CHILDREN'S ONLINE PRIVACY PROTECTION ACT (COPPA)

The Children's Online Privacy Protection Act of 1998,[1] commonly referred to as COPPA, requires businesses that collect personal information (PI) from kids under the age of 13 to provide information about, and some control over, that data collection, use, retention, and transfer.[2] At the time of its enactment, federal legislators were particularly concerned about the collection of PI from children on the internet, so COPPA applies only to website operators and online service providers (a category that includes mobile app providers).[3]


The Federal Trade Commission (FTC) is tasked with issuance of regulations under COPPA and the Act's enforcement.[4] The latest iteration of those regulations, known as the COPPA Rule, took effect on July 1, 2013.[5] The COPPA Rule sets out an extensive legal regime regarding collection and use of PI regarding children under 13, with comprehensive parental rights and business obligations.


Under COPPA a business MUST:
  • post a privacy policy that is clear and fully describes how the business collects and uses the PI of kids under 13,[6]

  • provide direct parental notice of collection and use prior to any collection,[7]

  • obtain parental consent before collection,[8]

  • limit use of PI to the purpose for which it was collected,[9]

  • securely destroy PI retained once it is no longer needed for that purpose,[10]

  • use robust confidentiality and security measures when in possession of children's PI,[11] and

  • ensure PI security and confidentiality upon any data transfer to a third party.[12]


Under COPPA parents have the RIGHT to:
  • choose whether their child's data is collected and used,[13]

  • access any personal information that has been collected about their child,[14]

  • review the data, prohibit its disclosure to third parties, and in some circumstances have it deleted,[15] and

  • revoke consent to further collection and use of their child's data.[16]


Who Must Comply with COPPA?

For-profit entities that operate websites, mobile apps, and other online services directed at children under the age of 13 if children’s PI is collected, used, or disclosed.[17]


The Act also applies to online service providers who know their services are being used by children under the age of 13, even if the service is not directed at users in that age bracket.[18] Similarly, if an online service, like a plug-in or an advertising platform, knows that it is using PI collected by a website or online service directed at kids under 13, COPPA applies to that data use.[19]


Extraterritorial Reach


COPPA applies to U.S. businesses in their dealings with children whether the kids are located in the U.S. or abroad.[20] More controversially, the law states that COPPA also applies to foreign-based operators of websites and online services that are directed to children in the U.S., or that know they are being used by kids in the U.S. under the age of 13.[21] To that end, the FTC has sent warning letters to and prosecuted foreign-based website operators for COPPA violations. The most publicized was the prosecution of China-based TikTok (at the time, Musical.ly) for knowingly collecting personal information from children under the age of 13 without parental consent. That litigation resulted in an agreement to comply with parental consent requirements in the future and a $5.7 million penalty.[22]


COPPA does not apply to not-for-profit entities, as these enterprises have traditionally been outside FTC jurisdiction.[23]


What Information is Covered by COPPA?

COPPA covers the collection and maintenance of personal information. That term is defined expansively to include:

  • name,

  • address,

  • email address,

  • IM user identification,

  • VOIP identifier,

  • screen or username,

  • phone number,

  • SSN,

  • any form of persistent identifier, like an IP address,

  • a persistent cookie,

  • photo, video, or audio file,

  • geolocation data, and

  • any information about the child or his parents combined with an identifier.[24]


What Activities are Proscribed by COPPA?


Generally, COPPA mandates that covered operators refrain from collecting personal information from children without providing notice and obtaining verifiable parental consent as specifically set out in the Amended COPPA Rules.[25] Operators must provide a reasonable way for parents both (1) to review what has been collected and (2) to refuse to allow an operator to continue to use or maintain the data. Children's personal information must be kept confidential and secure.[26]


Operators may not keep children's data any longer than necessary to meet the purpose for which the data was collected. Data must be deleted using reasonable security methods.[27]


Enforcement


The FTC is the primary enforcer of the COPPA Rule;[28] however, states may also bring enforcement actions under the Act pursuant to Section 6504. Compliance for some specific industries is enforced by other federal agencies, for example, the DOT for air carriers and the Office of the Comptroller of the Currency for national banks.[29]


The penalty per COPPA violation can be as high as $51,744.[30] Additionally, companies can be ordered to pay redress to consumers, comply with injunctions that mandate the cessation of violating conduct, correct advertising, and submit to monitoring programs.[31] To date, the highest civil penalty for COPPA violations has been collected from Epic Games, producer of the Fortnite video game: $275 million.[32]


The FTC has a range of tools at its disposal that it regularly uses for COPPA enforcement, including warning letters, negotiated settlements, administrative hearings, and appeals to federal court.


