Children's Online Privacy Protection Act of 1998

Citation: Children’s Online Privacy Protection Act, Title XIII of Division C of the FY1999 Omnibus Consolidated and Emergency Supplemental Appropriations Act, Pub. L. No. 105-277.

Overview
With the growth of the Internet in its early years, Congress, the Clinton Administration, and the Federal Trade Commission (FTC) became concerned about protecting the privacy of children under 13 as they visit commercial websites. Not only were there concerns about information children might divulge about themselves, but also about their parents.

The result was the Children’s Online Privacy Protection Act (COPPA). The FTC’s Final Rule implementing the law became effective April 21, 2000.

Key Provisions
The Act specifies that operators of websites or online services directed to children or an operator who knowingly collect personal information from children:


 * 1) provide parents notice of their information practices;
 * 2) obtain prior, verifiable parental consent for the collection, use and/or disclosure of personal information from children (with certain limited exceptions for the collection of online information, e.g., email address);
 * 3) provide a parent, upon request, with the ability to review personal information collected from his/her child;
 * 4) provide a parent with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child;
 * 5) limit collection of personal information for a child’s online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity; and
 * 6) establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected.

The FTC adopted a “sliding scale” for complying with the verifiable parental consent requirement depending on how the data would be used. That is, if the information was for internal use only, the verifiable consent could be obtained from the parent by e-mail, plus an additional step to ensure the person giving consent is, in fact, the parent. If the website operator planned to disclose the information publicly or to third parties, a higher standard was set. This sliding scale was set to expire in 2002 with the expectation that better verification technologies would become available. However, in 2002, the FTC determined that such technologies still were not available, and the sliding scale was extended to April 12, 2005. In 2005, the Commission extended it again.

The law also provides for industry groups or others to develop self-regulatory “safe harbor” guidelines that, if approved by the FTC, can be used by websites to comply with the law. The FTC approved self-regulatory guidelines proposed by the Better Business Bureau on January 26, 2001. On June 11, 2003, then-FTC Chairman Timothy Muris stated in testimony to the Senate Commerce Committee that the FTC had brought eight COPPA cases, and obtained agreements requiring payment of civil penalties totaling more than $350,000.

As required by COPPA, on April 21, 2005, the Commission issued a request for public comment on its Final Rule, five years after the rule’s effective date. Comments were requested on the costs and benefits of the rule; whether it should be retained, eliminated, or modified; and its effect on practices relating to the collection of information relating to children, children’s ability to access information of their choice online, and the availability of websites directed to children.