CIPA, COPA, COPPA, CPPA: Child Online Protections Explained

A nonprofit overview of:
  • COPPA: Children's Online Privacy Protection Act
  • COPA: Child Online Protection Act
  • CIPA: Children's Internet Protection Act
  • CPPA: Child Pornography Prevention Act

Portions of the following information are drawn from previous postings on the NPTalk discussion list. The following material is provided merely for background and reference information, and should not be considered or substituted for legal advice. Please consult with your organization's legal counsel for more information.

COPPA: Children's Online Privacy Protection Act

COPPA is enforced by the U.S. Federal Trade Commission. It requires U.S.-based websites that collect personal information from people under the age of 13 to obtain permission from parents or guardians before asking for such data. It prohibits websites from requiring the collection of personal information as a prerequisite for accessing online interactive services (such as chat rooms), and allows parents to determine, review (and delete) any data on kids that is provided to online services, and block any further data collection. It also spells out requirements and guidelines for site and content design to accommodate privacy protections, such as the link to a privacy statement, and easily understood privacy guarantees.

In order to comply with the law, websites must either receive e-mail verification of age or parental permission if the data is only for internal purposes, or have written permission (regular mail or fax), telephone verification (like a call to a toll-free 800 number) or a "digital signature" (similar to credit card verification) if the site in question will either give or sell the information it collects to a third party. Sites violating COPPA can face a potential fine of $11,000 for each violation.

That said, a March 2001 report authored by Professor Joe Turow of the Annenberg Public Policy Center at the University of Pennsylvania (and conducted with help from the FTC), suggests that all is not necessarily copasetic with regards to the commercial websites with the highest volume of young visitors. Of the 162 sites examined, 17 of the sites that collect personal information had no link to a privacy policy on their home page; of these, 14 had no privacy policy anyway. Some 90 of the 162 sites collected personal information and also had a privacy policy, and of these:
  • 96% explained what type of data is collected and how it was used
  • only 44% of these sites followed FTC guidelines for highlighting the privacy link
  • 68% stuck the privacy link in small type at the bottom of the page
  • 38% left out COPPA language regarding the review of submitted data
  • 50% of these particular sites failed to include COPPA's restriction on further data collection
  • 50% of the privacy policies were found to be too complex or time consuming
The report makes a simple, but instructive, point. If the commercial sites that are designed to appeal to kids cannot, or will not, comply with federal rules because they are viewed as burdensome or difficult to understand, then it is much less burdensome for them to not collect data in the first place. The report also suggests that if the commercial sites want to collect data, then they should find a way to create a consistent, easily implemented approach to meeting federal rules for privacy policies and providing parents with a guarantee that the sites respect parental preferences for data collection.

In April 2001, the Center for Media Education issued its first-year assessment of commercial website compliance with COPPA. Of the 153 sites examined, the majority were found to have begun limiting the range of information collected, and more were using privacy policies. Yet there was also a noticeably consistent lack of understanding about COPPA compliance, including a prominent link to the privacy policy, proper parental consent measures, and the use of data collection techniques that leave the door open for potentially false data to be entered by minors.

Needless to say, a number of commercial sites, especially smaller ones, have complained, since COPPA became law, that the requirements are a confusing burden, issued without clear guidance on what constitutes compliance. For the year preceding the settlement, the FTC has attempted to conduct an education and outreach campaign, materials development, and seminar series about the rule-- even directing an e-mail mass mailing last summer to most of the major online kids services.

For three commercial sites, however, April 19, 2001 reiterated the implications of non-compliance. That day, three websites coughed up a combined US$100,000 to settle FTC charges that they were violating COPPA. The three websites were charged with gathering personal information from children under 13, a big COPPA no-no.
Though they paid the fine, the sites never admitted liability, only that they had agreed to settle the charges. In addition to the fine, the three sites have to remove from the site all of the personal information they collected since the rule went into effect, and have to keep their noses clean from now on in their data collection practices.

