COPPA: Children’s Online Privacy Protection Act Explained

Josh Langeland, CIPM


December 21, 2023


Business owners whose websites or online platforms collect information from children under the age of 13 need to ask themselves an important question:

“Am I compliant with the Children’s Online Privacy Protection Act (COPPA)?”

COPPA, a federal U.S. law, protects the online privacy of children under 13, and the consequences of violating it are severe.

If you’re unsure if this act applies to you or don’t know how to comply, keep reading — our COPPA compliance guide will answer your questions and help protect your business and the children using your platform.

Table of Contents
  1. What Is the Children’s Online Privacy Protection Act (COPPA)?
  2. COPPA Key Terms and Definitions
  3. What Does the Children’s Online Privacy Protection Act Cover?
  4. Requirements of the Children’s Online Privacy Protection Act
  5. COPPA vs. US State Privacy Laws: Similarities and Differences
  6. How Are Consumers Impacted by COPPA?
  7. How Are Businesses Impacted by COPPA?
  8. Who Must Comply With COPPA?
  9. How Can Businesses Comply With COPPA?
  10. How Is COPPA Enforced?
  11. Fines and Penalties Under the Children’s Online Privacy Protection Act
  12. How Termly Helps With COPPA Compliance
  13. Are There Other Privacy Related Laws in the US?
  14. Summary

What Is the Children’s Online Privacy Protection Act (COPPA)?

COPPA is a federal U.S. law that establishes a strict set of guidelines online businesses must follow to protect the privacy of children under the age of 13.

Designed to limit what businesses collect from young children, COPPA applies to any operator, wherever it is located, whose website or online service is directed to children in the U.S. or that knowingly collects personal information from U.S. children under 13.

COPPA Effective Date

COPPA was signed into law in 1998 and took effect in April 2000.

The Federal Trade Commission (FTC) enforces the law through its COPPA Rule, which it amended in 2013 to broaden the definition of personal information (adding persistent identifiers, photos, video, audio, and geolocation data) and to cover third-party plugins and ad networks that collect data through child-directed sites.

COPPA Key Terms and Definitions

To understand how the FTC enforces COPPA and what it means for online businesses, let’s look at how COPPA defines some key terms.

Operator

The FTC considers any person who operates a commercial website or online service and collects or maintains personal information from its users, or on whose behalf such information is collected or maintained, to be an “operator.”

Read the entire definition of operator (as it appears in COPPA) below:

“Any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, or offers products or services for sale through that Web site or online service, where such Web site or online service is operated for commercial purposes involving commerce among the several States or with 1 or more foreign nations; in any territory of the United States or in the District of Columbia, or between any such territory and another such territory or any State or foreign nation; or between the District of Columbia and any State, territory, or foreign nation. This definition does not include any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45). Personal information is collected or maintained on behalf of an operator when:

(1) It is collected or maintained by an agent or service provider of the operator; or 

(2) The operator benefits by allowing another person to collect personal information directly from users of such Web site or online service.”

Personal Information

COPPA’s definition of personal information includes “persistent” identifiers, which include details that may identify a person over time, like IP addresses.

Read exactly how COPPA defines personal information below:

Individually identifiable information about an individual collected online, including:

  • (1) A first and last name; 
  • (2) A home or other physical address including street name and name of a city or town; 
  • (3) Online contact information as defined in this section; 
  • (4) A screen or user name where it functions in the same manner as online contact information, as defined in this section; 
  • (5) A telephone number; 
  • (6) A Social Security number; 
  • (7) A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier; 
  • (8) A photograph, video, or audio file where such file contains a child’s image or voice; 
  • (9) Geolocation information sufficient to identify street name and name of a city or town; or 
  • (10) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

If your website sets cookies that hold persistent identifiers, that counts as collecting personal information under COPPA and must be disclosed; a cookie policy is a common place to detail those activities.

