Children's Online Privacy Protection Act (COPPA)
- FTC Updates Guidance on Children's Privacy Law, Includes Connected Toys: The Federal Trade Commission has updated its guidance for businesses on complying with the Children's Online Privacy Protection Act. The new guidance clarifies that connected toys, Internet of Things devices, and other products intended for children must comply with the Act. "When companies surreptitiously collect and share children's information, the risk of harm is very real," FTC acting Chair Maureen Ohlhausen recently wrote. An EPIC-led coalition filed a complaint with the FTC in 2016 alleging that Intenet-connected dolls violate U.S. privacy law. EPIC's complaint spurred a congressional investigation and toy stores across Europe have removed Cayla from their shelves. The FTC acknowledged EPIC's complaint but has yet to act on it. (Jun. 27, 2017)
- EPIC Asks FTC to Stop System for Secret Scoring of Young Athletes: EPIC has filed a complaint with the Federal Trade Commission to stop the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating", a proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. "The UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens," according to EPIC. EPIC urged the FTC to “find that a secret, unprovable, proprietary algorithm to evaluate children is an unfair and deceptive trade practice.” In 2015, EPIC launched a campaign on "Algorithmic Transparency" and has pursued several cases, including one for rating travelers and another for assessing guilt or innocence, that draw attention to the social risks of secret algorithms. (May. 17, 2017)
- EPIC's "Toys That Spy" Complaint Spurs Congressional Investigation: Senator Edward Markey (D-MA) has sent letters to toy maker Genesis Toys and speech technology developer Nuance Communications requesting information on their data collection from young children. The investigation follows EPIC's complaint filed with the Federal Trade Commission over "toys that spy" on children in violation of federal privacy laws. EPIC's complaint, joined by the Campaign for Commercial Free Childhood, the Center for Digital Democracy, and Consumers Union, is part of coordinated, international efforts to ban these toys from the marketplace. Senator Markey and Rep. Joe Barton (R-TX), joined by Senator Mark Kirk (R-IL) and Rep. Bobby Rush (D-IL), introduced the Do Not Track Kids Act, comprehensive children's online privacy legislation that updates the law to protect children's personal information. (Dec. 9, 2016)
- Markey and Barton Pursue VTech Data Breach: Senator Edward Markey (D-Mass.) and Congressman Joe Barton (R-Tex) have asked VTech, "How do you protect children's information?" The electronic toy produced,recently exposed the personal profiles of millions of children in a cyber hack. The personal date included names, mailing addresses, email addresses, download history, birthdates, and genders. Senator Markey and Congressman Barton asked about VTech's data and security practices, including compliance with the Children's Online Privacy Protection Act, data the company collects about children, and security standards. EPIC has testified several times before Congress on protecting children's data and supported the updates to the Childrens Online Privacy Protection Act. (Dec. 2, 2015)
- EPIC Challenges Samsung's Surveillance of the Home, Files FTC Complaint: EPIC has filed a complaint to the Federal Trade Commission about Samsung's SmartTvs. "Samsung routinely intercepts and records the private communications of consumers in their homes," EPIC wrote. EPIC detailed widespread consumer objections and charged that "privacy notices" do not diminish the harm to American consumers. In setting out the privacy violations, EPIC cited the FTC Act, the Children's Online Privacy Protection Act, The Cable Act, and the Electronic Communications Privacy Act. EPIC also noted a recent speech of FTC Chair Edith Ramirez about privacy and consumer products. EPIC asked the FTC to enjoin Samsung and other companies that engage in similar practices. (Feb. 24, 2015)
- FTC Sues Amazon Over Billing for Childrens' In-App Purchases: The FTC has filed a lawsuit alleging that "Amazon.com, Inc. has billed parents and other account holders for millions of dollars in unauthorized in-app charges incurred by children." FTC Chairwoman Edith Ramirez said, "Amazon's in-app system allowed children to incur unlimited charges on their parents' accounts without permission. Even Amazon's own employees recognized the serious problem its process created." The FTC recently settled similar charges with Apple. In that case, the FTC charged Apple with "billing consumers for millions of dollars of charges incurred by children in kids' mobile apps without their parents' consent." Under the terms of the settlement, Apple must provide a refund for affected consumers and must change its billing practices to ensure that it has obtained express, informed consent from consumers before charging them for items sold in mobile apps. Previously, EPIC filed a complaint with the FTC over Amazon's collection of children's data. EPIC explained that Amazon was violating the Children's Online Privacy Protection Act by allowing children to post content, including personally identifiable information, without their parents' permission. EPIC currently has several complaints pending with the FTC. For more information, see EPIC: FTC. (Jul. 11, 2014)
