The United States has not enacted a general federal privacy law as of 2019. Such legislation may be coming in a year or two, but for now, the only federal privacy laws we see are those addressing specific privacy subjects such as health records. The Children’s Online Privacy Protection Act (“COPPA”) is one such law. For online businesses collecting information from kids, the failure to comply with COPPA can lead to disaster.
COPPA In Brief
The Children’s Online Privacy Protection Act is a federal law in the United States that addresses how businesses can collect personal information from children online. Congress targeted kids who are “under 13” with the law. You are likely aware of this standard indirectly because you may have joined sites or made purchases where you were required to check a box indicating you are 13 or older – on Facebook, for instance.
When Senator Edward Markey introduced the bill and Congress passed the Children’s Online Privacy Protection Act in 1998, many individuals in the legal field couldn’t help but think of a famous line from that well-known legal drama – The Simpsons:
Unfortunately, the collection of personal information from children under 13 online is no longer a laughing matter.
Why Under 13?
Parents often question why the Children’s Online Privacy Protection Act incorporates an “under 13” standard. The answer is a combination of three factors. First, the government enacted the Act in 1998 when nobody was sure what the Internet would become, and there was a hesitancy to place limitations on the new medium. Second, tech companies fought to have the age lowered because it was obvious games and similar subjects of interest to teens were going to be popular. Third, and perhaps most surprising, civil liberty groups argued the age should be lowered to avoid depriving teens of the right to access information.
The original COPPA bill focused on an “under 16” standard. When it became clear the bill was not going to pass, Senator Markey agreed to lower the targeted age. At that time, several laws were on the books that used an under 13 standard. These laws addressed marketing situations, with the under 13 age target arising from studies showing kids between the ages of 8 and 12 could understand whether a piece of content was advertising or not. Of course, COPPA is not an advertising law, but that didn’t stop Congress from passing the bill and President Clinton from signing it into law.
COPPA Personal Information Definition
The Children’s Online Privacy Protection Act applies to the collection of personal information from children under 13 online. If you are new to COPPA, you should understand that “collection” and “personal information” are likely defined more broadly than you might expect.
The FTC defines “collection” and its variations as follows.
“Collects or collection means the gathering of any personal information from a child by any means, including but not limited to:
(1) Requesting, prompting, or encouraging a child to submit personal information online;
(2) Enabling a child to make personal information publicly available in identifiable form. An operator shall not be considered to have collected personal information under this paragraph if it takes reasonable measures to delete all or virtually all personal information from a child’s postings before they are made public and also to delete such information from its records; or
(3) Passive tracking of a child online.”
(16 CFR § 312.2.)
While you might expect the first classification, most online companies are surprised by the last two. The second sub-definition, for example, would apply in a situation where perhaps you have a forum or social media app that allows users to share information. The third sub-definition is even broader when you consider nearly every website or app employs cookies and other tracking software.
b. Personal Information
Congress and the FTC have given the definition of “personal information” an equally broad reach.
“Personal information means individually identifiable information about an individual collected online, including:
(1) A first and last name;
(2) A home or other physical address including street name and name of a city or town;
(3) Online contact information as defined in this section;
(4) A screen or user name where it functions in the same manner as online contact information, as defined in this section;
(5) A telephone number;
(6) A Social Security number;
(7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
(8) A photograph, video, or audio file where such file contains a child’s image or voice;
(9) Geolocation information sufficient to identify street name and name of a city or town; or
(10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.
(16 CFR § 312.2.)
The first six categories are self-explanatory, but the definition grows a bit murkier from numbers 7 through 10. The persistent identifier inclusion is uniquely troublesome for most online businesses, particularly when necessary information such as an IP address falls within the definition. Put simply, most companies are going to need to seriously consider their data collection practices when contemplating COPPA compliance.
c. Who Provides?
COPPA contains an interesting quirk that serves to terminate the need to comply in many situations. The Act only applies where the child under 13 is the party providing the personal information. If mom posts images of her eight-year-old son’s birthday party on Facebook, COPPA does not apply because the child did not provide the information.
This concept clashes with the approach of other countries. In France, for example, a parent can go to jail for a year or be forced to pay a fine of 1,000 Euros for posting images of their children online. Seriously.
COPPA incorporates precise requirements, but how these requirements apply to a particular website or app depends on the nature of that online property and its information collection practices. As a general notion, COPPA requires a company to do the following:
- Publish privacy notices explaining its data collection practices for kids under 13.
- Obtain verifiable parental consent before collecting personal information from children.
- Provide parents with the ability to withdraw consent after giving it.
- Provide parents with the ability to change the information collected for a child.
- Give parents the right to delete the personal information the company has collected online.
