1998: A Concern for Children’s Privacy Was Born
From the moment home computers had the
capacity to connect to the Internet, children had the ability to use these
technologies to access online websites and services. In the 1990s, concerns
about children’s privacy and safety online arose amid fears of marketing
practices around selling children’s personal information and exposing
children’s information to predators.
The
Children’s Advertising Review Unit (CARU), founded in 1974, has always been on
the forefront of safeguarding children’s privacy. CARU is the self-regulatory arm of the children’s
advertising industry, tasked with promoting truth in children’s advertising by
reviewing and evaluating child-directed ads in all media to ensure they are
truthful, accurate and appropriate. CARU also monitors online privacy practices
as they affect children.
Before there was any legislation on the matter, CARU monitored a burgeoning Internet and observed how children’s privacy and safety were being compromised. CARU’s mandate has always been to preserve the interests of children while ensuring that advertisers have clear ways to responsibly reach the child audience.
In 1996, two years before the passage of legislation, CARU formally updated its guidelines to include a section titled “Interactive Electronic Media” (now, “Guidelines for Online Privacy Protection”), governing the privacy and safety of children under age 13 on the Internet. At that point, it was clear that there was a growing need for oversight on the Internet. Several articles and studies were published that raised awareness of widespread data collection and advertising practices targeted at children online. In fact, these reports uncovered hundreds of sites ostensibly collecting personal information from children without obtaining parental permission[1].
In response, federal legislators passed the Children’s Online Privacy Protection Act (COPPA) in 1998, which became effective on April 21, 2000. When the FTC drafted COPPA, it based the law on CARU’s original "Interactive Electronic Media" guidelines. The law applies to online websites or service operators that (1) directly target children to collect, use or disclose personal information from children, or (2) have actual knowledge that that they are collecting, using or disclosing personal information from children. “Children,” as defined by COPPA, includes individuals under the age of 13.
In 1996, two years before the passage of legislation, CARU formally updated its guidelines to include a section titled “Interactive Electronic Media” (now, “Guidelines for Online Privacy Protection”), governing the privacy and safety of children under age 13 on the Internet. At that point, it was clear that there was a growing need for oversight on the Internet. Several articles and studies were published that raised awareness of widespread data collection and advertising practices targeted at children online. In fact, these reports uncovered hundreds of sites ostensibly collecting personal information from children without obtaining parental permission[1].
In response, federal legislators passed the Children’s Online Privacy Protection Act (COPPA) in 1998, which became effective on April 21, 2000. When the FTC drafted COPPA, it based the law on CARU’s original "Interactive Electronic Media" guidelines. The law applies to online websites or service operators that (1) directly target children to collect, use or disclose personal information from children, or (2) have actual knowledge that that they are collecting, using or disclosing personal information from children. “Children,” as defined by COPPA, includes individuals under the age of 13.
COPPA authorized the Federal Trade
Commission (FTC) to promulgate rules to further the law’s
mandates, and gives it the power to obtain civil penalties for noncompliance.
For a great primer on COPPA written to help businesses understand what they
need to do to comply, click here.
The goal of the legislation was to
protect personal information collected from children. The law requires online
service operators to provide a transparent and accessible privacy policy; to
obtain verifiable parental consent before collection, use or disclosure of
personal information from children (with narrow exceptions, e.g., internal
operational purposes, one-time responses and email plus verification for
certain uses); to implement heightened security practices; and other
requirements on how to specifically protect children’s personal information.
COPPA also places limits on the use of children’s personal information for
direct marketing purposes.
2013: COPPA Experiences Its First Growth Spurt
To understand COPPA better, let’s look at how it has evolved along with digital media. In 2013, the FTC revised the COPPA rules to broaden the definition of children’s personal information to include data types such as persistent identifiers, cookies, geolocation information, photos, videos and audio recordings. Before this update to the definition, an Internet Protocol address (an identifier that differentiates a device from other devices, including its general location) was considered nonpersonal information. This was done after extensive public comments and reflects relatively minor revisions to the regulations implementing the law.When the COPPA revisions went into effect in July 2013, CARU updated its guidelines to lay the foundation to enforce the newly fortified law. In particular, with respect to the newly defined forms of personally identifiable information as well as COPPA’s new prohibition on behavioral targeting without parental consent.
2017: COPPA Matures and Adapts to Its Surroundings, and Considers the Future
In 2017, the FTC updated its COPPA
compliance plan to clarify how COPPA applies to evolving technologies such as
audio recordings, and to reiterate that COPPA applies to any type of device
that connects to the Internet (including Internet of Things devices such as
connected toys). The FTC also added new acceptable ways of obtaining verifiable
parental consent (e.g., asking knowledge-based authentication questions and
using facial recognition to get a match with a verified photo ID). These
changes reflect some of the cultural changes in the use of technology among
children. As COPPA is interpreted now, it applies to any service, application
or device that connects to the Internet and is targeted toward children. This
includes video game consoles, educational or classroom connected devices,
hospital medical connected devices, online websites, connected toys, and mobile
applications. Third-party advertisers should note that if they are advertising
on particular online services, COPPA also applies to third-party advertising
plug-ins or other features.
