Skip to main content

20 Years Young: The History and Maturing of COPPA in a Privacy-Conscious Age

Image
By CARU Staff

1998: A Concern for Children’s Privacy Was Born

From the moment home computers had the capacity to connect to the Internet, children had the ability to use these technologies to access online websites and services. In the 1990s, concerns about children’s privacy and safety online arose amid fears of marketing practices around selling children’s personal information and exposing children’s information to predators.

The Children’s Advertising Review Unit (CARU), founded in 1974, has always been on the forefront of safeguarding children’s privacy. CARU is the self-regulatory arm of the children’s advertising industry, tasked with promoting truth in children’s advertising by reviewing and evaluating child-directed ads in all media to ensure they are truthful, accurate and appropriate. CARU also monitors online privacy practices as they affect children.

Before there was any legislation on the matter, CARU monitored a burgeoning Internet and observed how children’s privacy and safety were being compromised. CARU’s mandate has always been to preserve the interests of children while ensuring that advertisers have clear ways to responsibly reach the child audience.
In 1996, two years before the passage of legislation, CARU formally updated its guidelines to include a section titled “Interactive Electronic Media” (now, “Guidelines for Online Privacy Protection”), governing the privacy and safety of children under age 13 on the Internet. At that point, it was clear that there was a growing need for oversight on the Internet. Several articles and studies were published that raised awareness of widespread data collection and advertising practices targeted at children online. In fact, these reports uncovered hundreds of sites ostensibly collecting personal information from children without obtaining parental permission[1].

In response, federal legislators passed the Children’s Online Privacy Protection Act (COPPA) in 1998, which became effective on April 21, 2000. When the FTC drafted COPPA, it based the law on CARU’s original "Interactive Electronic Media" guidelines. The law applies to online websites or service operators that (1) directly target children to collect, use or disclose personal information from children, or (2) have actual knowledge that that they are collecting, using or disclosing personal information from children. “Children,” as defined by COPPA, includes individuals under the age of 13.

COPPA authorized the Federal Trade Commission (FTC) to promulgate rules to further the law’s mandates, and gives it the power to obtain civil penalties for noncompliance. For a great primer on COPPA written to help businesses understand what they need to do to comply, click here.

The goal of the legislation was to protect personal information collected from children. The law requires online service operators to provide a transparent and accessible privacy policy; to obtain verifiable parental consent before collection, use or disclosure of personal information from children (with narrow exceptions, e.g., internal operational purposes, one-time responses and email plus verification for certain uses); to implement heightened security practices; and other requirements on how to specifically protect children’s personal information. COPPA also places limits on the use of children’s personal information for direct marketing purposes.

2013: COPPA Experiences Its First Growth Spurt

To understand COPPA better, let’s look at how it has evolved along with digital media. In 2013, the FTC revised the COPPA rules to broaden the definition of children’s personal information to include data types such as persistent identifiers, cookies, geolocation information, photos, videos and audio recordings. Before this update to the definition, an Internet Protocol address (an identifier that differentiates a device from other devices, including its general location) was considered nonpersonal information. This was done after extensive public comments and reflects relatively minor revisions to the regulations implementing the law.

When the COPPA revisions went into effect in July 2013, CARU updated its guidelines to lay the foundation to enforce the newly fortified law. In particular, with respect to the newly defined forms of personally identifiable information as well as COPPA’s new prohibition on behavioral targeting without parental consent.

2017: COPPA Matures and Adapts to Its Surroundings, and Considers the Future

In 2017, the FTC updated its COPPA compliance plan to clarify how COPPA applies to evolving technologies such as audio recordings, and to reiterate that COPPA applies to any type of device that connects to the Internet (including Internet of Things devices such as connected toys). The FTC also added new acceptable ways of obtaining verifiable parental consent (e.g., asking knowledge-based authentication questions and using facial recognition to get a match with a verified photo ID). These changes reflect some of the cultural changes in the use of technology among children. As COPPA is interpreted now, it applies to any service, application or device that connects to the Internet and is targeted toward children. This includes video game consoles, educational or classroom connected devices, hospital medical connected devices, online websites, connected toys, and mobile applications. Third-party advertisers should note that if they are advertising on particular online services, COPPA also applies to third-party advertising plug-ins or other features.

