Coping With COPPA

While the Children's Online Privacy Protection Act of 1998 (COPPA) was designed to rein in commercial Web sites that target children as buyers of goods, it has caused legal difficulties for those who provide services such as camps, schools, after-school activities and sports clubs.

COPPA, the only law specifically to target online information privacy, applies only to Web sites that collect information from children. The providers of such services must regularly wrestle with the ways they collect prospects from their sites.

COPPA requires commercial Internet sites to refrain from collecting personal data from children under the age of 13 without parental consent. Internet-site operators have taken three mutually exclusive legal approaches to coping with COPPA:

• Securing verified parental consent;
• Preparing to manage a complaint; and
• Implementing substantial compliance procedures. While users of provider sites are usually parents looking for schools, camps and other such businesses or activities, children also use these sites and report their choices to their parents.

Many providers incorrectly assume they are in substantial compliance with the spirit of COPPA because they subsequently contact parents or guardians of children from whom they have collected data. The rationale is that it would be prohibitively expensive to determine the age of a site user beforehand, so they make sure they follow up with a parent or guardian.

If such behavior is representative of a significant sector of a particular industry (such as summer-camp operators) and presented to the Federal Trade Commission (FTC), a formal exemption from COPPA may be granted. However, without such a grant, the aforementioned activity is clearly unlawful.

Background

COPPA is a recent development in the area of privacy law concerning personal information. While privacy in one's private facts was part of Warren and Brandeis' original conception of privacy ' see Samuel D. Warren & Louis D. Brandeis, “The Right to Privacy,” 4 Harv. L. Rev. 193 (1890) ' courts subsequently found that a privacy right existed in a person's “personal information” separable from the subject of the information. See Whalen v. Roe, 429 U.S. 589 (1977). This right has gained importance as computers and the Internet have enabled governments, banks, schools and other third parties to rapidly collect, store and dispense personal information.

An individual's right in his or her personal information is narrow. The right to privacy is protected in the common law and the Constitution, but neither gives a person significant rights in his or her personal information. In particular, the Constitution protects personal information against government intrusion, but this interest in “avoiding disclosure of personal matters” is narrow.

Consider Whalen, where the Supreme Court declined to find that the government's recording of personal drug-prescription data desecrated the constitutional right to privacy because the information was satisfactorily protected.

The privacy torts typically do not apply to misuse of personal information of a person unless the information was taken from that person directly or from a private source with whom that person confided such personal information, such as a bank. Even under such circumstances, courts are unlikely to find misuse of “nonprivate” personal information to be “highly offensive to a reasonable person” ' which is the general standard for privacy torts.

Federal and state statutes have filled the void left by the common law and the Constitution. For example, Arizona, California, Florida, Hawaii, Illinois, Louisiana, South Carolina and Washington are among the states that have privacy provisions in their constitutions that have been applied to information privacy. Among the most comprehensive federal laws concerning the misuse of information is the Privacy Act of 1974 (5 U.S.C. 552a (2000)). This statute primarily applies to state-issued or state-collected information such as welfare-benefit data and Social Security numbers.

Four other federal laws give rise to an individual's right to information privacy. First, the Fair Credit Reporting Act (15 U.S.C. 1601) limits use of certain personally identifiable financial information in the credit and financial industries. It also requires credit agencies to make personal credit histories and ratings available to their owners. Second, the Computer Fraud and Abuse Act (18 U.S.C. 1030) has criminal and civil penalties for certain computer-related intrusions into personal property. Third, the Electronic Communications Privacy Act (18 U.S.C. 2510) protects private communications, such as e-mail, from unwarranted government and private intrusion. COPPA is the fourth. Unlike the others, COPPA is the only law to specifically target online information privacy.

The Basics

COPPA was enacted to:

• Augment parental participation in a child's behavior online;
• Look after the security of adolescents while they participate in Internet activities such as chat rooms;
• Secure a child's personally identifiable information collected online; and
• Limit the collection of information from a child absent parental consent.

COPPA is concerned with all information collected from people under the age of 13 via Web sites targeted toward that group, or via general Internet sites where the operator knows that users under the age of 13 may visit.

To protect children's privacy, the Act incorporates notice, parental consent and limits on the use of games and prizes. COPPA addresses information-privacy matters by placing restrictions on the practice of soliciting personal information from individuals under the age of 13 via the Internet. Generally, COPPA prohibits e-communication between commercial enterprises and people under the age of 13 unless parental consent is secured through any reasonable effort.

