Online Privacy of Children Under Federal & California Law

As young children explore the Internet for educational and recreational purposes, their parents may worry about protecting their privacy. Under the federal Children’s Online Privacy Protection Act (COPPA), Congress directed the Federal Trade Commission to devise regulations in this area. The resulting COPPA Rule allows parents to control the personal information that is collected online from children who are under 13 years old. This includes not only the personal information of the child from whom it is collected but also the personal information of their family members, friends, or other people. However, the COPPA Rule does not cover the online collection of personal information about children from their parents. It also does not control the content that children view online.

Personal information includes, among other things:

  • First and last name
  • Online contact information, including a username
  • Home address and telephone number
  • Social Security number
  • Photograph, video, or audio files containing the image or voice of a child
  • Geolocation information that can identify the name of a street and city

COPPA applies even if a website or service collects information that is volunteered by children and not required by the operator. Moreover, the definition of “collection” extends beyond the active collection of information to the passive tracking of information through a persistent identifier.

What the COPPA Rule Requires

An entity covered by COPPA must post a privacy policy outlining its practices for the personal information that it collects from children. It must provide notice to parents and get parental consent before collecting this information. Parents must be allowed to consent to the collection of information and its internal use by the operator while refusing to allow the operator to share the information with third parties. Parents must have an opportunity to prevent the further use or collection of personal information.

In addition, covered entities must take measures to protect the information collected from children. They should share this information only with parties that also can protect it. Once the information is no longer needed to serve the purpose for which it was collected, a covered entity must delete the information while taking precautions to prevent its unauthorized access or use. When a child seeks to participate in an online activity, a covered entity cannot require them to provide personal information that is not reasonably necessary for participation.

Covered Entities Under COPPA
  • Commercial websites and online services that are directed to children under 13 and collect, use, or disclose personal information from children
  • General audience websites or online services that know that they are collecting, using, or disclosing personal information from children under 13
  • Websites or online services that know that they are collecting personal information from users of another website or online service directed to children

Enforcing the COPPA Rule

When a parent believes that they have identified a COPPA violation, they can report the violation to the FTC by phone or online. The FTC then may bring an enforcement action for civil penalties, subject to a cap per violation. Penalties may be relatively greater when an operator has a history of violations, numerous children have been affected, a substantial amount of information was collected, or the information was shared with third parties, among other factors.

In addition to the FTC, state attorneys general may bring actions to enforce compliance with COPPA when appropriate. Federal agencies that oversee specific industries may enforce compliance in those industries. Parents do not have a private right of action for COPPA violations. This means that they cannot sue a website or online service on their own.

California Law Governing Online Privacy of Children

In 2022, California passed a groundbreaking law called the California Age-Appropriate Design Code Act, which will take effect in 2024. The law applies to businesses that provide an online service, product, or feature that is likely to be accessed by children, who are defined as people under 18 years old. Thus, the California law extends more broadly than the COPPA Rule.

Among other requirements, businesses must configure default privacy settings for products, services, or features that are likely to be accessed by children to offer a high level of privacy. Businesses cannot use the personal information of children in a way that is materially detrimental to their health or well-being. Moreover, businesses cannot collect, sell, share, or retain the personal information of children when this is not required to provide a service, product, or feature that is likely to be accessed by children.

No Private Right of Action

The California Attorney General will enforce the Age-Appropriate Design Code Act by seeking injunctions and civil penalties, which will be enhanced for willful violations. Like COPPA, though, the law does not provide a private right of action.

Child Safety Legal Center Contents   

Related Areas