- Use reasonable security measures to protect the child’s information.
While these requirements may not be intimidating at first glance, the devil is in the details when it comes to providing the necessary functionality and record keeping.
FTC and COPPA Rule
Congress authorized the Federal Trade Commission (“FTC”) to enforce the Children’s Online Privacy Protection Act. The Legislature also gave the FTC the power to issue regulations guiding companies on how to comply with the law on a daily basis. These regulations are known as the “COPPA Rule.”
The FTC issued the first COPPA Rule in 1999. That version of the Rule was antiquated within a few years as the Internet evolved at a breakneck pace from 2000 to 2010. Companies such as Google and Facebook were rising during this period, and entrepreneurs began to realize that monetizing data was an excellent strategy for amassing a fortune. The 1999 COPPA Rule was woeful at addressing the new online paradigm, and the FTC showed little interest in updating the Rule despite critics and Congress calling it to the carpet numerous times.
In 2013, the FTC could no longer ignore the changing online environment. The Commission issued an updated COPPA Rule addressing the modern world of data collection and closing loopholes. The FTC addressed topics such as data collection by pass-through ad networks, plug-ins, and third-party platforms in the new Rule. The definition of personal information was also expanded dramatically to include data such as geolocation information and persistent identifiers. The old Rule was so out of date that the FTC even had to clarify that COPPA applied to these new-fangled things known as “apps.” Yes, the 1999 version of the Rule didn’t address apps! Here’s what the FTC had to say after the 2013 update:
As I write this article in September 2019, the powers that be at the FTC are considering whether they should update the COPPA Rule again. The Commission appears to be motivated by the fact other countries and states are creating comprehensive legislation protecting children online, including the GDPR and California Privacy Protection Act. Check our blog for updates as we learn more over time.
Who Must Comply
The Children’s Online Privacy Protection Act applies to companies that collect personal information from children under 13 when either of two standards is met – the “directed at” or “actual knowledge” standard.
a. Directed At Standard
As the name suggests, a website or app directed at children under 13 must comply with COPPA. For example, consider a site for Dora the Explorer. The show targets kids ages 2 to 6, so COPPA compliance is a must.
Ah, but what about a website or app that is directed at a wide range of teens? For example, consider the sites that focused on teen sensations such as Justin Bieber, Rihanna, Demi Lovato, and Selena Gomez when they first came on the scene. Those sites would target a wide range of teens [with no taste in music!]. Ages could range from 10 to 17.
The FTC provided guidance in the COPPA Rule, noting:
“In determining whether a website or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.”
Put another way, the FTC employs a “we’ll know it when we see it” scale. As an online provider, the best approach for addressing this issue is to work with legal counsel to analyze your property and then prepare a pro-active defense to any FTC claim the property is directed at kids under 13.
And what happened with the teen singer sites? The FTC fined the company behind the sites a cool $1,000,000 for violating COPPA.
b. Actual Knowledge Standard
While we in the legal field try to strive for clear legal standards, the truth is the Internet does not lend itself to such simplicity. Whatever you may think of Facebook, how could it possibly know if a child signing up for an account is 12 or 13? With this in mind, COPPA incorporates an “actual knowledge” standard.
Being the intelligent person you are, you likely already realize that this standard is triggered when the parties running an online property become aware kids under 13 are on the site. If you run a gaming forum and a child posts a message about how all the kids in their third-grade class are playing a particular game, you have actual knowledge of a child under 13. COPPA will apply.
COPPA Verified Parental Consent
The Children’s Online Privacy Protection Act requires several compliance steps, but none more critical than obtaining verified parental consent before collecting personal information from children under 13. This requirement can be complicated when we get into the details, so consider the following more of a Cliff’s Notes version.
a. Giving Notice
The notice published on the website or app must include:
“(1) The name, address, telephone number, and email address of all operators collecting or maintaining personal information from children through the Web site or online service. Provided that: The operators of a Web site or online service may list the name, address, phone number, and email address of one operator who will respond to all inquiries from parents concerning the operators’ privacy policies and use of children’s information, as long as the names of all the operators collecting or maintaining personal information from children through the Web site or online service are also listed in the notice;
(2) A description of what information the operator collects from children, including whether the Web site or online service enables a child to make personal information publicly available; how the operator uses such information; and, the operator’s disclosure practices for such information; and
(3) That the parent can review or have deleted the child’s personal information, and refuse to permit further collection or use of the child’s information, and state the procedures for doing so.”
The notice provided directly to the parent must include:
“(i) That the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent;
(ii) That the parent’s consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent;
(iii) The additional items of personal information the operator intends to collect from the child, or the potential opportunities for the disclosure of personal information, should the parent provide consent;
(iv) A hyperlink to the operator’s online notice of its information practices required under paragraph (d) of this section;
(v) The means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and
(vi) That if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records.”