GirlsLife.com (the web version of a popular print publication) has an audience of mostly girls under the age of 13, accessing content and polls and the like. Like any commercial portal worth its salt, it provided free e-mail addresses and accounts for subscribers to the site (thanks to BigMailbox.com), and it also provided "online community" through message boards (thanks to Looksmart's insidetheweb.com bulletin board services). In the course of their data gathering from the under-13 year olds, according to the FTC, none of the three sites ever posted privacy statements or got parental consent prior to delivering service in accordance with the rules presented under COPPA. Though the data collected through the three sites was used for internal purposes, it was not collected with parental consent. BigMailbox.com also got in trouble for attempting to mislead users by stating that no child could start an e-mail account without parental permission, and the company was also found to have provided information to outside parties.

The upshot is that GirlsLife.com pays US$30K, while Looksmart (which discontinued its Insidetheweb.com service, yet promptly launched a new bulletin board service) and BigMailbox.com each pay US$35K.

Also that day, the FTC put out a notice about the second COPPA "safe harbor" program (one that represents an industry's self-monitoring of problems in a given policy area to preempt government regulation; if complied with, a safe harbor represents adherence to the law applicable in that area).
The Entertainment Software Rating Board (ESRB) privacy protection program follows the advertising industry's Children's Advertising Review Unit of the Council of Better Business Bureaus (CARU) as safe harbors.

Speaking of COPPA "safe harbors", consider the extremely vocal attempts by the Disney Company throughout 2000 to have its privacy efforts designated as such by the FTC, while ironically navigating the privacy minefield caused by its now defunct online toy retailer Toysmart. Toysmart has the distinction of being the first entity charged (versus successfully prosecuted) with a COPPA violation, because it collected personal information from children without parental consent. Toysmart was already in serious trouble with the FTC regarding accusations that it was going to sell its confidential database of consumer information culled from customer transactions as part of its bankruptcy proceedings in May 2000.

The trouble really started when the failing company decided to file for bankruptcy, but faced objections by 39 state attorneys general who charged that the agreement violated not only the Federal Trade Commission Act, which applies to unfair or deceptive acts, but the consumer protection laws in each of their states. Toysmart's privacy policy dictated that it would never sell its customer information, yet made that very activity a crucial part of its bankruptcy filing. As part of its Chapter 11 bankruptcy filing, Toysmart was treating its customer list as an asset separate from its website and other property. The FTC said that as part of its approval of the bankruptcy plan, the company had to tie in the database with the website, and that any potential buyer must not only be in a related market, but must also respect the obligations attached to the list, including the privacy agreement to never sell or share customer information with third parties. Toysmart was also told to provide an option to let individuals "opt-out" from the list.
The COPPA charges led to a settlement, blasted by both public interest groups and the attorneys general, and Disney wound up spending US$50K during January 2000 to just simply delete the information.

COPA: Child Online Protection Act

COPPA went into effect April 21, 2000, but was actually signed into law by President Clinton in 1998-- a significant year that also saw the passage of COPA by Congress. COPA, passed in October 1998, treated activity involving the publishing (for commercial purposes) of communications or content (particularly sexual in nature) that includes material harmful to minors, but that also does not restrict access to minors. Under COPA, violators could expect up to a $50,000 fine, six months in jail, and/or additional civil fines.

COPA was basically a second attempt by Congress to pass a federal law that would shield children from harmful online content. The first attempt, known as the Communications Decency Act (CDA), which sought to ban offensive content on the Internet as a whole, was struck down by the U.S. Supreme Court in Reno v. American Civil Liberties Union. This case addressed a portion of CDA that prohibited "indecent", "patently offensive" content directed towards minors online, though adults had a First Amendment right to the same content, based on "community standards" and other tests. The Court, in a 7-2 decision, found that Internet speech ranks amongst speech afforded highest First Amendment protection, that Congress' ends did not justify the restrictive means employed, and that community standards did not hold up in the wake of the dissolved geographic boundaries of the Internet. More telling, the Court rejected the notion that the CDA could override the authority of parents to choose what their children should or should not have access to, and that the articulators of objectionable content should face numerous confusing (and sometimes conflicting) mechanisms in distributing their content.
A number of legal commentators and scholars have pointed out that legislative restrictions on Internet speech tend to violate the First Amendment of the U.S. Constitution ("Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.").

