What is COPPA (Children's Online Privacy Protection Act)?

The advent of online data collection from “cookies” and digital footprints is a windfall for advertisers and data brokers who sell access to such personal information.

In the United States, where there are few laws limiting what information can be collected on individuals, everyone who uses the internet is at risk. That risk only rises with the hours each of us spends online. Most of us spend 22 hours a week online, and those ages 8-12 spend as many as six hours a day online. The information collected is not limited to a person’s browsing habits but can include personally identifying information such as name, address, age, physical location, and sometimes profile photos, potentially opening unsophisticated children to abusers.

Protecting Children Online

That group is afforded some protection from such wide-ranging data collection under the Children’s Online Privacy Protection Act (COPPA) which stipulates that a website or data collector must have a parent or guardian’s consent for data about their online browsing to be collected. The Act was passed by Congress in 1998 and took effect in 2000. It was significantly updated in 2011 to reflect the ever-changing nature of children using the internet. Criteria for triggering COPPA are:

  • websites that are directed at youth under age 13;
  • connected toys;
  • internet-enabled gaming platforms;
  • use of data-gathering pop-ups that indicate a significant website audience ages 13 or younger, and
  • if your website allows other (data miners) to collect personally identifying information from youthful visitors.

Some of the requirements of COPPA include:

  • a privacy policy must be made visible to users and its provisions followed, including an option to opt-out and ways of hiding identifying personal information of young visitors;
  • a parental consent process that is verifiable and straightforward, including ways for identification to be processed, and
  • allowing parents to review and delete, if desired, the personal information supplied by their child.

Limits to Data Collection

While Europe has developed a comprehensive way to limit data collection, called the General Data Protection Regulation (GDPR), the average American’s data is a free-for-all, with everyone collecting and selling our personal information, from the apps we opt into on our phones to our Internet Service Providers at home and work. Critics say that the 5-member Federal Trade Commission is not strong enough to effect compliance and that companies making millions from selling personal data of adults and children are not curtailed sufficiently by fines. A Washington Post article pointed out that many online companies are bypassing COPPA and providing inappropriate content to children simply by not asking the age of users.

California has passed a statewide privacy act similar to the GDPR, and other states could follow. Another similar provision, called the Do Not Track Kids Act, which is moving slowly within Congress, seeks to block access to children’s data up to age 16.

Although the 2011 amendments to the law were supposed to stay in force for a decade, legislators are already seeking input for the next iteration of COPPA due to rapid changes in technology. Some of the considerations are interactive television, whether educational technology should be excepted from parental consent laws, whether the law is broad enough to capture the majority of child-oriented websites and even those that attract children without being specifically directed at them.

Teeth in The Law

Among the significant applications of COPPA were censure of the app Musical.ly, which allows people to record themselves singing along with music. Users created profiles that included their photos, ages, and schools. The company behind the interactive app set the profiles to “public” by default for several years and users could find others within a 50 mile radius while the app clearly attracted a largely youthful audience of users. Furthermore, the company received hundreds of complaints from parents in one week of 2014 alone. The company was fined $5.7 million because much of their content was directed at children. The app is now known as Tik Tok.

In 2019 YouTube, which is owned by Google, agreed to a $136 million fine for illegally collecting personal information from children, including from videos that were uploaded by third parties. The data collected on child-directed YouTube channels was capable of tracking users across the internet and directing targeted ads at them. The company allegedly had channels directed at children that featured toys and told potential advertisers that their channels were more popular among youth under age 13 than television channels, yet did not have a COPPA-compliant parental consent page.