The Children’s Online Privacy Protection Act of 1998 (COPPA) is a federal statute that establishes a standard for the online privacy of children. COPPA governs the collection and use of personal information by commercial websites and internet services that are directed towards children. The legislation is intended to place parents between websites and their children. It is necessary to engage parents in the decisions related to collection and use of their child’s personal information because they are better able to evaluate the privacy risks.
COPPA applies to operators. The term includes any individual, corporation, association, or other entity, but it does not apply to much of the public sector including state government agencies, local government units, or nonprofits because there must be a commercial purpose. To be considered an operator the entity must operate a website or an online service and collect or maintain personal information about the users. And even if an entity merely sells its products or services on such a website or internet service, it will still be within the definition as well. Entities that don’t necessarily operate their own website or internet service, but rather employ a third party to do so on its behalf, will also be considered an operator for purposes of COPPA.
Operators are prohibited from making disclosures. Under COPPA, a “disclosure” can be made two ways: (1) a release made by an operator to a third party (“Type 1”) or (2) making the personal information publicly available by any means, including a public posting (“Type 2”). Personal information may be made public through the internet, a home page of a website, a pen pal service, an electronic mail service, a message board, or a chat room.
Either way, applicable disclosures are limited to those that involve the personal information of a child, which is an individual under the age of (13) thirteen years old. Type 2 disclosures must be made by an operator that knows that the data subject is a child, or an operator that doesn’t necessarily know that fact, but their website is directed towards children. There is a single exception for Type 1 disclosures to third parties that maintain the website and don’t disclose or use the personal information for any other purpose.
COPPA requires operators to do the following:
- Provide notice of privacy practices
- Obtain verifiable parental consent
- Provide a description of the specific types of personal information collected from the child
- The opportunity to opt-out of future processing
- Provide access to personal information
- Prohibit conditioning a child’s participation on the child disclosing more personal information than is reasonably necessary to participate in such activity
- Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information
Enforcement & Liability
A violation of COPPA constitutes an unfair, deceptive, or abusive act under the Federal Trade Commission Act (FTCA) and is enforced by the Fair Trade Commission (FTC). Enforcement of COPPA will be in the same manner, by the same means, and with the same jurisdiction, powers, and duties of enforcement of the FTCA. COPPA authorizes the FTC to promulgate regulations implementing the statute and any violation of the regulations constitutes a violation of the statute.
The Attorney General of a state may bring a civil action on behalf of the residents of the state in a federal court to obtain an injunction, recover damages, restitution, other compensation, or other relief on behalf of the residents of the state.
Any entity that violates COPPA may be subject to the penalties provided under the FTCA.
COPPA provides that operators can satisfy the requirements of the COPPA regulations by following a set of self-regulatory guidelines, issued by representatives of the marketing or online industries.