Coping with COPPA
Children's Privacy in an Online Jungle
By Robert Cannon
By and large, when it comes to protecting consumer
privacy, the mantra in Washington has been
self-regulation. Privacy gaffes by online companies
are characterized as merely the normal growing pains
of the new online economy. In addressing them,
government has generally opted to negotiate
resolutions with industry and consumer groups, rather
than apply new regulations.
As with many issues, however, when it comes to
children, industry blunders have swiftly been greeted
by the sound of the gavel coming down. This April
marked the first anniversary of the Children's Online
Privacy Protection Act (COPPA), the first online
privacy law to come out of Washington. Since its
inception, COPPA has accounted for $100,000 in civil
penalties levied against Web businesses. Compliance
with new Federal regulations, in which the details are
still fuzzy, can be a challenge. As always, if you
find that your business plan includes areas under
COPPA's jurisdiction, investment in good legal advice
might be a sound decision. A working understanding of
the law can also help you identify potential trouble
areas, and set your site along the path to COPPA
The story of COPPA began in the mid-1990s. A 1996
report by the Center for Media Education (CME), which
documented how online services handled children's
information, gave the first indication that
self-regulation alone wasn't enough when it came to
kids' privacy. The behavior it described was
atrocious. The report found that numerous Web sites
targeting children either had no privacy policies
posted at all, or else failed to adhere to their own
policies. Worse, deceptive data-gathering tactics
targeting children were commonplace. For example, an
online service might set up games in which children
could earn points toward winning prizes. Play a few
games and win a few points. Provide your parents'
salaries, along with information about their
employers, and win lots of points.
CME's report persuaded the Federal Trade Commission to
conduct its own study. The results, published in
"Privacy Online: A Report to Congress",
revealed that while 89 percent of sites
surveyed collected information from children, only 24
percent had posted privacy policies, and only 1
percent required prior parental consent.
The FTC report led to an unusual break by Congress
from the mantra of self-regulation, and the swift
passage of COPPA in 1998. By April 21, 2000, FTC
regulations implementing the bill had been
promulgated, and compliance with COPPA was mandatory.
COPPA in a Nutshell
COPPA is the first online privacy law to come out of
Washington. (For clarification, see "
The COPPA vs. COPA Confusion"). You must comply with COPPA's regulations if you are the operator of an online
service that either (a) specifically targets children
under the age of 13, or (b) has "actual knowledge"
that it is collecting information from children under
the age of 13more on this later. Nonprofits are
exempt from COPPA. Otherwise,
if you meet either of these criteria, then your site
is subject. To comply, you must:
How much will it hurt if you're caught violating
COPPA? You can be fined up to $11,000 per child per
incident; and the grace period for enforcement is over.
data you collect,
and what you do with it.
- Obtain verifiable consent from the child's parent
before you collect
any data. Importantly, once a parent agrees to your
those terms are as good as set in stone. If you make
from all of the
parents all over again.
- Give parents the option to consent to your
yet still forbid disclosure of the data to third
- Provide parents the opportunity to review the data
- Give parents the option to revoke their consent. If
they do so, they
are in effect telling you that you may no longer use,
delete, information about their kids.
- Institute a program to ensure the security and
integrity of the data
Is My Site Subject?
The FTC has indicated that it will determine whether a
Web site targets children based on: "visual or audio
content; the age of models on the site; language;
whether advertising on the Web site is directed at
children; information regarding the age of the actual
or intended audience; and whether a site uses animated
characters or other child-
Even if your service doesn't explicitly target
children, you may yet be subject to COPPA. You still
fall under its provisions if you have what is called
"actual knowledge" that some of your visitors are
Some Web sites gather statistical information on
visitors without any thought that some may be
children, and without the specific intention to market
or serve underage visitors. However, as soon as you
ask your visitors' ages and they tell you that they
are under 13, you have actual knowledge. And once you
have actual knowledge, you're stuck with it. If you
ask and you know, COPPA applies.
But what happens when kids lie about their
agesdoesn't this mean that any data gathering could
potentially put your company at risk? No. According to
COPPA, this is not your problem. If nothing about a
visitor's presence informs you that the visitor is a
child, then you lack actual knowledge.
What Is Personal Information?
