The Children’s Online Privacy Protection Act (COPPA), passed in 1998, marks the first action by the government specifically limiting companies’ dissemination of private information over the Internet. COPPA prohibits an operator of a website or online service directed at children or any operator that has actual knowledge that children are using its website, from collecting personal information from a child, unless the operator meets certain regulatory requirements.
These regulatory requirements include providing notice on the website as to what information is collected from the children and how the operator plans to use the information. In addition, the operator must obtain verifiable parental consent for the collection, use, or disclosure of personal information from children. Finally, operators are required, upon the request of a parent, to provide a description of the specific types of personal information collected from the child by that operator and an opportunity to prevent further collection or use of such information.
COPPA applies to websites and online services that are specifically directed at children under the age of thirteen and to operators of websites where the operators have actual knowledge they are collecting information from children under the age of thirteen. In 2000, the Federal Trade Commission filed its first action under COPPA, against a website called Toysmart. After it declared bankruptcy, Toysmart had attempted to sell the data it had collected selling toys. The FTC and Toysmart eventually agreed to a consent degree which allowed Toysmart to sell its database but only to a qualified buyer who focused its business in the same area that Toysmart did and agreed to the same limitations on that information that Toysmart had to follow under COPPA.