COPPA in the Age of COVID-19: The Need for Greater Accountability of Ed Tech Companies

By Susan Derasmo

            In 1998, the United States Congress passed the Children’s Online Privacy Protection Act (“COPPA”) to “prohibit unfair and deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children under the age of 13 on the internet.”[1] COPPA requires website operators with actual knowledge that they are collecting or maintaining personal information from children, to provide certain notices and obtain parental consent to collect, use, or disclose information about children.[2] In May 2022, the Federal Trade Commission (“FTC”) discussed its prioritization of the enforcement of COPPA as it applies to the use of education technology (“ed tech”).[3] This focus is needed because children regularly use ed tech to attend school or participate in other educational activities due to COVID-19.[4]

COPPA requires companies that collect personal information online from children under the age of thirteen to provide notice of such collection and use practices and obtain verifiable parental consent.[5] In April 2020, the FTC issued guidance urging ed tech companies to heed the requirements of COPPA during COVID-19.[6] However, little else has been done to enforce compliance.

COPPA has not been revisited since its enactment, despite criticism of its definition of who is considered a “child” and what constitutes “actual knowledge” of child users.[7] Under COPPA, a “child” is anyone under the age of thirteen.[8] Last year, the Children and Teens’ Online Privacy Protection Act was introduced in the Senate, which serves as a “COPPA 2.0”, but has not yet been passed.[9] It extends COPPA to twelve to sixteen year-olds.[10] It establishes greater online privacy protections for children and prohibits website operators of online services and applications directed to children with constructive knowledge that the user is a minor from collecting the user’s personal information without notice and consent.[11]

Currently, applications (“apps”) can bypass the consent requirement by operating as a “general audience” service.[12] This allows creators to claim that they do not have the requisite “actual knowledge” of children’s usage of their app while  telling marketers that their apps reach children.[13] By removing the “actual knowledge” requirement and holding companies to the standard of “constructive knowledge”, apps and websites would be responsible for determining whether children are using their services and comply accordingly. [14]

COPPA was written to protect children’s privacy at a time when technology was newly developing.[15]  In its current form, it does not reflect the pervasiveness of data tracking technology.[16] During the pandemic, parents essentially had to choose between protecting their child’s online privacy or sending them to school; ed tech became unavoidable.[17] It is time to revisit COPPA and bring the protection of children’s privacy into the twenty-first century to effectively enforce it.


[1] Children’s Online Privacy Protection Act, 16 C.F.R. §312 (1998).

[2] Id.

[3] Kirk J. Nahra, Tamar Pinto, & Ali A. Jessani, United States: FTC Votes Affirmatively on COPPA Compliance for Education Technology and On Seeking Public Comment for Endorsement Guides, Mondaq, (May 27, 2022), https://www.mondaq.com/unitedstates/privacy-protection/1196502/ftc-votes-affirmatively-on-coppa-compliance-for-education-technology-and-on-seeking-public-comment-for-endorsement-guides.

[4]  Id.

[5] 16 C.F.R. §312 (1998).

[6] Brian Bradley, Follow the Law on Privacy During COVID-19, FTC Tells Ed-Tech Companies, Ed Week: Market Brief (April 14, 2020), https://marketbrief.edweek.org/marketplace-k-12/follow-law-privacy-covid-19-ftc-tells-ed-tech-companies/.

[7] Shannon Finnegan, How Facebook Beat the Children’s Online Privacy Protection Act: A Look into the Continued Ineffectiveness of COPPA and How to Hold Social Media Sites Accountable in the Future, 50 Seton HALL L. REV. 827, 830-31 (2020).

[8] 16 C.F.R. §312 (1998).

[9] Common Sense Media, Fact Sheet: COPPA 2.0 – Children and Teens’ Online Privacy Protection Act, https://www.commonsensemedia.org/sites/default/files/featured-content/files/coppa-2.0-one-pager-2022.pdf (last visited Sept. 3, 2022).

[10] Children and Teens’ Online Privacy Protection Act, S.1628, 117th Cong. (2021) (as introduced, May 13, 2021).

[11] Id.

[12] Geoffrey A. Fowler, Your Kids’ Apps Are Spying on Them, The Washington Post (June 9, 2022), https://www.washingtonpost.com/technology/2022/06/09/apps-kids-privacy/.

[13] Common Sense Media, supra note 9.

[14] Id.; Geoffrey A. Fowler, supra note 12.

[15] Common Sense Media, supra note 9.

[16] Geoffrey A. Fowler, supra note 12.

[17] Kirk J. Nahra et al., supra note 3.