Think of the Children! Complying with COPPA in a Changing World

Noah Cothern, Contributing Member 2023-2024

Intellectual Property and Computer Law Journal

I. Introduction

Almost all children growing up in the United States today can access the internet.[1] With this unprecedented ability for American children to enter cyberspace come several unique challenges. It is widely known that children’s developing brains are far more impressionable than adult brains.[2] This leaves children on the internet more vulnerable to predatory practices and puts them at greater risk of having their personal information [“PI”] taken.[3] In recognition of this problem, Congress passed the Children’s Online Privacy Protection Act of 1998 [“COPPA”] which, as implemented by the Federal Trade Commission [“FTC”], aims to regulate the collection and use of personal information from and about children by websites that are targeted to children.[4] Despite its age, COPPA remains a key law for the online world.[5] In fact, prominent social media company Meta recently had a federal complaint filed against it by attorneys general from 33 states for alleged violations of COPPA.[6]

This article examines how COPPA regulates online operators. Part II of this article gives background information on the main operative provisions of COPPA. Part III gives suggestions on how online operators can comply with COPPA by avoiding certain oversights that could lead to costly liability.  

II. Background

The overarching mandate of COPPA states that it shall be illegal for operators of commercial websites or online services that target children to collect PI from those children without verifiable parental consent.[7] This mandate includes hosts of commercial websites and online services that do not specifically target children, but have actual knowledge that children are visiting.[8] PI includes any information collected online which allows someone to be individually identified.[9] COPPA breaks down into several key provisions regarding the definition of PI, notice, consent, review, and retention of PI.

Online operators covered by COPPA must make reasonable efforts to ensure that a parent of a child receives notice of the website’s intended practices regarding the collection and use of PI.[10] This notice requires two steps: direct notice and online notice. Online notice must be a prominent and clearly labeled link on the operator’s home page that directs visitors to a page which clearly outlines the operator’s practices for collection and use of PI.[11] Direct notice must reach the parent directly and state the operator’s intention to collect personal information.[12] The notice must inform the parent that the collection of PI will not occur if the parent chooses not to consent.[13] Direct notice must also include a hyperlink to the operator’s online notice page.[14]

Online operators must obtain verifiable parental consent before they proceed with any collection of PI from children.[15] The method to obtain consent is left for operators to decide, but it must be reasonably calculated, in light of the available technology, to ensure that the consent is actually coming from the child’s parent.[16] This process typically requires receiving consent via a method not possible for children to perform, such as providing credit card information or calling a toll-free telephone number.[17]

Parents who have previously given consent must have their subsequent requests to review the PI collected from their children honored.[18] This includes the right of parents to revoke their consent and refuse future collection of PI from their children.[19] Additionally, online operators must delete all PI which had previously been collected from a child if that child’s parent requests.[20]

Lastly, online operators must take reasonable precautions to ensure that PI collected from children remains safe, confidential, and protected from unauthorized access by outside parties.[21] This can be accomplished by collecting no more information than is necessary and retaining such information for no longer than necessary.[22]

III. Discussion

Many online operators risk running afoul of COPPA by inadvertently violating certain nuanced aspects of the core provisions.[23] These risks can relate to underestimating what constitutes PI, employing inadequate notice procedures, failing to establish verifiable parental consent, and failing to adequately protect collected PI.

What Constitutes PI

It is a risk to underestimate the scope of information that falls within the definition of PI. PI is any information collected online which allows someone to be individually identified.[24] While this includes common identifiers such as names, addresses, phone numbers and email addresses, other less intuitive types of information are included. For example, a cookie number, an IP address, or the serial number of a computer processor are included within the definition of PI despite not directly identifying a child.[25] Information which appears at first blush to be impersonal may nevertheless be traceable to an individual.[26] Online operators seeking compliance with COPPA must therefore take caution when collecting any information from children under thirteen.

Inadequate Notice

Certain aspects of the notice requirement are unintuitive and risk being overlooked. The most prominent examples of this relate to third party access and the wording of the notice requirement.

Notice must include not only the practices of the website host, but also the practices of any third parties with access to the website.[27] For example, many websites contain third party plug-ins or advertisement networks that collect user data to tailor services.[28] Because these third parties are working through the host’s website, the host must include those third parties’ collection practices with the website host’s own notice regime.[29]

The wording of the notice “must be clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials.”[30] Online operators must avoid using industry jargon or technical language in the wording of their notice.[31] While such language may be used during the in-house drafting of a privacy policy, operators must take the extra step of translating their finished privacy policy into plain language before submitting it to the public.[32]

Verifiable Parental Consent

The reasonableness standard for obtaining parental consent must be proportional to the use of the PI. Online operators must obtain verifiable parental consent before collecting PI from children.[33] However, children can imitate their parent’s consent online.[34] The method of obtaining consent must therefore be “reasonably calculated” to ensure the person providing consent is the child’s parent.[35] The text of the law lists several possible options to avoid this issue, ranging from signing a simple consent form to checking a scan of the parent’s government-issued ID against a formal database.[36] While not explicitly stated by the text, it is apparent from the differing intensities of the options listed that certain uses of PI would call for certain forms of obtaining consent. It is therefore recommended practice that if an online operator plans to use a child’s PI in a more active way, such as sending direct mail or advertisement, a more secure method of obtaining consent should be employed. In contrast, if an online operator only plans to use a child’s PI in a passive way, such as tracking website statistics, a less secure method of obtaining consent would suffice.[37]

