What You Need to Know About COPPA and Whether Websites are Using It
COPPA is supposed to protect our children. Some 21 years after it was first implemented, does it? Here’s a look at the act and whether an update is needed.
Back in 1998, the U.S. introduced the Children’s Online Privacy Protection Act (COPPA), which took effect in 2000. COPPA requires operators of websites or online services targeted at children under 13 years of age to follow certain rules. It also imposes requirements on the operators of other online entities that have actual knowledge that they are collecting personal information from children under 13.
After 21 years, it’s important to take a closer look at COPPA and decide whether it has proven successful. Unfortunately, the answer is largely a mixed bag — perhaps solely because of one single entity, YouTube.
More About COPPA
At the time of COPPA’s passage, very few websites had implemented privacy policies. At the same time, many of these same websites were beginning to collect personal information from their visitors. Unfortunately, many of these folks turned out to be children. COPPA requires that companies get parental consent before collecting information about underage site visitors.
According to the Federal Trade Commission (FTC), COPPA covers various stakeholders, including owners of websites or web services, whether they target children or not, and those who own an ad network and collect personal information about visitors.
What Sites Must Do
To remain in compliance, the various stakeholders must post a clear privacy policy on their websites, including a notice that parental consent is a legal requirement to collect personal data from those under 13. Additionally, these companies must obtain verifiable consent from parents before collecting any data about the visitor. Websites must also establish methods by which parents can revoke their consent.
Finally, when personal data is legally collected from children, the websites must implement procedures to prevent data theft. The site holders must also promise to keep the data for “only as long as is necessary.”
Online Services
It’s relatively simple to describe something as a website. However, some might be wondering about the broader term, online services. In addressing this, the FTC explains:
COPPA applies to personal information collected online by operators of both websites and online services. The term “online service” broadly covers any service available over the Internet, or that connects to the Internet or a wide-area network. Examples of online services include services that allow users to play network-connected games, engage in social networking activities, purchase goods or services online, receive online advertisements, or interact with other online content or services. Mobile applications that connect to the Internet, Internet-enabled gaming platforms, connected toys, smart speakers, voice assistants, voice-over-Internet protocol services, and Internet-enabled location-based services also are online services covered by COPPA.
Voluntary Collection
Websites that voluntarily seek to collect personal information from visitors, including those under 13, must still comply with COPPA.
FTC: “The Rule governs the online collection of personal information from children by a covered operator, even if children volunteer the information or are not required by the operator to input the information to participate on the website or service. The Rule also covers operators that allow children publicly to post personal information.”
Porn
Perhaps interestingly, COPPA has nothing to do with keeping underage children away from porn. Rather, its focus is to give parents control over the online collection, use, or disclosure of personal information from children. Furthermore, protecting children from certain types of questionable content was never one of its goals.
Penalties
A U.S. court has the power to fine violators up to $43,792 per violation. Different factors determine the amount of the civil penalties, including:
- The egregiousness of the violations
- Whether the operator has previously violated the Rule
- The number of children involved
- The amount and type of personal information collected
- How the information gets used
- Whether it was shared with third parties
- The size of the company
COPPA Privacy Policy: Key Points
To be compliant, a website’s privacy policy must identify categories of information:
- The name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service (or, after listing all such operators, provide the contact information for one that will handle all inquiries from parents);
- A description of what information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and
- A statement that the parent can review or delete the child’s personal information and refuse to permit its further collection or use. You must also state the procedures for doing so.
Are Websites Complying?
The FTC, using COPPA, has gone after numerous companies for violating the age rules and has issued fines. The bigger cases involved Musical.ly, Yelp, Path, Inc., TikTok, and many more. The biggest site brought before the FTC over COPPA was Google/YouTube in 2019.
In the largest fine ever collected under the Act, the FTC ordered the company to pay a fine of $170 million after accusing it of deliberately collecting user information for those under 13 without parental consent. As part of the settlement with the government, Google agreed to make important changes to the YouTube platform.
YouTube Changes
Beginning in 2020, YouTube promoted new rules that required content providers to state whether or not videos were “made for kids.”
According to Google, child-directed sites are those where:
- Children are the primary audience of the video.
- Children are not the primary audience, but the video is still directed at children because it features actors, characters, activities, games, songs, stories, or other subject matter that reflect an intent to target children.
Content not appropriate for children is:
- Content that contains sexual themes, violence, obscenity, or other mature themes not suitable for young audiences.
- Age-restricted videos that aren’t appropriate for viewers under 18.
To comply with its agreement with the FTC, YouTube’s “Made for Kids” content includes important restrictions, such as eliminating comments and notifications. Those providers will also see the removal of channel members, posts, and stories. Other restrictions include removing autoplay on home, cards, or end screens, personalized advertising, merchandising and ticketing, live chats, and more.
Is COPPA Working?
The YouTube agreement showed the FTC was (finally) serious about eliminating the illegal online collection of personal data from minors. Before this happened, I questioned whether the government would ever go after the big sites. Perhaps the time has come for the U.S. government to put similar restrictions on big tech when collecting data from adult users.
Companies like Google and Facebook continue to offer many valuable products for free. But, unfortunately, we all know that we’re allowing these companies to collect our personal data in exchange. The time has come for an opt-out option to pay for the services we want instead of allowing them to collect our data. The government also needs to address the biggest hole of all: COPPA doesn’t cover underage adolescents, those 14-to-17 years old. Shouldn’t they be covered?