Personal information, where COPPA is concerned, means
individually identifiable information. Examples
It also means any additional information collected
from the child in combination with any of the above
items. So once you've collected personal information
from a child, all additional information collected is
a first and last name,
a physical address,
an email address, screen name, or other online
a telephone number,
a social security number,
a cookie or other persistent identifier.
Note that if the information you want to collect is
not on the above list (and your Web site does not
target children), then you can collect it without
falling under the restrictions of COPPA. It is, for
example, possible for you to conduct surveys of
visitors to your site and not fall under COPPA, so
long as no part of your survey asks for personally
identifiable information. You can even ask a visitor's
age, so long as you do not, for example, ask for the
visitor's name or set a cookie.
This is because age is not itself defined by COPPA as
personally identifiable information. Thus, you can ask
the age of the visitor without having to comply with
COPPA further. If the visitor is under the age of 13,
a viable option is to refuse to collect any personally
identifiable information. If such information is
necessary to provide your online service, you may opt
not to offer your services to that visitor at all.
Finally, note that to fall under COPPA, information
must be collected online. Suppose, for example, the
visitor prints out a form and then mails in the
information. Even though that form may have been
printed from a Web page, the information gathering
does not fall under COPPA.
Getting the Go-Ahead
FTC rules set forth specific requirements for
compliance with COPPA, including what constitutes
parental consent. You can obtain parental consent
through several methods, including digital signatures,
a signed form that's returned by mail or fax, the use
of a credit card,
or by having a parent telephone in to a properly
trained staff member.
To make things a bit more complicated, the FTC is
phasing in its requirements. Until April 2002, you can
also seek consent from the parent via email, so long
as you take steps to ensure that the consent was
authentic (such as a delayed letter or phone call to
the parent for confirmation).
This is only allowable in situations in which the
information is gathered exclusively for internal use,
howeversuch as marketing to the child based on his or
her preferences. If you plan to disclose the
information to third parties, you must use the most
reliable means of gaining consent, such as those
listed previously. Consent via email in these cases is
One further area of caution applies to monitored
online communities, such as message groups or chat
rooms. If a given community targets children, or if a
visitor reveals that he or she is a child, then the
operators of the community must comply with COPPA.
The community monitor could strip all personal
information from the messages prior to posting them.
In such cases, the community wouldn't need to obtain
further parental consent. The only other option is for
you to gain parental consent before children
This is likely to pose a significant challenge to
monitored communities that don't target children and
aren't accustomed to COPPA. If such a community is
suddenly confronted with a message that states, "Hi,
my name is Tommy, I'm in the 6th grade, and I'm doing
a research project," community monitors must be
trained to take immediate action to comply with COPPA.
Note, however, that these rules do not apply to
Exceptions to the Rule
COPPA permits online businesses to interact with
visitors without parental consent in a few distinct
situations. Web sites may:
Also, COPPA provides for what are called Safe Harbors.
These are industry self-regulation programs that are
submitted to the FTC for approval. If a program is
approved, then sites that are certified as complying
with that program are deemed to be in compliance with
COPPA. Of course, entities seeking FTC approval of
such self-regulation programs must provide assurances
that the integrity of their programs will be
maintained. So far, only three applications for Safe
Harbor status have been approved: those of the
Children's Advertising Review Unit, the Entertainment
Software Rating Board, and of TRUSTe.
gather personal information for the purpose of contacting the
child?s parents to gain consent.
respond on a one-time basis to a child's inquiry if they don't use that personal information for any further purposes and delete it from their databases.
collect personal information for the purpose of protecting the child's
safety if that information isn't used for any other purpose including
contacting the child, and that information is not disclosed anywhere on the online service.
collect information solely for the purpose of maintaining the security or integrity of the system, or as required by law or judicial process.
In the area of online contests, there is actually a
more specific rule, as this was one of the areas of
greatest abuse. Specifically, an operator of an online
contest targeted at children is permitted to gather
from the visitor only such information as is
reasonably necessary for the visitor to participate in
the activity. In other words, no asking for mommy and
daddy's salary to win a free T-shirt.
CME, authors of the original study that highlighted
the problem of children's privacy, conducted a
follow-up survey one year following the enactment of
COPPA. CME surveyed 153 commercial Web sites directed
at children under the age of 13, including current
children's Web sites and those used in the FTC study.
