Children are especially vulnerable to online privacy violations. Accordingly, Congress enacted the Children’s Online Privacy Protection Act, one of the few federal privacy laws in the U.S. Unfortunately, enforcement of the Act often falls behind new technology, tech companies’ mergers and acquisitions, and insufficient FTC action to stop violations. EPIC advocates for a dedicated agency to fully protect all individuals online and supports comprehensive federal privacy legislation.
CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)
The Children’s Online Privacy Protection Act (“COPPA”) specifically aims to protect the privacy of children under the age of 13 by requesting parental consent for the collection or use of any personal information of the users. The Act took effect in April 2000 and was revised in 2013. The Act was passed in response to a growing awareness of Internet marketing techniques that targeted children and collected their personal information from websites without any parental notification. The Act applies to commercial websites and online services that are directed at children. The main requirements of the Act that a website operator must comply with include:
- Acquisition of a verifiable parental consent prior to collection of personal information from a child under the age of 13.
- Disclosure to parents of any information collected on their children by the website.
- A Right to revoke consent and have information deleted.
- Limited collection of personal information when a child participates in online games and contests.
- A general requirement to protect the confidentiality, security, and integrity of any personal information that is collected online from children.
Congress’ intent in passing the Act was to increase parental involvement in children’s online activities, ensure children’s safety during their participation in online activities, and most importantly, protect children’s personal information.
- The Child Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506, P.L. No. 105-277, 112 Stat. 2681-728.
- FTC’s COPPA Regulation, 64 Fed. Reg. 212.
COPPA sets forth a framework of Fair Information Practices governing the collection, access to, and use of personal information by website directed to children. The Act does not apply to general audience websites; however, operators of such sites, who have specific sections for children or actual knowledge of children using their site, must follow the COPPA regulations. Also, COPPA applies to foreign websites that are directed at US children.
At the federal level, COPPA violations are considered to be unfair or deceptive trade practices under § 5 of the Federal Trade Commission Act, and the FTC can impose civil penalties for its violation. In order to ensure compliance with the rule, the FTC monitors the Internet and encourages complaints from parents on its website. Violators could be liable for up to $43,792 per violation. At the state level, COPPA authorizes state attorneys general to bring actions in federal district court to enforce compliance with the FTC regulations and to obtain damages or other forms of compensation and relief.
In 2019, EPIC submitted comments to the FTC on the agency’s regulatory review of the Children’s Online Privacy Protection Act (COPPA) Rules. EPIC said the FTC should: (1) maintain the strong safeguards for children’s data, (2) reject the “school official exception”, (3) the FTC define the term “commercial purpose” and ensure that children’s personal data collected in schools is not transferred to EdTech companies; and (4) the FTC require notification within forty-eights of a data breach of children’s data by a company subject to COPPA. EPIC said “the FTC must now establish clear safeguards for children’s data gathered in schools.” EPIC testified before Congress in 1996 in support of the original children’s privacy law. The FTC previously considered EPIC’s recommendations in an early review of the COPPA Rule and incorporated several of EPIC’s recommendations in the 2013 regulations.
SOCIAL MEDIA AND TECH COMPANIES’ VIOLATIONS OF COPPA
Since the enactment of COPPA, several social media and tech companies have violated the Act. As early as 2003, EPIC, along with 11 consumer organizations, alleged in a complaint to the Federal Trade Commission (FTC) that Amazon illegally collected and disclosed children’s personal information in violation of the Children’s Online Privacy Protection Act (COPPA).
In August 2018, FTC unanimously voted to approve EPIC’s recommendations to strengthen safeguards for children’s data in the gaming industry. In a 5-0 vote, the FTC adopted EPIC’s proposals to revise the Entertainment Software Rating Board’s industry rules to (1) extend children’s privacy protections in COPPA to all users worldwide; and (2) to implement privacy safeguards for the collection of data “rendered anonymous.” The FTC wrote, “the Commission agrees with EPIC’s comment. As COPPA’s protections are not limited only to U.S. residents, the definition of ‘child’ in the ESRB program has been revised to remove the limitation.” The Commission also strengthened protections for de-identified children’s data: “companies must provide notice and obtain verifiable parental consent if personal information is collected, even if it is later anonymized.”
