Reimagining COPPA: Safeguarding Children’s Privacy in the Digital Age

In 1998, Congress passed the Children’s Online Privacy Protection Act (COPPA) in response to growing concerns over the dissemination of children’s personal information on the Internet. COPPA set privacy standards for websites directed toward children under thirteen, requiring websites to provide notice about data collection practices and to obtain verifiable parental consent before collecting a child’s personal information. [1] At the time, this legislation was a groundbreaking move to protect children’s privacy in an emerging digital world. However, over two decades later, COPPA has proven inadequate in addressing the complex and evolving landscape of data collection technologies.

COPPA was designed to enhance parental involvement in children’s online activities, protect children’s safety in online forums, and limit the collection of personal information without parental consent. Personal information, as defined under COPPA, includes names, addresses, phone numbers, email addresses, social security numbers, and photographs. The law also prohibits websites from sharing or selling children’s data. [2] Despite these provisions, COPPA’s execution falls short. The law is riddled with ambiguities, lacks effective enforcement mechanisms, and applies only to children under thirteen, leaving teens unprotected.

The age restriction of thirteen has sparked debate over its rationale and efficacy. Congress established this age limit recognizing that younger children are particularly vulnerable to overreaching by marketers and may not fully understand the safety and privacy issues associated with the online collection of personal information. [3] By focusing on children under thirteen, lawmakers sought to protect the demographic deemed most susceptible to exploitation. However, COPPA does not extend its protections to teenagers, whose online privacy is also at risk. Although the Federal Trade Commission (FTC) has acknowledged the privacy concerns of teens and advocated for stronger protections for this group, stating, “the FTC is concerned about teen privacy and does believe that strong, more flexible, protections may be appropriate for this age group,” the law remains focused exclusively on younger children. [4] As a result, teens are left exposed in a digital environment where 97 percent of them report daily Internet use as of 2022. [5]

Online data collection occurs in two primary ways: through voluntary and involuntary submission. [6] Voluntary submission is straightforward; users may provide email addresses, phone numbers, or other personal information. [7] Involuntary submission, however, is not as simple. Websites that utilize involuntary submissions use technologies called “cookies” that allow websites to track users’ activities without their knowledge. Cookies, which are small computer programs stored on a user’s device, monitor online behaviors and send this data back to the originating website. [8] These tools reveal detailed user information, like browsing habits, to create a digital profile of users, often unbeknownst to them. Data protection is crucial for preventing fraud, identity theft, phishing, and other malicious activities. [9] With the rise of artificial intelligence, this personal data can also be misused to clone voices or create deepfake images. [10]

United States v. Amazon.com, Inc. and Amazon.com Services LLC (2023) illustrates COPPA’s inadequacies in addressing data retention and deletion. According to the Federal Trade Commission’s (FTC) complaint, Amazon retained children’s voice recordings and geolocation data collected through Alexa-enabled devices for years despite parental requests for deletion, in direct violation of COPPA’s requirement to retain data “only as long as necessary.” [11] The FTC noted that Amazon exploited these retained recordings to train its algorithms, prioritizing technological advancement over statutory compliance. [12]

The ambiguity of COPPA’s language played a key role in Amazon’s defense. The company argued that its retention of children’s data was justified to improve Alexa’s ability to understand children’s voices. [13] The FTC, however, emphasized that “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.” [14] The federal court ultimately ordered Amazon to delete inactive child accounts and prohibited the use of children’s data for algorithm training, underscoring that Amazon’s actions “sacrificed privacy for profits.” [15] The penalty of $25 million, while significant in isolation, was negligible compared to Amazon’s 2023 revenue of $574.8 billion. [16] This underscores a key issue with COPPA: financial penalties alone do not deter non-compliance for large corporations.

New Mexico ex rel. Balderas v. Google (2020) further revealed loopholes in COPPA’s regulatory framework, specifically the statute’s allowance for schools to act as intermediaries for parental consent. [17] The state of New Mexico alleged that Google used its G Suite for Education (GSFE) platform to collect data from schoolchildren without directly notifying parents or obtaining their consent. Instead, Google relied on schools to act as intermediaries, a practice explicitly permitted under COPPA. [18] According to the Federal Trade Commission, “the Rule does not preclude schools from acting as intermediaries between operators and parents in the notice and consent process, or from serving as the parents’ agent in the process.” [19] This means that operators can rely on schools to provide consent on behalf of parents, as long as the operators disclose their data collection practices to the schools. Importantly, this authorization is limited to educational purposes with the intention of ensuring that any data collected under such consent cannot be used for broader commercial activities.

