What the United States’ children’s privacy law does and doesn’t do For two decades children’s digital privacy in the United States has been regulated by a national law: the Children’s Online Privacy Protection Act. The law limits how companies can collect data on children under 13 years old. If website operators don’t properly adhere to the rules outlined in the act, they could face massive fines. In September, the Federal Trade Commission announced against YouTube, in which the Google-owned service agreed to pay $170 million to settle alleged COPPA violations. a record-breaking penalty But the law has also faced criticism, with some lawmakers and advocates arguing that it doesn’t go far enough. Here’s what it does and does not do. What COPPA Does COPPA, which went into effect in 2000, requires websites and services that want to collect personal information about children under 13 — including real names, screen names, or contact information — to post privacy policies and get before obtaining the data. parental consent In 2013, the FTC expanded the rules to require sites or services to get parental permission before collecting geolocation information, photos, video, and any “persistent identifiers,” like cookies. To meet the requirement, some services may have a parent or call a phone number, but many simply ask for age at sign-up and stop users who say they are under 13 from joining. sign a consent form The law includes fines for companies that fail to comply. In one notable early case, from 2003, Mrs. Fields Cookies and Hershey’s Foods paid civil penalties of $100,000 and $85,000, respectively, to that portions of their websites improperly collected data on children. settle allegations A few years later, the fines were already escalating: The social networking service Xanga that it had created more than 1.7 million Xanga accounts for users who provided information indicating they were under 13 years old. paid $1 million in 2006 to settle FTC charges Last year, in another record for the time, Musical.ly — which has since become TikTok — agreed to pay $5.7 million violations of COPPA. That record was shortly eclipsed by the $170 million YouTube penalty.  (YouTube has since concerning children’s content, disabling some features and limiting data collection for videos aimed at kids.) to settle alleged changed its rules What COPPA Doesn’t Do The law applies to websites that are aimed at children under 13, but that standard : If a service uses animated characters in ads, for example, or the service’s subject matter is something clearly appealing to kids, like toys, it might fall under COPPA. is somewhat vague General-interest sites are also responsible for complying with COPPA if they have “actual knowledge” that they’re collecting data on kids under 13. The standard, critics argue, is far from onerous: A website may ask for age at sign-up but isn’t required to verify it. Popular services like YouTube and Facebook ask for age at sign-up, but there’s little stopping users from lying. Instead, services say they if moderators determine the user is under age. terminate users’ accounts One 2006 comment to the FTC, cited in on COPPA, noted a report “there is no conceivable way, short of locking a child in a closet and not letting him out until adulthood, to absolutely prevent a child from viewing age inappropriate websites.” The FTC itself has also been criticized for the perception that it’s overly lax in enforcing the law — that even massive penalties, like the 2019 YouTube fine, don’t go far enough to deter companies from violating COPPA. The Electronic Privacy Information Center, for example, has said “the FTC has not adequately enforced COPPA in recent years, failing to act on complaints in a timely way.” The agency has also been as being under-resourced. advocacy groups have argued broadly criticized While press releases might trumpet the size of fines, those penalties are still only a traffic ticket for some major companies. YouTube’s $170 million fine, for example, amounted to just a tiny fraction of , which in turn was only about 10 percent of overall Google revenue. the company’s 2019 revenue of $15 billion “We think there should be stronger enforcement of COPPA,” Ariel Fox Johnson, senior counsel for policy and privacy at Common Sense Media, said. She said the “actual knowledge” standard could be lowered to “constructive knowledge.” Under that standard, website operators wouldn’t have to be directly informed that kids are on their service — the FTC would have to prove only that, had companies done their due diligence, they would have known they were collecting data on children. Where Will COPPA Go Next? As countries like the United Kingdom youth privacy laws, officials have taken a closer look at COPPA. Last year, the FTC announced that it was seeking comment on potential changes to its COPPA enforcement practices. “In light of rapid technological changes that impact the online children’s marketplace, we must ensure COPPA remains effective,” FTC chairman Joe Simons said in . The review that the agency will cave to pressure from the tech industry to weaken the law. pass their own a July statement has raised concerns Congress has also considered changes. from Rep. Kathy Castor (D-FL) would create new protections for teenagers between the ages of 13 and 17 and expand COPPA to explicitly include protections for data like biometric, health, and educational information. The bill would also give the FTC power to pursue higher financial penalties. A bill A different plan, by Sen. Edward J. Markey (D-MA) and Sen. Josh Hawley (R-MO), would create what they’ve pitched as a “COPPA 2.0” — an update to the law that would expand the ages covered by the law, requiring services to get user consent before tracking teens between 13 and 15 years old. Under the bill, the FTC would also create a division dedicated to examining youth privacy issues. introduced last year “Right now you turn 13, and you’re treated like a 35-year-old online,” Johnson said. The bill would also set a blanket ban on targeted advertising toward children under 13. “If we can agree on anything,” Markey said in a statement announcing his and Hawley’s legislation at the time, “it should be that children deserve strong and effective protections online.” Credits Originally published as " Who’s Allowed to Track My Kids Online? " with the Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) license.

Facebook

Google

Hershey

Timely

YouTube

Every dollar you donate helps support The Markup’s work.

Read My Stories

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Who Can Spy on My Kids Online?

Too Long; Didn't Read

Companies Mentioned

The Markup

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Who Can Spy on My Kids Online?

Too Long; Didn't Read

Companies Mentioned

The Markup

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES