COPPA is a U.S. law enacted by Congress in 1998 to address concerns regarding the online collection and disclosure of children’s personal information. Children (defined by COPPA as individuals under the age of 13) may not appreciate the significance of sharing their personal information online. Therefore, the goal of COPPA is to put control over children’s online personal information into the hands of their parents.
COPPA tasked the FTC with promulgating rules to define what an unfair or deceptive trade practice is under the law. The current Children’s Online Privacy Protection Rule applies to operators of commercial websites or online services (including mobile applications) that are directed to children and to operators who have actual knowledge that they are collecting or maintaining children’s personal information. Under the Rule, such an operator:
(a) Must provide notice on its website of what information it collects from children, how it uses that information, and how it might disclose such information;
(b) Must obtain verifiable parental consent prior to collecting, using, or disclosing a child’s personal information;
(c) Must provide a reasonable means for a parent to review the personal information the operator has collected from a child and to refuse to permit further use of that information;
(d) Must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children; and
(e) Cannot condition a child’s participation in a game, prize offering, or other activity on the child disclosing more personal information than is reasonably necessary to participate in such activity.
As a general matter, verifiable parental consent includes any method reasonably calculated, in light of available technologies, to ensure that the person providing consent is the child’s parent. The Rule lays out a list of methods that the FTC has determined to meet that requirement, such as providing a consent form for the parent to sign and return via mail, fax, or email. Violations of the Rule carry civil penalties of up to $41,484 per violation.
A number of states have passed legislation to fill the gap left by COPPA regarding teenagers. For example, the Delaware Online Privacy and Protection Act extends COPPA-like provisions to all Delaware residents who are under 18. Therefore, website operators and online service providers should be aware of potentially applicable state laws even if they do not believe that COPPA applies.