Children's Online Privacy Protection Act (COPPA)
- Senators Markey, Hawley Introduce Children's Privacy Legislation: Senators Edward Markey (D-Mass.) and Josh Hawley (R-Mo.) have introduced legislation to update the Children's Online Privacy Protection Act (COPPA). The bill bans internet companies from collecting personal or location information from children under 13 without parental consent and from teens ages 13-15 without the user's consent. EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. EPIC recently submitted comments in support of the FTC's proposed extension of the information collection requirements for COPPA, but said the law "would be more effective if the FTC established new limits on how firms can collect and use children's data." (Mar. 12, 2019)
- FTC Obtains Fines TikTok for Violation of Children's Privacy: TikTok settled with the FTC for $5.7 million over allegations that the Chinese video app company violated the Children's Online Privacy Protection Act. The FTC complaint alleges that TikTok violated COPPA by collecting personal information from kids without parental consent. The $5.7 million fine is the Commission's largest COPPA penalty. The Commission's vote was unanimous. EPIC helped enact the children online privacy law and regularly submits comments to the FTC on children's privacy issues. (Feb. 27, 2019)
- EPIC Joins Coalition Calling on FTC to Investigate Facebook for Deception of Children: A coalition of consumer groups sent a complaint to the FTC, charging that Facebook engaged in unfair and deceptive practices and violated the Children's Online Privacy Protection Act after court documents from a 2012 class action lawsuit revealed that Facebook encouraged children to make credit card purchases on Facebook's platform. Parents and minors repeatedly complained about the credit card charges, but the documents indicate that the company refused to refund charges and set up a complex complaint system to deter refund requests. EPIC helped enact the children online privacy law and regularly submits comments to the FTC on children's privacy issues. (Feb. 21, 2019)
- EPIC Supports Extension of Children's Privacy Reporting Requirements: EPIC submitted comments in support of the FTC's proposed extension of the information collection requirements for the Children's Online Privacy Protection Act. EPIC explained the importance of the law that protects the personal data of children who use Internet services, but added that the law "would be more effective if the FTC established new limits on how firms can collect and use children's data." EPIC testified before Congress in support of the original children's privacy law and backed the 2013 regulations that updated the law. Earlier this year, the FTC unanimously voted to approve EPIC's recommendations to create new safeguards for children's data in the gaming industry. (Dec. 3, 2018)
- Following EPIC Comments, FTC Strengthens Safeguards for Kids' Data in Gaming Industry: The FTC has unanimously voted to approve EPIC’s recommendations to strengthen safeguards for children's data in the gaming industry. In a 5-0 vote, the FTC adopted EPIC's proposals to revise the Entertainment Software Rating Board's industry rules to (1) extend children's privacy protections in COPPA to all users worldwide; and (2) to implement privacy safeguards for the collection of data "rendered anonymous." The FTC wrote, "the Commission agrees with EPIC's comment. As COPPA's protections are not limited only to U.S. residents, the definition of 'child' in the ESRB program has been revised to remove the limitation." The Commission also strengthened protections for de-identified children's data: "companies must provide notice and obtain verifiable parental consent if personal information is collected, even if it is later anonymized." EPIC has testified several times before Congress on protecting children's data and supported the 2013 updates to COPPA. (Aug. 14, 2018)
- Congressional Leaders Reintroduce Bipartisan Bill To Protect Children's Online Privacy: Senator Edward Markey (D-MA) and Congressman Joe Barton (TX-06), along with Senator Richard Blumenthal (D-CT) and Congressman Bobby L. Rush (IL-01), have reintroduced the Do Not Track Kids Act, a bill that would strengthen the Children's Online Privacy Protection Act (COPPA) by extending its protections to children under 15 and creating an "Eraser Button" that would allow parents and children to delete publicly available personal information. The bill would also prohibit targeted advertising to children, mandate data security standards for internet-connected devices sold to children, and establish a "Digital Marketing Bill of Rights for Minors" that would limit the collection of children's personal information, including geolocation information. EPIC recently warned the Federal Trade Commission not to weaken existing rules under COPPA that safeguard children's privacy. EPIC and a coalition of consumer groups have also urged the FTC to stop companies from selling dangerous, internet-connected "toys that spy". (May. 23, 2018)
- EPIC Advises FTC on Children's Privacy: In response to an industry proposal to diminish safeguards for children's privacy, EPIC reminded the FTC that industry guidelines must comply with the Children's Online Privacy Protection Act. EPIC also highlighted recent updates in the COPPA regulations that minimize data collection concerning children. EPIC wrote, "COPPA has evolved to address changes in technology and business practices." EPIC has testified several times before Congress on protecting children's data and supported the 2013 updates to COPPA. (May. 9, 2018)
