On the Internet, Nobody Knows You’re a Kid: COPPA Compliance for Beginners

Sean Doolittle

BC EIC Law Student

October 20, 2023

Privacy seems to be on every tech industry analyst's mind nowadays. Law enforcement agencies are partnering with genetic testing services to conduct “DNA drives,” opening up relatives’ genetic markers for commercial exploitation without their consent. Italy’s data protection authority temporarily blocked the popular new generative AI service ChatGPT over privacy concerns. Elon Musk found himself under investigation earlier this year over X’s (née Twitter’s) alleged failure to comply with cybersecurity and privacy orders from the Federal Trade Commission.

We live in the era of big data, where tech companies collect and then exchange consumer data with countless third parties — often derived from mobile app usage, website cookies, and other “smart” technologies — in order to learn what makes us consumers tick. Perhaps surprisingly, the United States lacks a single, comprehensive federal privacy law like the European Union’s General Data Protection Regulation (GDPR); what we have instead is a regulatory patchwork that leans heavily on the individual states to fill in the gaps. Efforts to pass such a law, like the American Data Privacy and Protection Act (ADPPA), have stalled in Congress, although they continue to enjoy largely bipartisan support.

One of the few federal privacy laws on the books is the Children’s Online Privacy Protection Act of 1998, better known as COPPA. In the late 1990s, at the height of the dot-com boom, lawmakers began to recognize that the nascent but rapidly growing internet was a lawless “wild west.” No population was at greater risk of exploitation than digitally native children, who often surpassed their parents in computer usage and technical understanding. COPPA, implemented by the FTC’s COPPA Rule (16 C.F.R. Part 312), imposes a number of requirements on the “operators” of websites and other online services that collect personal information from users under the age of thirteen.

What sort of data is protected? COPPA takes an expansive view of protected data, covering all sorts of “personally identifiable information,” or PII. Under the COPPA Rule, personal information includes first and last name, physical and electronic addresses, telephone and social security numbers, photographs, video, or audio containing a child’s image or voice, geolocation data precise enough to identify a street and city, and, since the 2013 amendments to the Rule, persistent identifiers that can recognize a user over time and across sites, such as cookie IDs, IP addresses, and device identifiers. That last category matters for engineers: an analytics SDK or advertising cookie that never asks a child for a name can still be collecting “personal information.” Courts have also been asked to interpret PII under related privacy laws; the Third and Ninth Circuits, in cases brought under the Video Privacy Protection Act, have read PII to mean information that would readily permit an “ordinary person” (that is, someone lacking expert technical skills) to identify a particular individual, a test under which a bare device serial number or IP address did not qualify. COPPA’s own definition is broader because it names persistent identifiers expressly. Even novice internet users can recall sharing something that would personally identify them online; in fact, sharing information about oneself is often a prerequisite for accessing online services.

Regulatory compliance is one of the most important considerations for entrepreneurs and their new startup businesses. Any business operating an “online service” within the United States must understand its duties when collecting data from children, lest it face serious legal and economic consequences. Just this last year, the popular social media app TikTok was fined €345m by Ireland’s Data Protection Commission for GDPR violations in its handling of children’s accounts, and Epic Games, the studio behind the video game phenomenon Fortnite, settled with the Federal Trade Commission for a $275m civil penalty over COPPA violations, part of a $520m package that also covered consumer refunds for deceptive “dark pattern” billing practices.

How can a startup avoid these privacy pitfalls? Compliance begins with understanding the types of businesses to which the law applies. COPPA quite simply makes it illegal for organizations that run websites or other online services (like apps and games) directed to children to collect personal information from children outside the strict bounds of the law. The FTC weighs a number of factors, taken together, to determine whether a service is “directed to children,” including its subject matter, visual and audio content, the use of animated characters, the presence of child-oriented activities and incentives, the age of models, the language used, the advertising that appears on the service, and empirical evidence about the actual age of its audience.

But COPPA is not limited in its application to services directed to children; if the operator of a general-audience service has “actual knowledge” that it has collected the personal information of someone under the age of thirteen, it falls under the purview of the law. An age field on a signup form, a birthday in a profile, or a complaint from a parent can each supply that knowledge, so a service that asks for an age must act on the answer rather than ignore it. While relatively few websites are categorized as explicitly “directed to children,” the actual knowledge clause broadens the net cast by COPPA to capture many — if not most — websites.

First and foremost, entrepreneurs must ensure that their online service provides clear and prominent notice of its data collection practices and discloses how the information is subsequently used (including sale or exchange with third parties). That notice takes two forms: a privacy policy posted online, and a direct notice to parents, because “verifiable parental consent” is the sine qua non of COPPA. That said, the FTC is not overly prescriptive about the manner in which verifiable parental consent is gathered; any method “reasonably calculated, in light of available technology,” to ensure that the person giving consent is actually the child’s parent will satisfy the Rule. The Rule lists several approved methods, including a signed consent form returned by mail, fax, or scan, a credit or debit card transaction that notifies the account holder, a toll-free telephone call or video conference with trained staff, and verification of a government-issued ID. Where the information is used only internally and never disclosed, a less rigorous “email plus” method (consent by email followed by a confirming step) is also permitted.

Importantly, parental consent is freely revocable at any time. Upon request, an operator must describe the kinds of information it has collected from a child, give the parent a way to review that information, and delete it if the parent refuses further use or collection. It is imperative for internet-based businesses, and startups in particular, to realize that their obligation does not end with the receipt of parental consent; the obligation is ongoing. The Rule requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of children’s personal information, to release it only to service providers and third parties capable of maintaining that protection, to retain it only as long as reasonably necessary to fulfill the purpose for which it was collected, and then to delete it using reasonable measures against unauthorized access. A written retention schedule and a tested deletion path are therefore compliance controls, not merely good hygiene.

Of course, a prudent new venture would not limit itself to bare regulatory compliance given the fast-moving nature of the tech industry. Recent attempts at passing privacy legislation indicate a growing appetite for stricter data protections for consumers (and especially children), including proposals to extend COPPA’s protections to teenagers above the current threshold of thirteen. As a result, entrepreneurs would be wise to err on the side of caution when it comes to handling personal information online.