Children’s Online Privacy Protection Act . Federal law carried out in the United States , in order to protect the personal information of children on websites. Placed in Title 15 of the United States Code. It was enacted on October 21 , 1998 . It is the gold standard for protecting the privacy of connected children. In 2013, with the update of COPPA, an awareness path was started to protect children when they are online. It currently includes boys up to 13 years old, but there are movements and campaigns to extend it until they are 16.
[ hide ]
- 1 COPPA Rule
- 1 Impact on the sites and services my children use
- 2 Operation of the COPPA Rule
- 3 Options
- 2 History
- 1 Federal Trade Commission (FTC)
- 2 Violations of the law
- 3 Compliance with the Law
- 4 The law in the international arena
- 3 Sources
The COPPA Rule was established to protect children’s personal information on websites and online services – including applications – directed at children under the age of 13. The Rule also applies to general audience sites that know they are collecting personal information from children of that age.
The COPPA Rule states that these sites and services must directly notify parents and obtain their approval before collecting, using or disclosing a child’s personal information. Within the scope of the COPPA Rule, personal information includes a child’s name, address, phone number, or email address; their physical locations; photos, videos, and audio recordings of the child; and persistent identifiers, such as IP addresses, that can be used to track a child’s activities over time and across various websites and online services.
Impact on the sites and services my children use
If the site or service does not collect your child’s personal information, the COPPA Rule is not a factor to consider. The COPPA Rule only applies when the sites subject to this Rule collect certain personal information from your children. In practical terms, the COPPA Rule gives you control of your child’s personal information.
Operation of the COPPA Rule
The COPPA Rule works like this: Let’s say for example that your child wants to use the features of a website or download an application that collects their personal information. Before the site or the operator of the application can do so, you must receive a notice written in clear and simple language in which you indicate what information the site will collect, how it will use it and how you can give your consent. For example, you may receive an email from a company informing you that your child has started the registration process for a site or service for which your child’s personal information is required. Or you could receive that notice on the same screen where you can consent to the collection of your child’s personal information.
That notice should also contain instructions for giving your consent. Sites and services have some flexibility to do so. For example, some may ask you to submit a short authorization form. Others may establish a toll-free phone line that you can call.
If you agree to allow the site or service to collect personal information about your child, they have a legal obligation to protect it.
The first option is to determine if you are comfortable with the information handling practices of the site. Start by reading how the company plans to use your child’s information.
Then you have to choose the scope of the permission you want to grant. For example, you could authorize the company to collect your child’s personal information, but you could refuse to allow her to share that information with others.
After you give a site or service your permission to collect personal information about your child, you remain in control. As a parent, you have the right to review the information collected about your child. Keep in mind that if you want to see the information, the website operators need to verify in advance that you are the father or mother of the child. You also have the right to withdraw your consent at any time and request that the information collected about your child be deleted.
Known in its acronym in English as the Children’s Online Privacy Protection Act (COPPA), this legislation came into effect on April 21, 2000. It applies to the online collection of personal information by persons or entities under the jurisdiction of the States. States , especially children under the age of 13, including children outside of that country.
Children under the age of 13 can legally provide personal information with their parents’ permission, on many websites – including social media sites – but also other sites that collect most personal information, do not allow children under the age of 13 years use their services fully due to cost and work involved in law enforcement.
In the 1990s, e-commerce increased in popularity, but several concerns were raised about data collection practices and the impact of Internet commerce on user privacy, especially those under the age of 13, because very few websites they had their own privacy policies.
Federal Trade Commission (FTC)
The Center for Media Education requested the Federal Trade Commission (FTC) to investigate the data collection and use practices of the KidsCom.com website , and to take legal action as the data practices violated Section 5 of the FTC “Unfair / Deceptive Practices” Act. After the FTC completed its investigation, issued the “KidsCom Letter,” the report indicated that the data collection and use practices were actually subject to legal action.
This resulted in the need to inform parents about the risks of children’s online privacy, as well as the need for parental consent. This resulted in the drafting of COPPA.
The FTC has the authority to issue regulations and enforce the COPPA law. Also under the terms of COPPA, the FTC designated “safe harbor” provisioning is designed to encourage greater industry self-regulation. Under this provision, industry groups and others may seek Commission approval of self-regulatory guidelines to regulate participant compliance, so that website operators in Commission-approved programs would first be subject to the Safe Harbor program disciplinary procedures in lieu of FTC enforcement.
As of June 2016 , the FTC has approved seven safe harbor programs operated by TRUSTe, Entertainment Software Rating Board | ESRB, CARU, PRIVO, Aristotle, Inc., Samet Privacy (kidSAFE) and the Internet Keep Safe Coalition (iKeepSafe) .
In September 2011, the FTC announced proposed revisions to the COPPA rules, the first significant changes to the law since the rules were issued in 2000. The proposed rule changes expanded the definition of what it meant to “collect” data from children.
The proposed rules introduced a data retention and deletion requirement, mandating that data obtained from children be retained only for as long as necessary to achieve the purpose for which it was collected. It also added a requirement that operators ensure that any third party to whom a child’s information is disclosed has reasonable procedures to protect the information.