- FTC Finally Takes Action on Connected Toys, Settles With Company That Violated Children's Privacy Law: The Federal Trade Commission announced a settlement with VTech Electronics over charges that the company collected personal information from children without parental consent and failed to provide data security. In 2015, Senators Edward Markey (D-MA) and Joe Barton (R-TX) inquired about VTech's privacy practices after the toy company was hacked, exposing the personal information of millions of children. EPIC and a coalition of consumer organizations recently renewed their call to the FTC to take action on toys that spy, one year after the groups filed a complaint with the FTC regarding dangerous internet-connected toys. The Children's Online Privacy Act (COPPA) sets forth strict requirements for the collection of information from children. In a recent interview with NBC Nightly News, EPIC's Sam Lester highlighted the dangers these toys pose from hackers. EPIC has supported numerous efforts to oppose toys that spy, including a successful effort in 2017 to recall Mattel's Aristotle. (Jan. 8, 2018)
- FTC Updates Guidance on Children's Privacy Law, Includes Connected Toys: The Federal Trade Commission has updated its guidance for businesses on complying with the Children's Online Privacy Protection Act. The new guidance clarifies that connected toys, Internet of Things devices, and other products intended for children must comply with the Act. "When companies surreptitiously collect and share children's information, the risk of harm is very real," FTC acting Chair Maureen Ohlhausen recently wrote. An EPIC-led coalition filed a complaint with the FTC in 2016 alleging that Intenet-connected dolls violate U.S. privacy law. EPIC's complaint spurred a congressional investigation and toy stores across Europe have removed Cayla from their shelves. The FTC acknowledged EPIC's complaint but has yet to act on it. (Jun. 27, 2017)
- EPIC Asks FTC to Stop System for Secret Scoring of Young Athletes: EPIC has filed a complaint with the Federal Trade Commission to stop the secret scoring of young tennis players. The EPIC complaint concerns the "Universal Tennis Rating", a proprietary algorithm used to assign numeric scores to tennis players, many of whom are children under 13. "The UTR score defines the status of young athletes in all tennis-related activity; impacts opportunities for scholarship, education and employment; and may in the future provide the basis for 'social scoring' and government rating of citizens," according to EPIC. EPIC urged the FTC to “find that a secret, unprovable, proprietary algorithm to evaluate children is an unfair and deceptive trade practice.” In 2015, EPIC launched a campaign on "Algorithmic Transparency" and has pursued several cases, including one for rating travelers and another for assessing guilt or innocence, that draw attention to the social risks of secret algorithms. (May. 17, 2017)
- Coalition Alleges Children's Privacy Violation. EPIC and 11 consumer organizations alleged in a complaint to the Federal Trade Commission (FTC) today that Amazon.com has illegally collected and disclosed children's personal information in violation of the Children's Online Privacy Protection Act (COPPA). The FTC has taken action in previous cases where companies direct web sites towards children and collect the personal information of children. (Apr. 22, 2003)
The Children's Online Privacy Protection Act ("COPPA") specifically protects the privacy of children under the age of 13 by requesting parental consent for the collection or use of any personal information of the users. The Act took effect in April 2000. The Act was passed in response to a growing awareness of Internet marketing techniques that targeted children and collected their personal information from websites without any parental notification. The Act applies to commercial websites and online services that are directed at children. The main requirements of the Act that a website operator must comply with include:
- Acquisition of a verifiable parental consent prior to collection of personal information from a child under the age of 13.
- Disclosure to parents of any information collected on their children by the website.
- A Right to revoke consent and have information deleted.
- Limited collection of personal information when a child participates in online games and contests.
- A general requirement to protect the confidentiality, security, and integrity of any personal information that is collected online from children.
Congress' intent in passing the Act was to increase parental involvement in children's online activities, ensure children's safety during their participation in online activities, and most importantly, protect children's personal information.
- The Child Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506, P.L. No. 105-277, 112 Stat. 2681-728.
- FTC's COPPA Regulation, 64 Fed. Reg. 212.
During the 1990s, the Internet became a major source for marketing, sales, and distribution of products and services. A growing segment of users of these services are children. By 1998, almost 10 million children in the United States had access to the Internet. The interactive nature of the Internet enabled marketers to collect personal information from children through their registration to chat rooms and discussion boards, to track behavior of web surfers through advertisements, and to promise gifts in exchange for personal information. Marketers, who collected such information about children and their families, compiled this information into files and sold it to third parties for various commercial purposes.
