*This Essay was published (October 21, 2025) exactly 25.5 years after COPPA took effect (April 21, 2000).
Introduction
Recent surveys suggest that most Americans are deeply concerned about online privacy, and most teenagers believe they have little control over what information social media companies collect.[1] In 2022, about 1.7 million minors had personal information potentially compromised.[2] Information policies of websites or other online services implicate the constitutional right to free speech because they shape the storage, moderation, and dissemination of information.[3] Because operators of websites or other online services often collect personal information, privacy is also at stake.[4] Moreover, because children are more vulnerable to predatory practices, stealing personal information from them is even more unsettling.[5] The Children’s Online Privacy Protection Act of 1998 is the prevailing federal statute that safeguards children’s online privacy.[6] Its goal is to create a safer online environment for children.[7] To implement the Act, the Federal Trade Commission (FTC) promulgated the COPPA Rule that applies to any operator of a commercial website or online services directed to children that “collect, use, or disclose” information from and about them (the Act and the Rule collectively, COPPA).[8] This Essay explores how COPPA can be improved. It suggests that the lack of public disclosure by operators of their risk assessments of processing personal information collected from children impedes online privacy protection. It argues that federal law should require operators to make such a disclosure periodically.
Argument
This Essay proceeds as follows. Part I reviews COPPA, with a focus on its notice requirements. It suggests that COPPA does not require public disclosure of periodic risk assessments. Part II argues that it should, because such disclosure will strengthen COPPA protections. Part III suggests that such disclosure will also improve the protection of children’s online privacy in general by aligning inconsistent state laws. Part IV considers whether such disclosure will disproportionately burden covered operators and concludes that it will not.
I. COPPA Does Not Require Public Disclosure of Periodic Risk Assessments.
Under COPPA, operators must make reasonable efforts to provide both online notice and direct notice to parents, but COPPA does not require public disclosures of their periodic risk assessments.[9] Operators must provide an online notice of their information practices and ensure its visibility.[10] This online notice must not only specify what information is being collected from the child at issue and how the operator collects and uses the information, but also indicate parental rights to review and delete the information and withdraw permission.[11] This online notice must also include a written data retention policy.[12] Before collecting personal information from a child, operators must, among other things, make reasonable efforts to provide direct notice to (and acquire verifiable consent from) a parent of the child as well.[13] This direct notice must include a hyperlink to the online notice, items of personal information being collected, information on third-party disclosure, and relevant parental rights.[14] In addition, operators must provide direct notice again and seek fresh consent in light of “material changes” in the policy that parents have consented to.[15] However, COPPA does not mandate public disclosures of operators’ periodic risk assessments.[16]
II. Public Disclosure of Periodic Risk Assessments Will Strengthen COPPA.
To strengthen operators’ internal control of risks, the 2025 amendment requires operators to “at a minimum…establish, implement, and maintain” a written information security program and perform periodic risk assessments.[17] Still, it does not require operators to disclose their risk assessments to the public.[18] Children’s online privacy can be better protected if federal law requires operators to periodically disclose risk assessments to the public, as this can enhance parental control, improve operators’ compliance, and inform FTC regulation. Periodic disclosure will enhance parental control by giving parents more opportunities to understand the relevant privacy terms in notices.[19] A recent survey shows that it is not unusual for Americans to “click through” privacy policies.[20] Although parents consider their children’s privacy crucial, many rely on institutions for its protection.[21] Because repeated exposure to similar content can enhance learning, public disclosure of periodic risk assessments will make parents more likely to have actual knowledge of the policy and more effectively exercise their right to review the information collected, direct deletion of such information, and withdraw permission as appropriate.[22] For the same reason, it will better equip parents with knowledge to judge the effect of “material changes” when operators send direct notices again and seek fresh consent.[23] Also, periodic disclosure of risk assessments can improve compliance by clarifying the law. 
Because it remains unclear what constitutes a material change, operators can be unexpectedly sanctioned for changes to the status quo if they fail to seek fresh consent when they should.[24] As the FTC is expanding its enforcement, compliance becomes more difficult.[25] Periodic disclosures will not only incentivize operators to conduct more careful risk assessments but also enable the risk-averse to learn what material changes are through recorded, concrete examples, thereby avoiding severe civil sanctions.[26] Lastly, periodic disclosure of risk assessments can inform FTC regulation. To be effective, FTC regulation of operators to protect children’s online privacy must be informed by technical innovations and address urgent parental concerns.[27] Because public disclosure of risk assessments can reveal operators’ compliance strategies more fully, it will enable the FTC to better understand and address parents’ concerns in light of available technology.[28] It will also allow the FTC to consider the unintended consequences of its enforcement actions more carefully.[29] Therefore, public disclosure of periodic risk assessments will strengthen COPPA because it will enhance parental control, improve compliance, and inform FTC regulation.
III. Public Disclosure of Periodic Risk Assessments Will Improve State Protection.
As much as public disclosure will inform the FTC, it will also inform the decision-making of local authorities.[30] It will improve states’ protection of children’s online privacy by aligning inconsistent state laws. Addressing gaps in COPPA, states have installed additional safeguards.[31] To expand the law’s coverage, many have redefined major terms of the law, such as “operators,” “minors,” and “personal information,” creating exploitable inconsistencies.[32] Some have also relied on age-appropriate design codes and verification laws, and imposed other restrictions on children’s accessibility to harmful content, making compliance and regulation even more difficult.[33] At the individual level, periodic disclosure will educate local constituents.[34] At the state level, periodic disclosure will inform local authorities of how a covered interstate operator responds to inconsistencies in state laws.[35] This information can contribute to a more transparent and coherent approach to protecting children’s online privacy, making the system less exploitable.[36] Public disclosure of periodic risk assessments can thus enhance children’s online privacy law beyond COPPA.
IV. Public Disclosure of Periodic Risk Assessments Will Not Impose Disproportionate Burdens.
Publicly disclosing operators’ risk assessments will enhance children’s online privacy law without imposing disproportionate burdens because it will not be unduly costly and will likely benefit covered operators. Such public disclosure will not be unduly costly because COPPA has already required operators to “establish, implement, and maintain” an information security program and perform annual risk assessments as a part of their self-regulation.[37] Of course, risk assessment reports for internal controls are not necessarily and should not be identical to reports for public disclosure due to differing practical or legal concerns.[38] However, this does not mean that it is impossible to develop a disclosure regime that can reconcile the two. With appropriate adaptations, these risk assessments can be disclosed to the public.[39] Just like public companies that are required to make periodic public disclosures in compliance with the law of insider trading to protect investors because insider trading undermines their right to fair trading, covered operators should be required to make periodic public disclosures to protect children because stealing personal information from and about them undermines their right to privacy.[40] Indeed, public disclosure will likely benefit covered operators because it will allow them to reduce the compliance costs associated with inconsistent requirements, offsetting the operational cost of disclosure.[41] It will benefit covered operators also because parents are more likely to trust those with a transparent privacy policy.[42] Hence, periodically disclosing operators’ risk assessments of their data processing will not impose disproportionate burdens on them.
Conclusion
This Essay proposes a modification to the current law. Operators of commercial websites or other online services that collect personal information from and about children should be required to disclose periodic risk assessments to the public. Because COPPA has already required periodic risk assessments, the public disclosure can be implemented to enhance our protection of children’s online privacy, without imposing disproportionate burdens on those operators.


Graph by author (depicting FTC COPPA enforcement from 2013–2023), based on hand-collected data from the FTC (https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/kids-privacy-coppa). Civil penalty as appeared in either proposed or stipulated orders for permanent injunction and civil penalty judgment.
⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯
* J.D. expected May 2027, The George Washington University Law School. I thank Alex Day, Karol Miranda, Viktoria Popovska, Marcella Rubini for their superb edits and improvements to this piece. Any errors remaining are my own.
[1] Michelle Faverio, Key Findings about Americans and Data Privacy, Pew Rsch. Ctr. (Oct. 18, 2023), https://tinyurl.com/pewresearch-findings-americans (last visited Aug. 6, 2025) (finding that more than 80% of Americans were concerned about operators’ collection of data for targeted advertising to or tracking online activities of children); Emily A. Vogels & Risa Gelles-Watnick, Teens and Social Media: Key Findings from Pew Research Center Surveys, Pew Rsch. Ctr. (Apr. 24, 2023), https://tinyurl.com/pewresearch-teens-socialmedia (last visited Aug. 6, 2025) (finding that roughly 60% of teenagers believed they had little or no control over how social media sites collect information about them).
[2] Personal information here means personally identifiable information that can be used to trace the individual’s identity; the study found that 1.74 million children had their personal information stolen and used fraudulently in 2022. Allison Bondi, 1.7 Million U.S. Children Fell Victim to Data Breaches, According to Javelin’s 2022 Child Identity Fraud Study, Javelin (Oct. 26, 2022), https://tinyurl.com/javelinstrategy-17millchildren (last visited Aug. 6, 2025).
[3] Here, information policies are rules and procedures that govern the operators’ information practices. See Jane Bambauer, Is Data Speech? 66 Stan. L. Rev. 57 (2014) (discussing the relationship between data and free speech). Many resist information regulation because of its free speech implications. See generally Meg Jones, Is Childproofing the Internet Constitutional? A Legal Expert Explains, PBS News (Oct. 12, 2024, 2:53 PM), https://tinyurl.com/pbs-childproofingtheinternet (last visited Aug. 23, 2025).
[4] For a discussion about the connection between information privacy and data protection, and the limitations of privacy rights as a protective device, see Daniel J. Solove, The Limitations of Privacy Rights, 98 Notre Dame L. Rev. 975 (2023).
[5] See Suzanne Kaufman, The Invisible, Yet Omnipresent Ear: The Insufficiencies of the Children’s Online Privacy Protection Act, 78 N.Y.U. Ann. Surv. Am. L. 101, 104 (2022) (noting children’s vulnerabilities in recognizing dangers related to excessive information collection).
[6] Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501–05. The Children’s Internet Protection Act (CIPA), administered by the Federal Communications Commission, is the other one, which requires schools and libraries to restrict children’s access to explicit content.
[7] For a discussion of COPPA’s basic requirements, see Nancy L. Savitt, A Synopsis of the Children’s Online Privacy Protection Act, 16 J. Civ. Rts. & Econ. Dev. 631 (2002); Tianna Gadbaw, Legislative Update: Children’s Online Privacy Protection Act of 1998, 36 Child. Legal Rts. J. 228 (2016).
[8] Children’s Online Privacy Protection Rule, 16 C.F.R. § 312.1 (2025); COPPA also applies to any operator that has actual knowledge that it is collecting or maintaining personal information from children. 16 C.F.R. § 312.3. The original COPPA Rule was adopted in 1999 and went into effect in 2000. Press Release, Fed. Trade Comm’n, New Rule Will Protect Privacy of Children Online (Oct. 20, 1999), https://tinyurl.com/ftc-new-rule-will-protect-priv. It was heavily criticized. See, e.g., Joshua Warmund, Can Coppa Work? An Analysis of the Parental Consent Measures in the Children’s Online Privacy Protection Act, 11 Fordham Intell. Prop. Media & Ent. L.J. 189, 213–16 (2000) (finding parental consent measures “impractical, inadequate, and constitutional suspectable”). The FTC updated the Rule in 2013. Press Release, Fed. Trade Comm’n, FTC Strengthens Kids’ Privacy, Gives Parents Greater Control Over Their Information by Amending Children Online Privacy Protection Rule (Dec. 19, 2012), https://tinyurl.com/ftc-strengthens-kids-privacy; see Suzanne, supra note 5, at 111–12 (summarizing major changes made by the 2013 amendment). Discontent regarding its scope of protection and FTC enforcement continued. See, e.g., Diana S. Skowronski, COPPA and Educational Technologies: The Need for Additional Online Privacy Protections for Students, 38 Ga. St. U. L. Rev. 1219, 1236 (2022) (noting that COPPA does not apply to schools directly and the lack of COPPA enforcement in schools); Zackary A. Blanton, Moving the United States into the 21st Century for Children’s Online Privacy Rights, 28 J. Tech. L. & Pol’y 47, 64–65 (2023) (suggesting that COPPA should cover those under 18); Anna O’Donnell, Why the VPPA and COPPA Are Outdated: How Netflix, YouTube, and Disney+ Can Monitor Your Family at No Real Cost, 55 Ga. L. Rev. 467, 495 (2020) (urging the FTC to enforce COPPA with more substantial monetary sanctions); Shannon Finnegan, How Facebook Beat the Children’s Online Privacy Protection Act: A Look into the Continued Ineffectiveness of Coppa and How to Hold Social Media Sites Accountable in the Future, 50 Seton Hall L. Rev. 827, 838–46 (2020) (considering FTC enforcement “loose”); Andrew Parra, Coping with COPPA: Exploring Alternatives to the Children’s Online Privacy Protection Act, 12 Ind. J.L. & Soc. Equal. 193, 207–08 (2024) (suggesting that COPPA must be more proactive); Kodie McGinley, “Take Your Pictures, Leave Your (Digital) Footprints”: Increasing Privacy Protections for Children on Social Media, 53 Golden Gate U. L. Rev. 199, 204–07 (2023) (noting the need to protect children from third-party sharing). In 2025, the FTC updated the Rule again, which requires full compliance by 2026. Press Release, Fed. Trade Comm’n, FTC Finalizes Changes to Children’s Privacy Rule Limiting Companies’ Ability to Monetize Kids’ Data (Jan. 16, 2025), https://tinyurl.com/ftc-finalizes-privacy-rule. A violation of the Rule is “an unfair or deceptive act or practice” that violates the Federal Trade Commission Act. 16 C.F.R. § 312.9. As of this writing, the fate of COPPA 2.0 remains uncertain. See Kevin Collier, Why A Landmark Kids Online Safety Bill That Just Passed the Senate Is Still Deeply Divisive, NBC News (Jul. 31, 2024, 2:03 PM), https://tinyurl.com/nbcnews-coppa (last visited Aug. 23, 2025); see also Will Oremus, Parents Rally, LGBTQ+ Groups Push Back on Online Child Safety Bill, Wash. Post (Jun. 24, 2025), https://tinyurl.com/washingtonpost-kosa-trans (last visited Aug. 23, 2025).
[9] 16 C.F.R. § 312.3.
[10] 16 C.F.R. § 312.4.
[11] Id.
[12] 16 C.F.R. § 312.10 (“The operator must provide its written data retention policy addressing personal information collected from children in the notice on the website or online service provided in accordance with § 312.4(d).”).
[13] 16 C.F.R. § 312.3.
[14] 16 C.F.R. § 312.4.
[16] See 16 C.F.R. § 312.8.
[17] Id.
[18] Id.
[19] See supra Part I.
[20] Colleen McClain et al., How Americans View Data Privacy, Pew Rsch. Ctr. (Oct. 18, 2023), https://www.pewresearch.org/internet/2023/10/18/how-americans-view-data-privacy/ (last visited Aug. 6, 2025) (finding that nearly 60% of Americans skip reading privacy policies frequently).
[21] See Hannah Utter et al., Parents’ Perceptions of Privacy Policies and Practices for School-Issued Digital Devices: Implications for School Practices, 92 J. School Health 99, 108 (2022) (finding that parents deem their children’s digital privacy “very important”, but they believe schools are responsible for protecting their children and many parents have no idea whether the school has a privacy policy that regulates school-issued devices). See also Paweena Manotipya & Kambiz Ghazinour, Children’s Online Privacy from Parents’ Perspective, 117 Procedia Comput. Sci. 178 (2020) (finding that parents should be educated more on how to protect the privacy of their children because parents’ sharing of information online can compromise children’s privacy); Rachael Malkin, How the Children’s Online Privacy Protection Act Affects Online Businesses and Consumers of Today and Tomorrow, 14 Loy. Consumer L. Rev. 153, 170 (2002) (“Parent consumers who are concerned with their children’s privacy rights will appreciate Internet companies showing respect for customer privacy.”).
[22] See Haoyu Chen & Jiongjiong Yang, Multiple Exposures Enhance Both Item Memory and Contextual Memory Over Time, 11 Front. Psych. 1 (2020).
[23] See supra Part I.
[24] See Office of Commissioner, Fed. Trade Comm’n, Concurring Statement of Commissioner Andrew N. Ferguson on COPPA Rule Amendments, (Jan. 16, 2025), https://www.ftc.gov/system/files/ftc_gov/pdf/ferguson-coppa-concurrence-revised.pdf [https://perma.cc/ARU3-S36A] (“Whether a change is material is dependent on the particular circumstances of the change.”).
[25] See Tracy C. Miller, Protecting Children Online: Evaluating Possible Reforms in the Law and Application of COPPA, Mercatus Ctr. (Feb. 20, 2023), https://tinyurl.com/mercatus-protecting-children (last visited Aug. 6, 2025) (finding that FTC enforcement is expanding to cover not only collecting information from children without first notifying their parents but also inappropriate behavioral advertising).
[26] See Press Release, Fed. Trade Comm’n, FTC Finalizes Order Requiring Fortnite maker Epic Games to Pay $245 Million for Tricking Users into Making Unwanted Charges (Mar. 14, 2023), https://tinyurl.com/ftc-order-fortnite.
[27] See Press Release, Fed. Trade Comm’n, Revised Children’s Online Privacy Protection Rule Goes Into Effect Today (Jul. 1, 2013), https://tinyurl.com/ftc-revised-child-on-privacy.
[28] Under COPPA, operators must frequently take available technology into account when handling personal information from children. See e.g., 16 C.F.R. § 312.4.
[29] See Garrett Johnson et al., COPPAcalypse? The YouTube Settlement’s Impact on Kids Content, 2025, https://ssrn.com/abstract=4430334 (May 2023) (finding FTC’s YouTube settlement likely undermining the quality of child-directed content).
[30] States with jurisdiction can enforce COPPA as well. Complying with COPPA: Frequently Asked Questions, Fed. Trade Comm’n (July 2020), https://tinyurl.com/ftc-business-guidance.
[31] Natalie Runyon, Protecting Children’s Privacy Online: How to Harmonize Federal & State Laws to Ensure Internet Safety, Thomson Reuters (May 21, 2025), https://www.thomsonreuters.com/en-us/posts/human-rights-crimes/harmonizing-laws/.
[32] Kyooeun Jang et al, The Fragmentation of Online Child Safety Regulations, Brookings (Aug. 14, 2023), https://www.brookings.edu/articles/patchwork-protection-of-minors/ (calling children’s online safety law “a disjointed patchwork of regulation”).
[33] Id.
[34] See supra Part II; see also David Lassen, The Effect of Information on Voter Turnout: Evidence from a Natural Experiment, 49 Am. J. Pol. Sci. 103 (2004) (finding that being informed affects voting behaviors).
[35] See Sara Jodka, States Grappling with Divergent Consent Standards, Reuters (Mar. 27, 2025, 1:49 PM), https://tinyurl.com/reuters-privacy-tug-of-states (last visited May 21, 2025); see also Runyon, supra note 31.
[36] Id.
[37] 16 C.F.R. § 312.8.
[38] See NetChoice v. Bonta, 113 F.4th 1101, 1122 (9th Cir. 2024) (“State could have developed a disclosure regime that defined data management practices and product designs without reference to whether children would be exposed to harmful or potentially harmful content or proxies for content.”).
[39] Id.
[40] Insider trading has been regulated by the Securities and Exchange Commission primarily as a fraud under Section 10(b) of the Securities and Exchange Act of 1934 and SEC Rule 10b5. Public companies must disclose to the public annual, quarterly, and current reports. They must also disclose specifically to the SEC for compliance purposes. See Eva Su, Cong. Rsch. Serv., SEC Securities Disclosure: Background and Policy Issues (2024), https://www.congress.gov/crs-product/IF11256.
[41] See supra Part III.
[42] See supra Part II.