Children's Online Privacy Protection Act of 1998 (COPPA)

In 1998 Congress passed the Children’s Online Privacy Protection Act, 15 U.S.C. §§6501-6505 (COPPA), in response to a 1998 Federal Trade Commission (FTC) report that described the widespread collection and use of personally identifiable information of children without their parents’ knowledge or consent. The FTC was charged with enforcing the act and issuing COPPA rules. The final COPPA Rule was issued in 1999 and became effective in April 2000.
COPPA aims to protect the personal information of children (persons under the age of 13) online. The final COPPA rule requires parental consent before a commercial website or an online service directed at children (or a website or online service that has knowledge that it collects personal information from children) collects, uses, or discloses personal information about a child. The COPPA rule also requires that websites and online services “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” In addition, entities subject to this act must allow parents to access any personal information on their child and delete it or opt out of future collection, and such entities must limit their collection of children’s personal information to that which is reasonably necessary to participate in the activity. Furthermore, site operators cannot condition participation in an online activity upon the disclosure of more personal information than is necessary to participate in that activity. COPPA also requires that websites subject to the act must post a privacy policy informing parents of their privacy practices and the contact information for each operator of the website. The required privacy policy must be linked to a conspicuous place on the website’s homepage and on any page on which a child is asked to provide personal information.
COPPA does not apply to Internet service providers or nonprofit entities, but it does apply to domestic websites and foreign websites directed at children in the United States. The types of personal information that are regulated by COPPA include a child’s full name, physical address, electronic mail address, Social Security number, telephone number, and a persistent identifier—such as a cookie— that is combined with personal information. COPPA includes a “safe harbor” provision that allows entities and industry groups to request FTC approval of self-regulatory guidelines.
Violators of the act may be subject to an injunction and civil penalties of up to $11,000 per violation. Although the FTC has enforcement authority for COPPA, the commission has brought few cases under the act. However, the FTC has issued warning letters to dozens of website operators. In addition to FTC enforcement, COPPA empowers states and select federal agencies to enforce the act within their jurisdictions.
Many criticisms have been leveled at COPPA. Some critics argue that the various parental consent mechanisms outlined by the FTC are too cumbersome, too slow, and too expensive. Furthermore, these critics argue, the parental consent mechanisms are inadequate to protect children’s privacy because children can simply fabricate information to access sites, and sites can evade COPPA regulation by stating that they do not sell products to children. Other critics have argued that defining a child as a person under the age of 13 is arbitrary and unjustified, inasmuch as children over the age of 13 may also need online privacy protection. Finally, some commentators have argued that COPPA may not pass constitutional muster because requiring children to divulge personal information or verify that they are entitled to access information as a condition to accessing the information results in the chilling of speech and, thus, a violation of the First Amendment. Similarly, critics argue that the forced relinquishment of the right to anonymous communication may run afoul of the First Amendment.