CME's survey found that COPPA has had a significant
impact on Web site operator behavior.
First, and importantly, the percentage of Web sites
with posted privacy policies increased dramatically.
In 1998, the FTC found that 24 percent of children's
Web sites surveyed had posted privacy policies. In
2001, 76.3 percent had posted privacy policies.
Children's Web sites continue to collect personal
information, but the information collected has
changed: 85.6 percent of children's Web sites
collected personal information in 2001, as compared to
89 percent in 1998essentially the same number.
However, only 19.8 percent of sites collected postal
addresses in 2001, down dramatically from 49 percent
in 1998. Likewise, the number of sites collecting
phone numbers from children declined from 24 percent
to 10.7 percent.
Room for Improvement
Of those Web sites surveyed, 72 percent had a link to
collection took place. A continuing problem, however,
is that only 34 percent of sites have a link that is
"clear and prominent," as required by law. Privacy policies hidden in fine print at the bottom of the
page aren't enough. "Clear and prominent" links must
stand out and yell, "Here I am!"
Further, while it's one thing to have a policy, it's
another to follow it. While the number of Web sites
with posted policies was impressive, CME's survey
found 50 sites that collected data from children in a
way that required prior parental consent. Only 19 of
those sites in fact made an effort to obtain the
required permission. Of those that did seek to obtain
consent, the most popular methods were through the use
of a credit card (52.6 percent of the time) and by
providing a consent form to be printed out, signed,
and sent back (47.4 percent of the time).
One major area of abuse involved Web sites that
encouraged children to lie about their age. For
example, such sites might have registration forms
requesting personal information before visitors could
take advantage of the site. On the form would be a
request for age information along with a statement, in
big bold red letters, that services were unavailable
to children under the age of 13. Other sites might
have pop-up windows that appear when someone enters an
age younger than 13. The window would state, again,
that services were unavailable to children under the
age of 13.
The key is that when the pop-up window closes, the
child can return to the form and change the entered
age. All of this creates the incentive and the ability
for children to lie about their age to gain access to
Biting the Bullet
This April, on the first anniversary of COPPA, the FTC
announced that it would issue its first fines,
charging three Web sites with "illegally collecting
personally identifying information from children under
13 years of age without parental consent, in violation
of the COPPA rules." These enforcement actions were
settled by having the site operators agree to pay
$100,000 in civil penalties, to comply with COPPA in
the future, and to delete the data in question.
Overall, the first year of COPPA saw marked overall
improvement in the handling of children's data by
online services. But it also saw several children's
Web sites cease operations. These sites concluded that
compliance with the new regulations would be too
onerous and opted instead to either shut their doors
completely, or else to close the doors specifically to
children under the age of 13.
While some online ventures insist that COPPA
compliance is too difficult for their sites to remain
in business, the FTC takes these reactions with a
grain of salt. FTC staff members warn that some
ventures with flawed business plans have looked for
regulatory scapegoats to justify their failures. (For
more on this topic, see "
Recent Privacy Research is Misrepresented").
COPPA supporters also argue that compliance is hardly
onerous, particularly in light of the statute's focus:
children under the age of 13. Any online service
working with young children ought to be handling those
relationships with care. These are, after all, young
children. Online ventures that find the proper care of
young children's data too burdensome probably
shouldn't be in that line of business anyway.
Finally, it's worth noting that COPPA doesn't prohibit
these Web sites from operating. It only forbids them
to collect personal information. If compliance with
the regulations governing data collection is too
difficult, these online businesses are free to
continue operationsminus data collection.
Protection for and care of young children is important
to our culture. Those who profit off them, but find it
too difficult to protect them, shouldn't expect to
receive much public sympathy or support. Fortunately,
the FTC has set forth clear guidelines as to what does
and doesn't constitute acceptable behavior by
children's Web sites. By understanding COPPA, your
business can market its products or services to this
important demographic, while remaining in full
compliance with the law.
More information can be found online at the FTC's Children's Privacy Web site.
Robert is senior counsel for Internet issues in the
FCC's Office of Plans and Policy. He is also director
Washington Internet Project, a pro-bono project dedicated
to promoting awareness of and participation in federal
regulatory developments that affect the Internet.
Views expressed are not necessarily those of his
employer. Robert can be reached at email@example.com.