The world of online security is constantly evolving and updating, and the Children’s Online Privacy Protection Rule (COPPA) is no exception.
COPPA was established over two decades ago to protect the privacy of children under 13 when they are online, but it is now being revisited and evaluated by regulators due to changes in technology and attitudes towards privacy. In this article, we will discuss the current status of COPPA, potential additions to it, and how website operators can ensure their compliance in the meantime.
So, what is COPPA? The Children’s Online Privacy Protection Act (COPPA) is a U.S. law that governs the way websites collect and use minors’ data online. It was first passed when computers broke into the mainstream in the late 1990s and had its corresponding guidelines, the COPPA rule, enacted in 2000.
This set of regulations mandates that website operators and online services take special steps when processing children’s information – more than would be taken if they were adults. Applying to websites catered to children under the age of 13, COPPA requires the verifiable consent of a parent or legal guardian for any data collection, use, and/or disclosure. This includes data gathered through cookies, plugins, and other tracking technologies.
COPPA applies to all websites that are operated in the U.S., which have actual knowledge that they are collecting, using, or disclosing personal information from children under the age of 13. In addition to websites and online services, this also includes mobile apps, connected toys, and other technologies.
The Federal Trade Commission (FTC) is responsible for enforcing COPPA. It also provides a compliance guide and FAQ section to help website operators comply with the regulations. The FTC can bring civil suits against organizations that violate COPPA, which could result in hefty fines or other penalties.
The Problem With COPPA
Although COPPA is a prominent law that has been around for over two decades, it remains very difficult to comply with. The guidelines are complex and can be hard to understand, especially for small-scale websites that don’t have the resources for a legal team. Additionally, the law does not provide a single standard for obtaining consent from parents or guardians, leaving website operators to develop their own methods.
The outdated nature of COPPA is also an issue, as it does not take into account more modern forms of data collection, like facial recognition technology and voice recording. This lack of clarity has led to many organizations being unclear on how to properly comply with the law.
Furthermore, the enforcement of COPPA is often lax and inconsistent. Even if companies are compliant with all of the guidelines, it can be hard to prove that they have taken the necessary steps. This can lead to issues with enforcement or audits, which could result in hefty fines – $42,530 per violation, per child – if companies are found to be non-compliant.
Potential Updates to COPPA
In lieu of the obvious holes existent in the current framework, government regulators are exploring new updates to the law that could make it more effective.
In September 2022, Senator Ed Markey, who helped first institute the bill, Senator Richard Blumenthal, Representative Kathy Castor and Representative Lori Trahan issued a letter to the Federal Trade Commission formally requesting that privacy legislation be updated. It touched upon several laws, but specifically mentioned COPPA and the changes needed to make it more effective.
These changes include:
- Expanding the law’s definition of ‘personal information’
- Introducing rules to the law’s requirement of protecting the security, confidentiality, and integrity of minors’ data
- Implementing new protections for online platforms used for educational purposes
- Outlining rules regarding COPPA’s prohibition against encouraging children to share more information than is reasonably necessary
The COPPA rule was last updated back in 2013, which we probably don’t have to tell you was nearly a decade ago. The internet has changed greatly since then, and proponents of the letter believe it’s about time new changes were implemented.
But this isn’t the only initiative in the works; the FTC has been conducting a rule review since 2019 and has been taking public comments over the past few years. The Commission says its review has received over 176,000 comments from a variety of stakeholders and is currently evaluating them.
Potential Additions to COPPA
Aside from direct changes, lawmakers are also mulling over the possibility of introducing entirely new bills aimed at addressing the protection of minors’ data.
One such bill, known as COPPA 2.0, would prohibit companies from collecting the personal information of users between the ages of 13 and 16 years without direct consent. It would also ban marketing specifically targeted to children, institute an ‘eraser button’ that allows users to eliminate their data from a website and mandate and establish a Youth Privacy and Marketing Division at the FTC.
KOSA, the Kids Online Safety Act, is also worth mentioning. This legislation is aimed at regulating website design as it relates to children and proposes regulations around preventing minors’ exposure to harmful content, providing children and parents with adequate privacy controls and limiting features that extend the use of a service.
KOSA would also mandate that websites default to the strictest privacy settings and would require companies to provide comprehensive privacy policies that are easy to understand and follow.
These bills have yet to pass, but it’s clear that lawmakers are taking steps to better protect the information of minors.
COPPA is an important law that provides protection for minors online, but it also remains outdated and difficult to comply with. In order to ensure everyone’s safety, government regulators are exploring updates and additions to the law that could make it easier for website operators to understand and comply with.
As these new measures are being discussed and debated, website operators should continue to stay informed about the changes and make sure their websites remain compliant with the current version of COPPA. Until then, there is still plenty they can do to protect minors’ data, such as using encryption and anonymization techniques, providing clear and transparent privacy policies, and implementing parental consent mechanisms.
In the end, protecting the security, confidentiality and integrity of minors’ data online is paramount. Whether through legislative updates or independent measures, everyone must do their part to ensure that our children are safe online.