Children's Online Privacy Protection Act


The Children's Online Privacy Protection Act of 1998 is a United States federal law. The act, effective April 21, 2000, applies to the online collection of personal information by persons or entities under U.S. jurisdiction about children under 13 years of age, including children outside the U.S. if the website or service is U.S.-based. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on marketing to those under 13.
Although children under 13 can legally give out personal information with their parents' permission, many websites—particularly social media sites, but also other sites that collect most personal info—disallow children under 13 from using their services altogether due to the cost and work involved in complying with the law.

Background

In the 1990s, electronic commerce was rising in popularity, but various concerns were expressed about data collection practices and the impact of Internet commerce on user privacy—especially for children under 13, because very few websites had their own privacy policies. The Center for Media Education petitioned the Federal Trade Commission to investigate the data collection and use practices of the KidsCom website, and to take legal action since the data practices violated Section 5 of the FTC Act concerning "unfair/deceptive practices." With the passing of the Driver's Privacy Protection Act in 1997, new precedents had been set in regard to the ability of Congress to regulate information held by state agencies. After the FTC completed its investigation, it issued the "KidsCom Letter"; the report stated that the data collection and use practices were indeed subject to legal action. This resulted in the need to inform parents about the risks to children's online privacy, as well as about the necessity of parental consent. This ultimately resulted in the drafting of COPPA.
COPPA was passed in 1998 and took effect reportedly in April 2000. The rule was issued by the Federal Trade Commission, and it is updated quite frequently to stay up to date with new technological advancements. The Federal Trade Commission is an agency that works to protect people from illegal practices and scammers, create protection rules, and help people protect their data and information. COPPA was necessary because it has been reported that 89% of children's websites were taking personal information, and many of those websites were not giving privacy notices. Parents were not very involved with their children's website use, nor were they made aware of the dangers of their children's private information being taken without their knowledge.
The new millennium ushered in an era of regulation that many were simply unaware of. The early years of the transition were fraught with confusion and a lot of animosity. One of the main concerns of the time was the eventual accessibility of child-based websites, for fear that many were unwilling to change their business practices. Many were left with a series of loose guidelines that determined what was correct. The simplification of COPPA provided by the FTC was met with a follow-up of demands to law enforcement that the: "... Commission should continue law enforcement efforts by targeting significant violations and seeking increasingly larger civil penalties, when appropriate, to deter unlawful conduct". A mandatory review of the COPPA regulations, conducted in 2005, found that there were no adverse effects to the online landscape.
The Federal Trade Commission has the authority to issue regulations and enforce COPPA. Also, under the terms of COPPA, the FTC-designated "safe harbor" provision is designed to encourage increased industry self-regulation. Under this provision, industry groups and others may request Commission approval of self-regulatory guidelines to govern participants' compliance, such that website operators in Commission-approved programs would first be subject to the disciplinary procedures of the safe harbor program in lieu of FTC enforcement. The FTC has approved seven safe harbor programs operated by TrustArc, ESRB, CARU, PRIVO, Aristotle, Inc., Samet Privacy, and the Internet Keep Safe Coalition. In August 2021, Aristotle, Inc. withdrew from the safe harbor program after FTC staff expressed serious concerns about its enforcement of its safe harbor provisions and communicated their intent to recommend the revocation of Aristotle's approval to run a safe harbor program. The FTC also announced its intention to more closely scrutinize the practices of the other six present safe harbors.
In September 2011, the FTC announced proposed revisions to the COPPA rules, the first significant changes to the act since the issuance of the rules in 2000. The proposed rule changes expanded the definition of what it meant to "collect" data from children. The proposed rules presented a data retention and deletion requirement, which mandated that data obtained from children be retained only for the amount of time necessary to achieve the purpose that it was collected for. It also added the requirement that operators ensure that any third parties to whom a child's information is disclosed have reasonable procedures in place to protect the information.
In 2013, the COPPA rules were updated due to the increase in children's use of the internet and mobile devices. The 2013 revision expanded the types of online services and categories of personal information covered by the rules, and reinforced that verifiable parental consent was required for collecting personal information on child-directed platforms. The FTC reviews rules and regulations every ten years, but due to the constant evolution of technology, the rules were opened for review again in 2019.
The act applies to websites and online services operated for commercial purposes that are either directed toward children under 13 or have actual knowledge that children under 13 are providing information online. Most recognized non-profit organizations are exempt from most of the requirements of COPPA. However, the Supreme Court ruled that non-profits operated for the benefit of their members' commercial activities are subject to FTC regulation and consequently COPPA as well. The type of "verifiable parental consent" that is required before collecting and using information provided by children under 13 is based upon a "sliding scale" set forth in a Federal Trade Commission regulation that takes into account the manner in which the information is being collected and the uses to which the information will be put.
With technological advancements, children have become more accustomed to using online services in their everyday lives. Though COPPA tries to keep children's personal information and data safe, enforcement remains inconsistent. There are many apps and websites accessible to children that do not comply with COPPA rules. Furthermore, even if those apps do have terms and conditions that correlate with COPPA rules, many times the terms are vast and not readable by young children. Many privacy policies do not disclose the extent of the information they are sharing with a third party. Many times developers are unaware of the target audience their app or website will reach, making it more difficult to incorporate COPPA rules to protect children. This can expose children to privacy risk and lead to the leaking of sensitive information. Studies have shown that data taken from children has been provided to third-party advertising, which leads to promoting content that encourages impulse spending or promotes unhealthy products.
COPPA 2.0 was introduced to expand the age range covered by COPPA to minors under 17. It was introduced in the Senate alongside the Kids Online Safety Act. Both KOSA and COPPA 2.0 passed the Senate on a 91–3 vote on July 30, 2024. COPPA 2.0 would have required youth aged 13, 14, 15 or 16 to consent to the processing of their own data, but would not have required the parents of 13- to 16-year-olds to consent to the data processing. COPPA 2.0, as well as KOSA, had not passed the House when the 118th US Congress expired on January 3, 2025.

