Termly

Home Resources Articles & News The Children’s Online Privacy Protection Act (COPPA): COPPA Compliance Guide

The Children’s Online Privacy Protection Act (COPPA): COPPA Compliance Guide

| By | Reviewed By Masha Komnenic CIPP/E

Do you collect information from children under the age of 13? If you answered yes, then the next question you need to ask yourself is: “Am I compliant with the Children’s Online Privacy Protection Act?”

Whether you’re unsure if the act applies to you, or don’t know the necessary steps to take in order to comply, our informational guide will take you through every nook and cranny to help you protect your business.

Table of Contents
  1. What is COPPA?
  2. Does COPPA apply to my business?
  3. COPPA Compliance
  4.  COPPA Enforcement: What happens if I don’t comply?
  5. Additional Resources

1. What is COPPA?

Passed in 1998, the Children’s Online Privacy Protection Act (COPPA) is a law that establishes a strict set of mandates created to protect the privacy of children under the age of 13. The act’s requirements are used to ensure that websites, mobile applications, plugins, and toys with online features that target children 13 and younger follow the proper steps to protect their information.

Before we go any further, there are some terms that a person must know in order to understand how the Federal Trade Commission enforces these rules. These terms include:

Operator: The Federal Trade Commission considers any online entity that owns or controls personal information or pays for the collection or maintenance of this information to be an “operator.”

Actual Knowledge: A part of the FTC’s enforcement process is determining if an operator has “actual knowledge,” which simply means that the operator is aware that their business is targeting and collecting information from minors. If the FTC discovers that an operator has “actual knowledge” of these actions, but does not comply with COPPA, the FTC considers this a blatant disregard of the law and a judge will likely bring down steeper penalties.

Personal Information: It is also important for operators to understand what is encompassed by the definition of “personal information.” The FTC considers the following to be personal information:

  •   email addresses
  •   first and last names
  •   screen names
  •   geolocation
  •   instant message details
  •   physical addresses
  •   telephone numbers
  •   hobbies/interests
  •   photographs
  •   audio files

The definition of personal information also extends to “persistent” or “anonymous” identifiers, which are various details that can be used to identify a person over time, such as IP addresses, customer information collected using cookies or other tracking technologies, and device serial numbers (if this applies to you, make sure those activities are disclosed in your cookie policy).

Collecting: According to the act, “Collecting” entails allowing information to be made available to the public, encouraging the submission of personal information, or tracking a child passively online in any manner.

2. Does COPPA apply to my business?

Before discussing how to comply with COPPA, most business owners want to know if the law even applies to them. Most people wrongly assume that the law only applies to websites, but the act can also apply to:

  • mobile apps
  • gaming platforms
  • plug-ins
  • ad networks
  • geolocation services
  • VOIP Services
  • toys or devices that connect to the internet

If your online business is located outside of the United States, but you still market to American consumers, the FTC could still come after you like they did with China’s app maker, BabyBus.

As you can see, COPPA applies to the vast majority of online services. If your business falls into any of the categories above, the next step you need to take is to assess whether you fall under the FTC’s definition of “targeting children.” The FTC considers a variety of factors in order to decide if a business targets children under the age of 13, including:

  • whether the business’s subject matter appeals to that age group
  • whether the business offers visual and audio content aimed at young children
  • the use of cartoon or animated characters
  • the age of models used in advertisements
  • the use of child celebrities or celebrities that are favored by children

Basically, if your online business covers any subject matter that could appeal to children 13 and under or your service is used by sites that do, then you’ll need to make sure you are compliant with all requirements.  

3. COPPA Compliance

Step #1. Create a Privacy Policy

If you determine that your online business targets children under 13 or collects information from children 13 or under, then you must generate a privacy policy that complies with COPPA immediately. Even if you already have a privacy policy on your website or app, it may not follow the FTC’s specific guidelines.

In order to comply with COPPA, your privacy policy must cover the following:

  • names, addresses, and phone numbers of the site operators
  • type of information collected
  • how information is collected from users
  • how the site operators use the collected information
  • if the operators disclose collected information to third parties and how those parties use the information
  • description of how the parent has the option to consent to the collection of their children’s information from the site without agreeing to the disclosure of that info to third parties
  • explanation of parental rights, including the rights to avoid disclosure of more information about children under the age of 13 than is necessary, refuse to provide information about a child, and review information that has been submitted to the operator about the child in question.

The law also requires that your privacy policy be placed on the homepage of your website as well as any area on the site where you collect information from children.