- Report Reveals Rise in Teens' Desire for Online Privacy: A report released by the Intelligence Group, a "youth-focused, research-based consumer insights company," reveals that teens want more online privacy than ever before. According to the report, only 11% of teens currently share "a lot about themselves online" - a 7% decrease from the same age group last year. By contrast, 17% of young adults aged 19- to 24 and 27% of adults aged 25 to 34 currently share "a lot about themselves online." The report also indicates that "about 18% of teens share content on social media at least once a day, including status updates, photos, pins, or articles, compared with 28% of 19- to 24-year-olds and 35% of 25- to 34-year-olds." Recently, EPIC objected to a settlement agreement that would allow Facebook to use images of teens in online advertising. EPIC has also filed comments with the FTC supporting stronger regulations to protect children's data online. For more information, see EPIC: Fraley v. Facebook, EPIC: COPPA and EPIC: FTC. (Apr. 25, 2014)
- Bipartisan Introduction of Do Not Track Kids Legislation in Senate and House: Senators Markey (D-MA) and Kirk (R-IL), along with Representatives Barton (R-TX) and Rush(D-IL), have introduced the Do Not Track Kids Act, comprehensive children's online privacy legislation. The bill would amend the Children's Online Privacy Protection Act by extending protection to teens ages 13-15, requiring consent for the collection of personal information, and creating an "eraser button" that allows children to delete personal information. California recently enacted a bill, which also provides for an "eraser button" that would require websites to allow minors to remove their own information. The bill would also require online companies to explain the types of personal information collected, how that information is used and disclosed, and the policies for collection of personal information. EPIC recommended similar update to COPPA in testimony before the Senate Commerce Committee in 2010. For more information, see EPIC: Children's Privacy. (Nov. 18, 2013)
- California Enacts Strong Digital Privacy Law for Minors: California Gov. Jerry Brown today signed a law to protect Privacy Rights for California Minors in the Digital World. The law, which goes into effect Jan. 1, 2015, sets out a broad range of rights for minors concerning the collection and use of their personal information by commercial service providers. The law does not limit the rights of minors, it seeks to regulate the practices of businesses. EPIC has long advocated for the privacy rights of children, testifying before the House in 1996 in support of the Children's Online Privacy Protection Act and again before the Senate in 2010 as new technologies and business practices emerged. EPIC also wrote comments to the FTC in 2011 supporting stronger regulations to protect the data concerning children. Some organizations, financed by Internet companies, are opposing the legislation. For more information, see EPIC: Children's Online Privacy Protection Act. (Sep. 24, 2013)
- FTC Rejects Industry Effort to Delay Children’s Privacy Rules: The Federal Trade Commission has rejected an effort by several trade groups to delay implementation of the Children’s Online Privacy Protection Act Rule, currently scheduled to take effect on July 1. In voting unanimously to retain the date, the FTC noted that it had given covered entities at least 6 months to prepare for the Rule and that industry had "not raised any concrete facts to demonstrate that a delay is necessary." The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or cookies), and prevents third-party advertisers from secretly collecting children's personal information without parental consent for behavioral advertising purposes. EPIC joined a coalition of consumer, privacy, and children's advocates in urging the FTC to keep the original implementation date. EPIC also commented in support of both the proposed rule, and a revised version introduced in August 2012. The revised rule follows a report by the FTC finding that many child-directed mobile apps did not disclose their data practices. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (May. 6, 2013)
