Happy 20th birthday, COPPA

October 20, 2018, marked 20 years since Congress passed the Children’s Online Privacy Protection Act. Many of the kids the law was originally designed to protect are now parents themselves. Looking back on two decades of COPPA, here are our five key takeaways.

The FTC continues to be committed to rigorous COPPA enforcement. At the direction of Congress, the FTC issued the COPPA Rule in 2000. Since then, we’ve brought 28 cases to enforce the Rule. Those cases have yielded more than $10 million in civil penalties and have put strong provisions in place to require those companies to change how they collect and protect kids’ personal information. Two recent examples: law enforcement actions against a seller of internet-connected toys and a web-based talent search firm charged with violating COPPA.

COPPA has responded to developments in technology. The only thing that moves as fast as kids is technology. The FTC has worked to keep COPPA current by amending the Rule to address innovations that affect children’s privacy – social networking, online access via smartphone, and the availability of geolocation information, to name just a few. After hosting a national workshop and considering public comments, we announced changes to the Rule in 2013 that expanded the types of COPPA-covered information to include photos, video, or audio files that contain a child’s image or voice. Even before widespread access to facial recognition software, voice-activated digital personal assistants, and internet-connected toys, we were taking steps to keep pace with the marketplace.

The FTC seeks new ways to ensure verifiable parental consent. Before collecting personal information from kids under 13, covered entities must get “verifiable parental consent.” That’s the centerpiece of COPPA, but right now there may not be a one-size-fits-all approach. What the law requires is a method “reasonably calculated, in light of available technology, to ensure the person providing consent is the child’s parent.” The Rule lays out a non-exhaustive list of approved methods, but also encourages the development of new ways of getting verifiable parental consent. In a creative form of crowdsourcing, the 2013 amendments added a procedure for seeking approval for innovative consent methods. Since then, the FTC has OKed two new methods: 1) a system that uses challenge questions; and 2) a way that combines photo verification with facial recognition through web or mobile devices.

COPPA recognizes the importance of self-regulation. By “incentivizing” companies’ self-regulatory efforts, the FTC’s Safe Harbor Program demonstrates our commitment to working with industry to help streamline COPPA compliance. So far, the FTC has approved seven Safe Harbor Programs that companies can work with to ensure their practices are up to scratch.

The FTC reaches out to companies to help them stay within the law. Looking for quick guidance on COPPA? Read our Six-Step Compliance Plan. If you’re ready for a deeper dive, your question may be answered in our COPPA FAQs. In the past few years, we’ve also issued an enforcement policy statement on COPPA’s applicability to collecting voice recording, held a public workshop on how COPPA applies to student privacy and Ed Tech, and fielded questions sent to COPPAHotLine@ftc.gov.