COPPA Safe Harbor Programs


Businesses that would prefer to delegate the determination of how best to comply with the COPPA Rule to a third party can participate in approved compliance programs set up by various groups.[33] Compliance with an approved program protects a business from being found liable under the Act,[34] though those programs sometimes impose additional requirements that website operators find unappealing.


Proposed Changes


On January 11, 2024, the FTC published a Notice of Proposed Rulemaking seeking to update and strengthen the COPPA Rule (last updated in 2013). The proposed changes are currently in their notice and comment period, with the FTC requesting that public comments be submitted by March 11, 2024. Some suggested updates include:

  • Requiring Operators to obtain a separate verifiable parental consent to disclose children’s information to third parties,

  • Limitations and heightened disclosures regarding push notifications directed at children that encourage additional time online,

  • Increased restrictions prohibiting education technology companies partnered with schools from using student PI for commercial purposes, and

  • Expanding the definition of “personal information” under the COPPA Rule to include biometric identifiers.


Where to Find More Information


The FTC website has an impressive depth of information on COPPA, with detailed advice for both businesses and parents. Information can also be found online on the websites of Safe Harbor Program providers, like TRUSTe and kidSAFE, as well as the Electronic Privacy Information Center.


______________________________________________

[1] 15 U.S.C. § 6501, et seq.

[2] 15 U.S.C. § 6501(1) (definition of “child”); § 6502 (actions prohibited and conditions requiring parental notice).

[3] 15 U.S.C. § 6501(2); 16 C.F.R. § 312.2; Federal Trade Commission, Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business (June 2017), https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance.

[4] 15 U.S.C. § 6501(3).

[5] See 16 C.F.R. § 312, et seq.

[6] 15 U.S.C. § 6502(b)(A)(i); Federal Trade Commission, supra note 3.

[7] 15 U.S.C. § 6501(9) (definition of “verifiable parental consent”); § 6502(b)(A)(ii).

[8] Id.

[9] 16 C.F.R. § 312.5(a)(1).

[10] 16 C.F.R. § 312.10.

[11] 16 C.F.R. §§ 312.2(e) & 312.8.

[12] 16 C.F.R. § 312.8.

[13] 16 C.F.R. § 312.5(a)(1) & (2).

[14] 16 C.F.R. § 312.6(a)(3).

[15] 16 C.F.R. § 312.6(a)(2) & (3).  See also § 312.5(a)(2).

[16] 16 C.F.R. § 312.6(a)(2).

[17] 15 U.S.C. §§ 6501(2)(A) & 6502(a)(1).

[18] 15 U.S.C. § 6502(a)(1).

[19] Federal Trade Commission, supra note 3. 16 C.F.R. § 312.2 (definition of “operator”).

[20] 15 U.S.C. § 6501(2).

[21] 15 U.S.C. § 6501(2)(A).

[22] See U.S. v. Musical.ly, Case No. 2:19-dv-01439 (C.D. Cal. 2/27/19), Stipulated Order for Civil Penalties, Permanent Injunction, and Other Relief, https://www.ftc.gov/system/files/documents/cases/musical.ly_proposed_order_ecf_2-27-19.pdf

[23] 15 U.S.C. § 6501(2)(B).

[24] 16 C.F.R. § 312.2.

[25] 15 U.S.C. §§ 6502(a)(1) & (b)(A).

[26] 16 C.F.R. § 312.3.

[27] 16 C.F.R. § 312.10.

[28] 15 U.S.C. § 6505.

[29] 15 U.S.C. § 6505(b).

[30] Federal Trade Commission, Adjustments to Civil Penalty Amounts, 89 Fed. Reg. 1445 (January 10, 2024).

[31] 15 U.S.C. §§ 5 (b), 5(I) & § 13(b).

[32] See United States v. Epic Games, Inc., No. 5:22-cv-00518 (E.D.N.C. 2023), Stipulated Order For Permanent Injunction And Civil Penalty Judgment, https://www.ftc.gov/system/files/ftc_gov/pdf/1923203epicgamesfedctorder.pdf.

[33] See https://www.ftc.gov/safe-harbor-program.

[34] 15 U.S.C. § 6503(b)(2).