Download our free privacy policy template to help you get started on complying with COPPA.

Below is an example of a privacy policy that’s compliant with COPPA. Classkick, which provides resources for teachers and students, does an excellent job of making their policy user friendly with a simple and straightforward table of contents that operates like an FAQ.

Classkick's Coppa Privacy policy

Contact any third parties that you work with and ask them about their data collection methods. You will need to include these in your privacy policy.

Step #2. Send a Notice to Parents

Before collecting info from children, COPPA also requires that you send a direct notice to parents requesting their consent first. Site operators must inform parents of the following:

  • that their children’s information was collected in order to get parental consent that their contact information will be deleted within a reasonable amount of time if they do not consent
  • that you wish to collect information from their child
  • the type of information you will collect from their children and how it will be used
  • that they must consent before your business can collect, use, and disclose their children’s information
  • how they can find your privacy policy
  • how they can give their consent

This notice should be sent any time you plan to change how or what information you collect.

Step #3. Get Parental Consent

COPPA allows for some flexibility when it comes to getting consent from parents. Below are the acceptable methods for obtaining consent from parents and authenticating their identity:

  • a signed consent form
  • at the time of a monetary transaction, require the parent to use a credit or debit card
  • over the phone
  • video conference
  • challenge questions that would be difficult for someone other than the parent to get correct
  • collect photo ID

If the information you collect is only for your business’s internal use, then you may use the “email plus” method whereby you email the parent asking for them to respond with their consent and confirm you have received their consent.

The FTC offers a 6-Step Compliance Plan and does a great job of walking you through the entire process.

4. COPPA Enforcement: What happens if I don’t comply?

With the number of sites on the Internet, enforcing COPPA can be a nightmare. That’s why the Federal Trade Commission uses a wide variety of techniques to help them find violations. For instance, the FTC encourages people to submit a complaint for a site that they think is violating the guidelines.

Do you watch the HBO show, Silicon Valley? In season 4 episode 2, Dinesh finds out that since PiperChat lacks a privacy policy, but is already collecting data from users, that his company violates COPPA and he is liable for $25 billion!

States and other federal agencies also have jurisdiction to enforce the law. For example, in 2016, New York’s Attorney General found that Viacom, Mattel, JumpStart, and Hasbro were all in violation of COPPA because an advertising partner they worked with used cookies to track personal information of their users.  

In the past, the maximum penalty per violation was $16,000, but since 2016 the maximum penalty has been increased to $40,654 per violation. This means that if a business collected personal information from only 10 kids, it could be fined up to $4,065,400! Generally, the amount a business is penalized largely depends on how flagrant the violation is and how much the company gained from the personal information.

As you can see in the chart below, companies are rarely penalized for the maximum amount:

COPPA Penalties by Company

Although the companies in the table were only charged an average of $2.28 per violation, the fines listed above should not be brushed off. While $1 million might not be much to a large company like Xanga, it could easily destroy a small-to-medium online business.

Are there any exceptions?

There are several scenarios when you do not need to obtain parental consent before collecting personal information from visitors under the age of 13:

  • collect information to seek parental consent
  • “one-time contact” (contests, giveaways, questions)
  • protect a child’s safety (child irresponsibly sharing their information publicly)
  • to protect the security or integrity of your site
  • support the internal operations of your site

Even if you aren’t based in the EU, if you collect personal info from EU citizens, then you’ll also need to make sure that your online business is compliant with the new General Data Protection Regulation (GDPR). Read our What is GDPR? guide to learn the requirements.

5. Additional Resources

If you’re looking for more information on COPPA, then check out the links below:

  • Complaint Assistant: The Federal Trade Commission’s Complaint Assistance is an online submissions manager that consumers can use to submit a potential violation.
  • Frequently Asked Questions: In 2013, the Federal Trade Commission released a list of frequently asked questions regarding COPPA and its application. This FAQ is designed to help parties comply with the law.
  • Text of COPPA: The various requirements included in COPPA can be found in 15 United States Code, Chapter 91. This section includes several elements including definitions, exceptions to the act, the power of states to commence actions, the administration and applicability of the act, and government reviews.

Written by KJ Dearie

KJ Dearie is a product specialist and privacy consultant for Termly, where she advises small business owners on how to comply with the latest data privacy laws and trends. She's been published in Business News Daily, Omnisend, ITProToday, MarTechExec, and more.

Reader Interactions

Leave a Reply

We’re looking forward to hearing your thoughts! Please keep in mind that all comments are moderated, and abusive or spammy comments will NOT be published.

Related Resources