Two additional cases are important for background...

On May 22, 2000, the U.S. Supreme Court issued its decision in United States v. Playboy Entertainment Group. At issue was whether Section 505 of the 1996 Telecommunications Act violated the First Amendment in restricting (but not banning) adult-oriented content to "safe harbor" (late hours between 10:00 p.m. and 6:00 a.m.) if the cable operators carrying said content could not fully scramble access to it. If a channel were successfully scrambled, there would be only normal static on screen. The problem was that cable operators sometimes had "signal bleed" creeping through on their channels (fuzzy picture with the sound intact from unauthorized channels).

In a very close ruling (5 to 4) in favor of Playboy, the Court held that Congress could not limit content to certain hours of the day, and could also not dictate the methods through which content would be blocked. The Court did say, however, that any attempt to address the issue of content harmful to minors needed to employ the "least restrictive means test." The "test" itself is a legal standard used by the Court in First Amendment cases, which holds that government, in looking to perform functions it is already allowed to do, must select the option that interferes the least with First Amendment rights of free expression, when it has a range of options that can effectively achieve the desired end.
Congress was found to have a legitimate interest in blocking children's access to pornography, but not to the extent that it blocked Playboy from exercising its First Amendment right to show it. Since individual subscribers could ask their individual cable operators to block the channel, that least restrictive means would be another way of accomplishing the same goal. Regardless of the importance of material, the Court held, the First Amendment still applies, especially when the government cannot demonstrate firm evidence showing that the content in question produces specific harm to minors.

One month to the day later, on June 22, 2000, the 3rd U.S. Circuit Court of Appeals in Philadelphia, Pennsylvania, in upholding a lower court ruling against COPA, said that the law was so broad that it would also wind up applying to websites that were not pornographic. The three-judge panel gave a lot of attention to one of the trickiest aspects of COPA, namely how to translate a notion of physical community standards advocated by the Supreme Court, into virtual ones that apply to the full range of content available through the Internet. The "community standards" test was first articulated by the Supreme Court in its 1973 Miller v. California decision, and basically uses the following barometer to determine what is obscene speech:
  • "(a) whether "the average person, applying contemporary community standards" would find that the work, taken as a whole, appeals to the prurient interest, Roth, supra, at 489,
  • (b) whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable state law, and
  • (c) whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value."
Keep in mind that speech and expression that is legal in one community, but deemed to be obscene in another, generally enjoys no national First Amendment protection. The Court, however, has also held that federal and state legislation cannot dictate community standards, which, in effect, turn instead on "an average person's" tastes. The Court has not attempted to articulate a national set of guidelines, mostly because "the community," in the online sense, happens to be, literally, the world population with access to the Internet; content that is prohibited in one community but not another is potentially still available to anyone online, regardless of its legal status in the United States.

We should add here that, even while COPA itself was slowly being dismantled in the courts, Congress set up a panel in the fall of 1999 to investigate the implications of COPA in practice. The COPA Commission conducted hearings under a provision in the 1998 COPA law-- which, significantly, was not challenged under the aforementioned cases. The Commission's mandate was to "identify technological or other methods that will help reduce access by minors to material that is harmful to minors on the Internet." It held a series of hearings, evaluating,
    " ...a wide range of child-protective technologies and methods, including filtering and blocking services; labeling and rating systems; age verification efforts; the possibility of a new top-level domain for harmful to minors material; "greenspaces" containing only child-appropriate materials; Internet monitoring and time-limiting technologies; acceptable use policies and family contracts; online resources providing access to protective technologies and methods; and options for increased prosecution against illegal online material."
The Commission released its final report on October 20, 2000. What did they find? That, "...no single technology or method will effectively protect children from harmful material online." What did they recommend? A combined effort consisting of, " ...public education, consumer empowerment technologies and methods, increased enforcement of existing laws, and industry action." This included, for example:
  • informing parents about available technologies for them to implement at their choosing
  • public-private dialogue around how filtering technologies and approaches can be effectively coordinated to provide safe, yet educational, online opportunities for children
  • increased enforcement of existing obscenity and child pornography laws, and coordination to provide registries of offending sites that are not in compliance with those laws
  • voluntary action by adult online services, Internet service providers, and other Internet industry actors to limit the access of minors to objectionable material
In other words, no new laws; industry accountability; increased education and dialogue between parents; and vigilance that constitutional protections not be compromised. So one might reasonably think that this would make things potentially more difficult for the U.S. Congress to enact laws regulating online speech that could (and would) pass constitutional scrutiny, and that Congress would simply not attempt to address the issue at all. Well...