Violations

According to the FTC, courts may fine violators of COPPA up to $50,120 in civil penalties for each violation. The FTC has brought a number of actions against website operators for failing to comply with COPPA requirements, including actions against Google, TikTok, miHoYo, Girls' Life, American Pop Corn Company, Lisa Frank, Inc., Mrs. Fields Cookies, and The Hershey Company.
In February 2004, UMG Recordings, Inc. was fined US$400,000 for COPPA violations in connection with a website that promoted the then 13-year-old rapper Lil' Romeo and hosted child-oriented games and activities, and Bonzi Software, which offered downloads of an animated figure "BonziBuddy" that provided shopping advice, jokes, and trivia, was fined $75,000 for COPPA violations. Similarly, the owners of the Xanga website were fined US$1,000,000 in 2006 for COPPA violations of repeatedly allowing children under 13 to sign up for the service without getting their parents' consent.
In 2016, the mobile advertising network inMobi was fined US$950,000 for tracking the geo-location of all users without their knowledge. The advertising software continuously tracked user location despite privacy preferences on the mobile device. Other websites that were directed towards children and fined due to COPPA include Imbee, Kidswirl and Skid-e-Kids.
In February 2019, the FTC issued a fine of $5.7 million to ByteDance for failing to comply with COPPA with their TikTok app. ByteDance agreed to pay the largest COPPA fine since the bill's enactment and to add a kids-only mode to the TikTok app.
Three dating apps by Wildec were pulled by Apple and Google from their respective app stores, after the FTC determined that the dating apps allowed users under 13 to register, that Wildec knew there were significant numbers of minor users, and that this allowed inappropriate contact with minors.
On September 4, 2019, the FTC issued a fine of $170 million to YouTube for COPPA violations, including tracking the viewing history of minors in order to facilitate targeted advertising. Many notable social media platforms were subjected to scrutiny from the FTC, especially platforms like Facebook, where users had been ignoring COPPA guidelines since inception. As a result, YouTube announced that as part of the settlement, in 2020 it would require channel operators to mark videos that are "child-oriented" as such, and would use machine learning to automatically mark those as clearly "child-oriented" if not marked already. In the settlement terms, channel operators that failed to mark videos as "child-oriented" could be fined by the FTC for up to $42,530 per video, which has raised criticism towards the settlement terms. The terms of the decision, despite good faith, created many issues among the content creators on the site. Creators such as Ryan's World, Philip DeFranco and TheOdd1sOut, with vastly different content, found themselves in conflict because their content appealed to children. The following guidelines were implemented on the basis set by the following rules:
In 2022, Epic Games settled a Federal Trade Commission complaint in part by agreeing to pay a $275 million penalty for COPPA violations. The FTC complaint alleged that Epic illegally collected personal information from children under the age of 13 and made it difficult for parents to get such information deleted. The full agreement included an additional $245 million to refund users who were manipulated into making unintended purchases.
The DOJ and FTC jointly filed a lawsuit against TikTok and its owner ByteDance for violations of COPPA in August 2024, asserting that the app collected private information from minor users and allowed them to interact with adults and adult content.