- Coalition Alleges Children's Privacy Violation. EPIC and 11 consumer organizations alleged in a complaint to the Federal Trade Commission (FTC) today that Amazon.com has illegally collected and disclosed children's personal information in violation of the Children's Online Privacy Protection Act (COPPA). The FTC has taken action in previous cases where companies direct web sites towards children and collect the personal information of children. (Apr. 22, 2003)
The Children's Online Privacy Protection Act ("COPPA") specifically protects the privacy of children under the age of 13 by requesting parental consent for the collection or use of any personal information of the users. The Act took effect in April 2000. The Act was passed in response to a growing awareness of Internet marketing techniques that targeted children and collected their personal information from websites without any parental notification. The Act applies to commercial websites and online services that are directed at children. The main requirements of the Act that a website operator must comply with include:
- Acquisition of a verifiable parental consent prior to collection of personal information from a child under the age of 13.
- Disclosure to parents of any information collected on their children by the website.
- A Right to revoke consent and have information deleted.
- Limited collection of personal information when a child participates in online games and contests.
- A general requirement to protect the confidentiality, security, and integrity of any personal information that is collected online from children.
Congress' intent in passing the Act was to increase parental involvement in children's online activities, ensure children's safety during their participation in online activities, and most importantly, protect children's personal information.
- The Child Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506, P.L. No. 105-277, 112 Stat. 2681-728.
- FTC's COPPA Regulation, 64 Fed. Reg. 212.
During the 1990s, the Internet became a major source for marketing, sales, and distribution of products and services. A growing segment of users of these services are children. By 1998, almost 10 million children in the United States had access to the Internet. The interactive nature of the Internet enabled marketers to collect personal information from children through their registration to chat rooms and discussion boards, to track behavior of web surfers through advertisements, and to promise gifts in exchange for personal information. Marketers, who collected such information about children and their families, compiled this information into files and sold it to third parties for various commercial purposes.
Dangerous list marketing abuses were also uncovered by investigative reports that heightened awareness of the power that can be exercised over individuals through the use of their personal information. CNN, on December 14, 1995, reported that look up services could be used to locate children: "There is no law on the books that prevents a stranger from calling a 900-number and getting information about your children. In fact, until a few weeks ago, a subsidiary of R. Donnelley provided a service that did just that." Additionally, a CBS television reporter was able to purchase a list of children's names using the name of a notorious killer. The San Francisco Examiner reported on May 12, 1996: "To prove how easy it is for pedophiles to obtain mailing list of kids, a Los Angeles television station reported that it obtained a detailed computer printout of the ages and addresses of 5,500 children living in Pasadena simply by sending $277 to a Chicago database firm."
Shortly after the 1995 news reports, EPIC sent a letter to Christine Varney, then Commissioner of the Federal Trade Commission. The EPIC letter urged an investigation of the R.R. Donnelley marketing company, which was reportedly selling children's personal information. The EPIC letter noted that FTC had pursued only weak protections for privacy law: "the Commission's only proposal thus far to protect the privacy of Americans and users of new telecommunication services are non-enforceable guidelines that are far weaker than a similar set of principles developed twenty years ago," referring to Fair Information Practices formulated in the 1970s.
Research conducted in 1996 by Kathryn Montgomery and Shelley Pasnik that was published by the Center for Media Education ("CME"), showed that young children cannot understand the potential effects of revealing their personal information; neither can they distinguish between substantive material on websites and the advertisements surrounding it. While some parents tried to monitor their children's use of the Internet services, many of them failed due to lack of time, computer skills, or awareness of risk. Targeting of children by marketing techniques resulted in the release of huge amounts of private information into the market and triggered the need for regulation.
