Citation[]
Children’s Online Privacy Protection Act of 1998, Tit. XIII, Div. C of the FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act, Pub. L. No. 105-277, codified at 15 U.S.C. § 6501 et seq. (full-text); see also Children's Online Protection Rule. 16 C.F.R. part 312 (full-text).
Overview[]
With the growth of the Internet in its early years, Congress, the Clinton Administration, and the Federal Trade Commission (FTC) became concerned about protecting the privacy of children under 13 as they visit commercial websites. Not only were there concerns about information children might divulge about themselves, but also about their parents.
The result was COPPA.[1] The Act prohibits unfair and deceptive acts or practices in connection with the collection and use of personally identifiable information from and about children on the Internet.
Congress enacted COPPA following an extensive FTC effort to identify and educate the industry and the public about issues concerning the online collection of personal information from children and adults. In both June 1996 and June 1997, the Commission held public workshops to learn how the rapidly developing online marketplace was affecting consumers’ privacy.[2]
Key provisions[]
The Act specifies that operators of websites or online services directed to children or an operator who knowingly collect personal information from children:
- provide parents notice of their information practices;
- obtain prior, verifiable parental consent for the collection, use and/or disclosure of personal information from children (with certain limited exceptions for the collection of online information, e.g., email address);
- provide a parent, upon request, with the ability to review personal information collected from his/her child;
- provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child;
- limit collection of personal information for a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and
- establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected.
FTC activities[]
Section 1303 of the Act directed the Federal Trade Commission (FTC) to adopt regulations prohibiting unfair and deceptive acts and practices in connection with the collection and use of personal information from and about children on the Internet. The FTC's Final Rule implementing the law became effective April 21, 2000.
The FTC adopted a "sliding scale" for complying with the verifiable parental consent requirement depending on how the data would be used. That is, if the information was for internal use only, the verifiable parental consent could be obtained from the parent by e-mail, plus an additional step to ensure the person giving consent is, in fact, the parent. If the website operator planned to disclose the information publicly or to third parties, a higher standard was set. This sliding scale was set to expire in 2002 with the expectation that better verification technologies would become available. However, in 2002, the FTC determined that such technologies still were not available, and the sliding scale was extended to April 12, 2005. In 2005, the Commission extended it again.[3]
The Act authorizes the FTC to bring enforcement actions for violations of the Final Rule in the same manner as for other rules defining unfair and deceptive acts or practices under Section 5 of the FTC Act. In addition, Section 1305 authorizes state attorneys general to enforce compliance with the Final Rule by filing actions in federal court after serving prior written notice upon the FTC when feasible.[4]
The law also provides for industry groups or others to develop self-regulatory “safe harbor” guidelines that, if approved by the FTC, can be used by websites to comply with the law. The FTC approved self-regulatory guidelines proposed by the Better Business Bureau on January 26, 2001. On June 11, 2003, then-FTC Chairman Timothy Muris stated in testimony to the Senate Commerce Committee that the FTC had brought eight COPPA cases, and obtained agreements requiring payment of civil penalties totaling more than $350,000.[5]
As required by COPPA, on April 21, 2005, the Commission issued a request for public comment on its Final Rule, five years after the rule's effective date. [6] Comments were requested on the costs and benefits of the rule; whether it should be retained, eliminated, or modified; and its effect on practices relating to the collection of information relating to children, children’s ability to access information of their choice online, and the availability of websites directed to children.
FTC Final Rule[]
To implement COPPA's provisions, the Act mandated that the FTC issue rules prohibiting unfair and deceptive acts or practices in connection with the collection, use, and disclosure of personal information from and about children online. The Commission published its proposed Rule for public comment in April 1999.[7] The Commission received 147 comments on a broad range of issues, many of which contained suggestions that the Commission incorporated into its final Rule.[8] The Commission published the final Rule on November 3, 1999[9] and it became effective on April 21, 2000.[10]
The Rule imposes requirements on operators of websites or online services directed to children under 13 years of age or that have actual knowledge that they are collecting personal information online from such children (collectively, “operators”).[11] The Rule requires certain website operators to post privacy policies, provide notice, and obtain parental consent prior to collecting, using, or disclosing personal information from children. The Rule's key provisions require operators to provide notice of their information practices to parents and to obtain “verifiable parental consent” prior to collecting, using, or disclosing personal information from children under 13. As set forth in the Rule, "verifiable parental consent" means that the consent method is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.[12] The Rule also sets forth a sliding scale approach to obtaining verifiable parental consent based upon the risks posed by the intended uses of the child’s information.[13]
The Rule contains a "safe harbor" provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule's protections.[14]
COPPA authorizes the FTC to enforce the COPPA Rule in the same manner as rules prohibiting unfair and deceptive acts or practices promulgated by the Commission under Section 18(a)(1)(B) of the Federal Trade Commission Act (the "FTC Act").[15] This permits the FTC to obtain civil penalties against those who violate the COPPA Rule. COPPA further authorizes state attorneys general to enforce compliance with the Rule by filing actions in federal court with written notice to the Commission.[16]
To implement the Act and the Rule, the Commission has engaged in rulemaking, law enforcement, and consumer and business education. Since the COPPA Rule became effective in 2000, the Commission has brought twelve law enforcement actions, including eleven civil penalty actions, against those who were alleged to have violated the Rule.[17] The FTC and its staff also continually engage in extensive outreach to businesses and consumers to foster knowledge of and compliance with the Rule and to help parents protect their children in the online environment.[18]
References[]
- ↑ COPPA should not be confused with COPA — the Child Online Protection Act — which addresses protecting children from unsuitable material, such as pornography, on the Internet.
- ↑ More information about the 1996 and 1997 privacy workshops are available here.
- ↑ See “FTC Seeks Public Comment on Children’s Online Privacy Rule," FTC press release, April 21, 2005.
- ↑ 15 U.S.C. §6504. To date, only Texas has filed law enforcement actions under COPPA. See “Attorney General Abbott Takes Action Against Web Sites That Illegally Collect Personal Information from Minors” (Dec. 5, 2007).[1]
- ↑ See Prepared statement of Timothy Muris, Chairman, Federal Trade Commission, at 10.
- ↑ See “FTC Seeks Public Comment on Children’s Online Privacy Rule," FTC press release, April 21, 2005.
- ↑ 64 Fed. Reg. 22750 (Apr. 27, 1999).
- ↑ The comments are available here.
- ↑ 64 Fed. Reg. 59888.
- ↑ 16 C.F.R. Part 312.
- ↑ See id. §312.3.
- ↑ See id. §312.5(b)(1).
- ↑ See id. §312.5(b)(2).
- ↑ See id. §312.10; 64 Fed. Reg. at 59906-08, 59915.
- ↑ 15 U.S.C. §§6503(c), 6506(a), 6506(d); 15 U.S.C. §41 et seq. § 57a(a)(1)(B).
- ↑ 15 U.S.C. §6505.
- ↑ Press releases about the cases and copies of the pleadings are available here
- ↑ See, e.g., the Commission’s COPPA education and guidance materials, available here, and information about the staff’s 2000 compliance workshops for website operators, available here, here, and here.