Do you collect information from children under the age of 13?
If you answered yes, then you need to ask yourself: “Am I compliant with the Children’s Online Privacy Protection Act (COPPA)?”
If you’re unsure if this act applies to you, or don’t know how to comply, our COPPA compliance guide will answer your questions and help you protect your business.
1. What is COPPA: Definition
COPPA is a law that establishes a strict set of guidelines for online businesses to protect the privacy of children under the age of 13.
Designed to limit the amount of information businesses collect from young children, COPPA applies to any company worldwide that processes the data of children in the US.
What Does the Children’s Online Privacy Protection Act Do?
The Children’s Online Privacy Protection Act protects the information of children under 13 years old by ensuring websites, mobile apps, plugins, and toys with online features process children’s information properly.
Not only does COPPA establish guidelines for how online businesses should treat children’s information, but it penalizes companies that fail to follow these guidelines. In 2019, YouTube was hit with a COPPA fine of $170 million for illegally harvesting children’s personal data and targeting ads at kids without their parents’ consent.
When Was COPPA Signed Into Law?
COPPA was signed into law in 1998, and took effect in April 2000.
The law is managed by the Federal Trade Commission (FTC), and was updated in 2013 to include stronger provisions.
COPPA Law Summary: Key Terms
To understand how the FTC enforces COPPA and what it means for online businesses, let’s look at how COPPA defines key terms and definitions.
The FTC considers any website or online service that collects or controls personal information, or pays for the collection or maintenance of this information, to be an “operator.”
Part of the FTC’s enforcement process is determining if an operator has “actual knowledge” — that is, they know their business is targeting and collecting information from children under 13.
If the FTC discovers that an operator has “actual knowledge” of such data processing, but doesn’t comply with COPPA, a judge will likely enforce a steeper penalty for blatant disregard of the legislation.
The FTC considers the following to be “personal information” under COPPA:
- email addresses
- first and last names
- screen names
- instant message details
- physical addresses
- telephone numbers
- video and audio files
COPPA’s definition of personal information also includes “persistent” or “anonymous” identifiers. These are details that can be used to identify a person over time, such as IP addresses, customer information collected using cookies (or other tracking technologies), and device serial numbers.
According to COPPA, “collecting” includes the following activities:
- allowing information to be made available to the public (e.g., via a profile page)
- encouraging the submission of personal information (e.g., prompts to complete a profile page)
- tracking a child passively online in any manner (e.g., using cookies)
Now that you know the essentials of COPPA and its purpose, let’s look at whether your business is subject to this law, and how you can comply.
2. Does COPPA Compliance Matter for My Business?
COPPA applies to any business worldwide that collects personal information from children under 13 who reside in the US.
Many people assume that this privacy law only affects websites, but COPPA’s compliance requirements apply to the majority of online services, including the following:
- mobile apps
- gaming platforms
- ad networks
- geolocation services
- VOIP Services
- toys or devices that connect to the internet
If your online business is located outside of the United States, but you still market to American consumers, the FTC could come after you like they did with China’s app maker, BabyBus.
If your business falls into any of the categories above, you need to assess whether you meet the FTC’s definition of “targeting children.”
To determine if a business targets children under the age of 13, the FTC considers factors like:
- whether the business’s subject matter appeals to that age group
- whether the business offers visual and audio content aimed at young children
- the use of cartoon or animated characters
- the age of models used in advertisements
- the use of child celebrities or celebrities that are favored by children
If your business or website covers any subject matter that appeals to children 13 and under — or your service is used by sites that do — then you need to be fully compliant with COPPA.
3. How to Comply With COPPA Law
Knowing how to be COPPA compliant requires you to fully understand your data handling practices, and how you can adjust them to meet COPPA’s requirements.
We’ve broken down the COPPA compliance measures you need to implement into easy-to-follow steps.
- names, addresses, and phone numbers of the site/service operators
- type of information collected
- how information is collected from users
- how the site/service operators use the collected information
- if the operators disclose collected information to third parties and how those parties use the information
- description of how a parent has the option to consent to the collection of their children’s information from the site without agreeing to the disclosure of that information to third parties
- explanation of parental rights, including the rights to avoid disclosure of more information about children under the age of 13 than is necessary, refuse to provide information about a child, and review information that has been submitted to the operator about the child in question
By structuring information using questions, the policy is user friendly with a simple and straightforward table of contents that operates like a COPPA FAQ.
Step #2. Provide a Notice to Parents
Before collecting information from children, COPPA requires that you present a direct notice to parents requesting their consent.
You must inform parents of the following:
- that information (such as the child’s parent or guardian’s name and email address) was collected in order to obtain consent, and the collected information will be deleted after a reasonable amount of time, if no further consent is given
- that you wish to collect information from their child
- the type of information you will collect from their children and how it will be used
- that they must consent before your business can collect, use, and disclose their children’s information
- how they can give their consent
A direct notice should be provided to parents any time you change how or what information you collect.
