COPPA[7] was passed in November 1998 and first went into effect in April 2000. COPPA governs how websites collect information from children under the age of 13. The FTC oversees COPPA compliance and has the power to make rules for COPPA compliance. The FTC rule governing COPPA, called the COPPA Rule, was first drafted in 1999 and most recently revised in 2013. In 2019 the FTC began the process of revising the COPPA Rule because of the fast pace of technology change. However, it may take years before an updated rule is finalized and released.
NOTE
The three conditions for defining obscenity are known as the Miller test.
Websites must follow specific rules under COPPA to collect and use information from children. There are several important definitions in the COPPA Rule:
The primary purpose of COPPA is to protect children’s privacy on the internet, as well as protect them from age-inappropriate content and online marketing. Websites must follow specific rules if they collect or use a child’s personal information. For example, they must obtain a parent’s consent before doing so. They must also post a privacy policy explaining their practices.
Personal information includes:
Any personal information that is collected must be protected. This means that the website operator must protect the confidentiality, security, and integrity of this data. Website operators must ensure the information is not made publicly available to others. This includes making sure it is not displayed on a home page of a website, on a message board, or in a chatroom. The law allows website operators to share this kind of data only for specific reasons. However, when website operators share this information, they must share it only with third parties who can properly protect it.[9]
NOTE
COPPA is not the same as the Child Online Protection Act (COPA). COPA was enacted in 1998 to protect minors from access to harmful material on the internet. However, courts ruled that COPA violated free speech and the law never went into effect. The Children’s Internet Protection Act (CIPA) is similar to what COPA attempted to accomplish and is discussed later in this chapter.
COPPA applies to anyone operating online services that collect or use information about children under the age of 13. This includes situations where the website operator directly collects the information, as well as situations where the website operator lets third parties collect the information. Even general-audience websites might have to follow the COPPA Rule. If operators of general-audience sites know they are collecting data from children, then they must comply with COPPA. For example, an operator might know that its site is collecting data from children if it asks users to share their birth date. An operator that collects demographic data such as school attendance and grade completion might also know that children are using its website. Website operators are also required to protect the security of any information that they do properly collect from children.
The definition of website or online service is broad. In addition to websites, it also includes:
COPPA has two main rules that websites must follow in order to comply with the rule. Operators must:
Under COPPA, websites must post a privacy policy.[11] The privacy policy states the kind of information the site collects about children. It also states how the site will use the information. The COPPA Rule tells operators the terms that must be included in the privacy policy.
COPPA requires that a website privacy policy should be easily visible and accessible. The rule requires that a link to the privacy policy should be included on the home page of the website. The rule also requires that the link should be posted on every area of the website where a child’s personal information is collected.[12] A COPPA-compliant privacy policy must be accessible from a clear and prominent link. This means the link needs to stand out and be noticeable to users of the website. A website designer can achieve this in a variety of ways. For example, the designer can use different type sizes, fonts, colors, or contrasting backgrounds to highlight the link. In addition, the privacy policy must be clearly labeled to indicate it is a privacy policy. The most common label is “Privacy Policy.” Other examples of clear labels are “Privacy Statement” and “Information Practices Statement.”
NOTE
COPPA does not specifically use the phrase “privacy policy.” It requires website operators to provide a notice on their websites that identifies the collected information. However, the FTC’s COPPA Rule calls this notice a “privacy policy.”
The privacy policy needs to contain specific information to be COPPA-compliant. For example, it must be clearly written and easy to read. The format is not as important as the content. At a minimum, the policy must contain:
COPPA has specific rules about getting parental consent. This consent is required if a website wants to use and collect data from a child. Website operators must take reasonable steps to make sure that a parent receives direct notice of the operator’s data collection practices. This notice must include:
Under COPPA, parental consent must be verifiable. Only a parent can give consent. A website operator must verify the identity of the parents that it contacts. This becomes especially important if the parent requests to see the information held about his or her child. Website operators must have measures in place to prevent the information from being released to the wrong party.[14]
Parents have other rights under the COPPA Rule. The website must re-notify parents whenever it changes its data collection and use procedures. Parents must be allowed to review information collected from their children. They also must be allowed to revoke their consent. If a parent revokes his or her consent, website operators must stop collecting, using, or disclosing that data immediately. Parents also can request that a website operator delete data held on their children. Website operators must make parents aware of how to exercise these additional rights.
NOTE
There are many websites directed toward children. Next time you visit one of them, see if you can find the website’s privacy policy. Is it easy to find? Does it contain the terms discussed in this section?
Consent is not required at all in some instances. Websites do not need parental consent if they are collecting an email address to respond to a one-time request from a child. Nor do they need consent to provide the initial notice to the parent. Consent is also not required to collect a child’s name and online contact information to protect the security of the website.
In some instances, upfront consent is not required. In these special circumstances, the website must still later tell parents that it collected data. For example, a website can collect a child’s name, parent’s name, and online contact information in order to protect a child’s safety. If a website collects this information, it must later tell parents that it collected the information and it must not use this information for any other purpose.[15]
Verifying Parental Consent
A website operator can use one of several methods to verify a person is a parent of a child and get consent for data collection. These include:
Some operators suggest that these methods are too costly to be practical. Therefore, many websites try to avoid the law. They do not collect information on children, and their privacy statement reflects this. Users are required to indicate they are at least 13 years old before information is collected. They might do this by entering their age on a website form or checking a box indicating they are at least 13 years old. However, it is possible for children to easily overcome these types of controls.
The FTC provides oversight for COPPA. The FTC investigates complaints of websites that violate COPPA. It can also bring enforcement actions and impose civil penalties for COPPA violations. The FTC provides many tools to help website operators comply with the law.
NOTE
The FTC summarizes the COPPA Rule at http://www.business.ftc.gov/privacy-and-security/childrens-privacy.