COPPA works, in part, by prohibiting children-focused Internet sites from requiring the disclosure of more personal information than necessary to participate on the site. The Act also requires operators of these sites to establish procedures that will best protect the information collected.

Certain exceptions to COPPA's rules, known as safe-harbor provisions, protect Web sites that work to protect themselves. Parental consent, for example, isn't necessary when the operator collects personal information for the sole purpose of responding directly on a one-time basis to a specific request from a child, and the information is not used to contact the child again.

Most important, the provisions require all Internet-site operators to submit plans to the FTC for approval, which would presumably estop the FTC from proceeding against an approved Internet-site operator. Each violation of COPPA may result in a fine of $11,000. COPPA also empowers courts to grant injunctive or other equitable relief.

In sum, COPPA prohibits unfair or deceptive acts or practices with respect to the collection, use or disclosure ' or all these aspects ' of personal information from and about children on the Internet. With limited exceptions, Web site operators must:

• Provide parents notice of information practices;
• Obtain “verifiable parental consent” before collecting, using or disclosing personal information;
• Allow parents to review any personal information and prevent the further use of that information;
• Limit collection of personal information through online games or prizes; and
• Establish and maintain reasonable procedures to protect the confidentiality, security and integrity of the personal information collected.

Application

In Sable Communications, Inc. v. FCC, 492 U.S. 115 (1989), the Supreme Court held that parents and the government have a legal basis for protecting children. More specifically, in Meyer v. Nebraska, 262 U.S. 390 (1923), the Court held that the liberty guaranteed by the Fourteenth Amendment includes the liberty to bring up children. In addition, the economic burden on Internet providers associated with COPPA is easily outweighed by the government's compelling interest in the protection of children. Thus, COPPA has a constitutional basis.

The Act simply renders it unlawful to collect personal information from a child without parental consent. The COPPA-enabling statute empowers the FTC to enforce COPPA. FTC regulations expressly apply to any Web site operator; defined as any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users or visitors to such Web site or online service. The regulations also cover those on whose behalf such information is collected or maintained, where such Web site or online service is operated for commercial purposes ' including any person offering products or services for sale through that Web site or online service ' involving commerce:

• Among the several states or with one or more foreign nations;
• In any territory of the United States or in the District of Columbia; or
• Between any such territory and any state, or foreign nation.

Thus, COPPA contains no limitation on jurisdictional applicability. Based on the implementation of the European Union's application of Data Protection Law to Personal Data to non-E.U.-based Web sites, it is likely that COPPA will be respected by E.U. countries.

Compliance Approaches

Securing verified parental consent as demanded by COPPA is generally unsuccessful because COPPA's verification measures are complicated, difficult to implement and costly to execute. Existing measures are too slow to be effective; even if verification is being performed through the most rapidly approved method ' faxing in a credit-card number ' the process is too slow for Internet transactions. And this method exposes parents to new privacy risks.

The second approach to compliance is to use verification techniques not authorized by COPPA. For example, an Internet operator may attempt to be in substantial compliance by trying to verify the age of a user and barring those under the age of 13 from the site if the age isn't verified. In such an instance, an Internet-site operator merely asks a user to check a box indicating whether he or she is over the age of 13, and bars those who do not check the box.

This approach, if used, should be supplemented with a clause in the terms-of-use agreement barring those under 13 from the site. Also, companies using this approach should implement a random audit of users to ferret out those who violate its terms of use, and to confirm that they are in substantial compliance.

Children's camp providers commonly use a modification of this approach by putting a notice on their sites quoting COPPA that must be viewed prior to the collection of data.

A third approach to compliance is to knowingly not comply with COPPA. In such a case, an Internet-site operator must be prepared to argue that it is unclear whether the government has the power to protect children from people who solicit their personal information. It might be successfully argued that no court has actually held that a right exists that protects a child from disclosure of his or her personal information. For a court to make such a finding, it would have to deal with the lack of laws prohibiting a child from talking to strangers on the street and giving such a person private information. It would be argued that such a law would not withstand judicial scrutiny.

The FTC's slack enforcement of COPPA ' the FTC cannot possibly police the whole Internet ' and the high cost of compliance as compared to the cost of noncompliance, has resulted in many Web site operators simply deciding not to comply.

