In an age of near-constant online access, it is natural to worry about your child’s safety and privacy online. After all, tech giants and social media platforms are often in the news for collecting our data and selling it to the highest bidder.
Fortunately, there are regulations in place designed to shield children from being taken advantage of by website operators. One such set of rules is called the Children’s Online Privacy Act (“COPPA”).
The Children’s Online Privacy Protection Act (COPPA) became law in 1998. Its purpose is to protect children under age 13 by:
- Requiring verifiable parental consent before collecting data from children under 13;
- Outlining rules for the handling of children’s data once it has been collected.
At Minc Law, we have extensive experience dealing with privacy issues, cybersecurity, and online risk monitoring. We receive over 7,000 annual requests for help from individuals like you who are worried about their privacy and security online and are interested in how to remove personal information from the internet.
If you are concerned about your child’s privacy or if you are unsure how to keep your business compliant with complex regulations, you are not alone. Read on for an overview of COPPA, relevant court cases, the remedies for victims, and a few tips for website operators who wish to stay compliant.
Overview of COPPA
As the internet gained popularity in the 1990s, data collection practices and user privacy on websites became an issue. The Federal Trade Commission (FTC) began investigating risks to children’s privacy online.
This investigation ultimately led to COPPA.
The Children’s Online Privacy Act is a U.S. federal law designed to protect children under 13 years old who access the internet. COPPA (cited as 15 U.S.C. § 6501 – 6506) was enacted in 1998 and became effective on April 21, 2000.
COPPA outlines how a website operator should behave when it comes to children, including:
- When and how to seek verifiable consent from a parent or guardian;
- The website operator’s responsibilities to protect children’s privacy online, including restrictions on marketing.
What Are the Goals of COPPA?
COPPA was enacted to prevent website operators from collecting and using personal information about children without a parent’s consent. COPPA restricts the personal information website operators can collect from children. It also seeks to allow parents a degree of control over their children’s personal data.
For example, your child may access an online children’s game or set of educational videos on a website. COPPA is in place to prevent website operators from gathering, retaining, and/or selling personal information provided by children when they interact with a website. That information could be personal information your child might give up, like their name and location. Or, it could be behind-the-scenes data like their website search history for the purposes of presenting targeted ads.
What Significant Changes Have Been Made to COPPA Since It Was First Passed?
In 2011, the FTC proposed several revisions to the original COPPA rule. The restrictions expanded to other data collection activities and personal information. Websites must now delete children’s personal information after achieving the original purpose of its collection.
For example, if a website collects a child’s birthday or school year information for the purpose of providing content suggestions to that child, the website must then delete that personal information after the purpose is served (i.e. providing content suggestions to the child).
Additionally, the amended rule requires that operators who sell or otherwise provide a child’s personal data to third parties must ensure the third party has reasonable procedures in place to protect the information.
Who is Affected by COPPA?
COPPA protections apply to children under the age of 13.
The restrictions imposed by COPPA apply to all individuals or business entities who operate a website targeting children or collecting personal information from them.
If an online service provider or website is operating commercially and directed at children under 13, they are subject to COPPA requirements. This rule also applies if (a) the website is directed at a general audience, and not even specifically children, and (b) the provider has actual knowledge that they [website/provider] are incidentally collecting information from children under the age of 13. This includes mobile apps or social networking platforms, like Facebook and Instagram. It also includes internet-enabled gaming platforms or geolocation services.
COPPA applies to websites and services based outside of the United States if they either:
- Direct the websites to children in the United States, or
- Knowingly collect personal information from children in the United States.
Companies based in the United States must also follow COPPA standards for children living outside the United States.
There are exceptions to these restrictions, however. COPPA restrictions exclude most non-profit organizations’ websites unless they benefit members’ businesses. Essentially, if the website or service provider is subject to FTC regulations, it must also follow the COPPA rules.
What Does “Personal Information” Mean under COPPA?
COPPA defines personal information as any “individually identifiable information about an individual collected online.” This includes:
- Full or partial names,
- Home or other physical addresses,
- Email addresses,
- Phone numbers,
- Social security numbers,
- Similar information used to identify children.
COPPA also considers “persistent identifiers” to be within the definition of personal information. A persistent identifier is anything that can be used to identify a user over time or across different online platforms. Common examples include cookies and IP addresses.
COPPA does not apply to personal information about children provided by or collected from parents or other adults. It only applies to the information provided by children. If a child provides personal information about a parent or other adult, it is protected under COPPA.
How COPPA Works
According to the COPPA regulations, “It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates” (15 USC § 6502(1)).
COPPA does not traditionally appear in terms of defamation litigation and claims. However, COPPA is an important law that can come into play when trying to remove information posted from accounts registered by children.
Business/Website Operator Requirements
Website operators are required to “maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children” (15 USC § 6502(1)(D)). If a business/website operator has actual knowledge that it is collecting personal information from a child, it must:
- Provide notice of the kinds of data that the website operator collects,
- Provide details about how the operator uses that data and how the data is shared with others,
- Obtain verifiable parental consent for the collection, use, or disclosure of personal information obtained from children.
What is Verifiable Parental Consent?
Website operators obtain verifiable parental consent by making a reasonable effort to ensure that a parent receives notice of (and gives authorization for) the collection, use, and disclosure practices relating to the child’s personal data — before the information is collected from the child.
Verifiable parental consent is not required when:
- Contact information collected from a child is used on a one-time basis only to respond directly to a specific request from the child and is not used to recontact the child. That information is not retained or disclosed by the website operator.
- Disclosures are made to:
- Protect the security or integrity of the website;
- Take precautions against liability;
- Respond to a judicial process;
- Provide information to law enforcement agencies or for an investigation on a matter related to public safety, to the extent permitted under other provisions of law.
Even if verifiable parental consent is not required upfront, keep in mind that the website may still be required to provide notice to the parents later.
Website operators must provide certain information relating to a child’s collected personal data to the child’s parents upon request. This includes:
- A description of the specific types of personal information collected from the child by the operator
- The opportunity to refuse to permit the operator’s further use or maintenance in retrievable form or future online collection of personal information from the child
- A reasonable means for the parent to obtain the personal information collected from a child
Websites cannot condition a child’s participation in a game or similar activity on the child’s disclosure of more personal information than is reasonably necessary to participate in that activity. However, website operators may terminate their website’s service to a child whose parent has refused to permit the further use of their child’s personal data.
Parental Rights Under COPPA
If you do not want your child’s personal information to be collected, COPPA’s intention is to give you a say in the matter. Parents generally have the right to provide or refuse consent to collect, use, or disclose their children’s personal information, with minimal exceptions.
In almost all instances, parents should receive notice of a website operator’s use or collection of their child’s personal information. Parents can request a website operator to give them a description of the personal information collected from their children.
How Does a Website Operator Know Whether Children Are Using Their Service?
Sometimes, children use websites directed at a general audience. In these cases, the FTC provides several guidelines to help website operators determine whether content on their website is directed at children. Website operators can consider whether:
- A portion of their intended audience is children,
- The website involves child-oriented activities or subject categories such as animated movies or educational resources,
- The website operator has any actual knowledge or evidence available about the age distribution of users.
Just because a website is accessible by children, that does not mean it is targeted to children. Websites that involve adult-oriented activities or subject matters such as finance or politics are not generally considered to be directed towards children.
Note that the FTC does not require website operators to ask their users’ age. COPPA regulations only come into play if a website operator has actual knowledge that a user is 13 years old or younger.
If a website (such as a liquor sales company) chooses to screen its users with a question on age, it is free to rely on its users’ answers, even if that information is not accurate. However, if the website operator later discovers that a user is under 13 years old, COPPA requirements immediately apply.
Minc Law Online Privacy Fact: Some parts of the world are working to address the permanence of private data and information floating around on the internet. The European Union and Argentina have both drafted comprehensive legislation and procedures for persons seeking to remove themselves from popular search engines and websites, manifesting itself in the form of the “Right to be forgotten.”
Significant Court Cases Interpreting COPPA
In the more than two decades since COPPA’s establishment in 1998, several court cases have affected how the Act is enforced and interpreted in the United States. Not only has it become clearer which entities are subject to COPPA regulations, but prominent companies also faced steep penalties for attempting to gather their website users’ data covertly.
California Dental Association v. Federal Trade Commission
While not directly relating to COPPA, this 1999 case dealt with whether a non-profit organization (the California Dental Association), which operates websites for the benefit of its members’ commercial activities, is subject to FTC regulation. The Ninth Circuit found this to be the case.
This ruling set a precedent that even if a website is operated by a non-profit organization, it falls under FTC regulation (and, therefore, COPPA regulation) if its purpose is to benefit members’ commercial activities. California Dental Association v. Federal Trade Commission, 526 U.S. 756 (9th Cir., 1999).
