Let's Start with the Basics: Are Children Protected Online?

Parent and Teacher Privacy Resources

Let's Start with the Basics: Are Children Protected Online?

• What privacy protections do children have online? 
• How can I help protect kids' privacy?

A national law sets the stage

Back in 1998, in the "Privacy Online: A Report to Congress," the Federal Trade Commission (FTC) urged Congress to develop legislation that would put parents in control of how their children's personal information is collected online and used. Four months later, Congress enacted the Children's Online Privacy Protection Act (COPPA), a law intended to help parents protect children's privacy.

So, who is covered as a "child"?

For the purposes of COPPA, a "child" refers to a person younger than age 13. Teens are not included. Really? So a 13-year-old is considered an adult? That would be a "yes." COPPA prohibits operators of commercial websites or online services to collect personal information from children younger than 13 unless the operators undertake certain safeguards. First, there must be a notice posted online describing the operator's practices related to the collection, use, and disclosure of children's personal information. Second, the operators must obtain "verifiable parental consent" (VPC) to be able to collect, use, or disclose children's personal information.

What counts as "personal information" under COPPA? 

The current COPPA Rule, which went into effect on July 1, 2013, defines "personal information" as "individually identifiable information about an individual collected online," including:

1. A first and last name.
2. A home or other physical address, including street name and city or town.
3. Online contact information, which means an email address or any other substantially similar identifier that permits direct contact with a person online, including but not limited to, an instant-messaging user identifier, an identifier for voice over internet protocol (VOIP), or a video-chat user identifier.
4. A screen name or username where it functions in the same manner as online contact information, as defined in this section.
5. A telephone number.
6. A Social Security number.
7. A persistent identifier that can be used to recognize a user over time and across different websites or online services. Persistent identifiers may include a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier.
8. A photograph, video, or audio file containing a child's image or voice.
9. Geolocation information sufficient to identify a street name and the name of a city or town.
10. Information concerning the child or the child's parents that the operator collects online from the child and combines with an identifier described in this definition.

Attachment A tracks how COPPA's definition of "personal information" has changed since 1998. As the FTC has been conducting its regulatory review of the COPPA Rule since 2019, more changes may be forthcoming.

How can we provide consent? (Or not!)

COPPA uses broad strokes to define verifiable parental consent. It defines VPC as any reasonable effort (considering available technology) to ensure that a parent receives notice of the operator's practices related to the collection, use, and disclosure of personal information and then authorizes the collection, use, and disclosure of personal information before that information is collected from the child. For the purposes of COPPA, a parent includes a legal guardian.

Unless the collection fits into one of the COPPA Rule's exceptions, the Rule generally requires a person operating a commercial website or an online service to obtain VPC before collecting any personal information from a child.

Although COPPA does not define or prescribe specific methods for obtaining parental consent, it provides several examples of which parental consent methods satisfy COPPA's requirement for VPC. The COPPA Rule further clarifies that any method to obtain VPC must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent. These methods include:

1. Providing a consent form to be signed by the parent and returned to the operator by postal mail, fax, or electronic scan.
2. Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder.
3. Having a parent call a toll-free telephone number staffed by trained personnel.
4. Having a parent connect to trained personnel through video conference.
5. Verifying a parent's identity by checking a form of government-issued identification against databases of such information, where the parent's identification is deleted by the operator from its records promptly after such verification is complete.
6. A company that does not "disclose" (as defined by COPPA Rule § 312.2) children's personal information may use an email coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include sending a confirmatory email to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call. A company that uses this method must provide notice that the parent can revoke any consent given in response to the earlier email.

Attachment B tracks how methods for VPC have changed since 1998. 

The most significant change was the introduction of the safe harbor program, an FTC program that allows industry groups or other organizations to submit for the FTC's approval self-regulatory guidelines that implement the COPPA Rule protections. Companies that comply with the approved guidelines receive a seal to display on their websites, making it easy for parents to identify products that are compliant with the COPPA Rule. Currently, the FTC has approved seven safe harbor organizations, including TRUSTe and kidSAFE. 

As the FTC is currently reviewing COPPA, more changes related to the methods of obtaining VPC may be forthcoming.

What happens if companies break the law?

Congress empowered the FTC with the authority to create rules implementing COPPA. On April 21, 2000, the FTC's COPPA Rule went into effect. In the preceding press release, the FTC alerted the operators of the commercial websites that they would be breaking federal law if they collected personal information from children younger than 13 without the consent of their parents.

Congress also empowered the FTC with the authority to enforce COPPA and bring actions against companies that failed to comply with the provisions of the law. Since enacting its COPPA Rule, the FTC has brought 33 enforcement actions. 

Well, the internet has changed a bit since 1998, so …

Another responsibility of the FTC is to make sure that the COPPA Rule keeps pace with changes in technology, the development of new business models involving data collection, and the evolving ways that children interact with online services. This obligation triggered amendments to the COPPA Rule in 2013. Other contributing factors included: 

• The rise in social media platforms allowing children to upload photos and videos.
• The explosive use of smartphone technology permitting the collection of precise geolocation information.
• The use of behavioral advertising for children. 

The FTC typically reviews its Rules every 10 years to ensure that they have kept up with changes in the marketplace, technology, and business models. Yet the FTC initiated the COPPA Rule review process in 2019, ahead of the regular schedule. Aware that the online environment for children continues to evolve at a rapid pace, and faithful to its goal to stay alert to the technological innovation, the FTC sought public comments on how the COPPA Rule should apply, given the growth of education technologies, the use of voice-activated connected devices, and the prevalence of platforms that host third-party content. There were 118,985 public comments submitted. Common Sense Media was among the participants to submit comments.

What can we do to protect kids?

1. Check out our privacy evaluations, then choose and use products with better privacy ratings.
2. Education, education, and yes, more education. The Digital Citizenship Curriculum has sections on privacy education for kids and their parents. 
3. Stay up to date on tech with our quick guide.
4. School districts can join our privacy work at the District Consortium.