While the Children's Online Privacy Protection Act of 1998 (COPPA) was designed to rein in commercial Web sites that target children as buyers of goods, it has caused legal difficulties for those who provide services such as camps, schools, after-school activities and sports clubs.

COPPA, the only law specifically to target online information privacy, applies only to Web sites that collect information from children. The providers of such services must regularly wrestle with the ways they collect prospects from their sites.

COPPA requires commercial Internet sites to refrain from collecting personal data from children under the age of 13 without parental consent. Internet-site operators have taken three mutually exclusive legal approaches to coping with COPPA:

• Securing verified parental consent;
• Preparing to manage a complaint; and
• Implementing substantial compliance procedures. While users of provider sites are usually parents looking for schools, camps and other such businesses or activities, children also use these sites and report their choices to their parents.

Many providers incorrectly assume they are in substantial compliance with the spirit of COPPA because they subsequently contact parents or guardians of children from whom they have collected data. The rationale is that it would be prohibitively expensive to determine the age of a site user beforehand, so they make sure they follow up with a parent or guardian.

If such behavior is representative of a significant sector of a particular industry (such as summer-camp operators) and presented to the Federal Trade Commission (FTC), a formal exemption from COPPA may be granted. However, without such a grant, the aforementioned activity is clearly unlawful.

Background

COPPA is a recent development in the area of privacy law concerning personal information. While privacy in one's private facts was part of Warren and Brandeis' original conception of privacy ' see Samuel D. Warren & Louis D. Brandeis, “The Right to Privacy,” 4 Harv. L. Rev. 193 (1890) ' courts subsequently found that a privacy right existed in a person's “personal information” separable from the subject of the information. See Whalen v. Roe , 429 U.S. 589 (1977). This right has gained importance as computers and the Internet have enabled governments, banks, schools and other third parties to rapidly collect, store and dispense personal information.

An individual's right in his or her personal information is narrow. The right to privacy is protected in the common law and the Constitution, but neither gives a person significant rights in his or her personal information. In particular, the Constitution protects personal information against government intrusion, but this interest in “avoiding disclosure of personal matters” is narrow.

Consider Whalen, where the Supreme Court declined to find that the government's recording of personal drug-prescription data desecrated the constitutional right to privacy because the information was satisfactorily protected.

The privacy torts typically do not apply to misuse of personal information of a person unless the information was taken from that person directly or from a private source with whom that person confided such personal information, such as a bank. Even under such circumstances, courts are unlikely to find misuse of “nonprivate” personal information to be “highly offensive to a reasonable person” ' which is the general standard for privacy torts.

Federal and state statutes have filled the void left by the common law and the Constitution. For example, Arizona, California, Florida, Hawaii, Illinois, Louisiana, South Carolina and Washington are among the states that have privacy provisions in their constitutions that have been applied to information privacy. Among the most comprehensive federal laws concerning the misuse of information is the Privacy Act of 1974 (5 U.S.C. 552a (2000)). This statute primarily applies to state-issued or state-collected information such as welfare-benefit data and Social Security numbers.

Four other federal laws give rise to an individual's right to information privacy. First, the Fair Credit Reporting Act (15 U.S.C. 1601) limits use of certain personally identifiable financial information in the credit and financial industries. It also requires credit agencies to make personal credit histories and ratings available to their owners. Second, the Computer Fraud and Abuse Act (18 U.S.C. 1030) has criminal and civil penalties for certain computer-related intrusions into personal property. Third, the Electronic Communications Privacy Act (18 U.S.C. 2510) protects private communications, such as e-mail, from unwarranted government and private intrusion. COPPA is the fourth. Unlike the others, COPPA is the only law to specifically target online information privacy.

The Basics

COPPA was enacted to:

• Augment parental participation in a child's behavior online;
• Look after the security of adolescents while they participate in Internet activities such as chat rooms;
• Secure a child's personally identifiable information collected online; and
• Limit the collection of information from a child absent parental consent.

COPPA is concerned with all information collected from people under the age of 13 via Web sites targeted toward that group, or via general Internet sites where the operator knows that users under the age of 13 may visit.

To protect children's privacy, the Act incorporates notice, parental consent and limits on the use of games and prizes. COPPA addresses information-privacy matters by placing restrictions on the practice of soliciting personal information from individuals under the age of 13 via the Internet. Generally, COPPA prohibits e-communication between commercial enterprises and people under the age of 13 unless parental consent is secured through any reasonable effort.

