Term: COPPA (Children’s Online Privacy Protection Act)
COPPA is a US federal law designed to protect children’s privacy online by imposing specific requirements on operators of websites and online services.
What is COPPA?
The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their children.
COPPA was passed in the 1990s to address the growth of online marketing techniques targeting children. At the time, various websites were collecting personal information without parents’ knowledge or consent.
What is required under COPPA?
According to the FTC, COPPA applies to operators of commercial websites and online services (including mobile apps and IoT devices, such as smart toys) directed at children under 13 that collect, use, or disclose personal information from children, or those who collect, use, or disclose such information on their behalf (such as ad networks that utilize personal information to deliver targeted advertisements).
Covered operators must:
- Publish a clear and comprehensive online privacy policy describing how children’s personal information is handled;
- Collect children’s personal information only with their parents’ consent, with limited exceptions;
- Keep a child’s information to internal collection and use, and not disclose it to third parties (unless the disclosure is integral to the service or site, which must be clearly explained to parents);
- Allow parents to review and/or delete their child’s personal information;
- Allow parents to prevent further use or online collection of their children’s information;
- Protect the confidentiality, security, and integrity of information they collect from children, including by releasing it only to parties that can maintain its confidentiality and security;
- Keep data collected online about children only as long as is necessary to fulfill its purpose, then delete it using reasonable measures to prevent unauthorized access or use;
- Not require a child to provide more information than is reasonably necessary to participate in an online activity.
Understanding Fines and Penalties Under COPPA
The Children’s Online Privacy Protection Act (COPPA) imposes significant penalties for violations, with fines potentially reaching $50,120 per violation, as stipulated by the Federal Trade Commission (FTC).
Financial Implications
- Individual Violation Costs: Collecting personal data from children without adhering to COPPA’s requirements can be costly. For instance, data obtained from just ten children could result in fines up to $501,200.
- Historical Increases: The penalty maximum has risen over time, from $16,000 initially to $40,654 in 2016, reflecting the increasing emphasis on safeguarding children’s privacy online.
Determining Penalty Amounts
The total financial penalty a business can face hinges on factors like the severity of the violation and how much financial benefit the company gained from improperly collected data.
Noteworthy COPPA Penalties
Several major companies have been fined for COPPA violations, underscoring the law’s reach and impact:
- YouTube (2019): Received a monumental fine of $170 million related to COPPA breaches, highlighting the substantial risks even for large-scale enterprises.
- Sony BMG (2008): Penalized with a $1 million fine for infringing on children’s privacy rights.
- Path, Inc. (2013): Faced an $800,000 penalty, reflecting the serious consequences of failing to comply with COPPA regulations.
Contextual Implications
While such fines might be absorbable by big corporations, they pose a significant existential risk to smaller firms. An episode from the TV show “Silicon Valley” illustrates a realistic scenario: a company without a privacy policy inadvertently collects data, leading to potential liabilities reaching $25 billion.
How Is COPPA Enforced?
The enforcement of the Children’s Online Privacy Protection Act (COPPA) is primarily the responsibility of the Federal Trade Commission (FTC) and state Attorney General offices. These entities work together to ensure compliance and impose substantial penalties on companies found in violation.
In practice, this means rigorous monitoring for potential breaches. For example, if a company uses cookies or other tracking methods to collect personal data from users under 13 without consent, it may face heavy fines. Past cases have shown that both large corporations and smaller enterprises are subject to scrutiny.
To aid in identifying violators, the FTC encourages the public to report websites and services they suspect are not adhering to COPPA guidelines. This grassroots approach helps regulators target non-compliant operators more effectively.
The Role of “Actual Knowledge”
One critical aspect of COPPA enforcement is determining if a company has “actual knowledge” that it is collecting information from children under 13. This means the company is aware that it is directing its services towards a child audience or has specific knowledge that it is handling data from minors.
If evidence shows that an operator knowingly gathers such data without adhering to COPPA requirements, stricter penalties are imposed. This ensures companies take the legislation seriously and make necessary adjustments to their data collection practices.