Children’s Online Privacy Protection Act (COPPA) of 1998: Protection for the US’s Youngest Data Subjects

A number of recent state regulations address privacy rights for consumers of all ages, but there is no equivalent federal law protecting all consumer’s privacy rights. That being said, the Children’s Online Privacy Protection Act of 1998 (“COPPA,” at 15 U.S. Code §6501 et seq.) provides some federal protection for data subjects under 13 years of age.  This act requires the operator of a “website or online service directed to children” to provide notice on the website regarding the collection, use, and disclosure of a child’s personal information and to obtain “verifiable parental consent” for the noticed collection, use, and disclosure, with some exemptions.  Parents have the right to request a description of the types of personal information collected, to revoke consent (including the operators’ use and maintenance of already collected data in addition to termination of future collection), and to obtain the personal information collected from their child(ren).  By the same token, a website operator may terminate provision of services to a child when the parent has revoked consent for the use, maintenance, and/or further collection of personal information from the child.  Additionally, website operators are prohibited from offering a prize for, or requiring a child to provide, additional personal information in order to participate in a game or activity.  Under 15 U.S. Code §6504, the Attorney General of any US state may bring civil action for violations of 15 U.S. Code §6502(b) as parens patriae on behalf of the residents of that state.

The COPPA Rule (at 16 CFR Part 312 et seq.), which went into effect in 2000 and was later updated in 2013, provides guidance on implementation of COPPA.  The 2013 revisions to this rule “address[ed] changes in the way children use and access the internet, including the increased use of mobile devices and social networking” and “widen[ed] the definition of children’s personal information to include persistent identifiers such as cookies that track a child’s activity online, as well as geolocation information, photos, videos, and audio recordings.”[1]

More recent attention to children’s data privacy mirrors the increased prevalence of personal data protection laws and regulations for all data subjects in the US. In 2019, the FTC again sought comments in relation to additional updates to the COPPA Rule, indicating that “[r]apid changes in technology, including the expanded use of education technology, reinforce the need to re-examine the COPPA Rule at this time.”[2]  This rule review is still ongoing.  In 2022, FTC Commissioner Alvaro Bedoya called upon Congress, requesting “legislative action first before updating rules.”[3] Currently, there are three legislative proposals that could provide additional data privacy protections to young data subjects, with some of these proposals extending the age range of protected children up to 15.  Senators Ed Markey (D-Mass) and Richard Blumenthal (D-CT) also issued a letter to the FTC urging the commission to update regulations under COPPA.[4]  Separately, California recently enacted the California Age-Appropriate Design Code Act, which will take effect on July 1, 2024 and provides protection to your people. This California law defined a “child” or “children” as “a consumer or consumers who are under 18 years of age.”[5]


[1] https://www.ftc.gov/news-events/news/press-releases/2013/07/revised-childrens-online-privacy-protection-rule-goes-effect-today

[2] https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-seeks-comments-childrens-online-privacy-protection-act-rule

[3] https://news.bloomberglaw.com/privacy-and-data-security/ftcs-bedoya-calls-for-congress-to-update-kids-privacy-law

[4] https://www.markey.senate.gov/imo/media/doc/lawmakers_letter_to_ftc_on_youth_online_privacy.pdf

[5] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220AB2273

Copyright © 2022, K&L Gates LLP. All Rights Reserved.