On January 27, 2014 Google’s motion for interlocutory review was denied in In re Google Inc. Gmail Litig. In late 2013, a group of plaintiffs sued Google alleging violations of federal wiretapping laws
, when Google tapped into users’ e-mails. United States District Judge Lucy H. Koh of the Northern District of California said plaintiffs could pursue allegations that Google violated federal law by reading private e-mails of Gmail users to build behavioral advertising profiles.
Google asserted implied consent defenses for many of the allegations brought against them. In a footnote, the court mentions that based on the clauses of Gmail’s Terms of Service, minors (between ages 13-17) could not have offered valid consent.
However, the parties in their briefs disputed whether teens could legally consent, despite state law to the contrary. Google contends that the Children’s Online Privacy Protection Act (“COPPA”) preempts any state laws on the matter. COPPA, detailed below, is a federal statutory scheme with special provisions covering minors under age 13. Google cites a proposed version of COPPA which included all minors (even those aged 13-17). Accordingly, Google argues Congress’s explicit decision not to use that version is indicative of its intent that minors between ages 13 and 17 can consent to digital contracts.
1. What Is COPPA?
COPPA, enacted on October 21, 1998, was created to grapple with two concerns: “(i) overmarketing to children and collection of personally identifiable information from children that is shared with advertisers and marketers, and (ii) children sharing information with online predators who could use it to find them offline.” Currently, the stated goal is to keep parents in control of children’s activities online.
The five primary elements of COPPA are (1) Notice; (2) Parental Consent; (3) Parental Review; (4) Limits on the Use of Games and Prizes; and (5) Security.
2. Who Must Comply with COPPA?
COPPA applies to any commercial website operator or online service directed to children under 13 that collects personal information, or a general website that has actual knowledge it collects personal information from children.
The Federal Trade Commission (“FTC”) has indicated that when it determines whether a website is directed to children, they consider: (a) subject matter; (b) visual or audio content; (c) age of models on the site; (d) language; (e) whether site advertising is directed to children; (f) information regarding the age of the intended audience; and (g) whether the site has animated characters or other child-oriented features.
Actual knowledge is present, according to the FTC, when a general audience site learns of the child’s age either through site registration or upon notice from a parent who has learned that their child is participating in the site.
3. What Must Covered Companies Do?
Sites governed by COPPA have a number of obligations. First, operators must post privacy policies, and provide parents with information, concerning the collection, use, and disclosure of personal information from children. Second, in most cases, operators must obtain “verifiable parental consent” before collecting, using, or disclosing personal information, including consent to any material change in the collection, use, or disclosure practices to which the parent has previously consented. Further, the parent, on request, should be able to review the personal information collected from the child and prevent further use of that information or the future collection of additional information. Moreover, an operator cannot condition a child’s participation, in something like a game, on the child disclosing more information than reasonably necessary to participate. Lastly, operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information gathered.
4. Recent Changes to COPPA
In 2012, the FTC amended COPPA. Now sites must obtain parental consent before collecting a child’s photographs, videos, or geolocational information. Further, the amendments closed a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent and extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA. Covered entities must now take reasonable steps to release children’s personal information only to companies capable of keeping it secure and confidential, and operators are expected to adopt reasonable procedures for data retention and deletion under the amendments. Moreover, the changes strengthen the FTC’s oversight of self-regulatory safe harbor programs, and COPPA was extended to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs .
5. Notice Required by COPPA
For notice, COPPA requires the posting of a privacy notice on the site and demands direct notice to parents of children from whom the operator wishes to collect information. There also must be a link to the operator’s privacy notice on the site’s home page and on every page that collects information from children, that is both “clear and prominent.”
The privacy notice must be clearly written so children will understand it, and the notice must include:
(1) the name and contact information of the operators collecting or maintaining the
(2) types of personal information collected and the collection methods used (direct or
passively through cookies);
(3) how the information is used;
(4) whether the operator discloses the data to third parties, and, if so, the operator must
(i) the nature of the third party’s business,
(ii) the purpose for which the data is used, and
(iii) whether the third party maintains confidentiality;
(5) notice that the operator may not require the child to disclose more data than necessary
to participate; and
(6) notice that the parent can request:
(i) to review the information,
(ii) to have information deleted, and
(iii) a halt to any further collection of information.
