Protections of Children's Online Privacy

Given the tremendous popularity of the Internet among children and the potential for unscrupulous Internet actors to prey on the inexperience and naivety of young people, it is not surprising that the federal government intervened early on in the development of the online world with the enactment of the Children's Online Privacy Protection Act (“COPPA”), which became effective April 21, 2000 and can be found at 15 U.S.C.A. §§ 6501 et seq. In general, COPPA prohibits unfair or deceptive acts or practices in connection with the collection, use and/or disclosure of personal information from and about children on the Internet [16 C.F.R. § 312.1].  The Federal Trade Commission (“FTC”) has developed regulations for implementation of certain provisions of COPPA which have been documented as the Children's Online Privacy Protection Rule (“Rule”) in 16 C.F.R. Pt. 312.  After several years of soliciting comments and internal debate, the Rule was substantially changed by the FTC as of July 1, 2013, and the changes have been touted as bringing online child protection into the 21st Century. 

From the time it was first adopted COPPA applied to commercial Web sites or online services (1) directed to children under the age of 13 that collected personal information from children, or (2) that operated general audience Web sites and had actual knowledge that they collect personal information from children. [15 U.S.C.A. §§ 6501, 6502]. The definition of a “Web site or online service directed to children” provided several factors (e.g., subject matter; visual and audio content; age of models; language or other characteristics; advertising appearing on or promoting the site or service; competent and reliable empirical evidence of audience composition; evidence regarding the intended audience; and whether the site uses animated characters or child-oriented actives or incentives) the FTC could use to determine whether a site is directed at children. [15 U.S.C.A. § 6501(10). According to the Statement of Basis and Purpose of the FTC's Children's Online Privacy Protection Rule (64 Fed. Reg. 59888, 59892 (Nov. 3, 1999)), a Web site operator possessed “actual knowledge” if it “learns of a child's age or grade from the child's registration or a concerned parent …,” or learns of such information from other age-identifying questions.] The original Rule defined the term “operator”, for purposes of determining who would be subject to COPPA, to include any person (i) who operated a Web site located on the Internet or an online service and who collected or maintained personal information from or about the users or visitors or (ii) on whose behalf such information was collected or maintained. The intent was to be sure that Web site operators who explicitly engaged “agents” to act on “their behalf” to collect personal information from children would be covered by COPPA.

As time went by, however, new tools were developed that did not fit within the original notion of “agent” but nonetheless allowed Web site operators to collect information in ways that arguably should be subject to COPPA. In response, the Rule was revised to provide that: “Personal information is collected or maintained on behalf of an operator when: (a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such Web site or online service.” Web site operators need to comply with COPPA if they enable third party apps that collect personal information about children or integrate outside services, such as plug-ins or ad networks, that collect such information. Accordingly, operators need to conduct a thorough investigation of their practices with respect to third party apps and other outside services to determine whether COPPA is applicable to their online activities.

Since its inception COPPA and the Rule have required protection of easily understood personally identifiable information such as a child's full name, home address, e-mail address, telephone number, or any other information that would allow a third person to identify or contact the child. [64 Fed. Reg. 59888, 59892 (Nov. 3, 1999)] COPPA was also understood to be covering other types of information, including hobbies, interests, and information collected through the use of cookies or other types of online tracking mechanisms, whenever such information was associated with a particular child. [16 C.F.R. § 312.2]  As time has gone by, however, there has been a growing recognition of the substantial changes that have occurred in communications technology since COPPA first became law and this led to changes in the Rule to expand the definition of “personal information” for purposes of the Rule to include “online contact information,” including instant messaging user identifiers, voice over internet protocol (VOIP) identifiers and video chat user identifiers; a “screen or user name where it functions in the same manner as online contact information;” “persistent identifiers,” including an Internet Protocol (IP) address or mobile device IDs that can be used to recognize a user over time and across different Web sites or online services; a photograph, video, or audio file where such file contains a child's image or voice; and geolocation information sufficient to identify street name and name of a city or town.

For detailed discussion of COPPA’s general requirements on website owners, privacy notices, parental consent requirements and the FTC’s “safe harbor” program under which an operator is deemed to be in compliance with the Rule if the operator complies with FTC-approved self-regulatory guidelines, see §§ 128:95 – 128.99.

In addition to complying with the requirements of COPPA, website operators must be mindful of laws and regulations that have been adopted at the state level.  For example, an operator of an Internet Web site, online service, online application, or mobile application directed to minors (referred to herein as an “operator”) must comply with California's law regarding Privacy Rights for California Minors in the Digital World [Bus. & Prof. Code, §§ 22580 to 22582] which prohibits them from knowingly marketing or advertising the following products or services to minors [Bus. & Prof. Code, § 22580, subd. (i)]:

(1) Alcoholic beverages, as referenced in Sections 23003 to 23009, inclusive, and Section 25658.

(2) Firearms or handguns, as referenced in Sections 16520, 16640, and 27505 of the Penal Code.

(3) Ammunition or reloaded ammunition, as referenced in Sections 16150 and 30300 of the Penal Code.

(4) Handgun safety certificates, as referenced in Sections 31625 and 31655 of the Penal Code.

(5) Aerosol container of paint that is capable of defacing property, as referenced in Section 594.1 of the Penal Code.

(6) Etching cream that is capable of defacing property, as referenced in Section 594.1 of the Penal Code.

(7) Any tobacco, cigarette, or cigarette papers, or blunt wraps, or any other preparation of tobacco, or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco, or any controlled substance, as referenced in Division 8.5 (commencing with Section 22950) and Sections 308, 308.1, 308.2, and 308.3 of the Penal Code.

(8) BB device, as referenced in Sections 16250 and 19910 of the Penal Code.

(9) Dangerous fireworks, as referenced in Sections 12505 and 12689 of the Health and Safety Code.

(10) Tanning in an ultraviolet tanning device, as referenced in Sections 22702 and 22706.

(11) Dietary supplement products containing ephedrine group alkaloids, as referenced in Section 110423.2 of the Health and Safety Code.

(12) Tickets or shares in a lottery game, as referenced in Sections 8880.12 and 8880.52 of the Government Code.

(13) Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A, as referenced in Section 379 of the Penal Code.

(14) Body branding, as referenced in Sections 119301 and 119302 of the Health and Safety Code.

(15) Permanent tattoo, as referenced in Sections 119301 and 119302 of the Health and Safety Code and Section 653 of the Penal Code.

(16) Drug paraphernalia, as referenced in Section 11364.5 of the Health and Safety Code.

(17) Electronic cigarette, as referenced in Section 119405 of the Health and Safety Code.

(18) Obscene matter, as referenced in Section 311 of the Penal Code.

(19) A less lethal weapon, as referenced in Sections 16780 and 19405 of the Penal Code.

With respect to marketing or advertising provided by an advertising service, an operator shall be deemed to be in compliance if the operator notifies the advertising service, in the manner required by the advertising service, that the site, service, or application is directed to minors. [Bus. & Prof. Code, § 22580, subd. (h)(1)] If an advertising service is properly notified, the advertising service is prohibited from marketing or advertising a product or service on the operator's Internet Web site, online service, online application, or mobile application that is included in the list above. [Bus. & Prof. Code, § 22580, subd. (h)(2)]


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s