Dangerous list marketing abuses were also uncovered by investigative reports that heightened awareness of the power that can be exercised over individuals through the use of their personal information. CNN, on December 14, 1995, reported that look up services could be used to locate children: "There is no law on the books that prevents a stranger from calling a 900-number and getting information about your children. In fact, until a few weeks ago, a subsidiary of R. Donnelley provided a service that did just that." Additionally, a CBS television reporter was able to purchase a list of children's names using the name of a notorious killer. The San Francisco Examiner reported on May 12, 1996: "To prove how easy it is for pedophiles to obtain mailing list of kids, a Los Angeles television station reported that it obtained a detailed computer printout of the ages and addresses of 5,500 children living in Pasadena simply by sending $277 to a Chicago database firm."
Shortly after the 1995 news reports, EPIC sent a letter to Christine Varney, then Commissioner of the Federal Trade Commission. The EPIC letter urged an investigation of the R.R. Donnelley marketing company, which was reportedly selling children's personal information. The EPIC letter noted that FTC had pursued only weak protections for privacy law: "the Commission's only proposal thus far to protect the privacy of Americans and users of new telecommunication services are non-enforceable guidelines that are far weaker than a similar set of principles developed twenty years ago," referring to Fair Information Practices formulated in the 1970s.
Research conducted in 1996 by Kathryn Montgomery and Shelley Pasnik that was published by the Center for Media Education ("CME"), showed that young children cannot understand the potential effects of revealing their personal information; neither can they distinguish between substantive material on websites and the advertisements surrounding it. While some parents tried to monitor their children's use of the Internet services, many of them failed due to lack of time, computer skills, or awareness of risk. Targeting of children by marketing techniques resulted in the release of huge amounts of private information into the market and triggered the need for regulation.
EPIC testified in Congress in favor of privacy protections for children in September 1996. EPIC testified that there was already a sufficient record of problems in the marketing industry to warrant Congressional action, that industry self-regulation is not well suited to address privacy protections for children, and that protecting children's personal information would be consistent with prior privacy law. EPIC testified that collection and use of information constituted a growing threat to children:
"The collection of data about children is growing at a phenomenal rate. Government agencies, private organizations, universities, associations, businesses, and club all gather information on kids of all ages. Records on our children are collected literally at the time of birth, segmented, compiled, and in some cases resold to anyone who wishes to buy them.
"With a few exceptions, there are no clear legal standards that regulate any of these activities. It is also very difficult to determine how detailed these lists have become and what unreported abuses and misuses of personal information have already occurred. But there is a growing record which makes clear that current practices, which ignore standard privacy procedures followed in other industries and other market sectors, pose a substantial threat to the privacy and safety of young people.
In response to CME's request and growing public interest in children's privacy, in March 1998 the Federal Trade Commission ("FTC") presented the Congress with a report addressing the lack of regulation and protection of children's information online. In July 1998, Senators Richard Bryan (D-NV) and John McCain (R-AZ) introduced 105 S. 2326, titled "The Children's Online Privacy Protection Act of 1998." Portions of that bill were incorporated into 105 H.R. 4328, a Department of Transportation appropriations bill that was enacted by Congress and signed by President Clinton on October 21, 1998. The Act became effective on April 21, 2000.
- EPIC Letter to Christine Varney on Direct Marketing Use of Children's Data, EPIC, December 14, 1995.
- Testimony and Statement for the Record of Marc Rotenberg, director Electronic Privacy Information Center on the Children's Privacy Protection and Parental Empowerment Act, H.R. 3508 Before the House of Representatives, Committee on the Judiciary, Subcommittee on Crime, September 12, 1996
- Center for Media Education.
- Web of Deception: Threats to Children from Online Marketing, CME.
- Privacy Online, FTC report to Congress, March 1988.
COPPA sets forth a framework of fair information practices governing the collection, access to, and use of personal information by website directed to children. The Act does not apply to general audience websites; however, operators of such sites, who have specific sections for children or actual knowledge of children using their site, must follow the COPPA regulations. Also, COPPA applies to foreign websites that are directed at US children.
Second, COPPA requires a website operator to obtain verifiable parental consent before collecting any personal information from children. COPPA did not specify an exact method for obtaining such consent; however, the FTC indicated several acceptable ways for compliance with this requirement. An operator can supply consent forms to be signed and mailed or faxed to the operator, require a parent to use a credit card, have a parent call a toll-free number, or accept an email accompanied by a digital signature. Some exceptions are provided, and an operator is allowed to collect a child's information when:
- Notifying a parent and requesting consent.
- Responding directly, on a one-time basis, to a specific request from a child. In this case, an operator is allowed to collect only the child's email address, which must be deleted after its use.
- Protecting the safety of the child.
- Protecting the security and integrity of the website.
