This article has been written by Manu Seth, pursuing a Diploma in International Data Protection and Privacy Laws from LawSikho. It has been edited by Prashant Baviskar (Associate, LawSikho) Smriti Katiyar (Associate, LawSikho).
Table of Contents
Back in 2016, Rohan was barely 8 when his parents shifted to the U.S. due to professional constraints from a northern region of a country in South Asia that has of late been lauded around the world for its burgeoning the I.T. sector. His mother is engaged in the healthcare insurance sector while his father is working with a big I.T. firm that promoted him from Regional Head in South Asia to International Headquarters based out of California. Since the work schedule of his parents is strenuous and they don’t get ample time to devote to Rohan they have ensured that he doesn’t miss out on anything, be it education or leisure-time activity, and have equipped him with the latest gadgets.
A new game that got recently released on Google Play Store had enticed Rohan to download the same for a fee by entering the credit card details of his father, and further lured him into divulging other details like his residential details, social security number of his parents apart from a family photo. Being oblivious to repercussions, Rohan does so and the operator to whom such information was provided collects the same without following the necessary guidelines it statutory requires to do and processes such information for commercial purposes. Rohan’s family, unaware of this, continues with their work-life in the manner they were. A few days later, they receive a summons from the Federal Trade Commission stating that they are victims for violation of privacy as mandated by law and need to testify before the commission against a company which was running online gaming through Google Play Store and that such company luring Rohan had obtained the credit card details of Rohan’s father along with their family photo and put them on public domain.
The authority, apart from imposing hefty fines upon such companies, also ordered the company to compensate the family for the wrongs done to them. Upon finding out the factual position, Rohan’s father wrote a thank you note to the authorities as well as the Govt. of the United States for shielding their privacy with a law which they would have never come to know of otherwise if it was in their domestic country.
Later that evening Rohan’s father researched a bit about the said law which he came to know is called COPPA or the Children’s Online Privacy Protection Act. The primary aspects of such a law were discussed amongst his family members to ensure that in future they don’t succumb to any such website or online service (websites, mobile apps, plugins, and toys) which unscrupulously yields them to give family details without their consent.
Definition and meaning
COPPA which is a U.S. based law is aimed to protect the privacy of children under the age of 13 from the dynamic nature of the internet. With the world moving towards technology at a rapid pace and increasing independence on the internet, it is imminent to make inroads in every sector whether it’s business, healthcare, insurance, banking or law. With such evolution, it must be ensured that necessary safeguards apply so that such rapid advancement on one hand would not leave a question mark on the society as a whole. Hence, the applicability of COPPA is not limited to websites but to several online services as well and places stringent rules for use and processing data of children putting their parents (including natural guardian) in the driver’s seat by empowering them by law the ability to monitor and approve information that their children share.
Such information within the meaning of the definition clause encompasses:
(A) a first and last name;
(B) a home or other physical address including street name and name of a city or town;
(C) an e-mail address;
(D) a telephone number;
(E) a Social Security number;
(F) a photo, video or audio file where such file contains a child’s image or voice; or
(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.
It is interesting to note that collection of information from children as aforesaid further includes passive tracking of a child’s activity online or prodding a child to make personal information publicly available.
COPPA is managed by the Federal Trade Commission or FTC, which is an independent agency for the enforcement of antitrust and consumer protection law. The rules enacted by FTC supplement the law ineffective enforcement.
Pertinently, the law applies to the gathering of information obtained online by entities or persons based out of U.S. jurisdiction towards safeguarding children under 13 years of age including children outside the U.S. (if the company is U.S. based). Certain acts like collecting personal information from children below 13 years of age by an operator of a website or an online service directed to children are termed unlawful if the same is done in a manner that violates the regulations made therein. Its umbrella further extends to include the operators of general audience websites or online services which are involved in collecting, using, or disclosing personal information from children under 13, and further to websites or online services which collect personal information directly from users of another website or online service directed to children. The law further inhibits operators from disclosing any information received from parents in the course of obtaining parental consent or providing parental access pursuant to COPPA.