Google, Inc. & YouTube Case Settled For $170 Million
In September of 2019, Google, Inc settled a case brought against it by the FTC for COPPA violations perpetrated by YouTube.
YouTube was charged with illegally gathering children’s personal data via persistent identifiers such as identification codes used to track web browsing activity without verifiable parental consent. YouTube used cookies to deliver targeted advertisements to viewers of child-directed YouTube channels without first obtaining parental permission.
The settlement included the largest recorded fine for a COPPA violation, but even so, not everyone was happy with this outcome. Many felt that the FTC was too lenient on Google for its activity and that the tech giant’s actions warranted further penalties.
In 2016, mobile advertising company InMobi was fined $950,000 for tracking the locations of consumers (including children) without their knowledge or parental consent for the purposes of geolocation-targeted advertising.
The company claimed it would only track customer locations if the customers opted in, but evidence showed that the company was carrying out the activities regardless of and in direct opposition to customer privacy preferences.
Minc Law online privacy tip: If you do not have one, a virtual private network (VPN) is a great way to help protect your privacy online. Consider investing in a VPN service to help mask personal data such as your identity, browsing history, and location as you browse the internet.
YouTube Channel Owners & COPPA: Is Your Content “Made For Kids?”
After YouTube and Google were fined by the FTC for violating COPPA, the companies agreed to create a mechanism for channel owners to designate which of the videos they upload to YouTube are “directed to children.” YouTube channel owners should be aware of COPPA guidelines and how their content might potentially violate them.
In COPPA’s eyes, YouTube channel owners are the same as website or app operators. Depending on the type of content and information that is collected, COPPA may consider a YouTube channel to meet the definition of a website or online service.
A good rule of thumb for YouTube creators when determining if your content is “made for kids” is to consider whether their content falls into traditionally adult-oriented topics like politics, home improvement, or travel; if so, the channel probably does not fall under COPPA regulation unless the content is explicitly geared toward children under 13.
On the other hand, if your content includes traditionally child-oriented topics or activities like sing-alongs, dress-up, or school, you may need to worry about COPPA.
What Are Civil or Criminal Remedies For COPPA Violations?
Violations of COPPA, such as the information gathering and lack of disclosure practices described above, are considered unfair or deceptive trade practices. If the FTC determines that a website operator or business has violated the provisions of COPPA, the FTC may bring civil actions against those businesses and impose substantial fines or other penalties (like injunctions) to prevent future violations.
A court can impose fines for up to $43,280 per violation. Penalties are evaluated on a case-by-case basis, and the FTC can choose to seek no civil penalties for a violation. The factors the FTC uses to decide on a penalty include:
- The extent of the violations,
- How many children were involved,
- Whether the website operator has violated COPPA regulations before,
- How much and what kind of personal information was collected,
- How the website operator used the information,
- The offending company’s size.
For example, in February 2019, the FTC fined ByteDance, the parent company of TikTok, $5.7 million for failing to verify the age information of account holders on TikTok’s predecessor-platform, Musical.ly. The company violated COPPA by:
- Failing to provide notice on their website of personal information they collect from children, how the information is used, and their disclosure practices;
- Failing to provide direct notice to parents;
- Failing to get consent from parents before collecting children’s personal information;
- Failing to delete personal information collected from children upon parent requests;
- Retaining the personal information for longer than reasonably necessary.
How Can Website Operators Violate COPPA?
Owners and operators of commercial websites can violate the terms of COPPA by failing to provide a sufficient and prominent privacy notice on the website. They can also violate COPPA by failing to provide adequate direct notice of information collection to parents (under 16 C.F.R. § 312.4(c)).
It is the responsibility of the website operator to self-regulate according to FTC guidelines and stay current on all FTC regulations pertaining to COPPA. Violating any of the requirements listed above under “Business/Website Operator Requirements” will leave website operators open to legal action and penalties from the FTC.
What Should You Do if You Believe Your Business May Have Violated COPPA?
If you are worried that your business has violated COPPA rules, the first thing you should do is stop the collection and distribution activity in question immediately. Remember that each violation can be the basis for a fine of over $40,000. The sooner you stop any questionable action, the more you can protect yourself from compounding fines.
Then, seek legal representation to review the activity you believe may be a violation. Review your policies and activities with a legal authority that is experienced in COPPA regulations.
When reviewing your business’s actions to determine if you have violated COPPA regulations, focus on:
- What information you collect,
- How you collect it,
- How it is used,
- Whether it is necessary to collect that information based on the nature of your website or online service,
- Whether your privacy statement includes all necessary notices and information,
- Whether you have adequate mechanisms for providing parents with notice and obtaining verifiable consent,
- Whether parents can review and delete children’s information from your service.