If the site wants additional personal information from the child, it must then send the site’s privacy notice directly to the parents by mail or e-mail.
6. Consent Requirements
An operator must obtain verifiable parental consent before collecting any personal information from a child (under 13), unless the collection fits into an exception. If the information is only used internally, and not disclosed to third parties or made publicly available, then parental consent may be obtained through use of the Rule’s “email plus” mechanism. The Rule sets forth several non-exhaustive options for obtaining consent, and sites can apply to the FTC for pre-approval of a new consent mechanism.
If the site wishes to disclose children’s personal information to third parties, or allow children to make it publicly available (e.g., through a social networking service, online forums, or personal profiles), then the site must use a method reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. Such methods include:
- Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the “print-and-send” method); 
- Requiring the parent, in connection with a monetary transaction, to use a credit card, or other online payment system that notifies of each transaction to the account holder;
- The parent calls a toll-free number staffed by trained personnel (or via video-chat); or
- Verifying the parent’s identity by checking a form of government-issued identification against databases of such information, if the information is promptly deleted after completing the verification.
Further, though some operators use convenience methods, such as providing parents with a PIN number after initial consent, if a site materially changes their information practices, they must send notice to the parents. The site must also give the parent access to whatever information it possesses regarding the child.
An operator must give parents the option to consent to the collection and use of a child’s personal information without consenting to the disclosure of such information to third parties (only where disclosure is not inherent in the activity to which the parent is consenting).
7. Disclosure Defined
Under 16 C.F.R. § 312.2, “disclosure” includes “[m]aking personal information collected by an operator from a child publicly available in identifiable form by any means, including but not limited to a public posting through the Internet, or through a personal home page or screen posted on a website or online service; a pen pal service; an electronic mail service; a message board; or a chat room.”
8. How COPPA Applies to Social Networking Services
Sites may use parents’ “online contact information” to verify consent. Such information is defined as an email address, IM user identifier, VOIP/video chat user identifier, or other substantially similar identifier (not mobile phone number or app store password). However, once a site becomes connected with the parent via the parent’s online contact information, the site may request a parent’s mobile phone number in order to further communicate with him or her.
9. Third Parties Who Collect Consent
Third parties may collect consent on behalf of sites. For instance, several Commission-approved COPPA safe harbor programs offer parental notification and consent systems for operators. The amended Rule provides a mechanism for interested parties to file a written request for Commission approval of parental consent methods not currently enumerated in 16 C.F.R. § 312.5(b).
10. Trade Secret Information
Many innovative privacy corporations were concerned about their creative confidential consent mechanisms becoming public. The FTC writes: “just as the Commission has done for COPPA safe harbor applicants, it would permit those entities that voluntarily seek approval of consent mechanisms to seek confidential treatment for those portions of their applications that they believe warrant trade secret protection.”
11. Exceptions to COPPA Requirements
There are exceptions where the child’s name and e-mail address can be obtained without first obtaining verifiable parental consent. For practical reasons, a website operator is allowed to collect a child’s name and e-mail address along with a parent’s e-mail address in order to comply with COPPA by sending notification and seeking verifiable consent.
The website may also collect this information when:
(1) responding to a specific one
to re-contact the child and is subsequently deleted from their records;
(2) communicating with the child more than once in response to a specific request (e.g., a
monthly online newsletter), if the site notifies the parent and gives them the
opportunity to stop the communication;
(3) the information is used solely to protect the child’s safety when participating on the
(4) to protect the security or liability of the site, or respond to law enforcement.
12. The Safe Harbor Provision Under COPPA
COPPA includes a safe harbor provision through which the FTC has the power to approve safe harbor programs. Websites must draft self-regulatory guidelines for FTC approval. The FTC regulations set forth certain criteria for the approval of self-regulatory guidelines. After the safe harbor standards are approved, they are officially deemed COPPA-compliant, subject to the review as described in the guidelines of the safe harbor program (as opposed to an official FTC action). Since the enactment of COPPA, the FTC has approved several entities applications for acceptable safe
13. What Are the Implications of Google’s Claim?
In the Gmail case, a number of plaintiffs are pursuing Google in regard to their violation of federal wiretap laws. Plaintiffs argue that minors between 13 and 17 cannot consent on the basis of Cal. Fam. Code § 6701 (where it states that a minor cannot “give a delegation of power” or “make a contract relating to any personal property not in the immediate possession or control of the minor”).
In truth, the problem highlighted here
, starts before Google’s allegedly inappropriate consent practices. The fact that the plaintiffs are arguing that federal law does not apply means that federal law as it exists does not protect teens. Teens tend to be more prone than tweens to take risks and have less psychological capacity to protect themselves than adults. So while COPPA has been helpful especially in the FTC’s major enforcement suits, some internet users remain completely unprotected, though they are not typically old enough to furnish consent.
Further, as it applies to those covered by COPPA, COPPA protects the privacy of children but not their physical safety or the content children see. While this is an issue that needs to be reexamined in regard to COPPA in general, this tenet is especially true with regard to teens who often believe they have the capacity to assume safety risks that tweens would never dream of taking.
’s consent should be considered.
As far as kids under 13 are concerned, safety and content can never be addressed in their entirety, but at least an attempt to mend those problems would be beneficial. Addressing both of these issues simultaneously may significantly improve the safety of teens in the digital age. It is also safe to presume that if these problems were addressed it would enhance parents’ trust online and help online businesses (though for certain businesses such challenges would be rather burdensome).
The Gmail case only reinforces an old concern regarding the ability of minors to consent online. Though COPPA made some amendments recently, teens need to be addressed as well. Further, COPPA consists of privacy law, not safety laws. It would be essential for the protection of teens using the internet for Congress to reexamine the potential hazards stemming from these gaps in the law.
In re Google Inc. Gmail Litig., 5:13-MD-2430-LHK, 2014 WL 294441 (N.D. Cal. Jan. 27, 2014)
 In re Google Inc., 13-MD-02430-LHK, 2013 WL 5423918 (N.D. Cal. Sept. 26, 2013)
 Id.at n.8.
 Id. See Cal. Fam. Code § 6701 (where it states that a minor cannot “give a delegation of power” or “make a contract relating to any personal property not in the immediate possession or control of the minor”).
 Before an official enactment was agreed upon.
 In re Google Inc. Gmail Litig., 2013 WL 6905028 (N.D.Cal.)
 Recent Developments in Privacy Protections for Consumers: Hearing Before the Subcomm. on Telecomm. Trade & Consumer Prot., 106th Cong. (2000)
 See Anita L. Allen, Minor Distractions: Children, Privacy and E-Commerce, 38 Hous. L. Rev. 751, 763 (2001) (“COPPA confers to parents the power to function as gatekeepers of children and families’ personal information; and, because small children sometimes slip personal information under the gate, parental power to recapture information previously disclosed is critical”)
 Under 15 U.S.C.A. § 6501(2), “operator”
(A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce—
(i) among the several States or with 1 or more foreign nations;
(ii) in any territory of the United States or in the District of Columbia, or between any such territory and—
(I) another such territory; or
(II) any State or foreign nation; or
(iii) between the District of Columbia and any State, territory, or foreign nation; but
It is worth mentioning that this exception does not apply to nonprofits who operate to benefit their commercial members. See e.g., California Dental @#!*% ‘n v F.T.C., 526 US 756, 766 (1999) (where dental members were benefitting from a nonprofit organization, the FTC rules applied in such situations).
 15 U.S.C.A. § 6502(a)(1). “It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).”Id.
 1 Data Sec. & Privacy Law § 7:31 (2013)
 Children’s Online Privacy Protection Rule; Final Rule, 64 Fed. Reg. 59888, 59892.
 15 U.S.C.A. § 6501(8). Personal information is defined as (a) the child’s full name; (b) a home or other address, which includes the street and city or town name; (c) an e-mail address; (d) a telephone number; (e) a social security number; (f) any other identifying information the agency determines that permits the contacting of a specific child; or (g) information concerning the child or parent that the website collects online and combines with an identifier described inthis paragraph. The regulations go further to include such personal information as hobbies, interests and information collected through cookies and other tracking mechanisms. See id.; see also 15 U.S.C.A. § 6502(b).
 15 U.S.C.A. § 6502(b)(1)(A)(ii).
 16 C.F.R. § 312.5
 15 U.S.C.A. § 6502(b)(1)(b)
 15 U.S.C.A. § 6502(b)(1)(C).
 15 U.S.C.A. § 6502(b)(1)(D).
 Allison Fitzpatrick& Alison Winter, FTC Issues Updated FAQs on Amended COPPA Rule, 25 Intell. Prop. & Tech. L.J. 13 (2013)
 Corp Couns Gd to Privacy § 17:1
 § 19:25.Children’s Privacy—Children’s Online Privacy Protection Act of 1998 (COPPA), 2 Internet Law and Practice § 19:25
 15 U.S.C.A. § 6502(b)(1)(A)
 Corp Couns Gd to Web Site Agrmts § 6:9
 16 C.F.R. § 312.4(b)(1); 312.4(d)(1)
 16 C.F.R. § 312.4(b)(2)(i) to (vi)
 16 C.F.R. § 312.5(c).
 “Email plus” allows sites to request (in the direct notice sent to the parent’s online contact address) that the parent consent in a return message. Documenting E-Commerce Transactions § 1:24. To use the email plus method, you must take an additional confirming step after receiving the parent’s message (this is the “plus” factor). The confirming step may be: Requesting in your initial message to the parent that the parent include a phone or fax numer or mailing address in the reply message, so that you can follow up with a confirming phone call, fax or letter to the parent; or after a reasonable time delay, sending another message via the parent’s online contact information to confirm consent. In
this confirmatory message, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so. Complying with COPPA: Frequently Asked Questions, Bureau Consumer Protection (Apr. 2014), http://www.business.ftc.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-Questions#Verifiable%20Parental; see also 16 C.F.R. § 312.5(b)(2).
 Complying with COPPA: Frequently Asked Questions, Bureau Consumer Protection (Apr. 2014), http://www.business.ftc.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-Questions#Verifiable%20Parental
 Note: Operators would be wise to post multiple consent methods in order to avoid problems when parents disapprove of a particular method, such as offering a credit card. 2 E-Commerce and Internet Law 26.13[A] (2014 update).
 Supra note 17. Once the credit card is provided it is legally assumed that parental consent was obtained
, it is not the issue of the operator if this is not so.
 The amended Rule permits an online payment system as a form of verifiable parental consent, but only if the card or system: (1) is used in connection with a monetary transaction, and (2) provides notification of each discrete transaction to the primary account holder
. Therefore, such method cannot be used without a monetary transaction.
 Supra note 22
 See 16 C.F.R. § 312.5(a)(2)
 See 16 C.F.R. § 312.2; supra note 22; http://www.business.ftc.gov/documents/0493-Complying-with-COPPA-Frequently-Asked-Questions
 See 78 Fed. Reg. 3972, 3989.
 See 16 C.F.R. § 312.12(a).
 See 78 Fed. Reg. 3972, 3992.
 16 C.F.R. § 312.5(c)(1) (meaning, the name/e-mail address are being used solely to formulate a COPPA notice)
 16 C.F.R. § 312.5(c)(1) to (5)
 15 U.S.C.A. § 6503.Note after proper hearings and allowing for comments.
 16 C.F.R. § 312.10.
 Supra note 16
 Lauren A. Matecki, Update: COPPA Is Ineffective Legislation! Next Steps for Protecting Youth Privacy Rights in the Social Networking Era, 5 Nw. J. L. & Soc. Pol’y 369, 389 (2010)
 Id.at 389-390.
 “Meeting of the minds
.” Restatement (Second) of Contracts § 17 (1981) (one of the most basic tenants of contract law is that minors typically cannot be bound by a contract since there cannot be a meeting of the minds).
Shai Samet, Founder & President, kidSAFE Seal Program (an FTC-approved COPPA Safe Harbor provider)
On January 27, 2014, Google’s motion for interlocutory review was denied in In re Google Inc. Gmail Litig. In late 2013, a group of plaintiffs sued Google, alleging violations of federal wiretapping laws, when Google tapped into users’ e-mails. United States District Judge Lucy H. Koh of the Northern District of California said plaintiffs […]Read More