What's Going on With the Children's Online Privacy Protection Act (COPPA)?

The Children’s Online Privacy Protection Act was passed in 1998 and governs the way websites and services handle children’s data.

Data privacy as a whole is becoming an increasingly important issue for businesses, and there are few areas of data privacy taken more seriously than children’s data privacy. Currently, there are multiple regulatory efforts to increase protection and businesses’ obligations for children’s data. In this blog, we’ll talk about the major current legislation protecting children’s data (i.e., COPPA), as well as the potential new laws businesses will need to contend with.

What Is COPPA?

The Children’s Online Privacy Protection Act (COPPA) is the U.S. law that protects children’s online data governs the way websites and services handle children’s data. Passed in 1998, its corresponding rule, the COPPA rule, was enacted in 2000 and dictates how the Act must be followed. It requires website operators and online services directed at children under the age of 13 to get parental consent from users before they can collect, use or disclose that information. 

While COPPA is a well-established law, it’s still not one that’s well-understood. That’s according to Linnette Attai, who spent 12 years doing privacy at Nickelodeon before founding PlayWell, a consultancy on children and students’ privacy. Part of the problem is whether companies self-identify as a service geared toward children. 

“Especially given non-traditional children’s companies that may be working as service providers in the children's space,” she said. “I think, to a certain extent, there are some children’s start-ups that struggle a bit; not in understanding the intent of the law, but in putting the practices into place and implementing properly,” she said. 

Hogan Lovells attorney Tim Tobin represented SONY BMG when the FTC investigated it for COPPA violations in 2008. The case settled for $1 million, the largest settlement to date at that time. He agreed with Attai that establishing whether your service or site is covered by COPPA is key and most often the reason for non-compliance. 

The FTC outlines in its FAQs what kind of attributes qualify a website or service as child-geared. The checklist includes whether subject matter features “visual content,” “presence of child celebrities,” and “music or other audio content.” 

The thing is: A lot of sites do those kinds of things for adults. Is it on them if those adults’ children stumble upon their site? 

“There’s some room for interpretation,” Tobin said. “You could have animation, but that doesn’t make sure it’s child focused. It can be a little bit difficult at times to sort of know exactly where the line is drawn.”

Attai said sites or services not recognizing they’re “child-directed” is a pitfall she sees companies fall into often, and that they must conduct “totality-of-circumstances” test. 

“Your intention about whether or not you want to attract or are targeting kids under 13 is nice, but if you look and feel and smell and act as if you are intended for kids under 13, COPPA applies,” she said. 

Attai said companies also frequently run into legal trouble by not monitoring their third-party vendors closely enough, or, what she called their “third-party footprint.” Companies are responsible for their vendors’ compliance as well as their own.

“Under COPPA, you’re required to do privacy and security due diligence and make sure [your vendors] comply with COPPA,” said Attai. 

There’s a standard in COPPA called “actual knowledge.” You have “actual knowledge” of kids using your site either when you’re marketing directly to children or you know you’re collecting children’s data—whether they’re the intended audience or not. 

“When [the vendors] do not have actual knowledge, then you have strict liability for their behavior with respect to the children’s data. When they do have actual knowledge, you still have liability, it’s just shared,” Attai explained. “You are required under COPPA to have done the diligence and put the controls in place to make sure they can and do comply. And that gets very complicated, and we see it across industries.”

Recent Enforcement Actions

While penalties for non-compliance can be steep—companies can be fined $42,530 per violation per-child, per-day—the criticism over the law in recent years is that it hasn’t been enforced to its full extent.

If you fine the local bakery a million dollars, it's dead. If you fine Google a million dollars, does it deter them from misbehaving in the future? They can pay that fine over and over without having to restructure a thing. 

Perhaps the most newsworthy COPPA enforcement case came in September 2019, when the FTC settled with Google, which owns YouTube, for $170 million over allegations it profited from illegally collecting children’s personal data. $170 million is significant, but critics claim it isn’t significant enough for Google.

Broadly, however, COPPA and the FTC have been criticized for lacking teeth and not taking large enough steps to enforce the rule. While a recent policy statement from the FTC promised that the agency would be vigorously enforcing the rule, there have still been calls for new legislation and legislative updates to broaden COPPA’s coverage, increase enforcement, and introduce additional data privacy protections for children.

Will the FTC Update the Rule?

In September 2022, Senator Ed Markey (who first authored the 1988 bill) along with Senator Richard Blumenthal and Representatives Kathy Castor and Lori Trahan issued a letter urging the FTC to update the rule. While the letter applauded recent FTC efforts to update rules around digital advertising and children, it also highlighted the need to update COPPA specifically, including:

• Expanding COPPA’s definition of “personal information”
• Implementing rules to COPPA’s requirement that platforms protect the confidentiality, security, and integrity of children’s data
• Implementing new regulatory protections around the use of online platforms for educational purposes
• Implementing rules around COPPA’s prohibition on encouraging children to share more data than is reasonably necessary

Updates like these are long overdue—the last time that the FTC updated the COPPA rule was in 2013, when the internet was a very different place. The FTC did implement a rule review in 2019, but that review is still on-going today. To date, the review has received over 176,000 public comments that the FTC needs to consider, but there are more reasons than just the high volume of comments behind why the FTC hasn’t made a COPPA update.