Adequate Data Protection

Online operators in the modern world face cybersecurity threats that can jeopardize user data. COPPA mandates that an operator who has acquired a child’s PI must maintain reasonable procedures to prevent unauthorized access to that PI.[38] Operators who fail to take reasonable precautions regarding user data and subsequently suffer a data breach can be subject to strict penalties from the FTC.[39] For example, in 2022, online alcohol marketplace Drizly was the subject of an FTC complaint after a hack led to the loss of the personal data of 2.5 million customers.[40] Unreasonable data protection practices include storing database information on an unsecured platform, failing to monitor one’s network for security threats, and not employing two-factor authentication for employees.[41]

IV. Conclusion

Fines for failure to comply with COPPA can be severe.[42] As an extraordinary example, in 2022, Epic Games agreed to pay out 520 million dollars in relief for COPPA violations related to their popular video game Fortnite.[43] It is therefore in the best interest of online operators to take the necessary steps to ensure their own compliance. This means that online operators: (1) must not underestimate whether data they are collecting is subject to and protected by COPPA; (2) must ensure that their notice regimes address any third parties and are worded in plain language; (3) must employ appropriate procedures to obtain verifiable parental consent; and (4) must establish a security system that adequately protects user data from cyberthreats.


[1] Access to the Internet, National Center for Education Statistics, https://nces.ed.gov/fastfacts/display.asp?id=46 (last visited Jan. 7, 2024).

[2] Zara Abrams, Why Young Brains are Especially Vulnerable to Social Media, American Psychological Association, https://www.apa.org/news/apa/2022/social-media-children-teens (last updated Aug. 3, 2023).

[3] Internet Use in Children, American Academy of Child and Adolescent Psychiatry, https://www.aacap.org/AACAP/Families_and_Youth/Facts_for_Families/FFF-Guide/Children-Online-059.aspx (last updated Oct. 2015).  

[4] 16 C.F.R. § 312.1 (2013).

[5] Anthony Alexander, Why COPPA Rules Are So Important, Playwire, https://www.playwire.com/blog/why-coppa-rules-are-so-important (last visited Jan. 26, 2024).

[6] Eva Rothernberg, Meta Collected Children’s Data, Refused to Close Under 13 Instagram Accounts, Court Document Alleges, ABC Chicago, (Nov. 27, 2023) https://abc7chicago.com/childrens-online-privacy-protection-rule-coppa-meta-instagram/14107785/.

[7] 16 C.F.R. § 312.3 (2013).

[8] Id.

[9] 16 C.F.R. § 312.2 (2013).

[10] 16 C.F.R. § 312.4(b) (2013).

[11] 16 C.F.R. § 312.4(d) (2013).

[12] 16 C.F.R. § 312.4(c)(1)(ii) (2013).

[13] Id.

[14] 16 C.F.R. § 312.4(c)(1)(iv) (2013).

[15] 16 C.F.R. § 312.5(a)(1) (2013).

[16] 16 C.F.R. § 312.5(b)(1) (2013).

[17] 16 C.F.R. § 312.5(b)(2)(ii) (2013); 16 C.F.R. § 312.5(b)(2)(iii) (2013).

[18] 16 C.F.R. § 312.6 (2013).

[19] 16 C.F.R. § 312.6(a)(2) (2013).

[20] Id.

[21] 16 C.F.R. § 312.8 (2013).

[22] 16 C.F.R. § 312.10 (2013).

[23] Anthony Alexander, supra, note 5.

[24] 16 C.F.R. § 312.2 (2013).

[25] Id.

[26] Dennis Anon, How Cookies Track You Around the Web and How to Stop Them, Privacy.net, (Feb. 24, 2018) https://privacy.net/stop-cookies-tracking/.

[27] Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, Federal Trade Commission, https://www.ftc.gov/business-guidance/resources/childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business (last visited Jan. 10, 2024).

[28] Third-Party Cookies: What Are They And How Do They Work?, CookieYes, (June 30, 2023) https://www.cookieyes.com/blog/third-party-cookies/.

[29] Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, supra, note 27.

[30] 16 C.F.R. § 312.4(a) (2013).

[31] Id.

[32] Id.

[33] 16 C.F.R. § 312.5(a)(1) (2013).

[34] See W. Benjamin Barkley, Complying with the Children’s Online Privacy Protection Rule; FTC’s Proposed Updates, Lexology, (Jan. 19, 2024) https://www.lexology.com/library/detail.aspx?g=af6c15ed-07eb-42a6-8e84-4386bf16b473.  

[35] 16 C.F.R. § 312.5(b)(1) (2013).

[36] 16 C.F.R. § 312.5(b)(2)(i) (2013); 16 C.F.R. § 312.5(b)(2)(v) (2013).

[37] W. Benjamin Barkley, supra, note 34.

[38] 16 C.F.R. § 312.8 (2013).

[39] FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers, Federal Trade Commission, (Oct. 24, 2022) https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action-against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million.

[40] Id.

[41] Id.

[42] See Kirk J. Nahra, FTC Announces Enforcement Action Against Microsoft Over COPPA Violations, WilmerHale, (June 20, 2023) https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20230620-ftc-announces-enforcement-action-against-microsoft-over-coppa-violations (Microsoft amassing over $20 million in fines).

[43] Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges, Federal Trade Commission, (Dec. 12, 2022) https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations.
