The Children’s Online Privacy Protection Act of 1998 is often viewed as an unfairly burdensome law by online business owners. It is difficult to argue with this view, but a look at the history of COPPA helps explain the original goal of the drafters of the law and how we ended up where we are today.
The last few years of the Clinton administration represented a golden age for the passage of federal laws addressing online topics. Legislative efforts such as the Digital Millennium Copyright Act and Child Online Protection Act were pushed through Congress in an effort to provide a legal framework for the web, something desperately needed in the days of the lawless web.
The Children’s Online Privacy Protect Act was enacted during this period as well. Senator Richard Bryan, a Democrat from Nevada, introduced the bill to the Senate on July 17, 1998. The purpose of the bill was to provide parents with a method to police the collection of information about their children online. The bill defined children as kids under age 13. The 13 number was picked because it was felt that kids over this age were tech savvy enough to understand the ramifications of providing information to third parties.
The Senate Communications Committee held one hearing on the proposed law on September 23, 1998. One week later, on October 1, 1998, the Senate approved the legislation. The House followed suit and the legislation was signed into law by President Clinton as an amendment to the Internet Tax Freedom Act.
The legislative history of COPPA is fascinating because there is so little of it. This bill was introduced and slammed through the system in less than three months, which is very rare. This suggests the potential ramifications of the law were most likely not fully debated. Lest you think it a partisan move by Democrats, the bill was co-sponsored by prominent Republicans such as John McCain and Conrad Burns.
Pass The Buck
One of the reasons COPPA was enacted so quickly may be a certain “pass the buck” element to the law. COPPA is actually very short in length compared to most legislation. It does, however, contain one key section reading as follows.
Not later than 1 year after October 21, 1998, the Commission shall promulgate under section 553 of title 5 regulations that –
(A) require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child – [List of topics to be covered by the regulations.]
15 U.S.C. 6502(b)(1)(a)
The “Commission”, of course, is the Federal Trade Commission. The clause noted above essentially requires the FTC to write its own law detailing the very specific steps required for an online operator to comply with COPPA. This is a rather alarming transfer of authority by Congress, but more and more common these days.
FTC Regulations – The First Rule
The FTC issued the first set of COPPA regulations in 1999. The Agency actually refers to the collective regulations as the “Rule.” Although much criticized, the regulations were actually fairly concise and clear at that time. The regulations provided step-by-step instructions for online operators to follow from a compliance perspective. Unfortunately, the FTC failed to recognize the web evolves at hyper speed; a pace that soon turned the Rule into an antiquated document that didn’t address many common issues faced by websites.
For example, consider the explosion of social media. Neither Facebook nor Twitter existed in 1999. As these sites launched and grew, they started issuing apps to third party sites. One very popular app tool is the login mechanism whereby a user can sign into a third party site simply using their Facebook or Twitter login information. However, this process raised and still raises a host of COPPA questions.
- If the user is under 13, is the site responsible for complying with COPPA even when using a third party login app?
- How is the site to ascertain if the person signing up is under 13 if the signup process is handled by Facebook or Twitter?
- Are Facebook, Twitter or another party supplying the login app responsible for COPPA compliance?
The 1999 regulations provided no answers to these and many other questions. This resulted in massive confusion and demands the regulations either be updated or COPPA be revised. Despite this, the FTC sat on its collective derriere for more then a decade before finally taking action.
FTC Regulations – Part Deux
After years of criticism, the FTC finally announced it would review and revise the 1999 regulations. To its credit, the Agency tore up the old regulations and issued a new set designed to address both the then current 2012 technology and foreseeable future technological developments.
The regulations represented a major change to the FTC approach to COPPA. Comments and hearings were held with businesses small and large arguing for major changes to the proposed regulations. In the end, the FTC made a few substantive changes and then issued the final, binding regulations in January 2013. Businesses were given a six-month period to adjust to the new Rule, which went into effect on July 1, 2013. This second set of regulations remains in place to this very day.
Complying with the Children’s Online Privacy Protect Act of 1998 can be very frustrating for business owners. The goal in writing this history of COPPA is to provide you with at least a feel for what the drafters were trying to achieve with the legislation and how the FTC fits into the equation. Perhaps complying with the law will now be slightly less annoying. Perhaps not. Contact us today to get started with the compliance process.
Richard A. Chapo, Esq.