Children's Online Privacy Protection Act (COPPA)

The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law designed to limit the collection and use of personal information about children by the operators of Internet services and Web sites. Passed by the U.S. Congress in 1998, the law took effect in April 2000. It is administered and enforced by the Federal Trade Commission (FTC). COPPA is "the first U.S. privacy law written for the Internet," Melissa Campanelli wrote in Entrepreneur. "It was written specifically for Internet marketers that operate Web sites visited by children under the age of 13 and collect personal information from those kids. Its purpose is to regulate that collection."

The FTC conducted a survey of 212 Web sites in 1998 and found that 89 percent of them collected personal information from children. Of those that collected data from children, 46 percent did not disclose this fact or explain how the information was used. The law was intended to address this potential problem by requiring Web sites and other online services directed toward children under the age of 13—as well as general audience sites that collect personal information from children—to obtain verifiable consent from the children's parents. "Its stated purpose is to protect children from micro-targeting by advertisers and to minimize the potential for contact with dangerous individuals through chat rooms, e-mail, and bulletin boards by involving parents in kids' on-line activities," Monica Rogers explained in Crain's Chicago Business.

Requirements of Coppa

COPPA applies to a variety of Web sites and services with content that may appeal to children. "In determining whether a Web site is directed toward children, the FTC will consider, among other things, the site's content, language, advertising and intended audience, as well as the use of child-oriented graphics or features," Anthony Marks and Keith Klein noted in the Los Angeles Business Journal.

But the law also affects general interest sites that collect information from children, whether the site's operators intend to do so or not. "The arm of COPPA is very long because it also applies to general audience Web sites that have actual knowledge that they are collecting personal information from children," Robert Carson Godbey wrote in Hawaii Business. "You can easily, and inadvertently, fall into this category. If you invite browsers of your Web site to submit individually identifiable information—which can include name, address, e-mail address, hobbies, interests, information collected through cookies, basically anything that can be individually identified to the person responding, for a variety of reasons, and that information includes age—then you may have 'actual knowledge' that you have collected personal information from children if anyone under 13 responds to your invitation."

COPPA requires the operators of these types of Web sites to include a clearly written privacy notice on their home page and anywhere on their site where user data is collected. The privacy policy must reveal who is collecting and maintaining the information children supply to the Web site and provide information about how to contact them; explain how the children's personal information will be used; and state whether it will be made available to third parties. In addition, COPPA requires Web site operators to obtain "verifiable parental consent" in advance of collecting or using personal information from children. Even when parental consent has been granted once, the site operators must seek consent again any time they make changes in their privacy policies. Exceptions to COPPA's parental consent requirements are allowed for the collection of e-mail addresses in order to seek consent, protect the safety of a child, or respond to a child's one-time request (provided that the e-mail address is deleted immediately afterwards).

The FTC rules cite several acceptable methods for Web site operators to verify parental consent, including a signed form sent via fax or regular mail, a credit card number provided online, calls made on a toll-free telephone number staffed by trained personnel, and e-mail accompanied by a digital signature or password. The method used by a certain Web site depends on the type of information collected from children and the way it is used. For example, e-mail consent is acceptable for Web sites that collect personal information only for internal purposes, like marketing to a child based on his or her preferences. Stricter methods are required when the information is made available to third parties.

Coppa Compliance

The FTC applies penalties for noncompliance ranging up to $11,000 per incident. Although the financial penalty is stiff, a business that failed to comply with the law would likely suffer even worse consequences as a result of negative publicity. After all, who would want their Web site to be known as one that put children at risk? Unfortunately, COPPA compliance can be complicated. "The goals of COPPA are no doubt admirable. The implementation, however, can be daunting," Godbey noted. "The difficulty comes from the requirement of 'verifiable consent' from a parent…. How do you obtain verifiableparental consent? How do you verify parental consent in an online environment where the children probably know more about the family computer than their parents do?"

Many online businesses have also complained that COPPA compliance is expensive. According to Campanelli, some of the major costs of compliance include employing staff to compose and maintain the online privacy policy statements, hiring attorneys to review the policies, and coordinating the collection and secure storage of parental consent forms. Experts estimate that these costs would amount to between fifty cents and three dollars per child interaction, or up to $100,000 per year, for a medium-sized Web site.

Faced with these potential costs, some sites were forced to limit access to children over the age of 13. Other sites—like the popular United Kingdom-based site for the "Thomas the Tank Engine" series of books and toys—decided to eliminate their e-mail and chat room features because they could not afford to comply with COPPA.

In response to complaints from Web site operators about the cost of compliance, the FTC noted that COPPA was not intended to block kids' access to information on the Internet. Instead, the goal of the law was to involve parents in the decision about whether to release children's personal information. Lawmakers argue that children under 13 are not sophisticated enough to make such decisions on their own.

Like all Internet laws, COPPA is somewhat difficult to enforce. For example, tech-savvy youngsters may find ways to forge parental consent. In addition, the law only applies to companies doing business in the United States, whereas the Internet is global in scope. Some entrepreneurs resent the restrictions imposed by COPPA, arguing that the government should not become involved in regulating the Internet. "One of the beauties of the Internet is that an entrepreneur can begin his or her business with minimal investment and regulatory scrutiny," Campanelli noted. They argue that regulation increases costs for small business owners. But other operators of small Web sites for children believe it is their responsibility to protect their users' privacy, even though it can be expensive. "If you're going to play in the kids' arena, you've got to offer safety, even if it costs," Alison Pohn, marketing director for a children's Web site, told Rogers. "If you operate a school or a camp, you invest in having the safest playground equipment and the best lifeguard at the pool. This is no different."

