COPPA turns 20: How it has impacted data privacy law for children

The pioneering law protecting children’s activity online, COPPA, is 20 years old this week.

 The occasion is being marked by events taking place on Capitol Hill this week and at Georgetown University next week, where the original author of the landmark legislation, Sen. Ed Markey (District of Massachusetts), and industry participants are discussing the law’s impact and where to take it next.

The Children’s Online Privacy Protection Act (COPPA) was the first privacy legislation specifically addressing kids. It was created at the dawn of the commercial internet in 1998, well before we had social media, behavioural advertising, location-tracking and smartphone addiction.  It was radical for its time, and remained the world’s only data privacy law protecting kids in a meaningful way for nearly 20 years.

But the real revolution that COPPA spawned started in 2013.  This is when the amended rule came into effect.  It expanded the definition of Personal Information to include persistent identifiers, photo/video/voice and precise geolocation.  The change made it clear that data about you could be private and sensitive even if you were not identifiable by name. This was a truly radical idea (It also meant that it was now illegal to passively profile children based on their browsing behaviour, as was happening on a huge scale across the web). Today, that concept is built into new children’s data privacy law being rolled out in Europe, China, India and many other countries.

This is the reason we founded SuperAwesome that same year – to build the technology infrastructure that would enable this

At the event hosted by the Centre for Digital Democracy (CDD) this week, Senator Ed Markey, CDD, Common Sense, EPIC, CCFC and SuperAwesome discussed where to take COPPA next.   The Senator repeated his call to raise the age of COPPA protections to 16—a provision included in the Do Not Track Kids Act which he has tabled in Congress.

Our CEO Dylan Collins reviewed the current state of kidtech (you can see his 5-minute talk here), and called on senators and the FTC to support efforts to take kids’ privacy protections beyond the content owners and operators.  

Today it is publishers who continue to bear nearly all the responsibility (and legal liability) to prevent PII collection from children. Yet there is virtually no legal obligation on the technologies and services which form part of the same ecosystem.

This makes it nearly impossible for content owners to be fully compliant.  As Dylan said, “How do we bring the same level of responsibility to the infrastructure owners, the advertising technologies, even the media agencies?  We have to think beyond the content owners. This is critical to creating a kidsafe internet.”

The next phase of protecting kids’ data privacy will require ad networks, agencies and advertisers to adapt their methods and their technologies to respect kids’ publishers desire not to have their users’ data collected.

In the meantime, COPPA continues to be the blueprint behind the increasingly global protection for children’s digital privacy.  The EU’s new data privacy law, GDPR, incorporates the core concept of COPPA in its Article 8 (GDPR-K).  China’s new Cybersecurity Law and associated Standards introduced the same concepts last year to protect hundreds of millions of kids in China.  Upcoming privacy laws in India, Argentina, Chile and other countries are also following suit.

Happy birthday, COPPA!


Max Bleyleben is Managing Director at SuperAwesome.

Leave a Reply