies direct web sites towards children and collect the personal information of children. (Apr. 22, 2003)

Introduction

The Children's Online Privacy Protection Act ("COPPA") specifically protects the privacy of children under the age of 13 by requesting parental consent for the collection or use of any personal information of the users. The Act took effect in April 2000. The Act was passed in response to a growing awareness of Internet marketing techniques that targeted children and collected their personal information from websites without any parental notification. The Act applies to commercial websites and online services that are directed at children. The main requirements of the Act that a website operator must comply with include:

  • Incorporation of a detailed privacy policy that describes the information collected from its users.
  • Acquisition of a verifiable parental consent prior to collection of personal information from a child under the age of 13.
  • Disclosure to parents of any information collected on their children by the website.
  • A Right to revoke consent and have information deleted.
  • Limited collection of personal information when a child participates in online games and contests.
  • A general requirement to protect the confidentiality, security, and integrity of any personal information that is collected online from children.

Congress' intent in passing the Act was to increase parental involvement in children's online activities, ensure children's safety during their participation in online activities, and most importantly, protect children's personal information.

History

During the 1990s, the Internet became a major source for marketing, sales, and distribution of products and services. A growing segment of users of these services are children. By 1998, almost 10 million children in the United States had access to the Internet. The interactive nature of the Internet enabled marketers to collect personal information from children through their registration to chat rooms and discussion boards, to track behavior of web surfers through advertisements, and to promise gifts in exchange for personal information. Marketers, who collected such information about children and their families, compiled this information into files and sold it to third parties for various commercial purposes.

Dangerous list marketing abuses were also uncovered by investigative reports that heightened awareness of the power that can be exercised over individuals through the use of their personal information. CNN, on December 14, 1995, reported that look up services could be used to locate children: "There is no law on the books that prevents a stranger from calling a 900-number and getting information about your children. In fact, until a few weeks ago, a subsidiary of R. Donnelley provided a service that did just that." Additionally, a CBS television reporter was able to purchase a list of children's names using the name of a notorious killer. The San Francisco Examiner reported on May 12, 1996: "To prove how easy it is for pedophiles to obtain mailing list of kids, a Los Angeles television station reported that it obtained a detailed computer printout of the ages and addresses of 5,500 children living in Pasadena simply by sending $277 to a Chicago database firm."

Shortly after the 1995 news reports, EPIC sent a letter to Christine Varney, then Commissioner of the Federal Trade Commission. The EPIC letter urged an investigation of the R.R. Donnelley marketing company, which was reportedly selling children's personal information. The EPIC letter noted that FTC had pursued only weak protections for privacy law: "the Commission's only proposal thus far to protect the privacy of Americans and users of new telecommunication services are non-enforceable guidelines that are far weaker than a similar set of principles developed twenty years ago," referring to Fair Information Practices formulated in the 1970s.

Research conducted in 1996 by Kathryn Montgomery and Shelley Pasnik that was published by the Center for Media Education ("CME"), showed that young children cannot understand the potential effects of revealing their personal information; neither can they distinguish between substantive material on websites and the advertisements surrounding it. While some parents tried to monitor their children's use of the Internet services, many of them failed due to lack of time, computer skills, or awareness of risk. Targeting of children by marketing techniques resulted in the release of huge amounts of private information into the market and triggered the need for regulation.

EPIC testified in Congress in favor of privacy protections for children in September 1996. EPIC testified that there was already a sufficient record of problems in the marketing industry to warrant Congressional action, that industry self-regulation is not well suited to address privacy protections for children, and that protecting children's personal information would be consistent with prior privacy law. EPIC testified that collection and use of information constituted a growing threat to children:

"The collection of data about children is growing at a phenomenal rate. Government agencies, private organizations, universities, associations, businesses, and club all gather information on kids of all ages. Records on our children are collected literally at the time of birth, segmented, compiled, and in some cases resold to anyone who wishes to buy them.

"With a few exceptions, there are no clear legal standards that regulate any of these activities. It is also very difficult to determine how detailed these lists have become and what unreported abuses and misuses of personal information have already occurred. But there is a growing record which makes clear that current practices, which ignore standard privacy procedures followed in other industries and other market sectors, pose a substantial threat to the privacy and safety of young people.

In response to CME's request and growing public interest in children's privacy, in March 1998 the Federal Trade Commission ("FTC") presented the Congress with a report addressing the lack of regulation and protection of children's information online. In July 1998, Senators Richard Bryan (D-NV) and John McCain (R-AZ) introduced 105 S. 2326, titled "The Children's Online Privacy Protection Act of 1998." Portions of that bill were incorporated into 105 H.R. 4328, a Department of Transportation appropriations bill that was enacted by Congress and signed by President Clinton on October 21, 1998. The Act became effective on April 21, 2000.

COPPA's Provisions

COPPA sets forth a framework of fair information practices governing the collection, access to, and use of personal information by website directed to children. The Act does not apply to general audience websites; however, operators of such sites, who have specific sections for children or actual knowledge of children using their site, must follow the COPPA regulations. Also, COPPA applies to foreign websites that are directed at US children.

First, COPPA requires an operator to post a clear and detailed privacy policy that states the names and addresses of the website operators, the type of information collected from children, the way such information will be used, and an indication of whether the information collected is disclosed to third parties. A link to a privacy policy must be posted in a visible place on every page where personal information is collected, and it should clearly imply that the use of the site is conditioned upon the acceptance of the privacy policy.

