Privacy
Data Privacy Alert: What is COPPA and Why Does It Matter So Much Today?
February 17, 2023
The Children's Online Privacy Protection Act (COPPA) is a federal law that was enacted in 1998 to protect the personal information of children under the age of 13. The law applies to websites, mobile apps, and other online services that collect, use, or disclose personal information from children, as well as general audience websites that know they are collecting PII from children.
Overview
From the 1970s through 2000, the United States federal government passed several privacy regulations, first governing how federal agencies could collect and use personally identifiable information (PII) and later focusing on health and medical privacy (the Health Insurance Portability and Accountability Act or HIPPA) and then children’s safety online in the form of COPPA.
Enforced by the Federal Trade Commission, COPPA requires companies to:
- Obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
- Provide notice to parents about their information collection practices, including what information is collected, how it will be used, and with whom it will be shared.
- Allow parents to review the personal information that has been collected from their children and to request that it be deleted.
- Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children.
Recent court decisions and FTC enforcement actions are indicating that organizations must take their privacy compliance—especially with COPPA—very seriously indeed.
Enforcement
The Federal Trade Commission (FTC) is responsible for enforcing COPPA. This means that it can take legal action against companies that violate the law, including fines and penalties up to $43,280 per violation—a fine that can add up quickly given the number of users many popular websites have.
Companies should take pains to ensure they comply with COPPA, because it appears that the FTC is adopting a more aggressive posture towards privacy regulations. Social media companies, media companies, major internet companies, and gaming companies have all been fined recently, including two nine-figure fines, one the largest in FTC history ($170 million and $275 million), pursuant to alleged COPPA violations.
Expert Analysis from Jeffrey M. Dennis, Shareholder, Buchalter
Expect COPPA to evolve dramatically in the next few years, particularly in the enforcement space. A recent uptick in FTC enforcement actions, as well a focus in Europe on children’s rights, demonstrate that the protection of children will continue to be a global priority.
Additionally, lawmakers are focused on strengthening COPPA – at both the federal and state level. Congress is grappling with updating the 25+ year law to keep pace with current technology, and will likely raise the age of children falling within COPPA from 13 to 15 or 16. California recently went further in enacting the Age-Appropriate Design Code Act, which defines children as anyone under the age of 18.
All companies must revisit their data collection and consent practices to determine if they comply with COPPA. Even businesses which traditionally are not children-focused may still be unintentionally collecting personal information which falls under the protection of COPPA, thereby subjecting them to risk.
Data Privacy Tip
Organizations must recognize that cookie banners and older forms of acquiring and managing consumer consent will no longer suffice, especially for complicated requirements like those put forth under COPPA. They must deploy enterprise consent management solutions. Find out what it takes to make sure you’re compliant in our recent infographic.
