Child Online Privacy Act

Primary tabs

The Child Online Privacy Act concerns internet privacy for children. It was passed in 1998 and codified at 15 U.S.C. § 6501-6506. The law is enforced by the Federal Trade Commission, applying the regulations recorded at 16 C.F.R. § 312.

U.S. law requires special internet privacy protections for children under the age of 13. The language states that a web site must make “any reasonable effort… to ensure that before personal information is collected from a child, a parent of the child: a) receives notice of the operator’s personal information collection, use, and disclosure practices; and (b) authorizes any collection, use, and/or disclosure of the personal information” (16 CFR § 312.2). Consent must be confirmed before personal information is collected.
Violations are deemed “unfair or deceptive practices” and are subject to fines of $11,000 per violation. The FTC has imposed large penalties, numbering $100,000 or even $1 million. The FTC increases penalties if the violations are egregious, involve many children, use the information inappropriately, share the information, or are a large company. For example, in 2003, the FTC issued an $85,000 penalty against Hershey Foods for maintaining a website that got parental consent only by filling out an online form, with no independent verification that the individual was the parent.

See e.g., U.S. v. Kilbride, 584 F.3d 1240 (9th Cir. 2009)

[Last updated in August of 2022 by the Wex Definitions Team]