The Children’s Online Privacy Protection Act (COPPA) was originally passed in 1998 with the intent of protecting the youngest Internet users (those less than 13 years of age). The core expectation of the law is that parents should make all decisions regarding what information children covered by this legislation provide as a consequence of their access. The expectations established by this law have been updated several times in order to address the greater variety of devices children might use online and to be more specific regarding the types of information that parents should approve.
Earliest implementations restricted the sharing of such obvious personal data as name, address, and means of contacting children without approval. The most recent expectations are far more restrictive and go beyond the types of data that would have to be actively input. The newest restrictions include IP numbers and device IDs, photographs and video, and geolocation data.
So, for example, photos I collect with my phone automatically include the GPS locations where the image was taken (previous post describing this capability). If a child uploaded an image from such a phone, the child could be providing a device ID, possibly an image of another child, and a GPS location. A site encouraging the sharing of such input could be in violation of the new guidelines.
The clear target of this legislation would be those who offer web sites to those under 12. Why might companies providing content for young users want to collect data on these users? A likely reason would be the same reason companies offer the rest of us content and collect information in the process. The companies may want to target ads based on browsing histories.
In my opinion which certainly has no legal value, teachers and librarians should be aware of these expectations should they encourage students to use specific web sites for educational reasons. Are students signing up to use such sites? Have parents been involved in the process of registering their children?
Also, in my opinion, the law is still too vague at this point. Any content offered from a server may collect IP addresses as part of the standard log file. It seems unlikely this could be a concern. I would think we would also want to encourage the development of educational content for users of all ages. What would be the motivation to do so? One might charge for such content and parents would have to give permission when they sign their children up for such services. We also have accepted ad supported content. What makes Internet based content different than content offered to children via other means is the interactive nature (I would describe as active or passive) of accessing this content. Once you include IP numbers and device IDs among the data that cannot be collected, the situation becomes complicated. These data are sent automatically. It would be sad if companies simply put a 13 year old age restriction on their site to avoid any concern they might be collecting IP numbers OR if such companies went to a paid subscription model if even to cover the cost of collecting parental consent data.
Every time I find myself attempting to understanding legal issues I am frustrated by the vagueness with which such expectations are written. I understand that case law (working out the vagueness in court) is part of the process, but when I read what is written I immediately come up with scenarios that for me have not been clearly explained (e.g., the potential of every server to college IP data).
If interested in this issue, you might want to review some of the following sources:
Text of law (pdf)
Corporate Counsel analysis