The Children's Online Privacy Protection Rule (COPPA) is a federal law designed to protect the online privacy of children. COPPA prevents companies from collecting and tracking personally identifiable information of children under the age of 13 without the consent of their parents. The act empowers the Federal Trade Commission (FTC) to investigate violations and levy hefty fines (up to $40,000 per affected child). Since the law came into effect in 2000, the FTC has fined over two dozen companies for COPPA violations. Below are some of the most notable cases and an overview of the COPPA violations they committed.
Girls Life, Inc., Monarch Services, Inc., and Looksmart, Ltd.
In 2001, the FTC issued its first-ever COPPA penalty against the operators of girlslife.com (Girls Life), bigmailbox.com (Monarch Services), and insidetheweb.com (Looksmart). These companies were required to jointly pay $100,000 in civil penalties and delete all personally identifying information from children under 13 they had collected. The FTC found that girlslife.com, which targeted girls aged from 9 to 14, partnered with bigmailbox.com and insidetheweb.com to offer children free email accounts and access to message boards. These websites collected PII of children, including email addresses, full names, and addresses. The websites did not post privacy policies that complied with COPPA and did not obtain consent from parents. Furthermore, bigmailbox.com shared PII of children with third parties without parental consent.
UMG Recordings, Inc. and Bonzi Software, Inc.
In 2004, the FTC fined UMG Recordings and Bonzi Software $400,000 and $75,000, respectively, for COPPA violations. The fine assessed to UMG Recordings was the largest COPPA penalty at the time. The case against Bonzi Software addressed a software program that users could download to their computers, the first of its kind. All previous COPPA cases dealt with website collection practices. For both companies, the FTC found that they required that users enter an age in order to register for their services. These services also had content aimed towards children. Thus, both companies should have had "actual knowledge" that child users were accessing the services and should have required parental consent in order to collect child data.
The FTC issued a $1,000,000 penalty to xanga.com in 2006 for violating COPPA. This held the record for the largest COPPA fine until 2018. Xanga allowed users to create accounts even if they provided a birth date which indicated that they were under the age of 13. Xanga also failed to notify parents or request consent to collect information. The FTC found that 1.7 million accounts were created for users who had indicated they were under 13.
Sony BMG Music
Sony was fined $1,000,000 for COPPA violations stemming from improper collection and disclosure of child data. Sony, which hosted over 1,000 websites for its artists and labels, knowingly collected the data of children under 13. The FTC found at least 30,000 children who registered accounts with personal information without their parents' consent, across 196 different websites.
InMobi, a Singapore-based advertising company, was forced to pay $950,000 in fines for tracking the locations of hundreds of millions of users, including children, without their consent. The FTC asserted that InMobi misrepresented how geo-location data was used, as their software was tracking the actual location of users even when the apps that used InMobi's software were not active. Since many of the apps that used InMobi's software were directed towards children, the FTC sought penalties for COPPA violations. The settlement with InMobi required the company to be independently audited every two years for the subsequent 20 years.
In December of 2018, the New York Attorney General's office settled COPPA charges with Verizon's subsidiary, Oath (formerly AOL and now renamed Verizon Media). Oath agreed to pay $4.95 million in civil penalties for enabling tracking services which violated COPPA requirements. Oath ran advertising operations on websites that it knew were targeted towards children, such as roblox.com. This was the largest COPPA penalty issued at the time.
The social networking app Musical.ly (now known as TikTok) settled COPPA charges with the FTC for $5.7 million in February of 2019. The FTC asserted that the owners of Musical.ly had actual knowledge that many of its users were under the age of 13 but failed to request parental consent before collecting PII. The severity of the fine was due in part to the significant size of the app's user-base being under the age of 13 and the fact that the app broadcast both the child's image (through pictures and videos) and location to other users on the app.
On September 4, 2019, Google and YouTube agreed to pay the FTC and the New York Attorney General a record $170 million to settle charges that YouTube was illegally collecting data of children under the age of 13 without parental consent. YouTube has several services dedicated towards children and many video channels are dedicated towards producing content for children. YouTube was tracking users and collecting their data, such as IP addresses, even on portions of the website which were marketed for children. YouTube did not request parental consent before tracking users who YouTube knew were likely young children. In addition to the monetary settlement, YouTube was directed to create a system which allows channel owners to flag their content as being directed towards children. These channels and those which are automatically flagged as being directed towards children must also be annually notified of how their content must comply with COPPA regulations.
The Future of COPPA
In recent years, the FTC and state agencies have been stepping up their enforcement of COPPA. The rise of multi-million dollar COPPA settlements shows the pressure that government is willing to place on companies in order to force them to protect child privacy. Many lawmakers have called for investigations into other products and services which routinely collect the data of children, such as Amazon Echo and Facebook. With increased scrutiny over data collection practices and concerns about protecting children online, even more COPPA investigations and hefty settlements are likely.