Children's Online Privacy Protection Act (1998)
Michael H. Koby
The Children's Online Privacy Protection Act of 1998 (COPPA) (P.L. 105-277, 112 Stat. 2681) protects the online privacy of children under thirteen by requiring commercial Web sites and online services to request parental consent for the collection, use, and disclosure of a child's personal information.
This legislation grew out of the fact that by 1998 roughly ten million American children had access to the Internet. At the same time, studies indicated that children were unable to understand the potential effects of revealing their personal information online and that parents failed to monitor their children's use of the Internet. The targeting of children by marketers resulted in the release of large amounts of private information into the market and triggered the need for regulation.
In March 1998 the Federal Trade Commission (FTC) presented Congress with a report addressing the inadequate protection of children's information online. In July 1998 Senator Richard Bryan, a Democrat of New York, along with Republican Senators John McCain of Arizona and Conrad Burns of Montana, introduced the Children's Online Privacy Protection Act of 1998. The Senate Communications Committee held a hearing in September 1998, and the full Senate Commerce Committee passed an amended version of the bill by a unanimous vote on October 1. The House of Representatives incorporated portions of that bill into 105 H.R. 4328, a Department of Transportation appropriations bill enacted by Congress and signed by President Clinton on October 21, 1998. COPPA became effective on April 21, 2000.
The act applies to commercial Web sites and online services (both foreign and domestic) that are directed at children in the United States. Although the act does not apply to general audience Web sites, operators of such sites who have actual knowledge of children using their sites must comply with the act's regulations. Congress's intent in passing COPPA was to increase parental involvement in children's online activities, thereby ensuring safety during participation in such activities and protecting children's personal information.
Under COPPA it is unlawful for an operator of a commercial Web site or online service that targets children, or knowingly collects their personal information, to gather such information without:
- incorporating a detailed privacy policy that describes the information collected from its users;
- receiving verifiable parental consent;
- offering parents an opportunity to revoke consent and have personal information deleted;
- limiting collection of personal information from children participating in online games; and
- establishing reasonable procedures to protect the confidentiality, security, and integrity of any personal information collected from children.
Personal information covered by the act includes Social Security numbers, names, addresses (mailing and e-mail), and telephone numbers. Verifiable parental consent is defined as any reasonable effort to ensure that a parent or legal guardian of a child receives notice of and gives authorization for the operator's personal information collection, use, and disclosure practices. Operators may avoid compliance with these regulations, however, if they propose, and the FTC approves, similar self-regulatory guidelines.
An FTC survey conducted in April 2002 showed that the general trend with respect to COPPA is one of increased compliance among Web sites, although some provisions have been followed less consistently. Importantly, courts are willing to strictly interpret these provisions and grant damages or other forms of relief against Web site operators who violate the act, and this trend may contribute to the high level of compliance. Moreover, at the federal level, COPPA violations are treated like unfair or deceptive trade practices under section 5 of the Federal Trade Commission Act, for which the FTC can impose civil penalties. At the state level, COPPA authorizes state attorneys general to bring actions in federal district court to enforce compliance with the regulations, as well as to obtain compensation and relief.
Critics of the act have argued that it is the responsibility of the parents to control their children's online activity, and that the act draws an arbitrary line between teenagers and younger children. Furthermore, critics claim the methods outlined by the FTC for verification are insufficient and impractical, and that they infringe on First Amendment free speech rights.
See also: COMPUTER SECURITY ACT OF 1987; COUNTERFEIT ACCESS DEVICE AND COMPUTER FRAUD AND ABUSE ACT OF 1984.