CARU: Self-Regulation Guides Child-Directed Online Services Toward Compliance

Since COPPA’s nuances can be difficult to interpret, especially for newcomers to the space, the law has a “safe harbor” provision designed to enable industry groups or others to assist companies with COPPA compliance. Members of the safe harbor are presumed to be in compliance with COPPA and essentially insulated from FTC action. CARU was the first FTC-approved safe harbor program back in 2001 and continues to be a leader in supporting COPPA through providing guidance to industry and acting as a leader in self-regulation.

In addition to COPPA, CARU also promulgates the Self-Regulatory Program for Children’s Advertising (the Guidelines). The Guidelines serve as a road map of policies and procedures for advertising industry self-regulation. Adherence to such principles is an effective framework that holds advertisers responsible for their practices and encourages consumer trust in the marketplace. With the proliferation of online advertising, and most notably the thousands of free apps supported by advertising, the intersection of COPPA and advertising compliance has proven challenging for content providers and advertisers to navigate.

Although the Guidelines and COPPA have many similarities, they have never been identical. In some instances, CARU’s Guidelines go beyond the requirements of COPPA, raising the bar for industry by recommending best practices it believes are in children’s best interests, including advertising practices, which are largely unaddressed by COPPA. For all safe harbors, the minimum standard is compliance with the law; however, safe harbors have the option to raise the bar, and some do.

CARU has been active in monitoring the industry for violations of its Guidelines as well as of COPPA. When CARU sees an instance of noncompliance with either its Guidelines or COPPA, it seeks change through voluntary cooperation of advertisers and online operators. In instances where companies fail to cooperate with CARU, under its procedures, CARU has the power to refer those companies to the FTC for government review. While the FTC often acts on CARU’s referrals and recommendations, the large majority of companies are happy to work with CARU and are grateful for the privacy tutorial to bring them into compliance. To date, CARU has closed more than 200 COPPA-related cases, making the space safer for children.

COPPA’s 20th Anniversary and Beyond

Oct. 21, 2018, marked the 20th anniversary of COPPA. Over the years, COPPA has evolved to adapt to the continuously changing technology landscape. From the beginning, CARU has been there to help enforce COPPA and give industry guidance on how to interpret it. COPPA remains as relevant today to the protection of young children as it was 20 years ago, and recent state and federal enforcement actions show that companies continue to encroach on children’s privacy. CARU remains vigilant and the FTC continues to extract significant financial penalties from companies that disregard COPPA.

The FTC’s most recent settlement in the TikTok case was for $5.7 million for a mobile app that knowingly allowed children to post videos and share personal information without parental consent. This record-breaking settlement was the result of a CARU referral to the FTC.

In addition to CARU and the FTC keeping an eye on children’s privacy and bringing enforcement actions for COPPA noncompliance, state attorneys general (AGs), who also have COPPA enforcement authority, have increased their focus on children’s personal information issues. For example, in September 2018, the New Mexico AG filed a lawsuit against a number of social media companies that is still ongoing. In February 2019, the New York AG settled with Oath (a Verizon subsidiary created from the merging of AOL and Yahoo) for $4.95 million with a company for violating COPPA by conducting billions of auctions for ad space on hundreds of websites the company knew were directed at children. The company allegedly collected, used and disclosed children’s personal information, enabling advertisers to track and serve targeted ads to children.

In March 2019, legislators including Sen. Ed Markey (D-Mass.), COPPA’s original author, introduced the Do Not Track Kids Act in Congress, a bill meant to expand COPPA’s reach to teenagers. To learn more, click here. The bill is in stride with global trends, such as the European Union’s General Data Protection Regulation, enacted in 2018, that requires verifiable parental consent before processing the personal information of children under the age of 16 (unless an EU Member State sets the age lower, with 13 being the youngest). Markey’s bill also accords with local state laws such as California’s Privacy Rights for California Minors in the Digital World law (enacted in 2015, allowing California residents under the age of 18 to delete publicly available personal information they have submitted) and the California Consumer Protection Act (passed in September 2018, requiring, among other things, opt-in consent to the selling of personal information of children under 16). As currently drafted, the bill seeks to expand COPPA to include children from under the age of 13 to under the age of 16, and includes additional data control rights such as providing parents and children the ability to delete publicly available personal information submitted by a child. While this bill is currently in its early stages and presents serious public policy questions about the age society should deem youth too developmentally immature to have free rein on the Internet, it demonstrates the continued focus legislators are placing on children’s privacy issues.

