Children’s Online Privacy Protection Act (COPPA), P.L. 105-277

Congress, the Clinton Administration, and the Federal Trade Commission (FTC) initially focused their attention on protecting the privacy of children under 13 as they visit commercial websites. Not only are there concerns about information children might divulge about themselves, but also about their parents. The result was the Children’s Online Privacy Protection Act (COPPA), Title XIII of Division C of the FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act, P.L. 105-277.1 The FTC’s final rule implementing the law became effective April 21, 2000 [http://www.ftc.gov/os/1999/10/64fr59888.htm]. Commercial websites and online services directed to children under 13, or that knowingly collect information from them, must inform parents of their information practices and obtain verifiable parental consent before collecting, using, or disclosing personal information from children. The Commission adopted a “sliding scale” for complying with the verifiable consent requirement depending on how the data would be used. That is, if the information was for internal use only, the verifiable consent could be obtained from the parent by e-mail, plus an additional step to ensure the person giving consent is, in fact, the parent. If the website operator planned to disclose the information publicly or to third parties, a higher standard was set. This sliding scale was set to expire in 2002 with the expectation that better verification technologies would become available. However, in 2002, the FTC determined that such technologies still were not available, and the sliding scale was extended to April 12, 2005. In 2005, the Commission extended it again, and is seeking public comment on how to proceed, as part of its overall review of the COPPA rule.2

The law also provides for industry groups or others to develop self-regulatory “safe harbor” guidelines that, if approved by the FTC, can be used by websites to comply with the law. The FTC approved self-regulatory guidelines proposed by the Better Business Bureau on January 26, 2001. On June 11, 2003, then-FTC Chairman Timothy Muris stated in testimony to the Senate Commerce Committee that the FTC had brought eight COPPA cases, and obtained agreements requiring payment of civil penalties totaling more than $350,000.3

As required by COPPA, on April 21, 2005, the Commission issued a request for public comment on its final rule, five years after the rule’s effective date.4 Comments were requested on the costs and benefits of the rule; whether it should be retained, eliminated, or modified; and its effect on practices relating to the collection of information relating to children, children’s ability to access information of their choice online, and the availability of websites directed to children.

Endnotes

1 COPPA should not be confused with COPA — the Child Online Protection Act — which addresses protecting children from unsuitable material, such as pornography, on the Internet. COPA is discussed in CRS Report RS21328, Internet: Status of Legislative Attempts to Protect Children from Unsuitable Material on the Web, by Marcia S. Smith.
2 “FTC Seeks Public Comment on Children’s Online Privacy Rule.” FTC press release, April 21, 2005. See [http://www.ftc.gov/opa/2005/04/coppacomments.htm]. (Hereafter cited as FTC Seeks Public Comment on Children’s Online Privacy Rule.)
3 Prepared statement of Timothy Muris, Chairman, Federal Trade Commission, p. 10, available at [http://commerce.senate.gov/hearings/witnesslist.cfm?id=807].
4 FTC Seeks Public Comment on Children’s Online Privacy Rule.