The Children’s Online Privacy Protection Act (COPPA) is the U.S. law that protects children’s online data. The Act was passed in 1998, and its corresponding rule, the COPPA rule, was enacted in 2000 and dictates how the Act must be followed. It requires website operators and online services directed at children under the age of 13 to get parental consent before they can collect, use or disclose children’s information.
That phrase, “directed at children,” is an important one.
COPPA might be a couple of decades old, but it's relevant now more than ever if you ask Sen. Ed Markey, a Democrat from Massachusetts, who's introduced new bills aiming to create more stringent rules around children's privacy. He has also led a bipartisan call for the U.S. Federal Trade Commission (FTC) to investigate COPPA violations given the uptick in children's use of technology during the COVID-19 pandemic.
While penalties for non-compliance can be steep — companies can be fined $42,530 per violation, per child, per day — the criticism over the law in recent years is that it hasn’t been enforced to its full extent. The FTC oversees COPPA compliance, and some say the agency should be tougher on giant technology companies that violate the law.
If you fine the local bakery a million dollars, it's dead. If you fine Google a million dollars, does it deter them from misbehaving in the future? They can pay that fine over and over without having to restructure a thing.
Perhaps the most newsworthy COPPA enforcement case came in September 2019, when the FTC settled with Google, which owns YouTube, for $170 million over allegations it profited from illegally collecting children’s personal data.
After the FTC announced the settlement, the largest in COPPA history to date, critics said it was weaksauce.
“The FTC pulled the curtain back on this practice, but it did not go far enough to put in place critical new rules for accountability,” said Senator Markey, who authored COPPA in 1998. “The FTC let Google off the hook with a drop-in-the-bucket fine and a set of new requirements that fall well short of what is needed to turn YouTube into a safe and healthy place for kids.”
In the 22 years since COPPA became law, the FTC has invited comments on the rule three times: once in 2005, once in 2010 and, most recently, in 2019. After several rounds of public comments in 2010, the FTC revised the rule to give children and parents more control over their information by expanding the information that couldn’t be collected without consent and extending those covered by COPPA to include third parties, among other changes.
While COPPA is a well-established law, it’s still not one that’s well understood. That’s according to Linnette Attai, who spent 12 years doing privacy at Nickelodeon before founding PlayWell, a consultancy on children’s and students’ privacy. Part of the problem is whether companies self-identify as a service geared toward children.
“Especially given non-traditional children’s companies that may be working as service providers in the children's space,” she said. “I think, to a certain extent, there are some children’s start-ups that struggle a bit; not in understanding the intent of the law, but in putting the practices into place and implementing properly.”
Hogan Lovells attorney Tim Tobin represented SONY BMG when the FTC investigated it for COPPA violations in 2008. The case settled for $1 million, the largest settlement to date at that time. He agreed with Attai that establishing whether your service or site is covered by COPPA is key and most often the reason for non-compliance.
The FTC outlines in its FAQs what kind of attributes qualify a website or service as child-geared. The checklist includes whether subject matter features “visual content,” “presence of child celebrities” and “music or other audio content.”
The thing is: A lot of sites do those kinds of things for adults. Is it on them if those adults’ children stumble upon their site?
“There’s some room for interpretation,” Tobin said. “You could have animation, but that doesn’t make sure it’s child focused. It can be a little bit difficult at times to sort of know exactly where the line is drawn.”
Attai said sites or services not recognizing they’re “child-directed” is a pitfall she sees companies fall into often, and that they must conduct a “totality-of-circumstances” test.
“Your intention about whether or not you want to attract or are targeting kids under 13 is nice, but if you look and feel and smell and act as if you are intended for kids under 13, COPPA applies,” she said.
Perhaps indicative of such confusion, the FTC released its latest iteration of FAQs in July 2020.
Attai said companies also frequently run into legal trouble by not monitoring their third-party vendors closely enough, or what she called their “third-party footprint.” Companies are responsible for their vendors’ compliance as well as their own.
“Under COPPA, you’re required to do privacy and security due diligence and make sure [your vendors] comply with COPPA,” said Attai.
There’s a standard in COPPA called “actual knowledge.” You have “actual knowledge” of kids using your site either when you’re marketing directly to children or you know you’re collecting children’s data -- whether they’re the intended audience or not.
“When [the vendors] do not have actual knowledge, then you have strict liability for their behavior with respect to the children’s data. When they do have actual knowledge, you still have liability, it’s just shared,” Attai explained. “You are required under COPPA to have done the diligence and put the controls in place to make sure they can and do comply. And that gets very complicated, and we see it across industries.”
Looking ahead to whether COPPA will be amended again, it’s tough to say. The FTC solicited its most recent round of public comments in December 2019, before the world stopped. There are currently calls to change the age of children covered under COPPA from 13 to 16. The EU’s sweeping privacy law, the General Data Protection Regulation of 2018, treats anyone under the age of 16 as a child. Some say that would be the best approach in the U.S., as well, and it would help inch the U.S. closer to what’s largely seen as the global standard or gold seal of privacy law.
Having said all that, Tobin doesn’t think we’ll see big changes on COPPA in the near term.
“I think from an FTC rulemaking perspective, I think we would see more changes at the margins and not anything massively substantive,” he said. “I think it would take federal legislation to broaden the age.”
Tobin refers to pushes in the U.S. for a federal privacy law. While advocates, lawmakers and even industry have been calling for clear rules on privacy for years, it seems more and more likely as the EU takes punitive measures against the U.S. for its failure to establish one. Most notably, the EU recently invalidated the Privacy Shield, a data-transfer mechanism for companies moving data from the EU to the U.S. It’s the second such agreement the EU has invalidated in less than a decade.
“Whether that will happen is very difficult to say,” he said. “With the Democrats taking control of the House and Senate and Presidency, I suspect the chances have increased of federal legislation. But it’s still a big undertaking to get everyone aligned.”
The most important and quite simple take-away from any primer on COPPA is this, according to Attai.
“If you have knowledge that you are collecting personal information from children under the age of 13, even if you did not intend to or not designed to market to people under 13, you need to create protections around that data,” she said.