EPIC testified in Congress in favor of privacy protections for children in September 1996. EPIC testified that there was already a sufficient record of problems in the marketing industry to warrant Congressional action, that industry self-regulation is not well suited to address privacy protections for children, and that protecting children's personal information would be consistent with prior privacy law. EPIC testified that collection and use of information constituted a growing threat to children:
"The collection of data about children is growing at a phenomenal rate. Government agencies, private organizations, universities, associations, businesses, and club all gather information on kids of all ages. Records on our children are collected literally at the time of birth, segmented, compiled, and in some cases resold to anyone who wishes to buy them.
"With a few exceptions, there are no clear legal standards that regulate any of these activities. It is also very difficult to determine how detailed these lists have become and what unreported abuses and misuses of personal information have already occurred. But there is a growing record which makes clear that current practices, which ignore standard privacy procedures followed in other industries and other market sectors, pose a substantial threat to the privacy and safety of young people.
In response to CME's request and growing public interest in children's privacy, in March 1998 the Federal Trade Commission ("FTC") presented the Congress with a report addressing the lack of regulation and protection of children's information online. In July 1998, Senators Richard Bryan (D-NV) and John McCain (R-AZ) introduced 105 S. 2326, titled "The Children's Online Privacy Protection Act of 1998." Portions of that bill were incorporated into 105 H.R. 4328, a Department of Transportation appropriations bill that was enacted by Congress and signed by President Clinton on October 21, 1998. The Act became effective on April 21, 2000.
- EPIC Letter to Christine Varney on Direct Marketing Use of Children's Data, EPIC, December 14, 1995.
- Testimony and Statement for the Record of Marc Rotenberg, director Electronic Privacy Information Center on the Children's Privacy Protection and Parental Empowerment Act, H.R. 3508 Before the House of Representatives, Committee on the Judiciary, Subcommittee on Crime, September 12, 1996
- Center for Media Education.
- Web of Deception: Threats to Children from Online Marketing, CME.
- Privacy Online, FTC report to Congress, March 1988.
COPPA sets forth a framework of fair information practices governing the collection, access to, and use of personal information by website directed to children. The Act does not apply to general audience websites; however, operators of such sites, who have specific sections for children or actual knowledge of children using their site, must follow the COPPA regulations. Also, COPPA applies to foreign websites that are directed at US children.
Second, COPPA requires a website operator to obtain verifiable parental consent before collecting any personal information from children. COPPA did not specify an exact method for obtaining such consent; however, the FTC indicated several acceptable ways for compliance with this requirement. An operator can supply consent forms to be signed and mailed or faxed to the operator, require a parent to use a credit card, have a parent call a toll-free number, or accept an email accompanied by a digital signature. Some exceptions are provided, and an operator is allowed to collect a child's information when:
- Notifying a parent and requesting consent.
- Responding directly, on a one-time basis, to a specific request from a child. In this case, an operator is allowed to collect only the child's email address, which must be deleted after its use.
- Protecting the safety of the child.
- Protecting the security and integrity of the website.
Third, a website operator must provide parents with the opportunity to review any information collected on their children by the website. The FTC issued a commentary explaining that the right of parental review can enable parents to delete certain information but not alter it.
The fourth requirement prohibits website operators from conditioning a child's participation in online games and contests to disclosure of "unnecessary" personal information.
Fifth, site operators must protect the confidentiality, security, and integrity of any personal information that is collected online from children. The FTC suggested use of passwords to access personal information on the website, installation of intrusion-detection software to monitor unauthorized access, and use of secure web servers and firewalls to ensure confidentiality.
An "operator" includes all the people that operate or maintain a website for profit. If more than one operator exists, all are jointly responsible for complying with the rules. In determining an "operator," FTC will consider the ownership and control of the information available on the website, the financial sponsor of the website and the information it contains, and the role of the website in collecting information from its users.