Interestingly the term ‘online service’ as distinguished from the ‘website’ circumscribes activities like engaging in network-connected games, purchasing of goods online, online advertisements, plug-ins, mobile applications that are connected to the internet, connected computer peripherals-like smart speakers, voice assistants like Alexa, Google assistant and internet-enabled location-based services like GPS and ETA. Further, in order to determine whether a website or an online service is directed to children, the Commission will consider its subject matter viz. audio-visual content, language, presence of child celebrities who appeal to the children, age of such celebrities, the context of such service, et al.
In order to regulate unfair or deceptive practice in connection with the collection, use, and disclosure of personal information collected from children over the internet, COPPA rules enlist a number of requirements which are:
- A notice on the website about the fact of collection of information from children, how such information shall be used and its disclosure practices for such information;
- Obtaining of verifiable consent from the parent or natural guardian prior to collection, use and disclosure of personal information from such children;
- Providing a reasonable mechanism to review such information as collected from children by his/her parent;
- Setting up regulations for disclosing information which is minimally necessary or adequate;
- Establishing procedures to ensure that the information collected is within the confines of confidentiality, security and personal information collected from children.
It is imperative to note that the consent obtained by the website operator from the child’s parent can be revoked anytime and in such an event the concerned website must stop collecting, using and disclosing information of such child.
Applicability of COPPA
The law is applicable to an individual or entity if it:
- runs a website or an online service directed to children under 13 years of age and collects personal information from them, or allow others to do so;
- runs a plug-in or ad-network having knowledge that personal information is being collected from users of a website or service directed to children under 13 years of age;
- service through website or online is directed to a general audience, but knows that personal information that is collected is from children under 13.
Ever since its inception, several websites were caught in its loop for failing to implement the mandate the legislature had directed. Most of the kids these days and we adults must be aware of ‘Hershey’, the brand known in the market for its chocolate syrup amongst others, but little do we know that the same brand was fined $85,000 in 2003 for operating candy-related websites and obtaining information through children in violation of COPPA. Even Sony BMG Music was fined $1,000,000 in 2008 for improperly collecting and disclosing personal information related to children.
It is astonishing to note that in 2019 our all-time search engine Google and its reliable video cousin YouTube were fined $170 million to settle allegations of tracking and collecting information pertaining to children in violation of COPPA which so far has been the highest amount the FTC ever obtained since COPPA came into effect. The settlement apart from monetary fine also includes developing, maintaining and implementing a system that can permit YouTube channel owners to identify child-related content on their channel so that COPPA can be effectively implemented. Also, it required both the companies to provide notice about their data collection practices and obtain parental consent before collecting data from children in any manner.
Why does COPPA apply only to children under 13?
The intent of the legislature was to provide statutory protection to young children who are vulnerable to online businesses and marketing and may not understand privacy concerns that may crop out of it.
How can one figure out if the website operator or such company as involved in rendering online services have actual knowledge of a user’s age?
Although FTC rules are silent, it can be deduced if the website or service concerned asks for and receives information from the user that allows it to determine the age. Queries in the form of user registration page seeking (i) date of birth; or (ii) year of birth; or (iii) which grade are you in or when did you pass your high school?
How can verifiable consent of the parent or local guardian be obtained?
COPPA rules are silent on this however the same is to be done in the manner acceptable in the light of modern-day technology. Some of the methods may include but are not limited to as follows:
- Call by trained staff personnel for inquiry;
- Seeking copy of government issued identity for verification;
- Signing up of consent form and sending it back to the operator through email, scan, fax or any other modes as applicable;
- Seeking answers to a series of questions that only a parent would be able to answer.
Can COPPA help in enforcing acts such as restraining children from watching pornography?
Not really, since the applicability of COPPA is limited to granting parental control overuse or disclosure of information collected from children online.
The COPPA legislation was originally enacted in 1998 and came into effect in 2000 with multiple amendments thereafter, however, considering the ambit of law and parameters it encompasses with, the legislation was indeed a way ahead of its time and had timely dealt with the problems effectively.
With the evolution of the internet into multiple mainstreams and the rapid spread of technology across the world, the developing nations must brace themselves and go by the adage ‘adapting technology with the responsibility’ meaning thereby that it is equally essential for the developing world to arm themselves with laws in the light of prevailing times which must be adequate and imperative to counter the bane that boon may bring along with.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: