Children’s Online Privacy Protection Act (COPPA) – An Overview

The Children’s Online Protection Act (COPPA) (sometimes shown as the Children’s Online Privacy Protection Rule, still with the COPPA acronym) is a federal privacy law in the United States that was passed in 1998 and came into effect in 2000. It has since been revised a number of times by the Federal Trade Commission (FTC). It protects the personal information of children under 13 years of age and requires website and online service operators to obtain parental or guardian consent for the collection of that personal information. To date the US does not have a federal privacy law that encompasses both adult and child residents.

The Children’s Online Privacy Protection Act applies to organizations that knowingly collect the personal information of children under age 13 online. However, because websites and social platforms are ecosystems, not silos, the law goes into more detail and applies to organizations that:

• Knowingly collect children’s personal information from users of another website or online service directed at children
• Knowingly collect children’s personal information even though the website or online service is directed at a general audience
• Run supplementary services with their website, app, or other service (e.g. ad network) and know that the supplementary services collect personal information from children under 13

Personal information within the scope of COPPA is fairly standard compared to other privacy laws, though is a little more detailed regarding online account identifiers and digital media. In Part 312.2 (Definitions) it includes:

• First and last name
• Home or other physical address
• Online contact information
• Screen name or username where it functions the same as online contact information
• Telephone number
• Social Security number
• A “persistent identifier” that can be used to recognize a user over time and across different websites or online services, including, but not limited to, customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier
• A photograph, video, or audio file containing the child’s image or voice
• Geolocation information sufficient to identify street name and name of a city or town
• Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier

COPPA became law in 1998 before many of today’s popular online social platforms were developed, and before the ubiquity of smartphones and apps. Sites like SixDegrees and Classmates existed in the late 1990s, but LinkedIn and MySpace didn’t launch until 2003. Facebook arrived in 2004, Twitter in 2006, and Instagram in 2010. TikTok existed in a previous form in 2015, but wasn’t available worldwide until 2018. The iPhone launched in 2007, kicking the smartphone revolution into high gear.

COPPA has been updated over the years to reflect digital advances, and its definition of a “website or online service” includes:

• mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads)
• internet-enabled gaming platforms
• plug-ins
• advertising networks
• internet-enabled location-based services
• voice-over internet protocol services
• connected toys or other Internet of Things devices

In Part 312.2 (Definitions), the Act states:

In determining whether a Web site or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.

So, in short, the website or online service:

• Does not collect personal information from any visitor prior to collecting age information
• Prevents the collection, use, or disclosure of personal information from visitors who identify themselves as under age 13 without first complying with notices and provisions regarding parental consent
• Only refers to or links to a commercial website or online service directed at children by the use of information location tools (link, index, etc.)

The personal information of children under 13 cannot be collected without verifiable parental consent if the data controller can reasonably know that the individual is a child and the personal information is identifiable.

In the United States, generally consent is only required prior to the collection of personal information where the data subject is a child or if the data is considered “sensitive”. (Learn more: Personally Identifiable Information (PII) vs. Personal Data – What’s the difference?) This is an “opt-out” model, and is used in California, Virginia and Colorado’s laws. The other common “opt-in” model is used in many other countries, including the European Union’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados Pessoais /General Data Protection Law (LGPD) and South Africa’s Protection of Personal Information (POPIA).

Before entities can collect, use, or disclose children’s personal information, they must obtain consent. Because children cannot legally consent themselves, it must be obtained from a parent or guardian. There is leeway in how parents/guardians are informed about the request to collect information, and the purposes for its use.

However, regardless of the technology or platform used, the method must clearly communicate what personal information from the child would be collected, and how, and how it would be used and potentially shared with any third parties.

The organization must also take reasonably robust steps to verify that the parent/guardian is the one providing the consent.

Acceptable methods of obtaining parental consent include:

• Fax, mail, or electronic scan
• Online payment system that provides the account holder of separate transaction notifications
• Calling a toll-free number staffed by trained personnel
• Video conferencing with trained personnel
• Providing a copy of government-issued identification verifiable against a database, provided the identification is expunged after the verification process
• Answering a series of knowledge-based questions difficult for someone other than the parent to answer
• Verifying a picture of a driver’s licence or other photo identification submitted by the parent and using facial recognition technology to compare it to a second photo also submitted by the parent

Parents also have the option to provide consent to the collection and use of the child’s personal information by the requesting organization, but refuse consent for the disclosure of the information to third parties.

If a child’s personal information will be collected but only used internally by the organization collecting it, and not disclosed, “email plus” consent and verification is acceptable. By this method, the organization emails the parent, who responds with their consent. Confirmation of consent is then sent to the parent via email, letter, or phone call.

Parents/guardians must be informed that they can revoke consent at any time, and if changes are made to the collection, use, or disclosure practices consented to, new notification must be provided and new consent obtained.

There are some instances wherein consent is not required to collect or use children’s personal information, though it should be noted that there may be specific notification requirements even if one or more of these conditions are met.

