The Children’s Online Privacy Protection Act is a federal law in the United States that came into effect in 2000 and protects personal information of children under 13.
by Usercentrics, Nov 3, 2021
The Children’s Online Privacy Protection Act (COPPA) (sometimes shown as the Children’s Online Privacy Protection Rule, still with the COPPA acronym) is a federal privacy law in the United States that was passed in 1998 and came into effect in 2000. It has since been revised a number of times by the Federal Trade Commission (FTC). It protects the personal information of children under 13 years of age and requires website and online service operators to obtain parental or guardian consent for the collection of that personal information. To date the US does not have a federal privacy law that encompasses both adult and child residents.
The Children’s Online Privacy Protection Act applies to organizations that knowingly collect the personal information of children under age 13 online. However, because websites and social platforms are ecosystems, not silos, the law goes into more detail and applies to organizations that:
Personal information within the scope of COPPA is fairly standard compared to other privacy laws, though it is a little more detailed regarding online account identifiers and digital media. In Part 312.2 (Definitions) it includes:
COPPA became law in 1998 before many of today’s popular online social platforms were developed, and before the ubiquity of smartphones and apps. Sites like SixDegrees and Classmates existed in the late 1990s, but LinkedIn and MySpace didn’t launch until 2003. Facebook arrived in 2004, Twitter in 2006, and Instagram in 2010. TikTok existed in a previous form in 2015, but wasn’t available worldwide until 2018. The iPhone launched in 2007, kicking the smartphone revolution into high gear.
COPPA has been updated over the years to reflect digital advances, and its definition of a “website or online service” includes:
In Part 312.2 (Definitions), the Act states:
In determining whether a Web site or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.
So, in short, the website or online service:
The personal information of children under 13 cannot be collected without verifiable parental consent if the data controller can reasonably know that the individual is a child and the personal information is identifiable.
In the United States, consent is generally only required prior to the collection of personal information where the data subject is a child or if the data is considered “sensitive”. This is an “opt-out” model, and is used in California, Virginia and Colorado’s laws. The other common “opt-in” model is used in many other countries, including the European Union’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados Pessoais / General Data Protection Law (LGPD) and South Africa’s Protection of Personal Information Act (POPIA).
Before entities can collect, use, or disclose children’s personal information, they must obtain consent. Because children cannot legally consent themselves, it must be obtained from a parent or guardian. There is leeway in how parents/guardians are informed about the request to collect information, and the purposes for its use.
However, regardless of the technology or platform used, the method must clearly communicate what personal information from the child would be collected, and how, and how it would be used and potentially shared with any third parties.
The organization must also take reasonably robust steps to verify that the parent/guardian is the one providing the consent.
Acceptable methods of obtaining parental consent include:
Parents also have the option to provide consent to the collection and use of the child’s personal information by the requesting organization, but refuse consent for the disclosure of the information to third parties.
If a child’s personal information will be collected but only used internally by the organization collecting it, and not disclosed, “email plus” consent and verification is acceptable. By this method, the organization emails the parent, who responds with their consent. Confirmation of consent is then sent to the parent via email, letter, or phone call.
Parents/guardians must be informed that they can revoke consent at any time, and if changes are made to the collection, use, or disclosure practices consented to, new notification must be provided and new consent obtained.
There are some instances wherein consent is not required to collect or use children’s personal information, though it should be noted that there may be specific notification requirements even if one or more of these conditions are met.
The following conditions and purposes outline when the child’s, parent’s, or contact information of both can be collected without consent.
Since COPPA is meant to protect children, unsurprisingly companies’ obligations outlined in the Act are fairly detailed. As already noted, parental consent must be obtained under many circumstances before children’s personal data can be collected or used. Organizations must also have reasonable procedures to protect the confidentiality and security of the information they collect, which is standard in all privacy law.
Companies must also provide an easily accessible privacy policy listing the following:
COPPA violators may be fined up to US $43,280 per violation, with enforcement handled by the Federal Trade Commission. Google was fined US $170 million in 2019 for violations on YouTube, where children’s personal information was collected without consent and used to target them with advertising. Outside of the US, a class action lawsuit filed in the UK in 2020 seeks US $3.2 billion for similar violations of children’s data privacy on YouTube.
It should be noted that, while foreign companies are subject to COPPA if they collect or use the personal information of American children, the FTC rarely pursues enforcement actions against foreign companies, in good part due to a number of practical challenges. One significant recent exception is the US $5.7 million settlement against Chinese company ByteDance, owners of the TikTok app. TikTok has a significant user base in the United States, and legal action has been brought against it (and ByteDance) over privacy violations under the California Consumer Privacy Act (CCPA).
As the mobile industry continues to grow, more children have mobile devices and spend more time in front of screens, so privacy laws will need to continue to evolve regarding protecting children, and further enforcement and penalties for violations (globally) are to come.
Data retention and deletion requirements were introduced into COPPA in the 2011 revisions. Under Section 312.10, children’s personal information could only be retained for as long as was necessary to achieve the purpose for which it was collected. This is fairly standard in other privacy laws as well. Additionally, reasonable measures must be taken in deleting the information to protect it from unauthorized access or use.
As noted above, prior to deletion, if the purpose for collection changed, either by the organization that collected it or an approved third party processor, the parent/guardian had to be notified and new consent obtained for the new use. Also added in 2011 was the requirement that third parties to which children’s personal information was disclosed have reasonable security measures in place to protect data.
Australia
Australia’s Privacy Act has been in place since 1988, with significant amendments in 2000. It does not make any specific reference to children or protection of their personal information. However, government representatives have said that such stipulations and related penalties would be added, though that would be contingent upon their party’s re-election.
Brazil
The LGPD, enacted in 2020, follows the model of requiring enhanced protections for children’s personal information. Like in COPPA, companies must clearly state what data they plan to collect, and for what purposes. Reasonable efforts must also be made to obtain parental/guardian consent for data collection, and verify that consent has actually come from the parent/guardian.
Brazil’s data protection authority will also introduce further regulation and enforcement regarding protection of children’s personal information online.
China
China has had Provisions on the Cyber Protection of Children’s Personal Information in place since 2019, and now in addition the Personal Information Protection Law (PIPL) comes into effect November 1st, 2021. Under Article 15 of the PIPL, children’s age of consent is 14, and for children who are younger, consent for data collection and use must be obtained from the child’s parent or guardian.
PIPL is also extraterritorial, applying to organizations outside of China where the purpose is to provide products or services to “domestic natural persons”, to analyze and evaluate activities of domestic natural persons and/or other circumstances covered by law or administrative regulation. Article 39 of the PIPL includes stipulations about cross-border transfer of personal information, which requires a separate consent, and children’s personal information is included under that.
A number of international privacy laws include children’s personal information under their definitions of “sensitive”; however, the PIPL has specific stipulations regarding children’s sensitive personal information in Article 29, defining it as “the personal information that may lead to discrimination or serious harm to personal or property safety once disclosed or illegally used, including such information as race, ethnicity, religious belief, personal biological characteristics, medical health, financial accounts and personal whereabouts.”
While parental/guardian consent is already required to collect or use children’s information, additional, explicit consent must be obtained for children’s sensitive personal information under the PIPL.
European Union & UK
The GDPR has had enhanced protections for children since 2018, but still lacks explicit detail regarding what higher standards for protecting children’s personal information should be. As a result, some EU countries have begun to implement their own laws and enforcement regarding data rights and protections of children.
An inconsistent patchwork of regulation presents its own difficulties, however. Under the GDPR, for example, member states can set their own age at which children can provide their own consent. The youngest allowable age is 13, but in Ireland and the Netherlands it’s 16. Robust age verification online remains a consistent regulatory issue across the EU, especially as the types and volume of online services continue to grow.
India
India does not yet have a privacy law in effect, but legislation does have child-specific data protection provisions, and defines children as under age 18. The legislation would ban directly targeting ads to children, as well as profiling, tracking or monitoring their behavior online.
Children’s privacy and protection has become a notable issue on other fronts as well. For example, TikTok was banned by the high court, though that was overturned. It was still ordered removed from the Apple and Android app stores, however. TikTok has 119 million users in India, many of whom are assumed to be children under 18.
South Africa
South Africa has had a privacy law in place since 2013, and under Section 1 of the POPIA children are defined as under age 18, and “not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself”.
Under POPIA, verification from the “competent person” is not required, so it is not explicitly required that this person be a parent or guardian. However, Section 35 outlines further stipulations regarding children’s personal information, including circumstances under which it can be processed, when consent of the aforementioned competent person does or does not need to be obtained, and other conditions.
South Korea
Korean privacy law was updated for 2020. Under it, explicit consent has to be obtained from a parent or guardian for the collection or use of children’s personal information if they are age 14 or under.
Interestingly, Korean lawmakers clearly understand the broad societal influence of mobile technology, and viable parental consent methods include text message, smartphone authentication, or payment information, with companies then sending agreements back to the parent or guardian.
Stronger provisions for consent verification were introduced in addition to broader consent requirements for data processing, with the goal of improving enforcement, as it was found that some online service providers were not rigorous in their duty to obtain and verify consent before collecting children’s personal information.
Organizations are also required to use “clear and easily understandable language” in communication of privacy policies to children.
United States
Protecting children’s privacy seems to be a rare bipartisan issue in the US, and in addition to COPPA, children’s privacy and consent for usage of their data has been addressed in state-level laws passed to date. California, Virginia and Colorado all specify the “sensitive” nature of children’s personal information, and have stipulations regarding consent for its collection and use. It is very likely all future state-level laws will follow suit, as would any federal-level law that is eventually passed, unless it explicitly defers to COPPA. COPPA has also undergone revisions in the two decades since it was passed, and it is likely that it will continue to be revised as technologies change.
To date, provisions for children’s data privacy are not ubiquitous globally, but then, neither are privacy laws in general. However, with ever-evolving technology and more and more children spending more and more time with smartphones, protecting and securing their privacy and data is an ongoing and growing concern for many governments.
The importance of the issue in an increasingly digital world is illustrated in the United States, where the Children’s Online Privacy Protection Act has been in place for over 20 years, and continues to be updated as the media and technology landscapes change.
Such privacy laws must continue to address the types of data that can be collected and used. For example, biometric data is becoming increasingly available. How data is used also continues to evolve, with AI being increasingly used for processing and decision-making. Ideally, advances in technology will also be used to improve verification methods for consent.