Children’s Online Privacy Protection
Updated: Feb 9, 2021
Coronavirus makes understanding the rules protecting children's privacy in the virtual world much more critical, especially since children are now using the Internet in new ways.
The primary law on children’s privacy protection online is the 1998 Children’s Online Privacy Protection Act (COPPA). COPPA imposes certain requirements on operators of websites or online services directed at children under the age of 13 and operators of other websites or online services that have actual knowledge they are collecting personal information from children under the age of 13. The Federal Trade Commission (FTC) requires that such operators and sites take the following steps:
Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
Provide parents access to their child’s personal information to review and have the information deleted;
Give parents the opportunity to prevent further use or online collection of a child’s personal information;
Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security;
Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use; and
Not condition a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.
A central part of COPPA compliance is understanding what is included in “personal information.” It includes:
first and last name;
a home or other physical address, including street name and name of a city or town;
online contact information;
a screen name or username that functions as online contact information;
a telephone number;
A Social Security number;
a persistent identifier that can be used to recognize a user over time and across
different websites or online services;
a photograph, video, or audio file, where such file contains a child’s image or voice;
geolocation information sufficient to identify street name and name of a city or town; or
information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
The definition of personal information has changed. It has expanded to include geolocation information and persistent identifiers from the basic types of information
COPPA applies to operators of commercial websites and online services. In April 2020 the FTC issued guidance clarifying the boundaries of COPPA for educational technology companies and schools, and what commercial entities must do to protect children’s privacy online. The key consideration is whether the information being collected is being used for commercial purposes not related to providing online educational services. If so, the educational technology provider must abide by COPPA and provide notice of its data collection practices and policies to the school and parents, and get verifiable parental consent.
In some instances, the school can consent on behalf of its students, but only when the information is being used solely for school-authorized educational purposes and no other commercial purpose.
In addition, in the educational context, other privacy laws may apply, like the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records, or state laws like California’s Student Online Personal Information Protection Act, which restricts use of information from kids from kindergarten through 12th grade for targeted advertising, profiling, or onward disclosure.
Among the biggest challenges in COPPA compliance is how to obtain verifiable parental consent. The FTC lists a variety of methods for obtaining it, but, in the same way that advances in technology have led to the expansion of the definition of personal information, these advances made it tougher for companies to be sure that the consent is indeed coming from a parent. The FTC’s general rule is that any mechanism intended to gather consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.
Some of the recommended methods include multiple steps to ensure that the parent is indeed providing consent, such as e-mail plus.
Concerns about the privacy settings and practices on the Zoom platform were widespread as schools and workplaces shut down and more aspects of everyday life moved online. For a time, school districts were banning the use of the online tool for classes due to attempts to hijack calls and meetings. Zoom has implemented more security measures and requires users to put them in place, including adding waiting rooms and passwords for meetings.
Another wrinkle is how to handle consent provided by children between the ages of 13 and 17, ages at which children can contract for goods or services but can also void the agreements.
The rules of the particular platform the child is using are also important in keeping kids safe online. They are spelled out in the end user license agreement (EULA) or terms of service (ToS) for the site or platform. These documents typically spell out the code of conduct, eligibility for accounts and proper usage standards, content usage, payment terms, dispute resolution, and other legal matters related to the site.
If the app or platform is for gaming, this can include provisions about proper behavior in in-game chat, whether fans can create user-generated content from the game’s intellectual property, and the game rules. For apps and games that allow in-app purchases, it is important to understand how those payments can be made and what settings can be turned on or off to regulate such purchases by children.
After the implementation of GDPR and CCPA, a wave of online privacy laws is expected to in many states across the United States. There is also talk of a possible federal U.S. privacy law aimed at making compliance simpler.