Congress may have called for the FTC to update the COPPA rule, but the FTC’s Commissioner Bedoya has, in turn, called for Congress to pass new legislation. 

A quick note on the timeline here—Bedoya made his request to Congress before Markey and colleagues drafted their letter to the FTC. In essence, the FTC believes the underlying law needs to be strengthened, and in response, Congressional leaders are saying updates cannot wait for the slow pace of the legislative process.

There are indeed several legislative updates in the works as of this writing, but they face their own challenges.

The Bills Waiting in the Wings: COPPA 2.0, KOSA, and the ADPPA

Three laws could serve as a major update to COPPA and children’s data privacy in the U.S. should they be enacted into law, but all three face major hurdles to overcome.

COPPA 2.0

Most notably, there is the COPPA 2.0, which would:

• Prohibit internet companies from collecting personal information from 13- to 16-year-olds without the user’s consent
• Ban targeted marketing to children
• Create an online “eraser button” that would enable users to eliminate personal information from a child or teen
• Implement a digital marketing bill of rights for minors that would limit the collection of children’s data
• Establish a Youth Privacy and Marketing Division at the FTC, which would be responsible for addressing marketing directed at and the privacy of children and minors

KOSA

Then, there’s KOSA, or the Kids Online Safety Act. This bill would be more directed at platforms’ design and operations for children, and features requirements around:

• Social media platforms preventing and mitigating harmful content for minors, such as addressing content around substance abuse, self-harm, and the like
• Defaulting to the strictest privacy settings for minors
• Providing minors and parents privacy controls, such as the ability to opt-out of recommendation systems that use a minor’s personal data, to limit “features that increase, sustain, or extend use” of an online service, and to limit time minors spend on a service
• And more

Both bills have successfully made it out of committee and are, as of this writing, awaiting a vote on the Senate floor. For the most part, supporters of one bill also support the other. Some committee members, however, voted against these bills or voted for them but called for another bill to take priority: The ADPPA.

ADPPA

The ADPPA, or the American Data Privacy and Protection Act, would be an omnibus data privacy bill like the GDPR, and would institute privacy protections for a wide swathe of Americans, including children. To a certain extent, the legislative future of the ADPPA is at odds with COPPA 2.0 and KOSA; there’s a lack of consensus around whether smaller bills targeted at children’s data privacy (COPPA 2.0 and KOSA) should be prioritized for a vote on the Senate floor, or whether a long-overdue federal data privacy bill like the ADPPA is a better candidate for being enacted into law. Unlike COPPA and KOSA, the ADPPA is awaiting a House floor vote.

That’s par for the course in Washington: competing legislative priorities, politicking, and the practicality of predicting a bill’s actual odds of success have things tied up for the moment. Meanwhile, individual states haven’t been waiting on Washington.

California Pushes Ahead With Children’s Data Privacy

While Congress debates federal-level children’s data privacy bills, California recently passed the California Age-Appropriate Design Code Act into law. Under this law, any business that is also subject to the California Consumer Privacy Act (the CCPA) and that provides an online service, product or feature “likely to be accessed by children” under the age of 18 would be subject to regulation.

In comparison to COPPA, California’s law features a much broader standard for services that are “likely to be accessed by children.” These services are those that are either directed to children or have actual knowledge they are collecting the personal information of children online. A “child” is also defined more broadly under the California law—COPPA considers anyone under 13 to be a child, while California’s act considers anyone under the age of 18 to be a child.

The California Age-Appropriate Design Code Act also imposes requirements on businesses that go above and beyond COPPA, including:

• Defaulting privacy settings to the highest level
• Providing concise and clear privacy information suitable for a child’s comprehension
• Conducting a data protection impact assessment before launching any new product or service likely to be accessed by children
• Clearly denote when a child is being monitored or tracked by a parent or guardian
• And more

California swings a lot of weight around in the legislature, and the passage of this bill could interfere with the passage of federal children’s privacy laws. We’ve already seen California representatives raise concerns that the ADPPA would preempt the stricter California data privacy law (the CCPA/CPRA). If COPPA 2.0 and/or KOSA are seen as being less strict than the California Age-Appropriate Design Code Act, the same concerns could be at play.

Slow But Steady Progress Toward Stronger Regulation

The trend is clear: Although legislation and rule updates take time, there is significant motivation and momentum to implement stronger regulations around children’s data. The big trap that businesses may fall into is believing that they have plenty of time to act before these various regulatory changes take place.

Compliance as a whole takes time to get right, and enforcement agencies treat businesses that can demonstrate they’ve been taking action to become compliant more favorably. If your business collects or processes children’s data in some capacity, now is a great time to turn your attention to becoming compliant.

Here are some important first steps to take:

• Review and update your privacy policy
• Learn more about the potential new laws you may be subject to, like the ADPPA
• Learn more about what constitutes personal data in general and what constitutes children’s data

After all, compliance is impossible if you’re not sure what you need to comply with.