In any case, it is important for small business owners involved in online commerce to be aware of the provisions of COPPA. The full text of the Children's Online Privacy Protection Act is available on the FTC Web site. In addition, the Direct Marketing Association offers a guide to COPPA compliance and a "privacy policy generator" that walks users through the process of creating a compliant policy. Both are available on the DMA Web site.

Further Reading:

Campanelli, Melissa. "The Wizard of Laws." Entrepreneur. February 2001.

Di Sabatino, Jennifer. "FTC Oks Self-Regulation to Protect Children's Privacy." Computerworld. February 12, 2001.

"Firms May Need to Examine Kid-Oriented Privacy." Financial Net News. July 31, 2000.

Godbey, Robert Carson. "The Law of the Line." Hawaii Business. November 2000.

Jarvis, Steve. "COPPA Minefield." Marketing News. December 4, 2000.

Marks, Antony, and Keith Klein. "Coping with COPPA." Los Angeles Business Journal. July 31, 2000.

Retsky, Maxine Lans. "Sites Find COPPA Compliance Mandatory." Marketing News. August 28, 2000.

Rogers, Monica. "Kids' Privacy Act Stings Web Sites; New Guidelines Limit Sharing of Data with Others." Crain's Chicago Business. May 15, 2000.

Rosencrance, Linda. "FTC Warns Sites to Comply with Children's Privacy Law." Computerworld. July 24, 2000.

The Children's Online Privacy Protection Act of 1998 (COPPA) (P.L. 105-277, 112 Stat. 2681) protects the online privacy of children under thirteen by requiring commercial Web sites and online services to request parental consent for the collection, use, and disclosure of a child's personal information.

This legislation grew out of the fact that by 1998 roughly ten million American children had access to the Internet, and at the same time, studies indicated that children were unable to understand the potential effects of revealing their personal information online, and parents failed to monitor their children's use of the Internet. The targeting of children by marketers resulted in the release of large amounts of private information into the market and triggered the need for regulation.

In March 1998 the Federal Trade Commission (FTC) presented Congress with a report addressing the inadequate protection of children's information online. In July 1998 Senator Richard Bryan, a Democrat of New York, along with Republican Senators John McCain of Arizona and Conrad Burns of Montana, introduced the Children's Online Privacy Protection Act of 1998. The Senate Communications Committee held a hearing in September 1998, and the full Senate Commerce Committee passed an amended version of the bill by a unanimous vote on October 1. The House of Representatives incorporated portions of that bill into 105 H.R. 4328, a Department of Transportation appropriations bill enacted by Congress and signed by President Clinton on October 21, 1998. COPPA became effective on April 21, 2000.

The act applies to commercial Web sites and online services (both foreign and domestic) that are directed at children in the United States. And while the act does not apply to general audience Web sites, operators of such sites who have actual knowledge of children using their sites must comply with the act's regulations. Congress's intent in passing COPPA was to increase parental involvement in children's online activities, thereby ensuring safety during participation in such activities and protecting children's personal information.

Under COPPA it is unlawful for an operator of a commercial Web site or online service that targets children, or knowingly collects their personal information, to gather such information without:

1. incorporating a detailed privacy policy that describes the information collected from its users;
2. receiving verifiable parental consent;
3. offering parents an opportunity to revoke consent and have personal information deleted;
4. limiting collection of personal information from children participating in online games; and
5. establishing reasonable procedures to protect the confidentiality, security, and integrity of any personal information collected from children.

Personal information covered by the act includes Social Security numbers, names, addresses (mailing and e-mail), and telephone numbers. Verifiable parental consent is defined as any reasonable effort to ensure that a parent or legal guardian of a child receives notice of and gives authorization for the operator's personal information collection, use, and disclosure practices. Operators may avoid compliance with these regulations, however, if they propose, and the FTC approves, similar self-regulatory guidelines.

An FTC survey conducted in April 2002 showed that the general trend with respect to COPPA is one of increased compliance among Web sites, although some provisions have been followed less consistently. Importantly, courts are willing to strictly interpret these provisions and grant damages or other forms of relief against Web site operators who violate the act, and this trend may contribute to the high level of compliance. Moreover, at the federal level, COPPA violations are treated like unfair or deceptive trade practices under section 5 of the Federal Trade Commission Act, for which the FTC can impose civil penalties. At the state level, COPPA authorizes state attorneys general to bring actions in federal district court to enforce compliance with the regulations, as well as to obtain compensation and relief.

Critics of the act have argued that it is the responsibility of the parents to control their children's online activity, and that the act draws an arbitrary line between teenagers and younger children. Furthermore, critics claim the methods outlined by the FTC for verification are insufficient and impractical, and that they infringe on First Amendment free speech rights.

Bibliography

Colton, Campbell C., and John F. Stack, Jr., eds. Congress and the Politics of EmergingRights. Lanham, MD: Rowman & Littlefield, 2002.

Jennings, Charles, and Lori Fena. The Hundredth Window: Protecting Your Privacy and Security in the Age of the Internet. New York: Free Press, 2000.

Kutais, B. G., ed. Internet Policies and Issues. Commack, NY: Nova Science Publishers, 1999.

Peters, Thomas A. Computerized Monitoring and Online Privacy. London: McFarland, 1999.

This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)