2A-4-Children's Online Privacy Protection Act of 1998 (COPPA)
Safe Harbor
To demonstrate compliance with COPPA, entities are allowed to participate in a seal program administered by various entities pursuant to the statute's safe harbor provisions. Specifically, the statute provides that "[a]n operator may satisfy the requirements of regulations issued under section 6502(b) of this title by following a set of self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, approved" by the FTC. If a company is in compliance with one of these seal programs, it is "deemed" to be in compliance under COPPA. The entities participating in this seal program include: Aristotle International Inc., Children's Advertising Review Unit (CARU), Entertainment Software Rating Board (ESRB), iKeepSafe, kidSAFE, PRIVO, and TrustArc (formerly TRUSTe, Inc.).
Internal Procedures
Operators must implement "reasonable" confidentiality, security, and integrity procedures governing the use of information collected pursuant to COPPA. This includes procedures governing the destruction of any personal information collected about children once its retention is no longer "reasonably necessary to fulfill the purpose for which the information was collected."
Parental Access
Parents have the right under COPPA to access information collected on their child and to withdraw consent to further collection of personal information. In addition, a website operator cannot condition participation in an online game or other activity on the disclosure of personal information not reasonably necessary for participation in that activity.
Key Points
- Prohibits unfair or deceptive acts or practices in connection with the collection, use, or disclosure of personal information of children under 13 years old
- Applies to all "operators" of commercial websites that collect personal information about their visitors (non-profits exempt)
- Operators must provide notice of privacy practices, with link to privacy notice on landing page and any page where information is collected
- Operators must obtain "verifiable parental consent" before any personal information of the child is processed; can be obtained by any reasonable means
- Parental access rights
- Operators must implement "reasonable" confidentiality, security, and integrity procedures
- Operator may take part in a safe harbor program to be "deemed" in compliance
- Violations are prosecuted in the same way as Section 5 enforcement action; state attorneys general can also enforce
- State laws are preempted but stricter state laws are permitted (California and Delaware both regulate between ages 13-18)
- No private cause of action
"Verifiable Parental Consent"
Additionally, operators must obtain "verifiable parental consent" before any personal information of the child is collected, used, or disclosed by the operator. Operators must also provide a way for parents to consent to the collection of data, without also being forced to consent to the disclosure of such data to third parties. "Verifiable parental consent" can be obtained by any method "reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent." The FTC has set forth five illustrative examples of methods that it approves of for obtaining "verifiable parental consent": (1) Providing a consent form to be signed by the parent and returned to the operator by postal mail or fax; (2) Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder; (3) Having a parent call a toll-free telephone number staffed by trained personnel; (4) Having a parent connect to trained personnel via video-conference; or (5) Verifying a parent's identity by checking a form of government-issued identification against databases of such information, where the parent's identification is deleted after such verification is complete. There are a number of exceptions to this provision, which are mostly focused on the collection of information for one-time use and where information is collected for the purpose of increasing security for the child.
Notice Requirements
Any operator under COPPA that operates a website directed towards children, or that has actual knowledge that it collects personal information on children, must provide notice of what information is collected, how the operator uses that information, and whether that information is disclosed to third parties. This requires that operators maintain a link to their privacy policies on the landing page of the website, as well as on each page where personal information is collected from a child.
Children's Online Privacy Protection Act of 1998 (COPPA)
Beyond its Section 5 authority, the FTC is the lead federal agency responsible for protecting the privacy of children online pursuant to the Children's Online Privacy Protection Act of 1998 ("COPPA"). COPPA was intended to protect children under the age of 13 by prohibiting unfair or deceptive acts or practices in connection with the collection, use, or disclosure of their personal information. Unlike its rulemaking authority related to Section 5—which is both permissive (i.e., not required) and subject to the requirements of Magnuson-Moss—FTC rulemaking authority under COPPA is mandatory and subject to the Administrative Procedure Act.
Scope of COPPA
COPPA applies to all "operators" of commercial websites that collect personal information about their visitors. Non-profit entities are statutorily exempt from the definition of "operator." As defined under COPPA, personal information includes either a first and last name, home address, email address, telephone number, social security number, or any other identifier that the FTC determines "permits the physical or online contacting of a specific individual." The FTC has used its authority under COPPA to define "personal information" to include certain geolocation data and persistent identifiers "used to recognize a user over time and across different Web sites or online services," such as an IP address or information stored in cookies.
Enforcement
Violations of COPPA are prosecuted in the same manner that the FTC prosecutes violations of Section 5 of the FTC Act. State laws that are in conflict with any provision of COPPA are expressly preempted by the statute, although states are permitted to regulate activity not covered by COPPA. Both California and Delaware have done so by adopting laws protecting children between the ages of 13 and 18. Despite this preemption, COPPA provides state attorneys general with the authority to prosecute any violation of COPPA by filing suit in federal court. Before filing suit, the state attorney general must notify the FTC of its intent to bring an action, and the FTC is permitted to intervene in the case. There is no private cause of action under COPPA.