Judge Nancy Freudenthal, dismissing the case, acknowledged that COPPA permits schools to serve as agents for parental consent when operators provide notice to the school of their data collection practices. However, the FTC’s guidance adds that such delegation is appropriate only “where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose.” The state argued that Google violated this limitation, using children’s data for broader commercial purposes, but the court held that New Mexico failed to substantiate its claims. The FTC’s compliance guidance states that operators must make “any reasonable effort” to notify parents, but the lack of specificity in what constitutes “reasonable” creates a compliance gray area that companies like Google can exploit. [20]

Furthermore, in United States of America v. ByteDance Ltd., ByteDance Inc., TikTok Ltd., TikTok Inc., TikTok Pte. Ltd., and TikTok U.S. Data Security Inc. (2024), the FTC alleged that the platform flagrantly violated COPPA by collecting and retaining personal data from children under thirteen without parental consent. [21] TikTok allowed children to create accounts using credentials from third-party platforms, designating these accounts as “age unknown” and bypassing COPPA’s consent requirements. [22] The FTC emphasized that TikTok’s reliance on self-reported age verification rendered its compliance mechanisms ineffective. Moreover, the complaint revealed that TikTok employees were aware of the platform’s violations, with one compliance officer noting internally, “We can get in trouble … because of COPPA.” [23] The FTC Chair, Lina Khan, highlighted the systemic failure, stating, “TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country.” [24] While the FTC sought civil penalties under COPPA, the statute’s penalties again proved insufficient to create a meaningful deterrent for companies with global operations and massive revenues. [25]

Each of these cases demonstrates a different facet of COPPA’s ineffectiveness. Amazon exploited ambiguities in data retention, Google leveraged intermediary consent to bypass parental involvement, and TikTok circumvented protections through inadequate age verification. COPPA’s vague language and outdated mechanisms fail to provide meaningful safeguards for children’s privacy. The law’s limited scope and weak enforcement mechanisms allow companies to prioritize profit over compliance, leaving children’s data vulnerable.

In contrast, the European Union’s General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA) provide compelling models for more robust and inclusive data protection frameworks than COPPA. [26] GDPR stands out due to its universal applicability and stringent enforcement. Unlike COPPA, which applies only to children under thirteen, the GDPR protects all users, ensuring broad and consistent data privacy standards. Key principles like data minimization require companies to collect only necessary data, and the “storage limitation” principle prohibits indefinite retention, directly addressing COPPA’s vague provision allowing data retention “as long as necessary.” [27]

Furthermore, GDPR’s enforcement mechanisms are significantly more impactful. Fines are proportional to a company’s global revenue, creating a strong compliance incentive. Companies face penalties of up to €20 million or 4 percent of their global turnover, whichever is higher. This contrasts sharply with COPPA, where fines do not account for a company’s global financial scale, reducing their deterrent effect. [27]

The CCPA, enacted in 2020 and strengthened by the CPRA in 2023, offers a robust U.S.-based model that addresses many of COPPA’s shortcomings. While COPPA focuses narrowly on children under thirteen, the CCPA extends protections to all California residents, reflecting modern privacy needs more comprehensively. [28] Key features of the CCPA include five core consumer rights: the right to know, delete, correct inaccuracies, opt-out of sale or sharing, and limit the use of sensitive personal information, thus giving consumers significant control over their data. [29] For instance, residents can request detailed disclosures about the personal information collected, how it is used, and with whom it is shared—rights that COPPA lacks. [30] Additionally, the CCPA empowers users to demand the deletion of personal information and prohibits the sharing of data for behavioral advertising without consent, directly addressing contemporary privacy concerns. [31]

To enhance its effectiveness, COPPA could benefit from integrating elements from both the GDPR and CCPA. Expanding protections to all minors under eighteen, introducing a “right to know,” and implementing revenue-based fines would significantly strengthen COPPA. GDPR’s global enforcement and detailed protections set a high international standard, while the CCPA demonstrates how robust consumer protections can be achieved domestically. COPPA, in its current form, offers limited scope, outdated enforcement, and insufficient penalties. By incorporating GDPR’s enforcement rigor and CCPA’s broader coverage, COPPA could better safeguard the privacy of minors in today’s rapidly evolving digital landscape.