Second, COPPA requires a website operator to obtain verifiable parental consent before collecting any personal information from children. COPPA did not specify an exact method for obtaining such consent; however, the FTC indicated several acceptable ways for compliance with this requirement. An operator can supply consent forms to be signed and mailed or faxed to the operator, require a parent to use a credit card, have a parent call a toll-free number, or accept an email accompanied by a digital signature. Some exceptions are provided, and an operator is allowed to collect a child's information when:

  • Notifying a parent and requesting consent.
  • Responding directly, on a one-time basis, to a specific request from a child. In this case, an operator is allowed to collect only the child's email address, which must be deleted after its use.
  • Protecting the safety of the child.
  • Protecting the security and integrity of the website.

Third, a website operator must provide parents with the opportunity to review any information collected on their children by the website. The FTC issued a commentary explaining that the right of parental review can enable parents to delete certain information but not alter it.

The fourth requirement prohibits website operators from conditioning a child's participation in online games and contests to disclosure of "unnecessary" personal information.

Fifth, site operators must protect the confidentiality, security, and integrity of any personal information that is collected online from children. The FTC suggested use of passwords to access personal information on the website, installation of intrusion-detection software to monitor unauthorized access, and use of secure web servers and firewalls to ensure confidentiality.

Key Definitions

"Operator"

An "operator" includes all the people that operate or maintain a website for profit. If more than one operator exists, all are jointly responsible for complying with the rules. In determining an "operator," FTC will consider the ownership and control of the information available on the website, the financial sponsor of the website and the information it contains, and the role of the website in collecting information from its users.

"Child"

COPPA defines the term "child" as an individual under the age of thirteen." In determining whether a site is targeted at children, FTC will consider whether the site includes a special children's area, the subject matter and its presentation to the users, and whether it has child-oriented incentives like games, animated characters, etc.

"Personal information"

The Act specifically forbids the collection of children's first and last names, home addresses, email addresses, telephone numbers, Social Security Numbers, or any other personal identifiers of the child or his/her parents, such as IP addresses or customer IDs in cookies. Also, COPPA authorizes the FTC to expand the definitions of personal information.

Enforcement of COPPA

At the federal level, COPPA violations are considered to be unfair or deceptive trade practices under § 5 of the Federal Trade Commission Act, and the FTC can impose civil penalties for its violation. In order to ensure compliance with the rule, the FTC monitors the Internet and encourages complaints from parents on its website. Violators could be liable for up to $11,000 per violation. At the state level, COPPA authorizes state attorneys general to bring actions in federal district court to enforce compliance with the FTC regulations and to obtain damages or other forms of compensation and relief.

The FTC's most recent survey, Protecting Children's Privacy Under COPPA: A Survey On Compliance, conducted in April 2002, shows that the general trend of the sites is of increased compliance, even though some COPPA provisions, such as requirements about specific disclosures, have been followed less consistently. In 2007, the FTC reported to Congress that in five years of COPPA enforcement, the FTC had successfully sought to protect children’s privacy without unduly burdening website operators.

Safe Harbor

An industry group may avoid compliance with COPPA Rule if the group were to generate self-regulatory guidelines approved by the FTC. An industry group can request approval for such guidelines by providing the FTC with the proposed guidelines and an accompanying commentary showing compliance of the guidelines with the COPPA regulation.

To be entitled for a safe harbor treatment, the proposed guidelines must contain requirements that are substantially similar to COPPA, a mechanism for evaluation of the operators' compliance with the guidelines, and incentives for compliance. Suggested mechanisms to determine compliance include periodic and random reviews of operators' practices, periodic industry or independent reviews of practices of all subject operators, and comprehensive information practices reviews as a condition of membership in self-regulatory programs.

Criticism of COPPA

Constitutional and Economic Drawbacks of the Verification Systems

According to COPPA provisions, an operator of a website directed at children must obtain verifiable parental consent before collecting or using any personal information from children visiting the website. In addition, the operator must also implement a reliable method for determining the age of the website's users, and whether any of the users are under the age of 13.

Critics have claimed that the methods outlined by the FTC for verification - sending/faxing signed printed forms, supplement of credit card numbers, calling toll-free numbers, or forwarding digital signatures through email - are too costly, cumbersome, and inadequate in protecting personal information. Even though new technologies are being developed, the current verification methods are too slow and impractical. The process of verification of mails, emails, and credit card numbers may take over a day. Further, disclosure of credit card information will expose the parents to the same privacy risks that they are trying to protect their children from and deter them from using such online services in general. As a consequence, children may manipulate information to access these websites, and in the long run, online businesses may either eliminate children-focused sites. Some sites simply claim that they do not sell products to children, and therefore do not need to comply with COPPA. An example for such a site is Amazon.com, where the online privacy notice states that no products are sold to children, and such products can be purchased only by people over 18 or with the involvement of a parent or guardian.

Even if websites do develop technology that enables easier compliance with the verification requirement, an important constitutional issue will remain unsolved. As EPIC has testified, any personal identification requirements from Internet users as a condition to access online content chills free speech and infringe on the First Amendment right to communicate anonymously.

Finally, the FTC has not adequately enforced COPPA in recent years, failing to act on complaints in a timely way. EPIC has filed complaints that have gone unanswered by the FTC, even as other Federal entities have deemed the offending companies to be in violation of COPPA, as in the case of Echometrix.