Thank you for sharing!

Your article was successfully shared with the contacts you provided.
While the Children’s Online Privacy Protection Act of 1998 was designed to rein in commercial sites that target children as buyers of goods, it has caused legal difficulties for those who provide services such as camps, schools, after-school activities, and sports clubs. The providers of such services must regularly wrestle with the ways they collect prospects from their sites. COPPA generally requires commercial Internet sites to refrain from collecting personal data from children under the age of 13 without parental consent. Internet site operators have taken three mutually exclusive legal approaches to coping with COPPA: securing verified parental consent; preparing to manage a complaint; and implementing substantial compliance procedures. While users of provider sites are usually parents looking for schools, camps, and so on, children also use these sites and report on their choices to their parents. Many providers incorrectly assume they are in substantial compliance with the spirit of COPPA because they subsequently contact the parents or guardians of those children from whom they have collected data. The rationale is that it would be prohibitively expensive to determine the age of a site user beforehand, so they make sure they follow up with a parent or guardian. If such behavior is representative of a significant sector of a particular industry (such as summer camp providers) and presented to the Federal Trade Commission, a formal exemption from COPPA may be granted. However, without such a grant, the aforementioned activity is clearly unlawful. BACKGROUND COPPA is a recent development in the area of privacy law concerning personal information. While privacy in one’s private facts was part of Warren and Brandeis’ original conception of privacy � Samuel D. Warren & Louis D. Brandeis, “The Right to Privacy,” 4 Harv. L. Rev. 193 (1890) � courts subsequently found that a privacy right existed in a person’s “personal information” separable from the subject of the information. See Whalen v. Roe, 429 U.S. 589 (1977). This right has gained importance over time as computers and the Internet have enabled governments, banks, schools, and other third parties to rapidly collect, store, and dispense personal information. An individual’s right in his or her personal information is narrow. The right to privacy is protected in both the common law and the Constitution. However, neither gives a person significant rights in their personal information. In particular, the Constitution protects personal information against government intrusion, but this interest in “avoiding disclosure of personal matters” is narrow. Consider Whalen, where the Court declined to find that the government’s recording of personal drug prescription data desecrated the constitutional right to privacy because the information was satisfactorily protected. The privacy torts typically do not apply to misuse of personal information of a person unless the information was taken from that person directly or from a private source with whom that person confided such personal information, such as a bank. Even under such circumstances, courts are unlikely to find misuse of “nonprivate” personal information to be “highly offensive to a reasonable person” � which is the general standard for the privacy torts. Both federal and state statutes have been enacted to fill the void left by the common law and the Constitution. For example, Arizona, California, Florida, Hawaii, Illinois, Louisiana, South Carolina, and Washington, among other states, have privacy provisions in their constitutions that have been applied to informational privacy. Among the most comprehensive federal laws concerning the misuse of information is the Privacy Act of 1974 (5 U.S.C. �552a (2000)). This statute primarily applies to state-issued or state-collected information such as welfare benefit data and Social Security numbers. Four other federal laws give rise to an individual’s right to informational privacy. First, the Fair Credit Reporting Act, 15 U.S.C. �1601, limits the use of certain personally identifiable financial information in the credit and financial industries. It also requires credit agencies to make personal credit histories and ratings available to their owners. Second, the Computer Fraud and Abuse Act, 18 U.S.C. �1030, has criminal and civil penalties for certain computer-related intrusions into personal property. Third, the Electronic Communications Privacy Act, 18 U.S.C. �2510, protects private communications, such as e-mail, from unwarranted government and private intrusion. COPPA is the fourth. Unlike the others, COPPA is the only law to specifically target online informational privacy. THE BASICS COPPA was enacted to augment parental participation in a child’s behavior online; to look after the security of adolescents while they participate in Internet activities such as chat rooms; to secure a child’s personally identifiable information collected online; and to limit the collection of information from a child absent parental consent. COPPA is concerned with all information collected from individuals under the age of 13 on Web sites targeted toward individuals under the age of 13 or on general Internet sites where the operator knows that individuals under the age of 13 may visit. To protect children’s privacy, the act incorporates notice, parental consent, and limits on the use of games and prizes. COPPA addresses information privacy matters by placing restrictions on the practice of soliciting personal information from individuals under the age of 13 via the Internet. Generally, COPPA prohibits e-communication between commercial enterprises and individuals under the age of 13 unless parental consent is secured through any reasonable effort. COPPA prohibits children-focused Internet sites from requiring the disclosure of more personal information than necessary to participate on the site. The act also requires operators of these sites to establish procedures that will best protect the collected information. Certain exceptions to COPPA’s rules, known as safe harbor provisions, protect Web sites that work to protect themselves. Parental consent, for example, is not necessary when the operator collects personal information for the sole purpose of responding directly on a one-time basis to a specific request from a child and the information is not used to recontact the child. Most important, the provisions require all Internet site operators to submit plans to the FTC for approval, which would presumably estop the FTC from proceeding against an approved Internet site operator. Each violation of COPPA may result in a fine of $11,000. COPPA also empowers courts to grant injunctive or other equitable relief. APPLICATION In Sable Communications Inc. v. FCC, 492 U.S. 115 (1989), the Supreme Court held that parents and the government have a legal basis for protecting children. More specifically, in Meyer v. Nebraska, 262 U.S. 390 (1923), the Court held that the liberty guaranteed by the 14th Amendment includes the liberty to bring up children. In addition, the economic burden on Internet providers associated with COPPA is easily outweighed by the government’s compelling interest in the protection of children. Thus, COPPA has a constitutional basis. The act simply renders it unlawful to collect personal information from a child without parental consent. The COPPA enabling statute empowers the FTC to enforce COPPA. FTC regulations expressly apply to any Web site operator, defined as any person who operates a Web site located on the Internet or an online service, and who collects or maintains personal information from or about the users or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, where such Web site or online service is operated for commercial purposes � including any person offering products or services for sale through that Web site or online service � involving commerce: •�among the several states or with one or more foreign nations; •�in any territory of the United States or in the District of Columbia, or between any such territory and any state or foreign nation. Thus, COPPA contains no limitation on jurisdictional applicability. Based on the implementation of the European Union’s application of Data Protection Law to Personal Data to non-E.U.-based Web sites, it is likely that COPPA will be respected by E.U. countries. COMPLIANCE APPROACHES Securing verified parental consent as demanded by COPPA is generally unsuccessful because COPPA’s verification measures are complicated to implement and costly to execute. Existing measures are too slow to be effective; even if verification is being performed through the most rapidly approved method � faxing in a credit card number � the process is too slow for Internet transactions. In addition, this method exposes parents to new and additional privacy risks. The second approach to compliance is to use verification techniques not authorized by COPPA. For example, an Internet operator may attempt to be in substantial compliance by trying to verify the age of a user and bar those under the age of 13 from the site. In such an instance, an Internet site operator merely asks a user to check a box indicating whether he or she is over the age of 13 and bars those who do not check the box. This approach, if used, should be supplemented with a clause in the terms of use agreement barring those under the age of 13 from the site. In addition, it is recommended that companies using this approach implement a random audit of users to ferret out those who violate its terms of use and to confirm that they are in substantial compliance. Children’s camp providers commonly use a modification of this approach by putting a notice on their sites quoting COPPA, which must be viewed prior to the collection of data. A third approach to compliance is to knowingly not comply with COPPA. In such a case, an Internet site operator must be prepared to argue that it is unclear whether the government has the power to protect children from people who solicit their personal information. It might be successfully argued that no court has actually held that a right exists that protects a child from disclosure of the child’s personal information. For a court to make such a finding, it would have to deal with the lack of laws prohibiting a child from talking to strangers on the street and giving such a person private information. It would be argued that such a law would not withstand judicial scrutiny. The FTC’s slack enforcement of COPPA � the FTC cannot possibly police the whole Internet � and the high cost of compliance as compared to the cost of noncompliance, has resulted in many Web site operators simply deciding to not comply. Jonathan Bick is of counsel to WolfBlock Brach Eichler ( www.wolfblock.com) of Roseland, N.J., and is an adjunct professor of Internet law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need to Know About Internet Law (Random House, 2000). This article first appeared in the New Jersey Law Journal, the American Lawyer Media weekly newspaper published in Newark.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.