CIPA: Children's Internet Protection Act

On December 15, 2000, as the 106th Congress was winding up its business, it seems that a few lines of language were inserted into the Labor, Education, and Health and Human Services portion of the omnibus appropriations (spending) bill funding government operations and programs for the next fiscal year. The language required schools and libraries receiving public funds from federal programs (like the E-rate program and the 1996 Library Services and Technology Act program) to install and use filters on computers to block out obscene online visual depictions of sexually-explicit material, and to monitor the Internet use of students and minors. The full package passed through the House and Senate, and the provision became known-- keeping true to acronym form-- as CIPA, or the Children's Internet Protection Act.

Under the same law, there was a provision known as the Neighborhood Children's Internet Protection Act which also required schools and libraries to adopt-- after posting notice of and holding at least one local hearing around-- Internet safety policies. These policies were to cover information dissemination (including disclosure of personal information) and communication by and with minors using online tools (chat, e-mail, instant messaging, newsgroups, message boards, etc.); unlawful online activities conducted by minors (including hacking); and procedures in place to restrict access to objectionable material by minors.
It is important to note, however, that the determination of objectionable material is to be made by that individual school, library, or local educational authority.

CIPA was to go into effect on April 20, 2001, and be overseen by the Federal Communications Commission. According to April 5, 2001 FCC rules, schools and libraries have until July 1, 2002 to certify their intention-- or show proof of "undertaking action" to comply-- with CIPA rules, or else forfeit access to specified federal grants and funding like E-Rate. The original law also called for a three-judge U.S. District Court panel to be established to hear any legal challenges to CIPA. Any decision by the panel could result in an automatic appeal to the Supreme Court by either side.

Lest you think no one noticed, according to CDT, there are already two lawsuits against CIPA in the U.S. District Court for the Eastern District of Pennsylvania in Philadelphia, PA-- the court that ruled against COPA itself. Before we forget, the U.S. Justice Department filed an appeal to the Supreme Court, appealing the District Court's ruling on COPA. One of the District Court suits is by the American Library Association, and the other comes from the American Civil Liberties Union. The basic thrust of the legal action at this point is on the provisions affecting libraries, and not schools (though additional legal activity is being considered). The arguments include, paradoxically, the violation of children's privacy by a law that seeks to protect them from obscene material, in addition to limiting the expression of free speech, and local control over when and how filters should be used. The ALA concerns are particularly interesting, including the limiting of available information in libraries, and the exacerbation of a "digital divide" forcing those who can only access the Internet from libraries to explore a constricted web of lesser quality than those who can access the Internet without filters.
Internet filtering, for the most part, involves software that screens out web pages based on a predetermined list of words and/or URLs. It can also, in some cases, include newsgroups, chat rooms, or e-mail messages. The general approach in the U.S. has been to let localities, and not the government, determine when filtering is needed, and how it is to be applied.

So why the push for federal regulation three times? One thing to keep in mind, as many media accounts have done, is that each attempt at regulating children's access to the Internet is increasingly targeted to a specific set of activities in a particular context, but that each raises the bar of technical, if not constitutional, challenges.