COPPA works, in part, by prohibiting children-focused Internet sites from requiring the disclosure of more personal information than necessary to participate on the site. The Act also requires operators of these sites to establish procedures that will best protect the information collected.

Certain exceptions to COPPA's rules, known as safe-harbor provisions, protect Web sites that work to protect themselves. Parental consent, for example, isn't necessary when the operator collects personal information for the sole purpose of responding directly on a one-time basis to a specific request from a child, and the information is not used to contact the child again.

Most important, the provisions require all Internet-site operators to submit plans to the FTC for approval, which would presumably estop the FTC from proceeding against an approved Internet-site operator. Each violation of COPPA may result in a fine of $11,000. COPPA also empowers courts to grant injunctive or other equitable relief.

In sum, COPPA prohibits unfair or deceptive acts or practices with respect to the collection, use or disclosure ' or all these aspects ' of personal information from and about children on the Internet. With limited exceptions, Web site operators must:

• Provide parents notice of information practices;
• Obtain “verifiable parental consent” before collecting, using or disclosing personal information;
• Allow parents to review any personal information and prevent the further use of that information;
• Limit collection of personal information through online games or prizes; and
• Establish and maintain reasonable procedures to protect the confidentiality, security and integrity of the personal information collected.

Application

In Sable Communications, Inc. v. FCC , 492 U.S. 115 (1989), the Supreme Court held that parents and the government have a legal basis for protecting children. More specifically, in Meyer v. Nebraska , 262 U.S. 390 (1923), the Court held that the liberty guaranteed by the Fourteenth Amendment includes the liberty to bring up children. In addition, the economic burden on Internet providers associated with COPPA is easily outweighed by the government's compelling interest in the protection of children. Thus, COPPA has a constitutional basis.

The Act simply renders it unlawful to collect personal information from a child without parental consent. The COPPA-enabling statute empowers the FTC to enforce COPPA. FTC regulations expressly apply to any Web site operator; defined as any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users or visitors to such Web site or online service. The regulations also cover those on whose behalf such information is collected or maintained, where such Web site or online service is operated for commercial purposes ' including any person offering products or services for sale through that Web site or online service ' involving commerce:

• Among the several states or with one or more foreign nations;
• In any territory of the United States or in the District of Columbia; or
• Between any such territory and any state, or foreign nation.

Thus, COPPA contains no limitation on jurisdictional applicability. Based on the implementation of the European Union's application of Data Protection Law to Personal Data to non-E.U.-based Web sites, it is likely that COPPA will be respected by E.U. countries.

Compliance Approaches

Securing verified parental consent as demanded by COPPA is generally unsuccessful because COPPA's verification measures are complicated, difficult to implement and costly to execute. Existing measures are too slow to be effective; even if verification is being performed through the most rapidly approved method ' faxing in a credit-card number ' the process is too slow for Internet transactions. And this method exposes parents to new privacy risks.

The second approach to compliance is to use verification techniques not authorized by COPPA. For example, an Internet operator may attempt to be in substantial compliance by trying to verify the age of a user and barring those under the age of 13 from the site if the age isn't verified. In such an instance, an Internet-site operator merely asks a user to check a box indicating whether he or she is over the age of 13, and bars those who do not check the box.

This approach, if used, should be supplemented with a clause in the terms-of-use agreement barring those under 13 from the site. Also, companies using this approach should implement a random audit of users to ferret out those who violate its terms of use, and to confirm that they are in substantial compliance.

Children's camp providers commonly use a modification of this approach by putting a notice on their sites quoting COPPA that must be viewed prior to the collection of data.

A third approach to compliance is to knowingly not comply with COPPA. In such a case, an Internet-site operator must be prepared to argue that it is unclear whether the government has the power to protect children from people who solicit their personal information. It might be successfully argued that no court has actually held that a right exists that protects a child from disclosure of his or her personal information. For a court to make such a finding, it would have to deal with the lack of laws prohibiting a child from talking to strangers on the street and giving such a person private information. It would be argued that such a law would not withstand judicial scrutiny.

The FTC's slack enforcement of COPPA ' the FTC cannot possibly police the whole Internet ' and the high cost of compliance as compared to the cost of noncompliance, has resulted in many Web site operators simply deciding not to comply.