The following conditions and purposes outline when the child’s, parent’s, or contact information of both can be collected without consent.

• The child’s and parent’s name and online contact information may be collected for the purpose of:
  • Protecting the child’s safety
  • Obtaining parental consent, and must be deleted if consent is not obtained within a reasonable period of time
  • Directly responding more than once to a child’s specific request (child’s newsletter subscription request), but this cannot be combined with any other information about the child
• The parent/guardian’s online contact information may be collected for the purpose of:
  • Providing notification about the child’s participation on a site or service that does not collect personal information
• The child’s online contact information may be collected for the purpose of:
  • Directly responding to a child’s specific one-time request (e.g. entering a contest), provided the information is not used again for any other purpose and is deleted after responding
  • Protecting the security or integrity of the website or online service, to take precautions against liability, to respond to judicial process, or (as permitted by law) to provide information to law enforcement
• A persistent identifier may be used for the purpose of:
  • Supporting internal operations of the website or online service, including:
    • maintaining or analyzing the functioning of the site
    • performing network communications
    • authenticating users of the site or personalizing content
    • serving contextual ads or frequency capping
    • protecting the security or integrity of the user or the site
    • legal or regulatory compliance
    • fulfilling a child’s request under the one-time contact or multiple contact exceptions
  • If the operator has actual knowledge that a person’s information was collected through a child-directed site, but their previous registration indicates the person is 13 or over, with exceptions if:
    • the operator only collects a persistent identifier and no other personal information
    • the individual affirmatively interacts with the website or online service to trigger the collection; and
    • the operator has already conducted an age-screen of the person indicating they are 13 or over

Since COPPA is meant to protect children, unsurprisingly companies’ obligations outlined in the Act are fairly detailed. As already noted, parental consent must be obtained under many circumstances before children’s personal data can be collected or used. Organizations must also have reasonable procedures to protect the confidentiality and security of the information they collect, which is standard in all privacy law.

Companies must also provide an easily accessible privacy policy listing the following:

• All third parties collecting children’s personal information, e.g. social platform plug-ins, ad networks, etc.
  • Name and contact information for each third party (phone number, address, email address)
  • How those organizations will use the personal information
• Description of what personal information is collected, and how it’s used
  • Must include types of personal information collected, e.g. name, address, email address, hobbies, etc.
  • How the personal information is collected, e.g. via the child’s direct input, through cookies, etc.
  • How the personal information will be used, e.g. marketing to the child, contest notification, enabling the child to make the information publicly available, like on the website
  • Whether the personal information is disclosed to third parties (if so, see above re. requirements about those organizations)
• Description of parental rights
• • Children will not be required to disclose any more information than is reasonably necessary to participate in an activity
  • Parents can review children’s personal information, direct the organization to delete it, and refuse further collection or use of the information
  • Parents can agree to collection and use of children’s personal information but refuse to allow disclosure to third parties, unless that is part of the service (e.g. social platforms)
  • Procedures for exercising their rights

COPPA violators may be fined up to US $43,280 per violation, with enforcement handled by the Federal Trade Commission. Google was fined US $170 million in 2019 for violations on YouTube, where children’s personal information was collected without consent and used to target them with advertising. Outside of the US, a class action lawsuit filed in the UK in 2020 seeks US $3.2 billion for similar violations of children’s data privacy on YouTube.

It should be noted that, while foreign companies are subject to COPPA if they collect or use the personal information of American children, the FTC rarely pursues enforcement actions against foreign companies, in good part due to a number of practical challenges. One significant recent exception is the US $5.7 million settlement against Chinese company ByteDance, owners of the TikTok app. TikTok has a significant user base in the United States, and legal action has been brought against it (and ByteDance) over privacy violations under the California Consumer Privacy Act (CCPA).

As the mobile industry continues to grow, more children have mobile devices and spend more time in front of screens, so privacy laws will need to continue to evolve regarding protecting children, and further enforcement and penalties for violations (globally) are to come.

Data retention and deletion requirements were introduced into COPPA in the 2011 revisions. Under Section 312.10, Children’s personal information could only be retained for as long as was necessary to achieve the purpose for which it was collected. This is fairly standard in other privacy laws as well. Additionally, reasonable measures must be taken in deleting the information to protect it from unauthorized access or use.

As noted above, prior to deletion, if the purpose for collection changed, either by the organization that collected it or an approved third party processor, the parent/guardian had to be notified and new consent obtained for the new use. Also added in 2011 was the requirement that third parties to which children’s personal information was disclosed have reasonable security measures in place to protect data.

Australia

Australia’s Privacy Act has been in place since 1988, with significant amendments in 2000. It does not make any specific reference to children or protection of their personal information. However, government representatives have said that such stipulations and related penalties would be added, however, that would be contingent upon their party’s re-election.

