COPPA: the Children's Online Privacy Protection Act — explained

A brief outline of the US Federal Trade Commission’s (FTC) rule that seeks to protect the data of young children

The Children’s Online Privacy Protection Act (which we will shorten to COPPA from now on) was put in place in 2000 to give parents and guardians more control over how the data of their children (under the age of 13) is collected and processed. If you want, you can read the whole thing — however we’ve very conveniently pulled out the key parts for you 😉.

Here’s how the FTC summarise the rule, with important bits in bold:

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

So let’s just clarify the parts that are in bold there. First of all…

What are ‘websites or online services’?

Okay so: the rule falls on those running a site or service — they are the ones who get in trouble if they break the rule. But, what does ‘website or online service’ include?

• Your traditional web page that you access via a browser (like this one)
• Apps: games, social media, streaming services, etc.
• Location services (basically anything that tracks your location)
• Plug-ins and extensions to your site or service
• Physical objects that are connected to the internet: toys, smart devices, anything within the IoT
• Ad networks: Facebook, Google, and any other service that collects data in order to serve personalised adverts.

So these things are quite literally anything that needs the internet to work, which is a lot of stuff in 2019.

But, as you can see from the summary, the FTC have identified two camps here:

CAMP ONE: Sites and services that are directed to children under 13 years of age

CAMP TWO: Other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

So, quite obviously, this rule applies to those making things specifically aimed at children. But this rule also applies to any other site or service — as long as they know they are collecting data from those under the age of 13. But how can you know that?

How Coors manage underage visitors of their site. I’m sure no one has ever lied on one of these…

The only way, ironically, would be to collect some data: i.e. date of birth. Just like Coors Light do.

Regardless of camp, the collection of personal information is most likely going to happen, so the next question is…

What do they mean by ‘personal information’?

In this case, the FTC mean the following:

(1) A first and last name;

(2) A home or other physical address including street name and name of a city or town;

(3) Online contact information as defined in this section;

(4) A screen or user name where it functions in the same manner as online contact information, as defined in this section;

(5) A telephone number;

(6) A Social Security number;

(7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;

(8) A photograph, video, or audio file where such file contains a child’s image or voice;

(9) Geolocation information sufficient to identify street name and name of a city or town; or

(10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

These ten things cover almost any kind of data that you might produce simply by interacting with anything on the internet.

Pay special attention to number 7: while we know that ‘persistent identifiers’ such as cookies have a lot of fairly well-established guidance around them already; you need to get consent for cookies that are not necessary for you to deliver your service to anyone, not just children.

But number 7 also says that your IP address counts as personal information — this is something that websites and your internet service provider collect almost automatically, all the time — you need an IP address to even make a request to load the page.

This definition is important, because it presents challenges for the following section…

What are the ‘certain requirements’ imposed on sites and services collecting this personal info?

There are five general requirements, which I shall put into plain English. The site or service must:

1. Be transparent about what data it collects about children under 13: this needs to be some kind of clearly written notice that is given directly to a parent/guardian, or it’s located in a very obvious place within the site or service (like a privacy policy)
2. Get verifiable consent from a parent or guardian before any data collection has taken place.
3. Allow the parent/guardian easy access to the data collected about their child: they should be able to see it, have it deleted, or restrict it’s usage.
4. Not put up walls to content: so asking for a child’s address so that they can unlock access to a game is not allowed; unless you somehow need that data for the game to work.
5. Have well established procedures which protect the child’s data: for instance, deleting the data you collected once you no longer have a need for it.

These guidelines are clear, but how do they work in practice? Requirement 2 has proven especially difficult: remember that the FTC consider IP address ‘personal information’. How do you let a website know that you’re okay with them collecting your IP address or device information before your child has even visited the site?

How does the FTC enforce the COPPA rule?

Why, with fines of course. If the FTC somehow find out that you don’t comply with COPPA, you would be fined up to $41,484 per violation.

Earlier this year, TikTok paid out $5.7 million for their COPPA violations. And which bits did they violate? Yes that’s right, the parts where they need to inform parents on how their children’s data is used, and to get consent for that usage.

It’s those parts of the rule that companies consistently break — that’s because it’s almost impossible to follow. There’s nothing stopping a child from going to a site with a DOB wall (like the Coors one) and lying about their age.

So the rule states that the requirements apply to sites and services that know they are collecting data from those under 13. Well, Facebook actually doesn’t allow anyone under 13 to sign up. So they’d be exempt from the rule anyway. But how do they know which users are lying about their age?

Dunno if this letter will get there in time, but worth a try…

The guidance on getting consent from parents says nothing about how and when a business might actually ask for the consent before the data has been collected. It only talks about the ways in which you can verify the parent or guardian. One way is to print, sign, and post a form to the website or service owner 🤦🏻‍♀️.

The COPPA rule is… super old

One of the biggest issues with the COPPA is that it was written more than twenty years ago, and ‘updated’ in 2013. The FTC originally said that it would review the rule every ten years — in 1998 they probably did not foresee how quickly technology would move. Which is fine; no one really knew what the internet was yet at that point.

A famous moment from the 90s; no one quite knew what the internet was yet, and that was okay

Earlier this year the FTC announced they’d be reviewing the rule much earlier than ten years, and have even reached out to the public with questions on how it can be improved, leading up to a public workshop this October.

In short, the COPPA is there to help parents and guardians better control the flow of their children’s data — but it doesn’t really do that yet. Watch this space for updates in October.

Georgia Iacovou

Content Writer