Children's Online Privacy Protection Act (COPPA)
- Bipartisan Introduction of Do Not Track Kids Legislation in Senate and House: Senators Markey (D-MA) and Kirk (R-IL), along with Representatives Barton (R-TX) and Rush(D-IL), have introduced the Do Not Track Kids Act, comprehensive children's online privacy legislation. The bill would amend the Children's Online Privacy Protection Act by extending protection to teens ages 13-15, requiring consent for the collection of personal information, and creating an "eraser button" that allows children to delete personal information. California recently enacted a bill, which also provides for an "eraser button" that would require websites to allow minors to remove their own information. The bill would also require online companies to explain the types of personal information collected, how that information is used and disclosed, and the policies for collection of personal information. EPIC recommended similar update to COPPA in testimony before the Senate Commerce Committee in 2010. For more information, see EPIC: Children's Privacy. (Nov. 18, 2013)
- California Enacts Strong Digital Privacy Law for Minors: California Gov. Jerry Brown today signed a law to protect Privacy Rights for California Minors in the Digital World. The law, which goes into effect Jan. 1, 2015, sets out a broad range of rights for minors concerning the collection and use of their personal information by commercial service providers. The law does not limit the rights of minors, it seeks to regulate the practices of businesses. EPIC has long advocated for the privacy rights of children, testifying before the House in 1996 in support of the Children's Online Privacy Protection Act and again before the Senate in 2010 as new technologies and business practices emerged. EPIC also wrote comments to the FTC in 2011 supporting stronger regulations to protect the data concerning children. Some organizations, financed by Internet companies, are opposing the legislation. For more information, see EPIC: Children's Online Privacy Protection Act. (Sep. 24, 2013)
- FTC Rejects Industry Effort to Delay Children’s Privacy Rules: The Federal Trade Commission has rejected an effort by several trade groups to delay implementation of the Children’s Online Privacy Protection Act Rule, currently scheduled to take effect on July 1. In voting unanimously to retain the date, the FTC noted that it had given covered entities at least 6 months to prepare for the Rule and that industry had "not raised any concrete facts to demonstrate that a delay is necessary." The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or cookies), and prevents third-party advertisers from secretly collecting children's personal information without parental consent for behavioral advertising purposes. EPIC joined a coalition of consumer, privacy, and children's advocates in urging the FTC to keep the original implementation date. EPIC also commented in support of both the proposed rule, and a revised version introduced in August 2012. The revised rule follows a report by the FTC finding that many child-directed mobile apps did not disclose their data practices. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (May. 6, 2013)
- Consumer Groups Oppose Delay for New Children’s Privacy Rules: A group of consumer, privacy, and children's advocates wrote to the Federal Trade Commission to oppose an industry effort to delay implementation of the new Children's Online Privacy Protection Act rule. The groups noted that two-and-a-half years have passed since the Commission proposed the updates to COPPA. They said there was no "compelling reason for giving the industry more time to comply with the law." The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or cookies), and prevents third-party advertisers from secretly collecting children's personal information without parental consent for advertising purposes. EPIC previously commented in support of the proposed rule and a revised version. The new safeguards follow a report by the FTC finding that many child-directed mobile apps conceal their data collection practices. For more information, see EPIC: FTC and EPIC: Children’s Online Privacy. (Apr. 23, 2013)
- FTC Reaches Settlement with Mobile App Path over Privacy Violations: The Federal Trade Commission announced a settlement with the social networking app Path over charges that the app secretly collected information from mobile users' address books without their consent. The FTC also fined the company $800,000 for violating the Children's Online Privacy Protection Act, which prohibits the collection of personal information from a children without obtaining parental consent. The consent order requires Path to implement a comprehensive privacy program and to submit to independent privacy assessments for the next 20 years. The FTC has released a series of reports documenting privacy problems with mobile apps that collect the personal information of children. Recently, EPIC submitted comments supporting the FTC’s proposed improvements to the children’s online privacy rule, which the agency ended up adopting. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (Feb. 1, 2013)
- FTC Releases Updated Children’s Online Privacy Rule: The Federal Trade Commission has updated the Children's Online Privacy Protection Act. The new Rule expands the definition of personal information to include geolocation information and persistent identifiers (or "cookies)", and prevents third-party advertisers from secretly collecting children’s personal information without parental consent for behavioral advertising purposes. EPIC supported the changes and responded to criticisms from industry groups. In 2010, EPIC testified before the United States Senate that the 1998 law was critical to protect the privacy of children but that updates were also essential in light of new business practices, the emergence of social networks, smartphone apps. A subsequent FTC report found that many child-directed mobile apps lack adequate privacy safeguards. For more information, see EPIC: FTC and EPIC: Children's Online Privacy. (Dec. 19, 2012)