EPIC, along with a coalition of consumer groups, sent a complaint to the FTC in February 2019, charging that Facebook engaged in unfair and deceptive practices and violated the Children’s Online Privacy Protection Act after court documents from a 2012 class action lawsuit revealed that Facebook encouraged children to make credit card purchases on Facebook’s platform. Parents and minors repeatedly complained about the credit card charges, but the documents indicate that the company refused to refund charges and set up a complex complaint system to deter refund requests.
TikTok settled with the FTC for $5.7 million over allegations that the Chinese video app company violated the Children’s Online Privacy Protection Act in February 2019. The FTC complaint alleged that TikTok violated COPPA by collecting personal information from kids without parental consent. The $5.7 million fine was the Commission’s largest COPPA penalty at the time. The Commission’s vote was unanimous.
The FTC announced in September 2019 that Google and its subsidiary YouTube would pay a $170 million fine to settle the FTC’s allegations that YouTube collected children’s personal information without parental consent. YouTube collected information from children on pages specifically directed towards children, such as videos about children’s toys and nursery rhymes. Although the fine was a record, Commissioner Chopra explained that it did not penalize Google or YouTube for its ill-gotten gains.
CONGRESSIONAL ACTION TO PROTECT CHILDREN’S PRIVACY
In March 2019, Senators Edward Markey (D-Mass.) and Josh Hawley (R-Mo.) introduced legislation to update the Children’s Online Privacy Protection Act (COPPA). The bill bans internet companies from collecting personal or location information from children under 13 without parental consent and from teens ages 13-15 without the user’s consent. EPIC backed the 2013 regulations that updated the law.
Senators Markey (D-Mass), Blumenthal (D-Conn.), Durbin (D-Ill.), and Hawley (R-Mo.) sent a letter in May 2019 to the Federal Trade Commission to launch an investigation into new evidence of Amazon violations of the Children’s Online Privacy Protection Act (COPPA) with an Amazon device targeted to children. The Senators wrote: “Children are a uniquely vulnerable population. We urge the Commission to take all necessary steps to ensure their privacy as ‘Internet of Things’ devices targeting young consumers come to market, including promptly initiating an investigation into the Amazon Echo Dot Kids Edition’s compliance with COPPA. The letter cited a complaint to the FTC by Campaign for a Commercial-Free Childhood and joined by EPIC.
A bipartisan group of Senators has urged the Federal Trade Commission to launch an investigation into children’s data practices in the educational technology and digital advertising sectors. In a May 2020 letter to the FTC, Senators Edward Markey (D-Mass.), Josh Hawley (R-Mo.), Richard Blumenthal (D-Conn.), Bill Cassidy (R-La.), Dick Durbin (D-Ill.), and Marsha Blackburn (R-Tenn.) said “The FTC should use its investigatory powers to better understand commercial entities that engage in online advertising to children—especially how those commercial entities are shifting their marketing strategies in response to the Coronavirus pandemic and increased screen time among children.”
In July 2021, U.S. Rep. Kathy Castor (FL14) introduced an updated “Protecting the Information of our Vulnerable Children and Youth Act” or the “Kids PRIVCY Act” to strengthen the Children’s Online Privacy Protection Act (COPPA). “Representative Castor’s bill makes critical updates to our children’s privacy laws to address the dangers of today’s technologies,” said Caitriona Fitzgerald, Deputy Director, Electronic Privacy Information Center (EPIC). “Everyone deserves strong privacy protections online, but children and teens especially need to be protected from corporate surveillance and manipulative targeted advertising. The Kids PRIVCY Act prohibits behavioral ad targeting to children and teens and includes strong enforcement mechanisms to ensure that companies comply with the law. EPIC is proud to support this bill and encourages Congress to move this legislation forward in order to protect children and teens online.”
Recent Documents on Children’s Privacy
EPIC's complaint alleges that Echometrix engages in unfair and deceptive trade practices by representing that the software protects children online while simultaneously collecting and disclosing information about children's online activity.