Business Blog
Happy 20th birthday, COPPA
October 20, 2018, marked 20 years since Congress passed the Children’s Online Privacy Protection Act. Many of the kids the law was originally designed to protect are now parents themselves. Looking back on two decades of COPPA, here are our five key takeaways.
The FTC continues to be committed to rigorous COPPA enforcement. At the direction of Congress, the FTC issued the COPPA Rule in 2000. Since then, we’ve brought 28 cases to enforce the Rule. Those cases have yielded more than $10 million in civil penalties and have put strong provisions in place to require those companies to change how they collect and protect kids’ personal information. Two recent examples: law enforcement actions against a seller of internet-connected toys and a web-based talent search firm charged with violating COPPA.
COPPA has responded to developments in technology. The only thing that moves as fast as kids is technology. The FTC has worked to keep COPPA current by amending the Rule to address innovations that affect children’s privacy – social networking, online access via smartphone, and the availability of geolocation information, to name just a few. After hosting a national workshop and considering public comments, we announced changes to the Rule in 2013 that expanded the types of COPPA-covered information to include photos, video, or audio files that contain a child’s image or voice. Even before widespread access to facial recognition software, voice-activated digital personal assistants, and internet-connected toys, we were taking steps to keep pace with the marketplace.
The FTC seeks new ways to ensure verifiable parental consent. Before collecting personal information from kids under 13, covered entities must get “verifiable parental consent.” That’s the centerpiece of COPPA, but right now there may not be a one-size-fits-all approach. What the law requires is a method “reasonably calculated, in light of available technology, to ensure the person providing consent is the child’s parent.” The Rule lays out a non-exhaustive list of approved methods, but also encourages the development of new ways of getting verifiable parental consent. In a creative form of crowdsourcing, the 2013 amendments added a procedure for seeking approval for innovative consent methods. Since then, the FTC has OKed two new methods: 1) a system that uses challenge questions; and 2) a way that combines photo verification with facial recognition through web or mobile devices.
COPPA recognizes the importance of self-regulation. By “incentivizing” companies’ self-regulatory efforts, the FTC’s Safe Harbor Program demonstrates our commitment to working with industry to help streamline COPPA compliance. So far, the FTC has approved seven Safe Harbor Programs that companies can work with to ensure their practices are up to scratch.
The FTC reaches out to companies to help them stay within the law. Looking for quick guidance on COPPA? Read our Six-Step Compliance Plan. If you’re ready for a deeper dive, your question may be answered in our COPPA FAQs. In the past few years, we’ve also issued an enforcement policy statement on COPPA’s applicability to collecting voice recording, held a public workshop on how COPPA applies to student privacy and Ed Tech, and fielded questions sent to COPPAHotLine@ftc.gov.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.