Children's Online Privacy Protection Act


The Children's Online Privacy Protection Act of 1998 is a United States federal law, located at .
The act, effective April 21, 2000, applies to the online collection of personal information by persons or entities under U.S. jurisdiction about children under 13 years of age including children outside the U.S., if the company is U.S.-based. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online including restrictions on the marketing of those under 13.
While children under 13 can legally give out personal information with their parents' permission, many websites—particularly social media sites, but also other sites that collect most personal info—disallow children under 13 from using their services altogether due to the cost and work involved in complying with the law.

Background

In the 1990s, electronic commerce was on its rise of popularity, but various concerns were expressed about the data collection practices and the impact of Internet commerce on user privacy - especially children under 13, because very few websites had their own privacy policies. Center of Media Education petitioned the Federal Trade Commission to investigate the data collection and use practices of the KidsCom.com website, and take legal action since the data practices violated Section 5 of FTC Act concerning "unfair/deceptive practices". After the FTC completed its investigation, it issued the "KidsCom Letter" the report stated that the data collection and use practices were indeed subject to legal action. This resulted in the need to inform parents about the risks of children's online privacy, as well as to parental consent necessity. This utimately resulted in the drafting of COPPA.
The Federal Trade Commission has the authority to issue regulations and enforce COPPA. Also under the terms of COPPA, the FTC-designated "safe harbor" provisioning is designed to encourage increased industry self-regulation. Under this provision, industry groups and others may request Commission approval of self-regulatory guidelines to govern participants' compliance, such that website operators in Commission-approved programs would first be subject to the disciplinary procedures of the safe harbor program in lieu of FTC enforcement. the FTC has approved seven safe harbor programs operated by TRUSTe, ESRB, CARU, PRIVO, Aristotle, Inc., Samet Privacy, and the Internet Keep Safe Coalition.
In September 2011, the FTC announced proposed revisions to the COPPA rules, the first significant changes to the act since the issuance of the rules in 2000. The proposed rule changes expanded the definition of what it meant to "collect" data from children. The proposed rules presented a data retention and deletion requirement, which mandated that data obtained from children be retained only for the amount of time necessary to achieve the purpose that it was collected for. It also added the requirement that operators ensure that any third parties to whom a child's information is disclosed have reasonable procedures in place to protect the information.
The act applies to websites and online services operated for commercial purposes that are either directed towards children under 13 or have actual knowledge that children under 13 are providing information online. Most recognized non-profit organizations are exempt from most of the requirements of COPPA. However, the Supreme Court ruled that non-profits operated for the benefit of their members' commercial activities are subject to FTC regulation and consequently COPPA as well. The type of "verifiable parental consent" that is required before collecting and using information provided by children under 13 is based upon a "sliding scale" set forth in a Federal Trade Commission regulation that takes into account the manner in which the information is being collected and the uses to which the information will be put.

Violations

The FTC has brought a number of actions against website operators for failing to comply with COPPA requirements, including actions against Girls' Life, American Pop Corn Company, Lisa Frank, Inc., Mrs. Fields Cookies, and The Hershey Company.
In February 2004, UMG Recordings, Inc. was fined US$400,000 for COPPA violations in connection with a web site that promoted the then 13-year-old pop star Lil' Romeo and hosted child-oriented games and activities, and Bonzi Software, which offered downloads of an animated figure "BonziBuddy" that provided shopping advice, jokes, and trivia was fined US$75,000 for COPPA violations. Similarly, the owners of the Xanga website were fined US$1,000,000 in 2006 for COPPA violations of repeatedly allowing children under 13 to sign up for the service without getting their parent's consent.
In 2016, the mobile advertising network inMobi was fined US$950,000 for tracking the geo-location of all users without their knowledge. The advertising software continuously tracked user location despite privacy preferences on the mobile device. Other websites that were directed towards children and fined due to COPPA include Imbee, Kidswirl and Skid-e-Kids.
In February 2019, the FTC issued a fine of $5.7 million to ByteDance for failing to comply with COPPA with their TikTok app. Byte Dance agreed to pay the largest COPPA fine since the bill's enactment and to add a kids-only mode to the TikTok app.
Three dating apps by Wildec were pulled by Apple and Google from their respective app stores, after the FTC determined that the dating apps allowed users under 13 to register, that Wildec knew there were significant numbers of minor users, and that this allowed inappropriate contact with minors.
On September 4, 2019, the FTC issued a fine of $170 million to YouTube for COPPA violations, including tracking viewing history of minors in order to facilitate targeted advertising. As a result, YouTube announced that as part of the settlement, in 2020 it would require channel operators to mark videos that are "child-oriented" as such, and would use machine learning to automatically mark those as clearly "child-oriented" if not marked already. In the settlement terms, channel operators that failed to mark videos as "child-oriented" could be fined by the FTC for up to $42,000 per video, which has raised criticism towards the settlement terms.

Compliance

In December 2012, the Federal Trade Commission issued revisions effective July 1, 2013, which created additional parental notice and consent requirements, amended definitions, and added other obligations for organizations that operate a website or online service that is "directed to children" under 13 and that collects "personal information" from users or knowingly collects personal information from persons under 13 through a website or online service. After July 1, 2013, operators must:
According to a notice issued by the Federal Trade Commission, an operator has actual knowledge of a user's age if the site or service asks for – and receives – information from the user that allows it to determine the person's age. An example, cited by the FTC, includes an operator who asks for a date of birth on a site's registration page has actual knowledge as defined by COPPA if a user responds with a year that suggests they are under 13. Another example cited by the FTC is that an operator may have actual knowledge based on answers to "age identifying" questions like "What grade are you in?" or "What type of school do you go to? elementary; middle; high school; college."
A small fee is charged by Microsoft under COPPA as a way to verify parent consent. The fee is donated to the National Center for Missing and Exploited Children. Google, however, charges the small fee as a way to verify one's date of birth.
In the changes effective July 1, 2013, the definition of an operator was updated to make clear that COPPA covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors. The definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service. Websites and services that target children as a secondary audience may differentiate among users, and are required to provide notice and obtain parental consent only for those users who identify themselves as being younger than 13. The definition of personal information requiring parental notice and consent before collection now includes "persistent identifiers" that can be used to recognize users over time and across different websites or online services. However, no parental notice and consent is required when an operator collects a persistent identifier for the sole purpose of supporting the website or online service's internal operations. The definition of personal information after July 1, 2013, also includes geolocation information, as well as photos, videos, and audio files that contain a child's image or voice.
On November 19, 2015, the FTC announced it had approved an additional method for obtaining verifiable parental consent: "face match to verified photo identification". The two-step process allows a parent to submit a government-sanctioned ID for authentication, then submit an impromptu photo via mobile device or web camera, which is then compared to the photo on the ID.

International scope

The FTC has asserted that COPPA applies to any online service that is directed to U.S. users or knowingly collects information from children in the U.S., regardless of its country of origin. However, in practice, the FTC has never actually issued any enforcement actions against foreign companies, and attempts to do so may be frustrated by the lack of jurisdiction.

Criticisms

COPPA is controversial and has been criticized as ineffective and potentially unconstitutional by legal experts and mass media since it was drafted. Complaints leveled against the legislation include website owners banning users 12 and under — which only "encourages age fraud and allows websites to bypass the burden of obtaining parental consent" — and the active suppression of children's rights to freedom of speech, self-expression, and other First Amendment rights.
Delays in obtaining parental consent often result in children moving on to other activities that are less appropriate for their age or pose bigger privacy risk.
In addition, age restrictions and the "parental consent" process is easy for children to circumvent, and parents generally help them to lie about their age.
An Internet Safety Technical Task Force composed of experts from academia and commercial companies found in 2012 that mandatory age verification is not only a poor solution for privacy but also constitutes a violation of privacy. The law has also many safety flaws. For example, it does not protect kids from predatory advertising, it does not prevent kids from accessing pornography or lying about their age, and it doesn't ensure a totally safe environment online. Tech journalist Larry Magid, a long-time vocal opponent of the law — also notes that parents, not the government, hold the bulk of responsibility of protecting children online. COPPA has also been criticized for its potential chilling effect on children's apps, content, websites and online services. For example, Snapchat released a Snapkidz version of its app in June 2013, but unlike Snapchat, Snapkidz didn't allow photo sharing at all due to COPPA regulations. Similarly, it has been pointed out that the COPPA Rule was not necessarily about privacy protection but more about "enforcing the laws."
COPPA's penalties can be potentially catastrophic for small businesses, undermining their business model. By contrast, the FTC has been criticized, including by COPPA author Ed Markey, and FTC commissioner Rohit Chopra, for not fining major and big tech companies harshly enough for their COPPA violations, especially in comparison to their revenue. In contrast, violators of the European Union's General Data Protection Regulation may be fined up to 4% of their annual global revenue.
With the rise of virtual education, COPPA may inadequately represent the role of administrators, teachers, and the school in protecting student privacy under the assumption of loco parentis.
Mark Zuckerberg, co-founder and CEO of Facebook, has expressed opposition to COPPA in 2011 and stated "That will be a fight we take on at some point. My philosophy is that for education you need to start at a really, really young age." The next year, Jim Steyer, the CEO of Common Sense Media, has called for updates to COPPA, calling the time of the act's creation "the stone age of digital media" and pointing out the lack of platforms such as Google, YouTube, Facebook and Twitter at the time.
In 2019, the Government of the State of New York sued YouTube for violating COPPA by illegally retaining information related to children under 13 years of age. YouTube responded by dividing its content strictly into "for kids" and "not for kids". This has met with extremely harsh criticism from the YouTube community, especially from gamers, with many alleging that the FTC of the United States intends to fine content creators $42,530 for "each mislabeled video", possibly putting all users at risk. However, some have expressed skepticism over this, feeling that the fines may actually be in reference to civil penalties, possibly intended for the site's operators and/or warranted by more serious of COPPA violations or specific cases of "mislabeling videos."
Several bills have been proposed to amend COPPA. Markey and Josh Hawley introduced multiple bills proposing that COPPA ban the use of targeted advertising to users under 13, require personal consent before the collection of personal information from users ages 13-15, require connected devices and toys directed towards children to meet security standards and include a privacy policy disclosure on their packaging, and require services to offer an "eraser button" to "permit users to eliminate publicly available personal information content submitted by the child, when technologically feasible". In January 2020, Bobby Rush and Tim Walberg introduced a similar house bill known as the Preventing Real Online Threats Endangering Children Today Act, which would extend all existing COPPA consent requirements to users under the age of 16, and explicitly add mobile apps, "precise geolocation", and biometric data to its remit.