Cyberlaw Meets Family Law:
The Children’s Online Privacy
Protection Act of 1998 (COPPA)
Class of Nov. 11, 2002
Professor Susanna Fischer
COPPA, COPA, CIPA
• What’s the difference?
• COPPA is a very significant statute because
it is the first and only federal privacy statute
that is specific to the Internet.
WHAT IS COPPA’S MAIN
• The primary goal of COPPA as well as the
COPPA Rule is to place parents in control
over what information is collected from
their children online. The Rule was
designed to be strong, yet flexible, to
protect children while recognizing the
dynamic nature of the Internet.
Who Must Comply With COPPA
• Operators of commercial websites
• 1. Directed to children 12 and under that
collect/maintain personal information
• 2. That have actual knowledge that are
collecting/maintaining personal information
about children 12 and under
What is “Personal Information”
• Last name? First name?
• E-mail address? Phone number?
• Social security number?
• IP address?
• Information Stored in Cookies?
WHAT DOES COPPA REQUIRE
SUCH OPERATORS TO DO?
• Provide parents with NOTICE of their
• Obtain PRIOR VERIFIABLE PARENTAL
CONSENT for the collection, use and/or
disclosure of personal information from children
(with certain limited exceptions)
• Provide a parent, on request, with the MEANS
TO REVIEW personal information collected
from his/her child.
WHAT DOES COPPA REQUIRE
SUCH OPERATORS TO DO?
• Provide a parent with the OPPORTUNITY TO
PREVENT further use of personal information
collected from their child (or further collection)
• Limit collection of personal information for
child’s online participation in games, prize offers,
or other activities to information that is
REASONABLY NECESSARY for such activity.
• Establish and maintain REASONABLE
PROCEDURES to protect the confidentiality,
security, and integrity of the personal information
• FTC tried to devise a method that would satisfy 2
goals: (1) ensure child’s parent actually agrees to
let a website collect personal info from his/her
child (2) do so without undue burden
• Reasonable efforts must be made to obtain
verifiable parental consent, taking into
consideration available technology, including:
consent form to be signed by parent and returned
by mail or fax, toll-free phone number for parent
to call, digital certificate using public key
encryption technology, e-mail accompanied by
• For internal use of information, parental
consent can be obtained through e-mail
combined with additional step following
receipt (confirmatory e-mail, letter or
• Sliding scale in force until April, 2005
DOES COPPA WORK?
• FTC Survey April 2002 of 144 sites at:
• Earlier study: Joseph Turow study on
COPPA compliance in privacy policies on
children’s websites for the Annenberg
Public Policy Center (March, 2001)
ENFORCEMENT OF COPPA
• How is COPPA enforces, who enforces it,
and what are the penalties for violating
• In April, 2001 FTC announced first civil penalty
cases brought under COPPA against:
• Monarch Services and Girl’s Life (operators of
• Bigmailbox.com, Inc./Nolan Quan (operator of
• Looksmart Ltd. (operator of
• Under settlement, 3 companies agreed to pay
$100,000 in civil penalties and delete personally
identifiable information collected by children
• 6 COPPA enforcement actions to date
• April 2001 Ohio Art Company (operators of the
Etch A Sketch Website at: http://www.etch-a-
sketch.com/) – under settlement agreed to pay
$35,000 penalty and not further violate COPPA
• Feb. 2002: American Pop Corn Company “Jolly
Time” web site at: http://www.jollytime.com
• (had a Kid’s Club)– under settlement agreed to
pay $10,000 and not to further violate COPPA
• Oct. 2001: Lisa Frank, Inc. (makes toys, school
supplies; website at: http://www.lisafrank.com) –
under settlement agreed to pay $30,000 and not to
further violate COPPA
IS COPPA TOO ONEROUS?
• Companies – is it to expensive to comply? For
example, Surf Monkey (see
www.surfmonkey.com) apparently spent between
$50,000 and $100,000 to comply with COPPA
• Parents – is it too onerous to read privacy
policies? For an example, see:
http://www.toucansam.com/privacy/ Also, is opt-
in too onerous?
DOES COPPA WRONGLY
• Websites’ information practices are still subject to
Section 5 of the FTC Act, which prohibits unfair
or deceptive trade practices.
• October 2002: FTC settles with 2 companies
(National Research Center for College and
University Admissions (NRCCUA) and
American Student List (ASL)) that collected
extensive personal information from millions of
high school students claiming they would only
share this with educational institutions, and then
sold it to commercial marketers.
IS COPPA A GOOD LAW AS A
• What does Anita Allen-Castellito think?
• Do you agree?
• Is COPPA a good law as privacy law?
Should children be able to waive privacy
rights in online personal information?
DO THE FOLLOWING SITES
COMPLY WITH COPPA?