COPPA’s limitations have left children’s privacy vulnerable in the digital age. To protect minors effectively, the law must evolve to address the realities of modern technology and data collection practices. Strengthening COPPA with clearer rules, stricter enforcement, and broader protections—such as those in GDPR—would ensure that children’s data is safeguarded and that companies are held accountable. Reforming COPPA is not just a necessity; it is a legal obligation to protect the youngest and most vulnerable users of the Internet.

Edited by Tal Dimenstein

[1] “Complying with COPPA: Frequently Asked Questions,” Federal Trade Commission, https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions.

[2] “Complying with COPPA: Frequently Asked Questions.”

[3] “Complying with COPPA: Frequently Asked Questions.”

[4] “Complying with COPPA: Frequently Asked Questions.”

[5] Monica Anderson, “Teens, Social Media and Technology 2018,” Pew Research Center, May 31, 2018, https://www.pewresearch.org/internet/2018/05/31/teens-social-media-technology-2018/#.

[6] “How Websites and Apps Collect and Use Your Information,” Federal Trade Commission, Accessed December 9, 2024, https://consumer.ftc.gov/articles/how-websites-and-apps-collect-and-use-your-information#:~:text=Websites%20may%20track%20your%20online,settings%20to%20track%20your%20activity.

[7] “Privacy Policy,” United States Patent and Trademark Office, Accessed December 9, 2024, https://www.uspto.gov/privacy-policy#:~:text=When%20you%20voluntarily%20submit%20information,rights%20under%20the%20Privacy%20Act.

[8] “What are Cookies?” Kaspersky, Accessed December 9, 2024, https://usa.kaspersky.com/resource-center/definitions/cookies?srsltid=AfmBOorZlc23JJYIkLnV9AkeO1xQPzgvCOAtwkuGePe9KmaBpIFkv55d.

[9] “What are Cookies?”

[10] Max Lewis, “Scammers using AI to clone people’s voices; experts say it’s never been easier,” Fox59 News, February 28, 2024, https://fox59.com/news/national-world/scammers-using-ai-to-clone-peoples-voices-experts-say-its-never-been-easier/#:~:text=INDIANAPOLIS%20%E2%80%94%20Imagine%20if%20someone%20could,try%20to%20steal%20your%20money.

[11] Amazon.com (Alexa), U.S. v. United States of America, (W.D. Wash. 2023).

[12] Amazon.com (Alexa), U.S. v. United States of America.

[13] Amazon.com (Alexa), U.S. v. United States of America.

[14] Amazon.com (Alexa), U.S. v. United States of America.

[15] Amazon.com (Alexa), U.S. v. United States of America.

[16] “Amazon Revenue 2010-2024 | AMZN,” Macrotrends, Accessed December 9, 2024, https://www.macrotrends.net/stocks/charts/AMZN/amazon/revenue#:~:text=Amazon%20annual%20revenue%20for%202023,a%2021.7%25%20increase%20from%202020.

[17] New Mexico ex rel. Balderas v. Google, LLC, 489 F. Supp. 3d 1254 (D.N.M. 2020).

[18] New Mexico ex rel. Balderas v. Google, LLC.

[19] “Testing, testing: A review session on COPPA and schools,” Federal Trade Commission, January 23, 2015, https://www.ftc.gov/business-guidance/blog/2015/01/testing-testing-review-session-coppa-schools.

[20] New Mexico ex rel. Balderas v. Google, LLC.

[21] ByteDance, LTD., US v. United States of America, (C.D. Cal. 2024).

[22] ByteDance, LTD., US v. United States of America.

[23] ByteDance, LTD., US v. United States of America.

[24] ByteDance, LTD., US v. United States of America.

[25] ByteDance, LTD., US v. United States of America.

[26] “California Consumer Privacy Act (CCPA),” California Department of Justice, May 13, 2024, https://oag.ca.gov/privacy/ccpa#top.

[27] “What is GDPR, the EU’s new data protection law?” GDPR.edu, Accessed December 9, 2024, https://gdpr.eu/what-is-gdpr/

[28] “California Consumer Privacy Act (CCPA).”

[29] “California Consumer Privacy Act (CCPA).”

[30] “California Consumer Privacy Act (CCPA).”

[31] “California Consumer Privacy Act (CCP

Zoie Geronimi