We cover children’s privacy and advertising weekly. However, in light of COPPA’s recent 20th anniversary, and in the wake of CARU’s biggest-yet West Coast CARU conference, ADLaw has enlisted CARU super lawyer Katie Goldstein* to help us recap the past 2.5 decades of KIDlaw.

1998: A Concern for Children’s Privacy Was Born

From the moment home computers had the capacity to connect to the Internet, or in other words about the time Al Gore invented the Internet, children had the ability to use these technologies to access websites and online services. In the 1990s, concerns about children’s privacy and safety online arose amid fears of pedophile creepers and abusive online marketing practices.

The Children’s Advertising Review Unit (CARU), founded in 1974, has always been on the forefront of the effort to safeguard children’s privacy. CARU is the self-regulatory arm of the children’s advertising industry, tasked with promoting truth in children’s advertising by reviewing and evaluating child-directed ads in all media to ensure they are truthful, accurate and appropriate. CARU also monitors online privacy practices as they affect children.

Before there was any legislation on the matter, CARU monitored a burgeoning Internet and observed how children’s privacy and safety were being compromised. CARU’s mandate has always been to preserve the interests of children while ensuring that advertisers have clear ways to responsibly reach the child audience.

In 1996, two years before the passage of any children’s privacy legislation, CARU formally updated its guidelines to include a section titled “Interactive Electronic Media” (now, “Guidelines for Online Privacy Protection”), governing the privacy and safety of children under age 13 on the Internet.

At that point, it was clear that there was a growing need for oversight on the Internet. Several articles and studies that raised awareness of widespread data collection and advertising practices targeted at children online were published. In fact, these reports uncovered hundreds of sites supposedly collecting personal information from children without obtaining parental permission.

In response, federal legislators passed the Children’s Online Privacy Protection Act (COPPA) in 1998, which became effective on April 21, 2000. When the FTC drafted COPPA, it based the law on CARU’s original “Interactive Electronic Media” guidelines. The law applies to websites and online service operators that (1) directly target children to collect, use or disclose personal information from children; or (2) have actual knowledge that they are collecting, using or disclosing personal information from children. “Children,” as defined by COPPA, includes individuals under the age of 13.

COPPA authorizes the Federal Trade Commission (FTC) to promulgate rules to further the law’s mandates, and gives it the power to obtain civil penalties for noncompliance. For a great primer on COPPA written to help businesses understand what they need to do to comply, click here.

The goal of the legislation was to protect personal information collected from children. The law requires online service operators to provide a transparent and accessible privacy policy; to obtain verifiable parental consent before collection, use or disclosure of personal information from children (with narrow exceptions, such as internal operational purposes, one-time responses and “email plus” verification for certain uses); and to implement heightened security practices. The law also contains other requirements on how to specifically protect children’s personal information, and places limits on the use of children’s personal information for direct marketing purposes.

2013: COPPA Experiences Its First Growth Spurt

To understand COPPA better, let’s look at how it has evolved along with digital media. In 2013, the FTC revised the COPPA rules to broaden the definition of children’s personal information to include data types such as persistent identifiers, cookies, geolocation information, photos, videos and audio recordings. Before this update to the definition, an Internet Protocol address (an identifier that differentiates a device from other devices, including through its general location) was considered nonpersonal information. The update was made after extensive public comments and reflects relatively minor revisions to the regulations implementing the law.

When the COPPA revisions went into effect in July 2013, CARU updated its guidelines to lay the foundation to enforce the newly fortified law, particularly with respect to the newly defined forms of personally identifiable information and COPPA’s new prohibition on behavioral targeting without parental consent.

2017: COPPA Matures and Adapts to Its Surroundings, and Considers the Future

In 2017, the FTC updated its COPPA compliance plan to clarify how COPPA applies to evolving technologies such as audio recordings, and to reiterate that COPPA applies to any type of device that connects to the Internet (including “internet of things” devices such as connected toys). The FTC also added new acceptable ways of obtaining verifiable parental consent (e.g., asking knowledge-based authentication questions and using facial recognition to get a match with a verified photo ID). These changes reflect some of the cultural changes in the use of technology among children. As COPPA is interpreted now, it applies to any service, application or device that connects to the Internet and is targeted toward children. This includes video game consoles, educational or classroom connected devices, hospital medical connected devices, websites, connected toys, and mobile applications. Third-party advertisers should note that if they are advertising on particular online services, COPPA also applies to third-party advertising plug-ins or other interactive features.

CARU: Self-Regulation Guides Child-Directed Online Services Toward Compliance

Since COPPA’s nuances can be difficult to interpret, especially for newcomers to the space, the law has a “safe harbor” provision designed to enable industry groups and others to assist companies with COPPA compliance. Members of the safe harbor are presumed to be in compliance with COPPA and essentially insulated from FTC action. CARU was the first FTC-approved safe harbor program back in 2001 and continues to be a leader in supporting COPPA through providing guidance to industry and acting as a leader in self-regulation.

