Given the tremendous popularity of the Internet among children and the potential for unscrupulous Internet actors to prey on the inexperience and naivety of young people, it is not surprising that the federal government intervened early on in the development of the online world with the enactment of the Children's Online Privacy Protection Act (“COPPA”), which became effective April 21, 2000 and can be found at 15 U.S.C.A. §§ 6501 et seq. In general, COPPA prohibits unfair or deceptive acts or practices in connection with the collection, use and/or disclosure of personal information from and about children on the Internet [16 C.F.R. § 312.1]. The Federal Trade Commission (“FTC”) has developed regulations for implementation of certain provisions of COPPA which have been documented as the Children's Online Privacy Protection Rule (“Rule”) in 16 C.F.R. Pt. 312. After several years of soliciting comments and internal debate, the Rule was substantially changed by the FTC as of July 1, 2013, and the changes have been touted as bringing online child protection into the 21st Century.
From the time it was first adopted COPPA applied to commercial Web sites or online services (1) directed to children under the age of 13 that collected personal information from children, or (2) that operated general audience Web sites and had actual knowledge that they collect personal information from children. [15 U.S.C.A. §§ 6501, 6502]. The definition of a “Web site or online service directed to children” provided several factors (e.g., subject matter; visual and audio content; age of models; language or other characteristics; advertising appearing on or promoting the site or service; competent and reliable empirical evidence of audience composition; evidence regarding the intended audience; and whether the site uses animated characters or child-oriented actives or incentives) the FTC could use to determine whether a site is directed at children. [15 U.S.C.A. § 6501(10). According to the Statement of Basis and Purpose of the FTC's Children's Online Privacy Protection Rule (64 Fed. Reg. 59888, 59892 (Nov. 3, 1999)), a Web site operator possessed “actual knowledge” if it “learns of a child's age or grade from the child's registration or a concerned parent …,” or learns of such information from other age-identifying questions.] The original Rule defined the term “operator”, for purposes of determining who would be subject to COPPA, to include any person (i) who operated a Web site located on the Internet or an online service and who collected or maintained personal information from or about the users or visitors or (ii) on whose behalf such information was collected or maintained. The intent was to be sure that Web site operators who explicitly engaged “agents” to act on “their behalf” to collect personal information from children would be covered by COPPA.
As time went by, however, new tools were developed that did not fit within the original notion of “agent” but nonetheless allowed Web site operators to collect information in ways that arguably should be subject to COPPA. In response, the Rule was revised to provide that: “Personal information is collected or maintained on behalf of an operator when: (a) it is collected or maintained by an agent or service provider of the operator; or (b) the operator benefits by allowing another person to collect personal information directly from users of such Web site or online service.” Web site operators need to comply with COPPA if they enable third party apps that collect personal information about children or integrate outside services, such as plug-ins or ad networks, that collect such information. Accordingly, operators need to conduct a thorough investigation of their practices with respect to third party apps and other outside services to determine whether COPPA is applicable to their online activities.
For detailed discussion of COPPA’s general requirements on website owners, privacy notices, parental consent requirements and the FTC’s “safe harbor” program under which an operator is deemed to be in compliance with the Rule if the operator complies with FTC-approved self-regulatory guidelines, see §§ 128:95 – 128.99.
In addition to complying with the requirements of COPPA, website operators must be mindful of laws and regulations that have been adopted at the state level. For example, an operator of an Internet Web site, online service, online application, or mobile application directed to minors (referred to herein as an “operator”) must comply with California's law regarding Privacy Rights for California Minors in the Digital World [Bus. & Prof. Code, §§ 22580 to 22582] which prohibits them from knowingly marketing or advertising the following products or services to minors [Bus. & Prof. Code, § 22580, subd. (i)]:
(1) Alcoholic beverages, as referenced in Sections 23003 to 23009, inclusive, and Section 25658.
(5) Aerosol container of paint that is capable of defacing property, as referenced in Section 594.1 of the Penal Code.
(6) Etching cream that is capable of defacing property, as referenced in Section 594.1 of the Penal Code.
(7) Any tobacco, cigarette, or cigarette papers, or blunt wraps, or any other preparation of tobacco, or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco, or any controlled substance, as referenced in Division 8.5 (commencing with Section 22950) and Sections 308, 308.1, 308.2, and 308.3 of the Penal Code.
(10) Tanning in an ultraviolet tanning device, as referenced in Sections 22702 and 22706.
(11) Dietary supplement products containing ephedrine group alkaloids, as referenced in Section 110423.2 of the Health and Safety Code.
(13) Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A, as referenced in Section 379 of the Penal Code.
(16) Drug paraphernalia, as referenced in Section 11364.5 of the Health and Safety Code.
(17) Electronic cigarette, as referenced in Section 119405 of the Health and Safety Code.
(18) Obscene matter, as referenced in Section 311 of the Penal Code.
With respect to marketing or advertising provided by an advertising service, an operator shall be deemed to be in compliance if the operator notifies the advertising service, in the manner required by the advertising service, that the site, service, or application is directed to minors. [Bus. & Prof. Code, § 22580, subd. (h)(1)] If an advertising service is properly notified, the advertising service is prohibited from marketing or advertising a product or service on the operator's Internet Web site, online service, online application, or mobile application that is included in the list above. [Bus. & Prof. Code, § 22580, subd. (h)(2)]