The future of COPPA seems to reflect its past – regulators and legislators seek to continue to adapt its interpretation and application to evolving technologies and cultural changes in the use of such technologies among children. CARU’s role also remains as relevant as it was 20 years ago. The FTC relied then on CARU’s expertise when drafting the law and continues to rely on CARU’s monitoring to ensure a safer online space.

Companies that market to or provide content to children, or that are reasonably attractive to them, need to be aware of COPPA and how to comply with its mandates. CARU remains vigilant, monitoring the Internet and opening privacy-related inquiries where appropriate. To remain insulated from CARU and FTC enforcement, the solution is simple; CARU recommends that to avoid issues like those above, companies should join its robust safe harbor program.

For more information about CARU's COPPA Safe Harbor, visit us online or contact CARU's director, Dona Fraser 

Follow us on Twitter or LinkedIn to keep up with what CARU is doing as well as industry-related news.


 By, Katie Goldstein

[1] “Web of Deception” by Kathryn Montgomery.

Labels:

Popular posts from this blog

CARU Speaks at Community Board in Manhattan

By
CARU staff attorney Andra Dallas gave a presentation to Community Board 1, serving lower Manhattan on Monday, December 7 th .  Andra spoke to the Board’s Youth Committee about the importance of teaching children about understanding advertising and safe online practices.  District Manager Noah Pfefferblit remarked, “thank you for your informative presentation to our Youth Committee members,” and offered the Board’s assistance if they “can be helpful to the important efforts at the Children's Advertising Review Unit.” Are you interested in having a CARU staff member visit your community board? Contact adallas@caru.bbb.org.
Read more

i-Dressup Shuts Down in Wake of Privacy Breach and COPPA Violation

By CARU Staff
I-Dressup, a fashion-themed social website for teens, has completely shut down as part of a settlement with the New Jersey Department of Consumer Affairs, following a massive privacy breach and violations of the federal Children's Online Privacy Protection Act (COPPA) and New Jersey state law. In September 2016, a hacker sent 2.2 million i-Dressup account credentials to technology blog Arstechnica as well as to haveibeenpwned.com, a searchable online database of data breaches. Responding to the news, New Jersey investigators discovered that 2,519 of the compromised accounts belonged to New Jersey children below age 13. I-Dressup, allegedly aware that it had child users, had violated COPPA by failing to obtain verifiable parental consent prior to collecting and processing personal information from the children, including first and last names and email addresses. In a consent decree with the New Jersey Attorney General Gurbir Gerwal, parent company Unixiz has closed i-Dressup,
Read more

Kids Internet Design and Safety Act Seeks to Protect Children from Harmful Online Content

By CARU Staff
United States Senators, Mr. Richard Blumenthal from Connecticut and Mr. Edward Markey from Massachusetts, introduced a new bill referred to as the Kids Internet Design and Safety Act (the “KIDS Act”). One of the Senator’s introducing the KIDS Act, Mr. Edward Markey, was the co-author of the Children’s Online Privacy Protection Act (“COPPA”). The KIDS Act seeks to include noteworthy advertising rules and create new protections for children online, specifically for online users under the age of 16. The proposed advertising rules within the KIDS Act are to ban websites from: (1) exposing young online users to advertisements “with embedded interactive elements”; (2) recommending any content involving alcohol, nicotine, or tobacco to young online users; and (3) recommending content that includes influencer marketing, like unboxing videos, or host-selling to young online users. Additionally, the KIDS Act seeks to prohibit certain online features to protect children, like prohibiting
Read more