The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law designed to limit the collection and use of personal information about children by the operators of Internet services and Web sites. Passed by the U.S. Congress in 1998, the law took effect in April 2000. It is administered and enforced by the Federal Trade Commission (FTC). COPPA is "the first U.S. privacy law written for the Internet," Melissa Campanelli wrote in Entrepreneur. "It was written specifically for Internet marketers that operate Web sites visited by children under the age of 13 and collect personal information from those kids. Its purpose is to regulate that collection."
The FTC conducted a survey of 212 Web sites in 1998 and found that 89 percent of them collected personal information from children. Of those that collected data from children, 46 percent did not disclose this fact or explain how the information was used. The law was intended to address this potential problem by requiring Web sites and other online services directed toward children under the age of 13—as well as general audience sites that collect personal information from children—to obtain verifiable consent from the children's parents. "Its stated purpose is to protect children from micro-targeting by advertisers and to minimize the potential for contact with dangerous individuals through chat rooms, e-mail, and bulletin boards by involving parents in kids' on-line activities," Monica Rogers explained in Crain's Chicago Business.
COPPA applies to a variety of Web sites and services with content that may appeal to children. "In determining whether a Web site is directed toward children, the FTC will consider, among other things, the site's content, language, advertising and intended audience, as well as the use of child-oriented graphics or features," Anthony Marks and Keith Klein noted in the Los Angeles Business Journal.
But the law also affects general interest sites that collect information from children, whether the site's operators intend to do so or not. "The arm of COPPA is very long because it also applies to general audience Web sites that have actual knowledge that they are collecting personal information from children," Robert Carson Godbey wrote in Hawaii Business. "You can easily, and inadvertently, fall into this category. If you invite browsers of your Web site to submit individually identifiable information—which can include name, address, e-mail address, hobbies, interests, information collected through cookies, basically anything that can be individually identified to the person responding, for a variety of reasons, and that information includes age—then you may have 'actual knowledge' that you have collected personal information from children if anyone under 13 responds to your invitation."
COPPA requires the operators of these types of Web sites to include a clearly written privacy notice on their home page and anywhere on their site where user data is collected. The privacy policy must reveal who is collecting and maintaining the information children supply to the Web site and provide information about how to contact them; explain how the children's personal information will be used; and state whether it will be made available to third parties. In addition, COPPA requires Web site operators to obtain "verifiable parental consent" in advance of collecting or using personal information from children. Even when parental consent has been granted once, the site operators must seek consent again any time they make changes in their privacy policies. Exceptions to COPPA's parental consent requirements are allowed for the collection of e-mail addresses in order to seek consent, protect the safety of a child, or respond to a child's one-time request (provided that the e-mail address is deleted immediately afterwards).
The FTC rules cite several acceptable methods for Web site operators to verify parental consent, including a signed form sent via fax or regular mail, a credit card number provided online, calls made on a toll-free telephone number staffed by trained personnel, and e-mail accompanied by a digital signature or password. The method used by a certain Web site depends on the type of information collected from children and the way it is used. For example, e-mail consent is acceptable for Web sites that collect personal information only for internal purposes, like marketing to a child based on his or her preferences. Stricter methods are required when the information is made available to third parties.
The FTC applies penalties for noncompliance ranging up to $11,000 per incident. Although the financial penalty is stiff, a business that failed to comply with the law would likely suffer even worse consequences as a result of negative publicity. After all, who would want their Web site to be known as one that put children at risk? Unfortunately, COPPA compliance can be complicated. "The goals of COPPA are no doubt admirable. The implementation, however, can be daunting," Godbey noted. "The difficulty comes from the requirement of 'verifiable consent' from a parent…. How do you obtain verifiableparental consent? How do you verify parental consent in an online environment where the children probably know more about the family computer than their parents do?"
Many online businesses have also complained that COPPA compliance is expensive. According to Campanelli, some of the major costs of compliance include employing staff to compose and maintain the online privacy policy statements, hiring attorneys to review the policies, and coordinating the collection and secure storage of parental consent forms. Experts estimate that these costs would amount to between fifty cents and three dollars per child interaction, or up to $100,000 per year, for a medium-sized Web site.
Faced with these potential costs, some sites were forced to limit access to children over the age of 13. Other sites—like the popular United Kingdom-based site for the "Thomas the Tank Engine" series of books and toys—decided to eliminate their e-mail and chat room features because they could not afford to comply with COPPA.
In response to complaints from Web site operators about the cost of compliance, the FTC noted that COPPA was not intended to block kids' access to information on the Internet. Instead, the goal of the law was to involve parents in the decision about whether to release children's personal information. Lawmakers argue that children under 13 are not sophisticated enough to make such decisions on their own.
Like all Internet laws, COPPA is somewhat difficult to enforce. For example, tech-savvy youngsters may find ways to forge parental consent. In addition, the law only applies to companies doing business in the United States, whereas the Internet is global in scope. Some entrepreneurs resent the restrictions imposed by COPPA, arguing that the government should not become involved in regulating the Internet. "One of the beauties of the Internet is that an entrepreneur can begin his or her business with minimal investment and regulatory scrutiny," Campanelli noted. They argue that regulation increases costs for small business owners. But other operators of small Web sites for children believe it is their responsibility to protect their users' privacy, even though it can be expensive. "If you're going to play in the kids' arena, you've got to offer safety, even if it costs," Alison Pohn, marketing director for a children's Web site, told Rogers. "If you operate a school or a camp, you invest in having the safest playground equipment and the best lifeguard at the pool. This is no different."
In any case, it is important for small business owners involved in online commerce to be aware of the provisions of COPPA. The full text of the Children's Online Privacy Protection Act is available on the FTC Web site. In addition, the Direct Marketing Association offers a guide to COPPA compliance and a "privacy policy generator" that walks users through the process of creating a compliant policy. Both are available on the DMA Web site.
Campanelli, Melissa. "The Wizard of Laws." Entrepreneur. February 2001.
Di Sabatino, Jennifer. "FTC Oks Self-Regulation to Protect Children's Privacy." Computerworld. February 12, 2001.
"Firms May Need to Examine Kid-Oriented Privacy." Financial Net News. July 31, 2000.
Godbey, Robert Carson. "The Law of the Line." Hawaii Business. November 2000.
Jarvis, Steve. "COPPA Minefield." Marketing News. December 4, 2000.
Marks, Antony, and Keith Klein. "Coping with COPPA." Los Angeles Business Journal. July 31, 2000.
Retsky, Maxine Lans. "Sites Find COPPA Compliance Mandatory." Marketing News. August 28, 2000.
Rogers, Monica. "Kids' Privacy Act Stings Web Sites; New Guidelines Limit Sharing of Data with Others." Crain's Chicago Business. May 15, 2000.
Rosencrance, Linda. "FTC Warns Sites to Comply with Children's Privacy Law." Computerworld. July 24, 2000.
Comment about this article, ask questions, or add new information about this topic: