Dhara Shah
Senior Editor
Loyola University Chicago School of Law, JD 2020
Data protection measures have been increasingly crossing news headlines ever since the General Data Protection Regulation (GDPR) came into effect in 2018. However, data protection measures did not begin with the GDPR. In the United States, where there is a sectoral system in place, there have been regulations in place for years that monitor children’s online privacy (COPPA), health information (HIPAA), spam (CAN-SPAM), and even video rental history (VPPA). Despite these systems being implemented years ago, large companies still fail to properly comply with the requirements set forth. Recently, a settlement between YouTube and the FTC brought to light the importance of compliance with COPPA.
What is COPPA?
The Children’s Online Privacy Protection Rule, or COPPA, requires that all online services directed towards collecting or maintaining children’s personal information must give clear notice on “what information it collects… how it uses such information… and its disclosure practices for such information.”
COPPA takes to defining various measures of this rule, including that a child is any individual under 13 years old, but does not specifically state how one must comply. Rather, COPPA provides that these online services must (1) provide notice and attain parental consent prior to collection of a child’s information; (2) have a clear and comprehensive privacy policy; and (3) keep information that is collected from a child both confidential and secure.
What did YouTube (not) do?
This brings us back to the recent settlement between the FTC and YouTube and its parent company, Google. Google and YouTube faced a $170 million settlement after the FTC brought action stating that YouTube was illegally collecting personal information from children without obtaining parental consent—serving to be the largest penalty in a COPPA case.
So what was YouTube’s mistake? YouTube continued to call itself a platform for the general-audience; however many of its individual channels, such as children shows or toy channels, were unmistakably child-directed. YouTube chose to operate as a general-audience platform through telling advertising agencies it did not have children under 13 on their platform, but at the same time would market itself as “today’s leader in reaching children age 6-11 against top TV channels.”
In addition to the fine, YouTube must now put into place measures that allow for individual channel owners to identify child-directed content to ensure compliance with COPPA. Additionally, YouTube was mandated to provide notice regarding their data collection practices as well as ensure that parental consent is attained prior to any personal information collection from a child.
From here to beyond
The learning lesson from this instance is that content creators cannot tread lightly when it comes to data collection, especially in regard to children’s personal information. It is crucial that if a platform is aware they are producing content that is child-directed, it is to comply with COPPA. The mistake that YouTube made, and the one that other platforms must be wary of, is that even if a company’ general content is geared towards those aged over 13, if they have a corner of their platform directed towards children, they must still comply with what COPPA sets forth.
To prevent being in the same shoes as YouTube and Google, companies should keep the following in mind. COPPA applies to “individually identifiable information” about a child that is collected online. This serves to be anything that could identify or serve to contact the child—such as their name or a phone number. At the very least, companies should place a privacy notice upon their site that highlights what personal information is being collected, by whom, how it is being used, if it is being disclosed to third-parties, whether the parent has the ability to agree to the use and collection of data, and state that a parent has the ability to ask for deletion or suspend further collection of the data.
COPPA is just one of many data protection measures put into place in the U.S., and with states enacting their own policies and international data protection measures in place, companies must ensure compliance with each in order to avoid both large penalties and putting children and adult’s personal information at risk.