After 21 years, it’s important to take a closer look at COPPA and decide whether it has proven successful. Unfortunately, the answer is largely a mixed bag — perhaps solely because of one single entity, YouTube.
More About COPPA
At the time of COPPA’s passage, very few websites had implemented privacy policies. At the same time, many of these same websites were beginning to collect personal information from their visitors. Unfortunately, many of these folks turned out to be children. COPPA requires that companies get parental consent before collecting information about underage site visitors. According to the Federal Trade Commission (FTC), COPPA covers various stakeholders, including website or web service owners, those targeting children or not, and those who own an ad network and collect personal information about visitors.
What Sites Must Do
To remain in compliance, the various stakeholders must post a clear privacy policy on its website, including a notice that parental consent is a legal requirement to collect personal data for those under 13. Additionally, these companies must obtain verifiable consent from parents before collecting any data about the visitor. Finally, websites must also establish methods where parents can revoke their consent. Finally, when personal data is legally collected from children, the websites must implement procedures to prevent data stealing. The site holders must also promise not to keep the data for “only as long as is necessary.”
Online Services
It’s relatively simple to describe something as a website. However, some might be wondering about the broader term, online services. In addressing this, the FTC explains:
Voluntary Collection
Websites that voluntarily seek to collect personal information from visitors, including those under 13, must still comply with COPPA. FTC: “The Rule governs the online collection of personal information from children by a covered operator, even if children volunteer the information or are not required by the operator to input the information to participate on the website or service. The Rule also covers operators that allow children publicly to post personal information.”
Porn
Perhaps interestingly, COPPA has nothing to do with keeping underage children away from porn. Rather, its focus is to give parents control over the online collection, use, or disclosure of personal information from children. Furthermore, protecting children from certain types of questionable content was never one of its goals.
Penalties
A U.S. court has the power to fine violators up to $43,792 per violation. Different factors determine the amount of the civil penalties, including:
The egregiousness of the violationsWhether the operator has previously violated the RuleThe number of children involvedThe amount and type of personal information collectedHow the information gets usedWhether it was shared with third partiesThe size of the company.
COPPA Privacy Policy: Key Points
To be compliant, a website’s privacy policy must identify categories of information:
The name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service (or, after listing all such operators, provide the contact information for one that will handle all inquiries from parents);A description of what information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; andThe parent can review or have deleted the child’s personal information and refuse to permit its further collection or use. You must also state the procedures for doing so.
Are Websites Complying?
The FTC using COPPA has gone after numerous companies for violating the age and issued fines. Among the bigger cases involved Musical.ly, Yelp, Path, Inc., TikTok, and many more. The biggest site brought before the FTC over COPPA was Google/YouTube in 2019. In the largest fine ever collected under the Act, the FTC ordered the company to pay a fine of $170 million after accusing it of deliberately collecting user information for those under 13 without parental consent. As part of the settlement with the government, Google agreed to make important changes to the YouTube platform.
YouTube Changes
Beginning in 2020, YouTube began promoting new rules that required content providers to tell whether or not videos were “made for kids.” According to Google, child-directed sites are those where:
Children are the primary audience of the video.Children are not the primary audience, but the video is still directed at children because it features actors, characters, activities, games, songs, stories, or other subject matter that reflect an intent to target children.
Content not appropriate for children are:
Content that contains sexual themes, violence, obscene, or other mature themes not suitable for young audiences.Age-restricted videos that aren’t appropriate for viewers under 18.
To comply with its agreement with the FTC, YouTube “Made for kids” content includes important restrictions, such as eliminating comments and notifications. Those providers will also see the removal of channel members, posts, and stories. Other restrictions include removing autoplay on home, cards, or end screens, personalized advertising, merchandising and ticketing, live chats, and more.
Is COPPA Working?
The YouTube agreement showed the FTC was (finally) serious about eliminating the illegal online collection of personal data from minors. Before this happened, I questioned whether the government would ever go after the big sites. Perhaps the time has come for the U.S. government to put similar restrictions on big tech when collecting data from adult users. Companies like Google and Facebook continue to offer many valuable products for free. But, unfortunately, we all know that we’re allowing these companies to collect our personal data in exchange. The time has come for an opt-out option to pay for the services we want instead of allowing them to collect our data. The government also needs to address the biggest hole of all: COPPA doesn’t cover underage adolescents, those 14-to-17-years old. Shouldn’t they be? Comment Name * Email *
Δ Save my name and email and send me emails as new comments are made to this post.