The Difference Between COPA, COPPA and Copa Cabana


Richard J. Greenstone* and Robert G. Pimm

        The law utilizes acronyms more than any institution save the United States military. These acronyms which identify statutory enactments often lead to confusion amongst practitioners. Two of them, COPA and COPPA, must be distinguished, but amazingly enough, may work hand in hand. Their importance should not be underestimated especially because of their applicability to our most precious resource-children.

        COPA, the "Child Online Protection Act," amends the Communications Act of 1934 and is primarily enacted at 47 U.S.C. § 231. COPA's purpose is to restrict access to minors:

Whoever knowingly and with knowledge of the character of the material, in inter-state or foreign commerce by means of the World Wide Web, makes any commu-nication for commercial purposes that is available to any minor and that includes any material that is harmful to minors shall be fined not more than $50,000, im-prisoned not more than 6 months, or both.

47 U.S.C. § 231(a)(1). COPA includes penalties for intentional violations and a civil penalty provision. Material that is harmful to minors is defined as,

any communication, picture, image, graphic image file, article, recording, writing, or other matter of any kind that is obscene or that -
(A) the average person, applying contemporary community standards, would find, taking the material as a whole and with respect to minors, is designed to appeal to, or is designed to pander to, the prurient interest;
(B) depicts, describes, or represents, in a manner patently offensive with respect to minors, an actual or simulated sexual act or sexual contact, an actual or simulated normal or perverted sexual act, or a lewd exhibition of the genitals or post-pubescent female breast; and
(C) taken as a whole, lacks serious literary, artistic, political, or scientific value for minors.

47 U.S.C. § 231(e)(6).

        Section 231(b) provides a safe harbor to (1) a telecommunications carrier engaged in the provision of telecommunications services; (2) a person engaged in the business of providing an Internet access service; (3) a person engaged in the transmission, storage, retrieval, hosting, formatting, or translation ( or any combination thereof) of a communication made by another person, without selection or alteration of the content of the communication (with some exceptions for the editing function allowed to comply with the affirmative defense of Section 231(c) and with Section 230 (covering Good Samaritan blocking). COPA provides affirmative defenses to a defendant if, in good faith, the defendant restricts access by minors to materials that are harmful to minors by (1) requiring use of a credit card, debit account, adult access code, or adult personal identification number; (2) accepting a digital certificate that verifies age; or (3) any other reasonable measures that are feasible under available technology.

        COPA also established a 19 member temporary commission to study "methods to help reduce access by minors to material that is harmful to minors on the Internet. COPA Section 1405. The Commission fulfilled its statutory mandate delivering to Congress its Report on October 20, 2000. The Commission made specific recommendations in the areas of public education, consumer empowerment efforts, law enforcement, and industry action.

        COPA was immediately challenged by the ACLU and other organizations and individuals in a Complaint for Declaratory and Injunctive Relief. American Civil Liberties Union, et al. v. Janet Reno, Civil Action No. 98-5591 (E.D. Pa.); see also the Complaint in the Eastern District of Pennsylvania. Judge Reed, in a Memorandum Opinion stayed the law by issuing a preliminary injunction. The Justice Department appealed and the injunction was upheld by the United States Court of Appeals for the Third Circuit. As of this writing, COPA appears in limbo.

        While COPA seeks to protect children from access to certain materials, COPPA works to control the collection of personal information from children. COPPA or the Children's Online Privacy Protection Act of 1998 is enacted at 15 U.S.C. § 6501 through § 6506. COPPA prohibits,

an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b) of this section.

15 U.S.C. § 6502(a)(1). Subsection (b) specifies the content of the regulations. The regulations can be found at 16 C.F.R. § 312.

        COPPA regulations are administered by the Federal Trade Commission (FTC). The regulations are directed at operators of websites directed to children,or any website operator that has actual knowledge that it is collectingor maintaining personal informationfrom a child without consent. 16 C.F.R. § 321.

        The regulations define a childas any individual under the age of thirteen. 16 C.F.R. § 312.2. The term "directed to children" is undefined but will be a decision left to the FTC. The FTC may base their decision on several factors including subject matter, visual or audio content, age of models, language or other characteristics of the website or online service. 16 C.F.R. § 312.2.

        Collecting information is defined as requesting children to submit personal information online by any means.This might include personal home pages, email, pen pal services, chat rooms and message boards (unless the operator deletes all individually identifiable information from postings before they are made public). Passive tracking through use of identifying codes (e.g. cookies) is also deemed collecting information. 16 C.F.R. § 312.2.

        Personal information includes individually identifiable information such as first and last name, home address, email address, telephone number, social security number, identifying codes (e.g. cookies), or information about parents combined with identifying codes. 16 C.F.R. § 312.2.

        The regulations also outline notice provisions for websites directed to children. There must be clear and understandable notices posted, or a link provided to such notice, on the homepage describing the website's information practices regarding children. Even if the website is not directed at children, as defined by these regulations, if it has a designated area for children, then such notices must be provided on the children's page. The contents of the notice must spell out the prohibitions against collecting information from children without consent, and/or conditioning participation on provision of personal information. 16 C.F.R. § 312.4.

        Verifiable consentrefers to making a reasonable effort to ensure that before personal information is collected from a child, the parents have given their consent. Parental consent requires giving notice to parents about the operator's information collection methods, disclosure of what information is being collected, and receipt of an authorization from the parents to collect the information. Consent mechanisms complying with this regulation include provision of consent forms to be signed by parents and returned by mail or fax, requiring use of parental credit cards, having parents call a toll-free 800 number, or use of a PIN or password obtained by the parent on behalf of the child. 16 C.F.R. § 312.5.

        There are several exceptions to the parental consent requirement. They include where the information is collected from the child in order to obtain parental consent, or where it is necessary to respond to a child's one-time request for information and the collected data will not be used to recontact the child at a later date, or for child safety considerations. 16 C.F.R. § 312.5.

        Website operators must provide a reasonable means for parents to review the personal information collected from a child to permit it's further use or maintenance. And website operators cannot condition a child's participation in games, prize drawings, or other activities on disclosures by the child of personal information. Finally, the operator must also establish and maintain reasonable procedures to protect confidentiality and security of personal information collected from children after verifiable consent. 16 C.F.R. § 312.6.

        The safe harbor provisions provide that an operator will be deemed in compliance with these regulations if they follow self-regulatory guidelines approved by the FTC. Of course the FTC will only approve self-regulation guidelines substantially similar to the regulations that have been listed above. 16 C.F.R. § 312.10.

        Although some may object to COPPA on First Amendment grounds or COPA as another regulatory intrusion into the conduct of business, their purposes and protections combine to shelter the children of our society. The benefits may not be immediately apparent, but one thing is certain: by protecting children, and allowing them to be children in our difficult culture, they can grow up with an untainted wonder appreciating the dance and music of the Copa Cabana.

Law Office of
Richard J. Greenstone
Attorneys and Counselors at Law
465 California Street, Suite 300
San Francisco, CA 94104
Tel 415/438-1890
Fax 415/438-1899

For more information, send e-mail to or call.

Find us on a map.

Copyright © 2001 Richard J. Greenstone. All rights reserved. The green diamond device is a registered trademark and Law Bytesis a trademark of Richard J. Greenstone.

This article was first published in The Licensing Journal,May 2001.