- FTC Report Finds Privacy Problems for Children’s Mobile Apps: A report by the Federal Trade Commission found little progress on transparency for child-directed mobile applications. The FTC surveyed apps from Google Play and Apple App stores and concluded that "many apps included interactive features or shared kids' information with third parties without disclosing these practices to parents." The report commits the FTC to another review of the app marketplace and indicates that the agency has launched "multiple non-public" investigations to determine whether certain apps had engaged in unfair and deceptive trade practices or violated the Children’s Online Privacy Protection Act. The FTC recently proposed revisions to the COPPA Rule, which EPIC supported. For more information, see EPIC: Children’s Online Privacy and EPIC: Federal Trade Commission. (Dec. 10, 2012)
- Pew Survey Finds Most Parents Concerned About Children's Online Privacy: A new report from the Pew Research Center and the Berkman Center for Internet & Society finds that 81% of parents are concerned about how much information advertisers can learn about their child's online behavior. Also, 69% of parents of online teens are concerned about how their child’s online activity might affect their future academic or employment opportunities. And 63% of parents of teens ages 12-13 say they are "very" concerned about their child's interactions with people they do not know online. Many parents reported taking steps to address these risks, such as talking to their children or helping them configure privacy settings. The Federal Trade Commission is considering new privacy rules to strengthen the Children’s Online Privacy Protection Act. EPIC strongly supports the proposed changes. For more information, see EPIC: Children's Online Privacy and EPIC: Federal Trade Commission. (Nov. 21, 2012)
- FTC Proposes Additional Changes to Children’s Online Privacy Rule: The Federal Trade Commission proposed additional changes to the Children's Online Privacy Protection Act Rule. The revised rule would clarify that operators of websites who choose to use advertising services and plug-ins that collect data about children would have to comply with COPPA. The rule would also allow mixed-audience websites to age-screen visitors, and would clarify the circumstances in which persistent identifiers such as cookies or IP addresses are considered "personal information." The revisions modify an earlier rule that was proposed by the FTC in September 2011. EPIC commented on the September 2011 rule, noting that "the proposed revisions update the COPPA Rule by taking better account of the increased use of mobile devices by users and of new data collection practices by businesses." For more information, see EPIC: Children's Online Privacy Protection Act and EPIC: Federal Trade Commission. (Aug. 1, 2012)
- FTC Announces Settlement with RockYou Over Security Flaws, COPPA Violations: The Federal Trade Commission announced a settlement with the social game site RockYou over charges that the site's poor security allowed hackers to access the personal information of 32 million users. The FTC also alleged that RockYou violated the Children's Online Privacy Protection Act Rule by knowingly collecting approximately 179,000 children's email addresses and associated passwords without the consent of their parents. The settlement prohibits future deceptive claims by the company regarding privacy and data security and future violations of the COPPA Rule, and requires the company to implement a data security program and to pay a $250,000 civil penalty. Last year, the FTC proposed new COPPA rules to better protect children, about which EPIC submitted comments. For more information, see EPIC: Children’s Online Privacy and EPIC: FTC. (Mar. 27, 2012)
- Coalition Alleges Children's Privacy Violation. EPIC and 11 consumer organizations alleged in a complaint to the Federal Trade Commission (FTC) today that Amazon.com has illegally collected and disclosed children's personal information in violation of the Children's Online Privacy Protection Act (COPPA). The FTC has taken action in previous cases where companies direct web sites towards children and collect the personal information of children. (Apr. 22, 2003)
The Children's Online Privacy Protection Act ("COPPA") specifically protects the privacy of children under the age of 13 by requesting parental consent for the collection or use of any personal information of the users. The Act took effect in April 2000. The Act was passed in response to a growing awareness of Internet marketing techniques that targeted children and collected their personal information from websites without any parental notification. The Act applies to commercial websites and online services that are directed at children. The main requirements of the Act that a website operator must comply with include:
- Acquisition of a verifiable parental consent prior to collection of personal information from a child under the age of 13.
- Disclosure to parents of any information collected on their children by the website.
- A Right to revoke consent and have information deleted.
- Limited collection of personal information when a child participates in online games and contests.
- A general requirement to protect the confidentiality, security, and integrity of any personal information that is collected online from children.
Congress' intent in passing the Act was to increase parental involvement in children's online activities, ensure children's safety during their participation in online activities, and most importantly, protect children's personal information.
- The Child Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506, P.L. No. 105-277, 112 Stat. 2681-728.
- FTC's COPPA Regulation, 64 Fed. Reg. 212.
During the 1990s, the Internet became a major source for marketing, sales, and distribution of products and services. A growing segment of users of these services are children. By 1998, almost 10 million children in the United States had access to the Internet. The interactive nature of the Internet enabled marketers to collect personal information from children through their registration to chat rooms and discussion boards, to track behavior of web surfers through advertisements, and to promise gifts in exchange for personal information. Marketers, who collected such information about children and their families, compiled this information into files and sold it to third parties for various commercial purposes.