You may also want to investigate and consider enrolling in an approved Safe Harbor Program, where your business can request FTC approval of self-regulatory guidelines that you plan to implement to ensure compliance with COPPA regulations.
Remedies For COPPA Violations
The FTC may bring an action against a website operator or online service provider if the site or service misleads consumers, and it affects consumers’ behavior or decisions about the product or service.
Because a COPPA violation is considered an unfair or deceptive practice, the FTC may impose fines or seek injunctive relief to prevent further violations. If you believe that you have been affected by a company’s violation of COPPA, you should report it to the FTC.
What Steps Should You Take to Stay in Compliance With COPPA?
- The contact information (name, address, phone number, email address) of the website operators who collect or maintain personal information through your website (or the designated agent who handles inquiries about your data retention practices);
- The types of personal information the website operators collect from children;
- Whether the information collected from children is publicly available;
- How the operator uses the information collected from children;
- Under what circumstances the operator would disclose that information;
- Notification to parents that they may review and request the deletion of their children’s personal information currently retained by your website;
- Notification that the parents may refuse to allow the collection of similar information in the future — including specific procedures for making such requests.
Your site should provide direct notice to parents before collecting any personal information from children. The requirements of a “direct notice” vary depending on the information an operator intends to collect and the intended use or disclosure of the information. You should consult 16 C.F.R. § 312.4(c)(1-4) for the different requirements.
Also, make sure to obtain verifiable parental consent when applicable. This can be done in a number of different ways, such as:
- Providing a consent form to be printed, signed, and returned to the website operator,
- Requiring the parent to enter a credit card that provides notices of each transaction to the parent-account holder,
- Other means reasonably calculated to obtain the consent.
Finally, it is a good idea to become a member of a Safe Harbor Program and adhere to those guidelines.
Note that this information is a general summary of the COPPA compliance standards and may not be representative of everything a website operator must do to ensure compliance with COPPA. If you believe you may be in violation of COPPA or wish to ensure your compliance with all FTC regulations, contact either a Safe Harbor Program, the FTC, or an attorney specializing in this area.
For the full compliance guide, see the FTC’s Six-Step Compliance Plan for Your Business and Complying with COPPA: Frequently Asked Questions.
Minc Law COPPA Compliance Tip: There are some limited exceptions to the COPPA requirements that allow you to collect information without parental consent. For example, if a child wants to enter a contest on your site, you are permitted to gather their online contact information to respond directly to that specific one-time request. However, you cannot use the information to contact the child again, and that information must be deleted immediately after you respond to the request.
Defenses & Exceptions Safe Harbors (15 USC § 6503)
COPPA provides a “safe harbor” (15 USC § 6503) for website operators who follow a set of self-regulatory guidelines issued by the FTC, representatives of online industries, or other approved authorities.
In these instances, a website operator who has complied with the FTC’s regulation guidelines receives a complaint or faces liability for a potential violation of COPPA, that website operator can request that the FTC grant them a safe harbor to protect them from that liability.
If a safe harbor member website follows the FTC’s guidelines and regulations, it is automatically considered in compliance with COPPA.
According to 15 USC § 6502, a website operator or their agent is not liable for disclosures made in good faith that follow reasonable procedures in response to a request for disclosure of personal information to a child’s parent.
The current approved safe harbor programs/guidelines are:
- Aristotle International Inc.
- Children’s Advertising Review Unit (CARU)
- Entertainment Software Rating Board (ESRB)
- Privacy Vaults Online, Inc. (d/b/a PRIVO)
For more information, see the FTC’s webpage on the COPPA Safe Harbor Program.
Privacy: An Essential Concern for All
Since its inception two decades ago, the Children’s Online Privacy Protection Act has served as an effective guardrail for children’s protection and privacy online. Websites and online platform operators are held to regulatory standards, including publishing privacy policies, obtaining verifiable parental consent, and a reasonable means for the parent to obtain the personal information collected from a child.
“Minc was easy to contact and replied to my questions quickly and kept me up to date on my status. Communications was a bonus. Success with the outcome was icing on the cake.”
Darren G., Apr 14, 2020
If you are concerned that you are a victim of COPPA violations or you are a business that needs assistance complying with COPPA regulations, reach out to our experienced team at Minc Law today to evaluate your situation. Get in touch with us by calling (216) 373-7706, speaking with a Chat representative, or filling out our online contact form.