(16 CFR § 312.4(c).)
If you are attempting to comply with COPPA, contact me to set up the proper notices and procedures.
b. Parental Consent Mechanisms
The FTC has provided a list of approved methods for obtaining verifiable parental consent:
(1) An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.
(2) Existing methods to obtain verifiable parental consent that satisfy the requirements of this paragraph include:
(i) Providing a consent form to be signed by the parent and returned to the operator by postal mail, facsimile, or electronic scan;
(ii) Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
(iii) Having a parent call a toll-free telephone number staffed by trained personnel;
(iv) Having a parent connect to trained personnel via video-conference;
(v) Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, where the parent’s identification is deleted by the operator from its records promptly after such verification is complete; or
(vi) Provided that, an operator that does not “disclose” (as defined by § 312.2) children’s personal information, may use an email coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include: Sending a confirmatory email to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call. An operator that uses this method must provide notice that the parent can revoke any consent given in response to the earlier email.
(16 CFR § 312.5(c).)
While the FTC includes a simple email exchange as an option, companies should be wary of this approach. The potential for misuse is significant.
The Children’s Online Privacy Protection Act provides significant and painful enforcement options. While the FTC has the authority to pursue COPPA claims, the Act also authorizes states to do so as well. The penalties equate to just over $40,000 per violation. A violation is a breach of COPPA per child or use. If you are not compliant with COPPA and have collected information from 5,000 kids under 13, the potential damages could be as high as $200,000,000. Is such an outcome likely? No, but there will be pain as Google recently discovered.
YouTube has always been an interesting platform for several reasons. From a COPPA perspective, the platform was particularly fascinating given all the videos on topics that were directed at young kids. For example, I once ran across a Dora the Explorer video with 35 million views. Either a lot of adults enjoy a show targeting kids 2 to 5, or the vast majority of those views were by young children. Did such data constitute “actual knowledge” on the part of YouTube or Google? We’ll never know since the video mysteriously vanished after a site on COPPA compliance published an article about it.
Regardless, many other videos on YouTube have raised similar questions. It was thus no surprise to learn Google recently agreed to a $170,000,000 settlement with the FTC and the State of New York for COPPA violations associated with videos on YouTube.
Other well-known settlements include:
- TikTok app pays $5,700,000 for COPPA violations.
- VTech pays $650,000 for COPPA violations.
- RetroDreamer pays $360,000.
- Yelp pays $450,000.
- Path app pays $800,000.
- RockYou app pays $250,000.
b. Real-Worldish Example
Believe it or not, the popular show Silicon Valley filmed an episode where the CEO learns about the joys of COPPA penalties. The video contains cursing [as one might expect when you think about it], but I felt it was worth including because I’ve had real-world clients go through the same experience when I alert them to COPPA.
You should also note the fine per violation has increased from $16,000 to over $40,000 per violation. So, the $21 billion penalty mentioned in the clip would be something closer to $50,000,000,000.
In reality, COPPA penalties are measured against the finances of the defendant. The FTC is not going to require a forum bringing in $1,000 a month gross to settle COPPA violations for a billion dollars, but there will be a hefty financial penalty. Perhaps worse, the FTC usually requires settling defendants to agree to a 20-year audit period during which reports must be submitted each year for review by FTC attorneys. By the end of the 20 years, most businesses would’ve preferred the billion-dollar fine.
Enforcements Pick Up
The FTC hasn’t always been enthusiastic about COPPA enforcement. From 1999 through roughly 2015, the Commission typically popped off two enforcement actions a year. Those actions were usually against low-hanging fruit – companies obviously violating COPPA. However, millions of websites and apps violate COPPA, so the enforcement efforts were weak. Those of us in the privacy law world used to joke that the “COPPA department” at the FTC was a dusty desk in the basement with an old rotary phone that wasn’t connected to the phone jack.
The situation is now changing.
Privacy law is a hot topic in the United States and abroad these days. The FTC can no longer afford to appear lax, so we’ve seen renewed interest in enforcements. The fact the EU included a COPPA-like provision in the GDPR, but set the age to “under 16,” is serving as an electric prod to the fannies at the FTC who know the EU will aggressively pursue enforcement actions.
Ultimately, companies need to realize the days of ignoring COPPA are over. The FTC and states are showing enthusiasm for privacy issues, and nothing furthers a political career more than striking a blow against evil businesses while protecting innocent children.
If you are collecting personal information from children under 13 or suspect you may be, get your ducks in order. Speak with your legal counsel or feel free to contact me for a consultation.
Richard A. Chapo, Esq.