COPPA Nomenclature: Unpacking Verifiable Parental Consent and Personal Information

26 Jun 2024


(1) Tinhinane Medjkoune, Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG France;

(2) Oana Goga, LIX, CNRS, Inria, Ecole Polytechnique, Institut Polytechnique de Paris France;

(3) Juliette Senechal, Université de Lille, CRDP, DReDIS-IRJS France.

Abstract and Introduction


Legislation on Advertising to Children

Mechanisms for Targeting Children

Usage of Placement-Based Targeting


Related Works

Conclusion, Acknowledgements and References



A.1 Screenshots

Figure 2: Redirection from YouTube to YouTube Kids.

Figure 3: Screenshot of our two ads.

This section provides more details on the meaning and definition of precise words used in different legislations we discuss in Section 3.

A.2.1 Additional provisions in the DSA. The Article 28 of the DSA is without prejudice to Union law on protection of personal data. In particular, Article 8 of the GDPR states, concerning conditions applicable to child’s consent in relation to information society services, that, “where the criteria for making data processing lawful is consent (6.1.a of the GDPR) (...) the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

To ensure effective implementation of these due diligence obligations by platforms, the DSA defines a set of administrative sanctions and monitoring measures that will be implemented by the European Commission in relation to VLOPS. In Article 54 supplements this by the possibility for a recipient of services who suffers damage as a result of the violation of a due diligence obligation to obtain compensation for his loss in: “Recipients of the service shall have the right to seek, in accordance with Union and national law, compensation from providers of intermediary services, in respect of any damage or loss suffered due to an infringement by those providers of their obligations under this Regulation”. This solution is a major novelty. It is important to specify that liability will be triggered by the occurrence of a systemic risk, for example concerning the mental health of a child.

Figure 4: Example of ad explanation provided in “Why you’re seeing this ad”.

A.2.2 Additional provisions in the Directive (EU) 2018/1808 of 14 November 2018. Article 28b (3) states that “appropriate measures shall be determined in light of the nature of the content in question, the harm it may cause, the characteristics of the category of persons to be protected as well as the rights and legitimate interests at stake, including those of the video-sharing platform providers and the users having created or uploaded the content as well as the general public interest (...). For the purposes of the protection of minors (...) the most harmful content shall be subject to the strictest access control measures. Those measures shall consist of, as appropriate : (...) (f) establishing and operating age verification systems for users of video-sharing platforms with respect to content which may impair the physical, mental or moral development of minors; (...) (g) providing for parental control systems that are under the control of the end-user with respect to content which may impair the physical, mental or moral development of minors (...). ”

A.2.3 Relevant nomenclature in the COPPA. Verifiable parental consent means “any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child.”

Personal information means “individually identifiable information about an individual collected online, including: (1) A first and last name; (2) A home or other physical address including street name and name of a city or town; (3) Online contact information as defined in this section; (4) A screen or user name where it functions in the same manner as online contact information, as defined in this section; (5) A telephone number; (6) A Social Security number; (7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier; (8) A photograph, video, or audio file where such file contains a child’s image or voice; (9) Geolocation information sufficient to identify street name and name of a city or town; or (10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.”

This paper is available on arxiv under CC 4.0 license.