The law applies to websites and online services operated for commercial purposes that are directed at children under the age of 13 or have actual knowledge that children under the age of 13 are providing information online. Most recognized non-profit organizations are exempt from most of the COPPA requirements. However, the Supreme Court ruled that non-profit organizations operated for the benefit of their members’ business activities are subject to regulation by the FTC and, consequently, also by COPPA.
The type of “verifiable parental consent” required before collecting and using information provided by children under the age of 13 is based on a “sliding scale” established in a regulation of the [[Federal Trade Commission that takes into account the How the information is collected and the uses to which the information will be put.
Violations of the law
The FTC has filed a series of actions against website operators for failure to comply with the requirements of COPPA, including actions against Girls ‘Life’, American Pop Corn Company, Lisa Frank, inc., Mrs. Fields Cookies and The Hershey Company.
In February 2004, UMG Recordings, Inc. was fined US $ 400,000 for COPPA violations in connection with a website promoting rap star Romeo Miller — he was 13 at the time — and was host of games and activities for children.
In the same month, Bonzi Software that offered downloads of an animated figure called “BonziBuddy” that provided shopping tips, pranks and trivia, was fined US $ 75,000 for COPPA violations. In 2016, the mobile ad network in Mobi was fined $ 950,000 for tracking the geographic location of all users (including those under the age of 13) without their knowledge. Adware continuously tracked the user’s location despite privacy preferences on the mobile device.
In February 2019, the FTC issued a US $ 5.7 million fine to ByteDance for failing to comply with COPPA with its TikTok app . ByteDance agreed to pay the largest COPPA fine since the law was enacted and add a kids-only mode to the TikTok app.
Apple and Google pulled three dating apps from their respective app stores, after the FTC determined that dating apps allowed users under the age of 13 to sign up, Wildec knew that there were a significant number of under-users, and that this allowed for inappropriate contact with minors.
On September 4, 2019, the FTC issued a US $ 170 million fine to YouTube for violations of the law, including tracking the viewing history of minors to facilitate targeted advertising for users.
As a result, YouTube announced that in 2020 it would require content creators to mark “this video is kid-friendly” videos as such, and that machine learning be used to mark them as “kid-friendly” if it’s not already marked. Under the terms of the agreement, content creators who did not mark the videos as “kid-friendly” could be fined up to $ 42,000 per video by the FTC, drawing criticism of the terms of the agreement.
Compliance with the Law
The Federal Trade Commission issued revisions effective July 1, 2013, where they created additional parental consent and notification requirements, modified definitions and added other obligations for organizations:
- Operate a website or online service that is “directed at children under 13” and that collects personal information from users.
- Make reasonable efforts (taking into account available technology) to provide direct notice to parents of the operator’s practices regarding the collection, use, or disclosure of personal information from individuals under the age of 13, including notice of any material changes parents have previously consented to such practices.
- Obtain verifiable parental consent, with limited exceptions, before any collection, use, and / or disclosure of personal information from persons under the age of 13.
- Provide a reasonable means for a parent to review the personal information collected from their child and to refuse to allow its use or further maintenance.
- Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children under the age of 13, including taking reasonable steps to disclose such personal information only to parties capable of maintaining its confidentiality and security.
- Retain personal information collected online from a child under the age of 13 only for as long as necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against unauthorized access or use.
- Prohibit operators from conditioning a child’s participation in an online activity on the child by providing more information than is reasonably necessary to participate in that activity.
According to a notice issued by the Federal Trade Commission, the operator has actual knowledge of the age of a user if the site or service requests and receives information from the user that allows it to determine the age of the person:
An example, cited by the FTC, includes an operator requesting a date of birth on a site’s registration page has actual knowledge as defined by COPPA if a user responds with a year suggesting they are under the age of 13 Another example cited according to the FTC is that a trader may have real insight based on answers to “age identification” questions such as: “What grade are you in?” or “What kind of school do you attend?”:
- High school.
Microsoft has a small tool under the COPPA law as a way to verify parental consent, this fee is donated to the [[National Center for Missing and Exploited Children.
In the changes that took place as of July 1, 2013, the definition of operator was updated to make it clear that COPPA covers a site or service aimed at children that integrates external services, such as plugins or ad networks, that collect personal information of your visitors.
The definition of a website or online service directed at children is expanded to include plugins or ad networks that have actual knowledge that they are collecting personal information through a website or online service directed at children.
Websites and services that target children as a secondary audience may differentiate between users, and must notify and obtain parental consent only for those users who identify as under 13 years of age. The definition of personal information that requires parental notification and consent prior to collection now includes “persistent identifiers” that can be used to recognize users over time and across different websites or online services.
However, parental notification or consent is not required when an operator collects a persistent identifier for the sole purpose of supporting the website or the internal operations of the online service. The definition of personal information after July 1, 2013 also includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice.
On November 19, 2015, the FTC announced that it had approved an additional method of obtaining parental consent verification: “match verified photo identification” (FMVPI). The two-step process allows parents to submit a government-authorized ID for authentication, then submit an impromptu photo via mobile device or webcam, which is then matched against the photo on the ID
The law in the international arena
The FTC has asserted that COPPA applies to any online service that targets users in the United States that collects information from children in the United States or regardless of their country of origin. However, in practice, the FTC has never issued enforcement actions against foreign companies, and attempts to do so may be thwarted by a lack of jurisdiction.