Children are the most vulnerable group of internet users. It comes as no surprise that we are witnessing the rise of privacy laws aiming to protect children from businesses that process their personal data and target them with content or products.
The youngest members of society become internet users at a very young age nowadays, so there is no shortage of online services directed at children. These services often collect children's data, and that's inherently a threat to children's privacy and safety online.
Data protection laws such as the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and a few other data privacy laws of the US states prescribe stricter requirements for the processing of personal information from a child.
However, there is an often overlooked law that prescribes a set of rules that every business processing data on US children must conform to. That's the Children's Online Privacy Protection Act of 1998.
What is the Children's Online Privacy Protection Act of 1998 (COPPA)?
The Children's Online Privacy Protection Act (COPPA) is a US federal law that has been designed to protect the online privacy of children under the age of 13. It aims to regulate the collection and use of personal information from children on the internet and provide parents with controls on how their children's personal information is being processed.
The Act was passed in 1998 and came into force in 2000. Having in mind the global reputation of the US data privacy landscape, the mere existence of the COPPA surprises many businesses.
The COPPA was created to give parents more control over the online collection of personal information from their children. That includes a requirement for operators of child-oriented websites and services to obtain verifiable parental consent before collecting any personal information from children, to implement adequate security safeguards, to include a privacy policy on the websites, and other obligations that we'll dive deeper into further in this article.
Unlike the state privacy laws, the COPPA applies to all businesses that are directed at children under 13 years old or knowingly collect information from them. This includes websites, apps, and online platforms. There are no exclusions based on revenue thresholds or the number of users.
Amendments and Updates: COPPA has seen updates over the years to adapt to changes in technology and the online landscape. These updates have expanded its scope to include newer forms of online tracking and data collection.
The Federal Trade Commission can take legal action in the case of non-compliance and issue penalties for COPPA violations. The Children's Online Privacy Protection Rule helps them enforce COPPA compliance.
What is the Children's Online Privacy Protection Rule?
The Children's Online Privacy Protection Rule (COPPA Rule) is a set of regulations developed by the Federal Trade Commission (FTC) to implement and enforce the provisions of the Children's Online Privacy Protection Act (COPPA). The COPPA Rule provides specific guidelines and requirements for operators of websites, online services, and mobile apps that collect personal information from children under the age of 13.
The COPPA sets out the legal framework for processing the personal information of children. The COPPA Rule specifies the specific standards that businesses must meet in order to comply with the law and avoid trouble with the FTC.
What does COPPA require from businesses?
When we combine the COPPA requirements and the COPPA Rule standards developed by the FTC, we get the following COPPA requirements from any website or online service that knowingly processes kids' data:
- Privacy policy. Every website or app must publish an up-to-date privacy policy on their website. The policy should describe what information is collected, how it's used, and how parents can review and delete their child's information.
- Not condition the child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity, which means that only the minimum amount of data can be collected and processed.
- Limit the data retention periods. Children's data shall not be kept for longer than necessary for processing purposes.
- Obtain verifiable parental consent for the data processing. Acceptable methods include sending an email or calling the parent over the phone, making micropayments to the parent's payment card, or checking the parent's government-issued identification document.
- Implementing data security measures The COPPA Rule mandates that operators maintain the security of children's personal information. They must take reasonable steps to protect this data from unauthorized access, disclosure, or misuse.
- Parental rights. Parents have the right to know about the processing of their child's data, object to the processing, prohibit further data collection, and have it deleted upon request.
If you already comply with US state privacy laws, such as the CCPA, you may already comply with COPPA.
What are the COPPA Safe Harbor Programs, and how do they work?
The COPPA Safe Harbor programs are mechanisms that allow certain organizations to seek "safe harbor" from some of the specific requirements and liabilities under COPPA while still demonstrating their commitment to protecting children's privacy online.
The FTC maintains a list of Safe Harbor programs. If you apply it to your operations, you are eligible for it.
Your chosen program comes with a set of data protection guidelines that you must implement when handling information from children under 13. You can choose one that is suitable for your industry. Compliance with the guidelines leads to certification, which further builds trust among your users.
The FTC will oversee your compliance with your chosen Safe Harbor program.
Future updates on the laws protecting the privacy of children
As of now, COPPA is the only US federal law requiring websites and online services to protect personal information collected from children.
The consumer privacy laws of the US states include provisions on children's data, but that's often in line with the COPPA requirements, so there is nothing new there.
However, the COPPA may soon be updated. The Protecting Kids on Social Media Act, also known as COPPA 2.0, has been introduced in the legislative bodies recently and, in this version or another, may be passed into law soon.
The Protecting Kids on Social Media Act is a federal privacy proposal aimed at regulating the relationship between young people and social media. It aims to:
- Set a minimum age of 13 for social media use, which means children under the age of 13 will be prohibited from using social media,
- Require parental consent for teens,
- Require the implementation of a strict age-verification program through which the federal government would verify users' ages by checking their identity and issuing secure digital identification credentials, and
- Ban content recommendation algorithms for users under eighteen.
The Federal Trade Commission and state attorneys general would carry out enforcement, with civil penalties for violations.
While some of the proposed provisions of this act seem like a long shot, several US states also prepare their own regulations regarding children's online activities.