COPPA defines the term "child" as an individual under the age of thirteen." In determining whether a site is targeted at children, FTC will consider whether the site includes a special children's area, the subject matter and its presentation to the users, and whether it has child-oriented incentives like games, animated characters, etc.
The Act specifically forbids the collection of children's first and last names, home addresses, email addresses, telephone numbers, Social Security Numbers, or any other personal identifiers of the child or his/her parents, such as IP addresses or customer IDs in cookies. Also, COPPA authorizes the FTC to expand the definitions of personal information.
At the federal level, COPPA violations are considered to be unfair or deceptive trade practices under § 5 of the Federal Trade Commission Act, and the FTC can impose civil penalties for its violation. In order to ensure compliance with the rule, the FTC monitors the Internet and encourages complaints from parents on its website. Violators could be liable for up to $11,000 per violation. At the state level, COPPA authorizes state attorneys general to bring actions in federal district court to enforce compliance with the FTC regulations and to obtain damages or other forms of compensation and relief.
The FTC's most recent survey, Protecting Children's Privacy Under COPPA: A Survey On Compliance, conducted in April 2002, shows that the general trend of the sites is of increased compliance, even though some COPPA provisions, such as requirements about specific disclosures, have been followed less consistently. In 2007, the FTC reported to Congress that in five years of COPPA enforcement, the FTC had successfully sought to protect children’s privacy without unduly burdening website operators.
- Protecting Children's Privacy Under COPPA, FTC, April 2002.
- Implementing the Children’s Online Privacy Protection Act, FTC, February 2007
An industry group may avoid compliance with COPPA Rule if the group were to generate self-regulatory guidelines approved by the FTC. An industry group can request approval for such guidelines by providing the FTC with the proposed guidelines and an accompanying commentary showing compliance of the guidelines with the COPPA regulation.
To be entitled for a safe harbor treatment, the proposed guidelines must contain requirements that are substantially similar to COPPA, a mechanism for evaluation of the operators' compliance with the guidelines, and incentives for compliance. Suggested mechanisms to determine compliance include periodic and random reviews of operators' practices, periodic industry or independent reviews of practices of all subject operators, and comprehensive information practices reviews as a condition of membership in self-regulatory programs.
Constitutional and Economic Drawbacks of the Verification Systems
According to COPPA provisions, an operator of a website directed at children must obtain verifiable parental consent before collecting or using any personal information from children visiting the website. In addition, the operator must also implement a reliable method for determining the age of the website's users, and whether any of the users are under the age of 13.
Critics have claimed that the methods outlined by the FTC for verification - sending/faxing signed printed forms, supplement of credit card numbers, calling toll-free numbers, or forwarding digital signatures through email - are too costly, cumbersome, and inadequate in protecting personal information. Even though new technologies are being developed, the current verification methods are too slow and impractical. The process of verification of mails, emails, and credit card numbers may take over a day. Further, disclosure of credit card information will expose the parents to the same privacy risks that they are trying to protect their children from and deter them from using such online services in general. As a consequence, children may manipulate information to access these websites, and in the long run, online businesses may either eliminate children-focused sites. Some sites simply claim that they do not sell products to children, and therefore do not need to comply with COPPA. An example for such a site is Amazon.com, where the online privacy notice states that no products are sold to children, and such products can be purchased only by people over 18 or with the involvement of a parent or guardian.
Even if websites do develop technology that enables easier compliance with the verification requirement, an important constitutional issue will remain unsolved. As EPIC has testified, any personal identification requirements from Internet users as a condition to access online content chills free speech and infringe on the First Amendment right to communicate anonymously.
Finally, the FTC has not adequately enforced COPPA in recent years, failing to act on complaints in a timely way. EPIC has filed complaints that have gone unanswered by the FTC, even as other Federal entities have deemed the offending companies to be in violation of COPPA, as in the case of Echometrix.
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,