Step #3. Get Verifiable Parental Consent
Verifiable parental consent is consent given by a parent or guardian, in which the parent or guardian’s identity has been reasonably confirmed. Under COPPA, you need to obtain this consent before collecting information from children.
Below are the acceptable methods for obtaining consent from parents, and authenticating their identity:
- a signed consent form
- use of a credit or debit card (at the time of a monetary transaction)
- a telephone call
- a video conference call
- challenge questions that would be difficult for someone other than the parent to answer correctly
- photo ID
If the information you collect is only for your business’s internal use, then you may use the “email plus” method to collect parents’ consent. Simply email the parent asking for them to respond with their consent, and then confirm you have received it.
If you’re looking for a COPPA compliance checklist, the FTC offers a 6-Step Plan that walks you through the entire process.
4. How Are COPPA Regulations Enforced?
The FTC uses various methods to enforce COPPA, and imposes high penalties on companies that fail to comply.
To find violators, the FTC encourages internet users to submit a complaint for a site that they think is violating the guidelines.
States and other federal agencies also have jurisdiction to enforce the law. For example, in 2016, New York’s Attorney General found that Viacom, Mattel, JumpStart, and Hasbro were all in violation of COPPA because an advertising partner they worked with used cookies to track personal information of their users.
In the past, the maximum penalty per violation was $16,000. However, in 2016 the maximum penalty was increased to $40,654 per violation.
Therefore, if you collect personal information from only 10 children, but do not comply with COPPA, you could be fined up to $4,065,400! Generally, the amount a business is penalized depends on how flagrant the violation is, and how much the company gained from the personal information.
As you can see in the chart below, several prominent companies have been penalized:
|Name (Click for FTC fine details)||Date||Fine||Reach||Cost Per|
|Ms. Fields Famous Brands||2/27/2003||$100,000||84,000||$1.19|
|Song BMG Music Entertainment||10/11/2008||$1,000,000||30,000||$33.33|
|Iconix Brand Group||10/20/2009||$250,000||1,000||$250|
|W3 Innovations LLC||9/8/2011||$50,000||50,000||$1|
|Artist Arena LLC||10/4/2012||$1,000,000||75,000||$13.33|
While $170 million might not be much to a large company like YouTube, it could easily destroy a small- or medium-sized business.
Are There Any Exceptions to the COPPA Rules?
There are several scenarios where you don’t need to obtain parental consent before collecting personal information from users under the age of 13, including:
- to collect information to seek parental consent
- through “one-time contact” (contests, giveaways, questions)
- to protect a child’s safety (if a child irresponsibly shares their information publicly)
- to protect the security or integrity of your site
- to support the internal operations of your site
In addition to COPPA, if you collect personal info from EU citizens, then you’ll need to make sure your business is compliant with the General Data Protection Regulation (GDPR).
YouTube and COPPA Compliance
The $170 million fine against YouTube in 2019 for a COPPA violation is a good example of how COPPA regulations are enforced, and how companies can stay on the right side of this law.
YouTube’s parent company, Google, received the record-breaking penalty for using cookies to track children’s browsing habits on kids channels without first obtaining parental consent. The video sharing service then profited from the information by delivering targeted ads on those channels.
This isn’t the first time Google has violated global privacy law. See the Google GDPR fine for an example of how the tech giant has ignored regulations before.
As a result of the investigation, YouTube must notify channel owners that their content is subject to COPPA and allow them to identify “child-directed content.”
Under this new system, YouTube content creators are now fully responsible for their content. They need to correctly set their channel’s audience, or face individual COPPA fines from the FTC.
5. Key Takeaways and COPPA Resources
If you made it this far, you should know how to comply with COPPA. Let’s recap the key points about what COPPA means for online businesses:
- COPPA establishes strict guidelines to protect the online privacy of children under 13
- Any company worldwide that targets kids of this age in the US must comply
- The maximum penalty for noncompliance is $40,654 per violation
- YouTubers must now set their content as “made for kids” if they publish content aimed at children
If you’re looking for further COPPA guidance for your operations, start with the following resources:
- Complaint Assistant: The Federal Trade Commission’s Complaint Assistance is an online submissions manager that consumers can use to submit a potential violation.
- Frequently Asked Questions: In 2013, the Federal Trade Commission released a list of frequently asked questions regarding COPPA and its application. This FAQ is designed to help parties comply with the law.
- Text of COPPA: The various requirements included in COPPA can be found in 15 United States Code, Chapter 91. This section includes several elements including definitions, exceptions to the act, the power of states to commence actions, the administration and applicability of the act, and government reviews.