Consider, for a moment, how easy it is to find material that might offend your own sensibilities online. If not pornography, it might be violence, or profanity. Such content can easily be found accidentally or intentionally, and not even the best filters can screen out everything-- or make the determinations between those things that are shocking to the senses and tastes of some, yet still have, say, artistic, educational, social, political, or historical value. With the seemingly persistent assault of objectionable content, those who interact with children the most, such as parents and educators, need to have the means to protect young eyes from offensive or potentially harmful content. Having those tools, however, also entails some degree of responsibility for using those tools accompanied with knowledge about both their usefulness and limitations. But what if those tools cannot tell the difference between art, medical drawings, or an adult movie advertisement?

CIPA is also more complicated for entities like schools and libraries receiving funds, because, while not a criminal law like CDA and COPA, it does tie restrictions to federal funding, which, CIPA-proponents argue, are not forced upon schools and libraries.
While the Court has not been willing to place restrictions on speech, a number of commentators have pointed out it does not have a problem with speech tied to funding, citing the 1998 decision of NEA vs. Finley, where the Court, in an 8 to 1 decision, upheld the constitutionality of the standard of "decency and respect" the National Endowment for the Arts had to use for grantmaking.

Most recently at the state level, proponents of mandatory library filtering have a spotty record. Recently a court ruled that a Loudoun County, Virginia library had to stop using filters, and a California library's refusal to use filters was upheld by a court in that state.

CPPA: Child Pornography Prevention Act

There is also another set of legal activity regarding the Child Pornography Prevention Act of 1996 (CPPA). This law, in part, made the possession or posting of digital/electronic visual representations of minors engaged in sexual activity illegal (even if the persons in the image were not minors). The constitutionality of the law U.S. District Courts. The law is now under consideration by the Supreme Court.

Ryan Turner
OMB Watch (now the Center for Effective Government)

Resources

  • Federal Trade Commission's COPPA Page http://www.ftc.gov/privacy/coppafaqs.htm
  • Annenberg Public Policy Center March 2001 COPPA Report http://www.asc.upenn.edu/usr/jturow/PrivacyReport.pdf [PDF format]
  • Center for Media Education April 2001 COPPA Report http://www.cme.org/children/privacy/coppa_rept.pdf [PDF format]
  • GirlsLife.com http://www.girlslife.com
  • BigMailbox.com http://www.bigmailbox.com
  • Looksmart's insidetheweb.com http://www.insidetheweb.com
  • Entertainment Software Rating Board (ESRB) Privacy Protection Program http://www.esrb.org/privacy.asp
  • Children's Advertising Review Unit Council of Better Business Bureaus (CARU) http://www.bbb.org/advertising/safeharbor.asp
  • Reno v. American Civil Liberties Union http://supct.law.cornell.edu/supct/html/96-511.ZS.html
  • United States v. Playboy Entertainment Group http://supct.law.cornell.edu/supct/html/98-1682.ZS.html
  • Least restrictive means test http://caselaw.findlaw.com/data/constitution/amendment01/10.html#f162
  • 6/22/00 3rd U.S. Circuit Court of Appeals COPA ruling http://pacer.ca3.uscourts.gov/recentop/week/991324.txt
  • Miller v. California http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?navby=case&court=US&vol=413&invol=15
  • COPA Commission http://www.copacommission.org
  • COPA Commission Final Report http://www.copacommission.org/report
  • Children's Internet Protection Act http://thomas.loc.gov/cgi-bin/bdquery/z?d106:HR04577:@@@L&summ2=m&|TOM)
  • Federal Communications Commission CIPA Rules http://www.fcc.gov/Bureaus/Common_Carrier/Orders/2001/fcc01120.doc
  • American Library Association CIPA lawsuit http://www.ala.org/cipa/cipacomplaint.pdf [PDF format]
  • American Civil Liberties Union CIPA lawsuit http://www.aclu.org/court/multnomah.pdf [PDF format]
  • NEA vs. Finley http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=US&vol=000&invol=97-371
  • Child Pornography Prevention Act of 1996 http://www.usdoj.gov/usao/eousa/foia_reading_room/usam/title9/crm01969.htm