Dangerous list marketing abuses were also uncovered by investigative reports that heightened awareness of the power that can be exercised over individuals through the use of their personal information. CNN, on December 14, 1995, reported that look up services could be used to locate children: "There is no law on the books that prevents a stranger from calling a 900-number and getting information about your children. In fact, until a few weeks ago, a subsidiary of R. Donnelley provided a service that did just that." Additionally, a CBS television reporter was able to purchase a list of children's names using the name of a notorious killer. The San Francisco Examiner reported on May 12, 1996: "To prove how easy it is for pedophiles to obtain mailing list of kids, a Los Angeles television station reported that it obtained a detailed computer printout of the ages and addresses of 5,500 children living in Pasadena simply by sending $277 to a Chicago database firm."
Shortly after the 1995 news reports, EPIC sent a letter to Christine Varney, then Commissioner of the Federal Trade Commission. The EPIC letter urged an investigation of the R.R. Donnelley marketing company, which was reportedly selling children's personal information. The EPIC letter noted that FTC had pursued only weak protections for privacy law: "the Commission's only proposal thus far to protect the privacy of Americans and users of new telecommunication services are non-enforceable guidelines that are far weaker than a similar set of principles developed twenty years ago," referring to Fair Information Practices formulated in the 1970s.
Research conducted in 1996 by Kathryn Montgomery and Shelley Pasnik that was published by the Center for Media Education ("CME"), showed that young children cannot understand the potential effects of revealing their personal information; neither can they distinguish between substantive material on websites and the advertisements surrounding it. While some parents tried to monitor their children's use of the Internet services, many of them failed due to lack of time, computer skills, or awareness of risk. Targeting of children by marketing techniques resulted in the release of huge amounts of private information into the market and triggered the need for regulation.
EPIC testified in Congress in favor of privacy protections for children in September 1996. EPIC testified that there was already a sufficient record of problems in the marketing industry to warrant Congressional action, that industry self-regulation is not well suited to address privacy protections for children, and that protecting children's personal information would be consistent with prior privacy law. EPIC testified that collection and use of information constituted a growing threat to children:
"The collection of data about children is growing at a phenomenal rate. Government agencies, private organizations, universities, associations, businesses, and club all gather information on kids of all ages. Records on our children are collected literally at the time of birth, segmented, compiled, and in some cases resold to anyone who wishes to buy them.
"With a few exceptions, there are no clear legal standards that regulate any of these activities. It is also very difficult to determine how detailed these lists have become and what unreported abuses and misuses of personal information have already occurred. But there is a growing record which makes clear that current practices, which ignore standard privacy procedures followed in other industries and other market sectors, pose a substantial threat to the privacy and safety of young people.
In response to CME's request and growing public interest in children's privacy, in March 1998 the Federal Trade Commission ("FTC") presented the Congress with a report addressing the lack of regulation and protection of children's information online. In July 1998, Senators Richard Bryan (D-NV) and John McCain (R-AZ) introduced 105 S. 2326, titled "The Children's Online Privacy Protection Act of 1998." Portions of that bill were incorporated into 105 H.R. 4328, a Department of Transportation appropriations bill that was enacted by Congress and signed by President Clinton on October 21, 1998. The Act became effective on April 21, 2000.
- EPIC Letter to Christine Varney on Direct Marketing Use of Children's Data, EPIC, December 14, 1995.
- Testimony and Statement for the Record of Marc Rotenberg, director Electronic Privacy Information Center on the Children's Privacy Protection and Parental Empowerment Act, H.R. 3508 Before the House of Representatives, Committee on the Judiciary, Subcommittee on Crime, September 12, 1996
- Center for Media Education.
- Web of Deception: Threats to Children from Online Marketing, CME.
- Privacy Online, FTC report to Congress, March 1988.
COPPA sets forth a framework of fair information practices governing the collection, access to, and use of personal information by website directed to children. The Act does not apply to general audience websites; however, operators of such sites, who have specific sections for children or actual knowledge of children using their site, must follow the COPPA regulations. Also, COPPA applies to foreign websites that are directed at US children.
Second, COPPA requires a website operator to obtain verifiable parental consent before collecting any personal information from children. COPPA did not specify an exact method for obtaining such consent; however, the FTC indicated several acceptable ways for compliance with this requirement. An operator can supply consent forms to be signed and mailed or faxed to the operator, require a parent to use a credit card, have a parent call a toll-free number, or accept an email accompanied by a digital signature. Some exceptions are provided, and an operator is allowed to collect a child's information when:
- Notifying a parent and requesting consent.
- Responding directly, on a one-time basis, to a specific request from a child. In this case, an operator is allowed to collect only the child's email address, which must be deleted after its use.