In addition to COPPA, CARU also promulgates the Self-Regulatory Program for Children’s Advertising (the Guidelines). The Guidelines serve as a road map of policies and procedures for advertising industry self-regulation. They provide an effective framework that holds advertisers responsible for their practices and encourages consumer trust in the marketplace. With the proliferation of online advertising, and most notably the thousands of free apps supported by advertising, the intersection of COPPA and advertising compliance has proven challenging for content providers and advertisers to navigate.

Although the Guidelines and COPPA have many similarities, they have never been identical. In some instances, CARU’s Guidelines go beyond the requirements of COPPA, raising the bar for industry by recommending best practices it believes are in children’s best interests, including advertising practices, which are largely unaddressed by COPPA. For all safe harbors, the minimum standard is compliance with the law; however, safe harbors have the option to raise the bar, and some do.

CARU has been active in monitoring the industry for violations of its Guidelines as well as of COPPA. When CARU sees an instance of noncompliance with either its Guidelines or COPPA, it seeks change through voluntary cooperation of advertisers and online operators. In instances where companies fail to cooperate with CARU, under its procedures, CARU has the power to refer those companies to the FTC for government review. While the FTC often acts on CARU’s referrals and recommendations, the large majority of companies are happy to work with CARU and are grateful for the privacy tutorial to bring them into compliance. To date, CARU has closed more than 200 COPPA-related cases, making the space safer for children.

COPPA’s 20th Anniversary and Beyond

Oct. 21, 2018, marked the 20th anniversary of COPPA. Over the years, COPPA has evolved to adapt to the continuously changing technology landscape. From the beginning, CARU has been there to help enforce COPPA and give industry guidance on how to interpret it. COPPA remains as relevant today to the protection of young children as it was 20 years ago, and recent state and federal enforcement actions show that companies continue to encroach on children’s privacy. CARU remains vigilant and the FTC continues to extract significant financial penalties from companies that disregard COPPA.

The FTC’s most recent settlement was for $5.7 million for a mobile app that is alleged to have knowingly allowed children to post videos and share personal information without parental consent. This record-breaking settlement was the result of a CARU referral to the FTC. There’s a lesson here – when a company ignores the self-regulatory process, the FTC takes notes. Lesson No. 2: Self-regulators can’t extract money from you! Lesson No. 3: COPPA offers a safe harbor program in which CARU is a participant – convince CARU you are compliant, and the FTC won’t ding you even if they disagree.

In addition to CARU and the FTC keeping an eye on children’s privacy and bringing enforcement actions for COPPA noncompliance, state attorneys general (AGs), who also have COPPA enforcement authority, have increased their focus on children’s personal information issues. For example, in September 2018, the New Mexico AG filed a lawsuit against a number of social media companies that is still ongoing. In February 2019, the New York attorney general settled a matter for $4.95 million with a company for violating COPPA by conducting billions of auctions for ad space on hundreds of websites the company knew were directed at children. The company allegedly collected, used and disclosed children’s personal information, enabling advertisers to track and serve targeted ads to children. So, lesson No. 4, don’t think you can skirt COPPA by staying under the FTC’s radar. AGs, who are political creatures, can and will enforce COPPA, and when they do it is like kissing a baby – better yet, protecting a baby!

In March 2019, legislators including Sen. Ed Markey, D-Mass., COPPA’s original author, introduced in Congress the Do Not Track Kids Act, a bill meant to expand COPPA’s reach to teenagers. To learn more, click here. The bill is in stride with global trends, such as the European Union’s General Data Protection Regulation, enacted in 2018, which requires verifiable parental consent before processing the personal information of children under the age of 16 (unless an EU member state sets the age lower, with 13 being the youngest). Markey’s bill also accords with local state laws such as California’s Privacy Rights for California Minors in the Digital World law (enacted in 2015, allowing California residents under the age of 18 to delete publicly available personal information they have submitted) and the California Consumer Protection Act (passed in September 2018, requiring, among other things, opt-in consent to the selling of personal information of children under 16). As currently drafted, the bill seeks to expand COPPA to include children from under the age of 13 to under the age of 16, and includes additional data control rights such as providing parents and children the ability to delete publicly available personal information submitted by a child. While this bill is currently in its early stages and presents serious public policy questions about the age society should deem youth too developmentally immature to have free rein on the Internet, it demonstrates the continued focus legislators are placing on children’s privacy issues. This brings us to lesson No. 5: Providing services and advertising to children in their teens is getting more, not less, complex.

The future of COPPA seems to reflect its past – regulators and legislators seek to continue to adapt its interpretation and application to evolving technologies and cultural changes in the use of such technologies among children. CARU’s role also remains as relevant as it was 25 years ago. The FTC relied then on CARU’s expertise when drafting the law and continues to rely on CARU’s monitoring to ensure a safer online space.