Third, a website operator must provide parents with the opportunity to review any information collected on their children by the website. The FTC issued a commentary explaining that the right of parental review can enable parents to delete certain information but not alter it.
The fourth requirement prohibits website operators from conditioning a child's participation in online games and contests to disclosure of "unnecessary" personal information.
Fifth, site operators must protect the confidentiality, security, and integrity of any personal information that is collected online from children. The FTC suggested use of passwords to access personal information on the website, installation of intrusion-detection software to monitor unauthorized access, and use of secure web servers and firewalls to ensure confidentiality.
An "operator" includes all the people that operate or maintain a website for profit. If more than one operator exists, all are jointly responsible for complying with the rules. In determining an "operator," FTC will consider the ownership and control of the information available on the website, the financial sponsor of the website and the information it contains, and the role of the website in collecting information from its users.
COPPA defines the term "child" as an individual under the age of thirteen." In determining whether a site is targeted at children, FTC will consider whether the site includes a special children's area, the subject matter and its presentation to the users, and whether it has child-oriented incentives like games, animated characters, etc.
The Act specifically forbids the collection of children's first and last names, home addresses, email addresses, telephone numbers, Social Security Numbers, or any other personal identifiers of the child or his/her parents, such as IP addresses or customer IDs in cookies. Also, COPPA authorizes the FTC to expand the definitions of personal information.
At the federal level, COPPA violations are considered to be unfair or deceptive trade practices under § 5 of the Federal Trade Commission Act, and the FTC can impose civil penalties for its violation. In order to ensure compliance with the rule, the FTC monitors the Internet and encourages complaints from parents on its website. Violators could be liable for up to $11,000 per violation. At the state level, COPPA authorizes state attorneys general to bring actions in federal district court to enforce compliance with the FTC regulations and to obtain damages or other forms of compensation and relief.
The FTC's most recent survey, Protecting Children's Privacy Under COPPA: A Survey On Compliance, conducted in April 2002, shows that the general trend of the sites is of increased compliance, even though some COPPA provisions, such as requirements about specific disclosures, have been followed less consistently. In 2007, the FTC reported to Congress that in five years of COPPA enforcement, the FTC had successfully sought to protect children’s privacy without unduly burdening website operators.
- Protecting Children's Privacy Under COPPA, FTC, April 2002.
- Implementing the Children’s Online Privacy Protection Act, FTC, February 2007
An industry group may avoid compliance with COPPA Rule if the group were to generate self-regulatory guidelines approved by the FTC. An industry group can request approval for such guidelines by providing the FTC with the proposed guidelines and an accompanying commentary showing compliance of the guidelines with the COPPA regulation.
To be entitled for a safe harbor treatment, the proposed guidelines must contain requirements that are substantially similar to COPPA, a mechanism for evaluation of the operators' compliance with the guidelines, and incentives for compliance. Suggested mechanisms to determine compliance include periodic and random reviews of operators' practices, periodic industry or independent reviews of practices of all subject operators, and comprehensive information practices reviews as a condition of membership in self-regulatory programs.
Constitutional and Economic Drawbacks of the Verification Systems
According to COPPA provisions, an operator of a website directed at children must obtain verifiable parental consent before collecting or using any personal information from children visiting the website. In addition, the operator must also implement a reliable method for determining the age of the website's users, and whether any of the users are under the age of 13.
Critics have claimed that the methods outlined by the FTC for verification - sending/faxing signed printed forms, supplement of credit card numbers, calling toll-free numbers, or forwarding digital signatures through email - are too costly, cumbersome, and inadequate in protecting personal information. Even though new technologies are being developed, the current verification methods are too slow and impractical. The process of verification of mails, emails, and credit card numbers may take over a day. Further, disclosure of credit card information will expose the parents to the same privacy risks that they are trying to protect their children from and deter them from using such online services in general. As a consequence, children may manipulate information to access these websites, and in the long run, online businesses may either eliminate children-focused sites. Some sites simply claim that they do not sell products to children, and therefore do not need to comply with COPPA. An example for such a site is Amazon.com, where the online privacy notice states that no products are sold to children, and such products can be purchased only by people over 18 or with the involvement of a parent or guardian.
Even if websites do develop technology that enables easier compliance with the verification requirement, an important constitutional issue will remain unsolved. As EPIC has testified, any personal identification requirements from Internet users as a condition to access online content chills free speech and infringe on the First Amendment right to communicate anonymously.
Finally, the FTC has not adequately enforced COPPA in recent years, failing to act on complaints in a timely way. EPIC has filed complaints that have gone unanswered by the FTC, even as other Federal entities have deemed the offending companies to be in violation of COPPA, as in the case of Echometrix.