- Protecting the safety of the child.
- Protecting the security and integrity of the website.
Third, a website operator must provide parents with the opportunity to review any information collected on their children by the website. The FTC issued a commentary explaining that the right of parental review can enable parents to delete certain information but not alter it.
The fourth requirement prohibits website operators from conditioning a child's participation in online games and contests to disclosure of "unnecessary" personal information.
Fifth, site operators must protect the confidentiality, security, and integrity of any personal information that is collected online from children. The FTC suggested use of passwords to access personal information on the website, installation of intrusion-detection software to monitor unauthorized access, and use of secure web servers and firewalls to ensure confidentiality.
An "operator" includes all the people that operate or maintain a website for profit. If more than one operator exists, all are jointly responsible for complying with the rules. In determining an "operator," FTC will consider the ownership and control of the information available on the website, the financial sponsor of the website and the information it contains, and the role of the website in collecting information from its users.
COPPA defines the term "child" as an individual under the age of thirteen." In determining whether a site is targeted at children, FTC will consider whether the site includes a special children's area, the subject matter and its presentation to the users, and whether it has child-oriented incentives like games, animated characters, etc.
The Act specifically forbids the collection of children's first and last names, home addresses, email addresses, telephone numbers, Social Security Numbers, or any other personal identifiers of the child or his/her parents, such as IP addresses or customer IDs in cookies. Also, COPPA authorizes the FTC to expand the definitions of personal information.
At the federal level, COPPA violations are considered to be unfair or deceptive trade practices under § 5 of the Federal Trade Commission Act, and the FTC can impose civil penalties for its violation. In order to ensure compliance with the rule, the FTC monitors the Internet and encourages complaints from parents on its website. Violators could be liable for up to $11,000 per violation. At the state level, COPPA authorizes state attorneys general to bring actions in federal district court to enforce compliance with the FTC regulations and to obtain damages or other forms of compensation and relief.
The FTC's most recent survey, Protecting Children's Privacy Under COPPA: A Survey On Compliance, conducted in April 2002, shows that the general trend of the sites is of increased compliance, even though some COPPA provisions, such as requirements about specific disclosures, have been followed less consistently. In 2007, the FTC reported to Congress that in five years of COPPA enforcement, the FTC had successfully sought to protect children’s privacy without unduly burdening website operators.
- Protecting Children's Privacy Under COPPA, FTC, April 2002.
- Implementing the Children’s Online Privacy Protection Act, FTC, February 2007
An industry group may avoid compliance with COPPA Rule if the group were to generate self-regulatory guidelines approved by the FTC. An industry group can request approval for such guidelines by providing the FTC with the proposed guidelines and an accompanying commentary showing compliance of the guidelines with the COPPA regulation.
To be entitled for a safe harbor treatment, the proposed guidelines must contain requirements that are substantially similar to COPPA, a mechanism for evaluation of the operators' compliance with the guidelines, and incentives for compliance. Suggested mechanisms to determine compliance include periodic and random reviews of operators' practices, periodic industry or independent reviews of practices of all subject operators, and comprehensive information practices reviews as a condition of membership in self-regulatory programs.
Constitutional and Economic Drawbacks of the Verification Systems
According to COPPA provisions, an operator of a website directed at children must obtain verifiable parental consent before collecting or using any personal information from children visiting the website. In addition, the operator must also implement a reliable method for determining the age of the website's users, and whether any of the users are under the age of 13.
Critics have claimed that the methods outlined by the FTC for verification - sending/faxing signed printed forms, supplement of credit card numbers, calling toll-free numbers, or forwarding digital signatures through email - are too costly, cumbersome, and inadequate in protecting personal information. Even though new technologies are being developed, the current verification methods are too slow and impractical. The process of verification of mails, emails, and credit card numbers may take over a day. Further, disclosure of credit card information will expose the parents to the same privacy risks that they are trying to protect their children from and deter them from using such online services in general. As a consequence, children may manipulate information to access these websites, and in the long run, online businesses may either eliminate children-focused sites. Some sites simply claim that they do not sell products to children, and therefore do not need to comply with COPPA. An example for such a site is Amazon.com, where the online privacy notice states that no products are sold to children, and such products can be purchased only by people over 18 or with the involvement of a parent or guardian.
Even if websites do develop technology that enables easier compliance with the verification requirement, an important constitutional issue will remain unsolved. As EPIC has testified, any personal identification requirements from Internet users as a condition to access online content chills free speech and infringe on the First Amendment right to communicate anonymously.
Finally, the FTC has not adequately enforced COPPA in recent years, failing to act on complaints in a timely way. EPIC has filed complaints that have gone unanswered by the FTC, even as other Federal entities have deemed the offending companies to be in violation of COPPA, as in the case of Echometrix.