Brazil

The LGPD, enacted in 2020, follows the model of requiring enhanced protections for children’s personal information. Like in COPPA, companies must clearly state what data they plan to collect, and for what purposes. Reasonable efforts must also be made to obtain parental/guardian consent for data collection, and verify that consent has actually come from the parent/guardian.

Brazil’s data protection authority will also introduce further regulation and enforcement regarding protection of children’s personal information online.

China

China has had Provisions on the Cyber Protection of Children’s Personal Information in place since 2019, and now in addition the Personal Information Protection Law (PIPL) comes into effect November 1st, 2021. Under Article 15 of the PIPL, children’s age of consent is 14, and for children who are younger, consent for data collection and use must be obtained from the child’s parent or guardian.

PIPL is also extra territorial, applying also to organizations outside of China where the purpose is to provide products or services to “domestic natural persons”, to analyze and evaluate activities of domestic natural persons and/or other circumstances covered by law or administrative regulation. Article 39 of the PIPL includes stipulations about cross-border transfer of personal information, which requires a separate consent, and children’s personal information is included under that.

A number of international privacy laws include children’s personal information under their definitions of “sensitive”, however, the PIPL has specific stipulations regarding children’s sensitive personal information in Article 29, defining it as “the personal information that may lead to discrimination or serious harm to personal or property safety once disclosed or illegally used, including such information as race, ethnicity, religious belief, personal biological characteristics, medical health, financial accounts and personal whereabouts.”

While parental/guardian consent is already required to collect or use children’s information, additional, explicit consent must be obtained for children’s sensitive personal information under the PIPL.

European Union & UK

The GDPR has had enhanced protections for children since 2018, but still lacks explicit detail regarding what higher standards for protecting children’s personal information should be. As a result, some EU countries have begun to implement their own laws and enforcement regarding data rights and protections of children.

An inconsistent patchwork of regulation presents its own difficulties, however, since, for example, under the GDPR, member states can set their own age at which children can provide their own consent. The youngest allowable age is 13, but in Ireland and the Netherlands, for example, it’s 16. Robust age verification online does remain a consistent issue across the EU in terms of regulation, however, especially as the types and volume of online services continues to grow.

India

India does not yet have a privacy law in effect, but legislation does have child-specific data protection provisions, and defines children as under age 18. The legislation would ban directly targeting ads to children, as well as profiling, tracking or monitoring their behavior online.

Children’s privacy and protection has become a notable issue on other fronts as well. For example, TikTok was banned by the high court, though that was overturned. It was still ordered removed from the Apple and Android app stores, however. TikTok has 119 million users in India, many of whom are assumed to be children under 18.

South Africa

South Africa has had a privacy law in place since 2013, and under Section 1 of the POPIA children are defined as under age 18, and “not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself”.

Under POPIA verification from the “competent person” is not required, so it is not explicitly required that this person be a parent or guardian. However, Section 35 outlines further stipulations regarding children’s personal information, including circumstances under which it can be processed, when consent of the aforementioned competent person does or does not need to be obtained, and other conditions.

South Korea

Korean privacy law was updated for 2020. Under it, explicit consent has to be obtained from a parent or guardian for the collection or use of children’s personal information if they are age 14 or under.

Interestingly, Korean lawmakers clearly understand the broad societal influence of mobile technology, and viable parental consent methods include text message, smartphone authentication, or payment information, with companies then sending agreements back to the parent or guardian.

Stronger provisions for consent verification were introduced in addition to broader consent requirements for data processing, with the goal of improving enforcement, as it was found that some online service providers were not rigorous in their duty to obtain and verify consent before collecting children’s personal information.

Organizations are also required to use “clear and easily understandable language” in communication of privacy policies to children.

United States

Protecting children’s privacy seems to be a rare bipartisan issue in the US, and in addition to COPPA, children’s privacy and consent for usage of their data has been addressed in state-level laws passed to date. California, Virginia and Colorado all specify the “sensitive” nature of children’s personal information, and have stipulations regarding consent for its collection and use. It is very likely all future state-level laws will follow suit, as would any federal-level law that is eventually passed, unless it explicitly defers to COPPA. COPPA has also undergone revisions in the two decades since it was passed, and it is likely that it will continue to be revised as technologies change.

To date, provisions for children’s data privacy are not ubiquitous globally, but then, neither are privacy laws in general. However, with ever-evolving technology and more and more children spending more and more time with smartphones, protecting and securing their privacy and data is an ongoing and growing concern for many governments.

The importance of the issue in an increasingly digital world is illustrated in the United States, where the Children’s Online Privacy Protection Act has been in place for over 20 years, and continues to be updated as the media and technology landscapes change.

Such privacy laws must continue to address the types of data that can be collected and used. For example, biometric data is becoming increasingly available. How data is used also continues to evolve, with AI being increasingly used for processing and decision-making. Ideally, advances in technology will also be used to improve verification methods for consent.

If you have questions about consent management for websites and apps, we’re happy to help. Contact one of our experts!