CARU: Self-Regulation Guides Child-Directed Online Services Toward Compliance
Since COPPA’s nuances can be difficult
to interpret, especially for newcomers to the space, the law has a “safe harbor”
provision designed to enable industry groups or others to assist companies with
COPPA compliance. Members of the safe harbor are presumed to be in compliance
with COPPA and essentially insulated from FTC action. CARU was the first
FTC-approved safe harbor program back in 2001 and continues to be a leader in
supporting COPPA through providing guidance to industry and acting as a leader
in self-regulation.
In addition to COPPA, CARU also
promulgates the Self-Regulatory Program for Children’s Advertising (the
Guidelines). The Guidelines serve as a road map of policies and procedures for
advertising industry self-regulation. Adherence to such principles is an
effective framework that holds advertisers responsible for their practices and
encourages consumer trust in the marketplace. With the proliferation of online
advertising, and most notably the thousands of free apps supported by
advertising, the intersection of COPPA and advertising compliance has proven
challenging for content providers and advertisers to navigate.
Although the Guidelines and COPPA have many similarities, they have never been identical. In some instances, CARU’s Guidelines go beyond the requirements of COPPA, raising the bar for industry by recommending best practices it believes are in children’s best interests, including advertising practices, which are largely unaddressed by COPPA. For all safe harbors, the minimum standard is compliance with the law; however, safe harbors have the option to raise the bar, and some do.
CARU has been active in monitoring the
industry for violations of its Guidelines as well as of COPPA. When CARU sees
an instance of noncompliance with either its Guidelines or COPPA, it seeks
change through voluntary cooperation of advertisers and online operators. In
instances where companies fail to cooperate with CARU, under its procedures,
CARU has the power to refer those companies to the FTC for government review.
While the FTC often acts on CARU’s referrals and recommendations, the large
majority of companies are happy to work with CARU and are grateful for the
privacy tutorial to bring them into compliance. To date, CARU has closed more
than 200 COPPA-related cases, making the space safer for children.
COPPA’s 20th Anniversary and Beyond
Oct. 21, 2018, marked the 20th
anniversary of COPPA. Over the years, COPPA has evolved to adapt to the
continuously changing technology landscape. From the beginning, CARU has been
there to help enforce COPPA and give industry guidance on how to interpret it.
COPPA remains as relevant today to the protection of young children as it was
20 years ago, and recent state and federal enforcement actions show that
companies continue to encroach on children’s privacy. CARU remains vigilant and
the FTC continues to extract significant financial penalties from companies
that disregard COPPA.
The FTC’s most recent settlement in the TikTok case was
for $5.7 million for a mobile app that knowingly allowed children to post
videos and share personal information without parental consent. This
record-breaking settlement was the result of a CARU referral to the FTC.
In addition to CARU and the FTC keeping
an eye on children’s privacy and bringing enforcement actions for COPPA
noncompliance, state attorneys general (AGs), who also have COPPA enforcement
authority, have increased their focus on children’s personal information
issues. For example, in September 2018, the New Mexico AG filed a lawsuit against a number of social
media companies that is still ongoing. In February 2019, the New York AG settled with Oath (a Verizon subsidiary created from the merging of AOL and Yahoo) for
$4.95 million with a company for violating COPPA by conducting billions of
auctions for ad space on hundreds of websites the company knew were directed at
children. The company allegedly collected, used and disclosed children’s
personal information, enabling advertisers to track and serve targeted ads to
children.
In March 2019, legislators including
Sen. Ed Markey (D-Mass.), COPPA’s original author, introduced the Do Not Track
Kids Act in Congress, a bill meant to expand COPPA’s reach to teenagers. To
learn more, click here. The bill is in stride
with global trends, such as the European Union’s General Data Protection
Regulation, enacted in 2018, that requires verifiable parental consent before
processing the personal information of children under the age of 16 (unless an
EU Member State sets the age lower, with 13 being the youngest). Markey’s bill
also accords with local state laws such as California’s Privacy Rights for
California Minors in the Digital World law (enacted in 2015, allowing
California residents under the age of 18 to delete publicly available personal
information they have submitted) and the California Consumer Protection Act (passed
in September 2018, requiring, among other things,
opt-in consent to the selling of personal information of children under 16). As
currently drafted, the bill seeks to expand COPPA to include children from
under the age of 13 to under the age of 16, and includes additional data
control rights such as providing parents and children the ability to delete
publicly available personal information submitted by a child. While this bill
is currently in its early stages and presents serious public policy questions
about the age society should deem youth too developmentally immature to have
free rein on the Internet, it demonstrates the continued focus legislators are
placing on children’s privacy issues.
The future of COPPA seems to reflect
its past – regulators and legislators seek to continue to adapt its
interpretation and application to evolving technologies and cultural changes in
the use of such technologies among children. CARU’s role also remains as
relevant as it was 20 years ago. The FTC relied then on CARU’s expertise when
drafting the law and continues to rely on CARU’s monitoring to ensure a safer
online space.
Companies that market to or provide
content to children, or that are reasonably attractive to them, need to be
aware of COPPA and how to comply with its mandates. CARU remains vigilant, monitoring the Internet and opening privacy-related inquiries where appropriate. To remain insulated from CARU and FTC enforcement, the solution is simple; CARU recommends that to avoid issues like those above, companies should join its robust safe harbor program.
For more information about CARU's COPPA Safe Harbor, visit us online or contact CARU's director,
Dona Fraser.
Follow us on Twitter or LinkedIn to keep up with what CARU is doing as well as industry-related news.
By, Katie Goldstein