Children's Online Privacy Protection Act

Not to be confused with the Child Online Protection Act, abbreviated "COPA".

The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law, located at 15 U.S.C. §§ 6501–6506 (Pub.L. 105–277, 112 Stat. 2581-728, enacted October 21, 1998).

The act, effective April 21, 2000, applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online including restrictions on the marketing to those under 13. While children under 13 can legally give out personal information with their parents' permission, many websites altogether disallow underage children from using their services due to the amount of work involved.

Background

The Federal Trade Commission (FTC) has the authority to issue regulations and enforce COPPA. Also under the terms of COPPA, the FTC designated "safe harbor" provision is designed to encourage increased industry self-regulation. Under this provision, industry groups and others may request Commission approval of self-regulatory guidelines to govern participants' compliance, such that website operators in Commission-approved programs would first be subject to the disciplinary procedures of the safe harbor program in lieu of FTC enforcement. As of 17 May 2013, the FTC has granted safe harbor to five companies: Aristotle, Inc., TRUSTe, ESRB, CARU and Privo.^[1]

In September 2011, the FTC announced proposed revisions to the COPPA rules, the first significant changes to the Act since its rules were issued in 2000. The proposed rule changes expand the definition of what it means to "collect" data from children. The new rules would also present a data retention and deletion requirement, which would mandate that data that is obtained from children is only kept for the amount of time necessary to achieve the purpose that it was collected for and also add the requirement that operators ensure that any third parties to whom a child's information is disclosed have reasonable procedures in place to protect the information.^[2]

The Act applies to websites and online services operated for commercial purposes that are either directed to children under 13 or have actual knowledge that children under 13 are providing information online. Most recognized non-profit organizations are exempt from most of the requirements of COPPA.^[3] However, the Supreme Court ruled that non-profits operated for the benefit of their members' commercial activities are subject to FTC regulation and consequently also COPPA.^[4] The type of "verifiable parental consent" that is required before collecting and using information provided by children under 13 is based upon a "sliding scale" set forth in a Federal Trade Commission regulation^[5] that takes into account the manner in which the information is being collected and the uses to which the information will be put.

Violations

The FTC has brought a number of actions against website operators for failure to comply with COPPA requirements, including actions against Girl's Life, Inc.,^[6] American Pop Corn Company,^[7] Lisa Frank, Inc.,^[8] Mrs. Field's Cookies, and Hershey Foods.^[9] In September 2006, the FTC levied substantial fines on several enterprises for COPPA violations. The website Xanga was fined US$1 million for COPPA violations, for repeatedly allowing children under 13 to sign up for the service without getting their parent's consent.^[10] Similarly, UMG Recordings, Inc. was fined US$400,000 for COPPA violations in connection with a Web site that promoted the then 13-year-old pop star Lil' Romeo, and hosted child-oriented games and activities, and Bonzi Software, which offered downloads of an animated figure "BonziBuddy" that provided shopping advice, jokes, and trivia was fined US$75,000 for COPPA violations.^[11]

Compliance

Website operators must use reasonable procedures to ensure they are dealing with the child's parent. These procedures may include:

• obtaining a signed form from the parent via postal mail or facsimile;
• accepting and verifying a credit card number;
• taking calls from parents on a toll-free telephone number staffed by trained personnel;
• email accompanied by digital signature;
• email accompanied by a PIN or password obtained through one of the verification methods above.

Operators who follow one of these procedures acting in good faith to a request for parental access are protected from liability under federal and state law for inadvertent disclosures of a child's information to someone who purports to be a parent.

International scope

This is an American law, however, the Federal Trade Commission has made it clear that the requirements of COPPA will apply to foreign-operated web sites if such sites "are directed to children in the U.S. or knowingly collect information from children in the U.S."^[12] Other countries like Australia have made similar laws protecting children under 13 online.

Criticisms

COPPA is highly controversial, and has been criticized as ineffective and potentially unconstitutional by many people.^[13] They say it attacks children's rights to freedom of speech, and self-expression.

Mark Zuckerberg, co-founder and CEO of Facebook, has expressed opposition to COPPA and stated "That will be a fight we take on at some point. My philosophy is that for education you need to start at a really, really young age."^[14]

See also

• Adultism
• California Online Privacy Protection Act (OPPA) effective as of July 1, 2004
• Child Online Protection Act (COPA)

References

1. "Safe Harbor Program". ftc. Retrieved 17 May 2013. 
2. "FTC Will Propose Broader Children's Online Privacy Safeguards". The National Law Review. Ifrah Law. 2012-12-22. Retrieved 2012-12-27. 
3. COPPA section 1302(2)(B)
4. "FTC v. California Dental Association, 526 U.S. 756 (1999)". 1999-5-24. Retrieved 2013-4-15. 
5. http://www.ftc.gov/os/1999/10/64fr59888.pdf
6. "Girls Life, Inc". Ftc.gov. 2011-06-24. Retrieved 2012-07-07. 
7. "Jolly Time". Ftc.gov. 2011-06-24. Retrieved 2012-07-07. 
8. "Lisa Frank, Inc". Ftc.gov. 2011-06-24. Retrieved 2012-07-07. 
9. http://www.ftc.gov/opa/2003/02/hersheyfield.shtm
10. "FTC fines Xanga for violating kids' privacy - $1 million penalty against social networking site is largest under 1998 law", September 7, 2006
11. "UMG Recordings, Inc. to Pay $400,000, Bonzi Software, Inc. To Pay $75,000 to Settle COPPA Civil Penalty Charges". Ftc.gov. Retrieved 2012-07-07. 
12. "FTC FAQ on COPPA. See, also, the COPPA Rule's definition of an "operator", which includes foreign websites that are involved in commerce in the United States or its territories. FTC Final Rule, Children's Online Privacy Protection Rule, 16 C.F.R. Part 312". Ftc.gov. Retrieved 2012-07-07. 
13. "Northwestern Journal of Law & Social Policy | Vol 5 | Iss 2". Law.northwestern.edu. 2010-08-19. Retrieved 2012-07-07. 
14. Lev-Ram, Michal (May 20, 2011). "Zuckerberg: Kids under 13 should be allowed on Facebook". Fortune. 

External links

• Children's Online Privacy Protection Act (COPPA) of 1998, via Federal Trade Commission
• 16 C.F.R. Part 312, the FTC's Children's Online Privacy Protection Rule, via Government Printing Office
• How to comply with COPPA, via Federal Trade Commission
• Kidz Privacy site, via Federal Trade Commission
• FTC FAQ on COPPA compliance, via Federal Trade Commission
• COPPA.org
• Cybertelecom :: COPPA Information on COPPA regulatory developments