Collecting

According to COPPA, “collecting” includes:

  • Enabling a child to make personal information available to the public
  • Encouraging the submission of personal data
  • Passively tracking a known child

Below, you can read exactly how COPPA defines collects or collection in its entirety:

The gathering of any personal information from a child by any means, including but not limited to:

(1) Requesting, prompting, or encouraging a child to submit personal information online; 

(2) Enabling a child to make personal information publicly available in identifiable form. An operator shall not be considered to have collected personal information under this paragraph if it takes reasonable measures to delete all or virtually all personal information from a child’s postings before they are made public and also to delete such information from its records; or 

(3) Passive tracking of a child online.

Disclose

COPPA uses a broad definition for the term disclose or disclosure, which encompasses everything from making the data publicly available to releasing it for any purpose.

Read the entire definition as it appears in the text of the law below:

“… with respect to personal information: 

(1) The release of personal information collected by an operator from a child in identifiable form for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the Web site or online service; and 

(2) Making personal information collected by an operator from a child publicly available in identifiable form by any means, including but not limited to a public posting through the Internet, or through a personal home page or screen posted on a Web site or online service; a pen pal service; an electronic mail service; a message board; or a chat room.

Obtaining Verifiable Consent

To collect or process personal information from children under COPPA, you must make any reasonable effort, taking available technology into account, to obtain verifiable consent from a parent or legal guardian before collection begins.

Read exactly how the law defines this term below:

“Making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child: 

(1) Receives notice of the operator’s personal information collection, use, and disclosure practices; and 

(2) Authorizes any collection, use, and/or disclosure of the personal information.”

Now that you know the essentials of COPPA and its purpose, let’s examine whether your business is subject to this law and how you can comply.

What Does the Children’s Online Privacy Protection Act Cover?

The Children’s Online Privacy Protection Act covers the information of children in the U.S. under 13 years old by ensuring websites, mobile apps, plugins, and toys with online features process their data properly.

Not only does COPPA establish guidelines for how online businesses should treat children’s information, but it also penalizes companies that fail to follow these guidelines.

For example, in 2019 the FTC and the New York Attorney General imposed a combined $170 million COPPA penalty on YouTube for collecting persistent identifiers from viewers of child-directed channels and using them to serve targeted ads without parental consent.

Requirements of the Children’s Online Privacy Protection Act

We’ve broken down the COPPA compliance requirements businesses must implement in the following sections.

Create a COPPA-Compliant Privacy Policy

Businesses must publish a privacy policy that meets the law’s strict requirements.

Even if you already have a privacy policy on your website or app, it may not satisfy COPPA’s specific guidelines.

According to the FTC’s rules, your privacy policy must include the following information:

  • The names, addresses, and phone numbers of all site/service operators
  • A description of what information the operator collects from children
  • How information is collected from users
  • How the site/service operators use the collected information
  • If the operators disclose collected information to third parties and how those parties use the information
  • A description of the legal guardian’s option to consent to the collection of their children’s information from the site without agreeing to the disclosure of that information to third parties

It must also explain the parent’s or legal guardian’s rights, including the rights to:

  • Refuse to let the operator condition a child’s participation on disclosing more personal information than is reasonably necessary
  • Refuse to provide information about a child or to permit further collection
  • Review the information collected about the child and have it deleted

You can meet some of these guidelines by adding a COPPA disclosure to your website, which the Education software Classkick does in their privacy policy, pictured below.


Clicking the COPPA and FERPA Compliance hyperlink brings you directly to their COPPA policy, which addresses the elements described above.

When creating your COPPA privacy policy, remember to contact any third parties you work with and ask about their data collection methods, which you must include in your privacy policy.

Finally, you must place a clear and prominent link to your privacy policy on the homepage of your website and at every point where you collect information from children.

Provide a Notice to Parents

Before collecting information from children, COPPA requires that you present a direct notice to parents requesting their consent.

The following is what must be in your direct notice to the parent required under COPPA:

  • That you collected the parent’s online contact information (for example a name and email address) from the child solely to seek consent
  • That you will delete that contact information after a reasonable amount of time if the parent does not consent
  • That you wish to collect information from their child
  • The type of information you will collect from their children and how it will be used
  • The legal guardian must consent before your business can collect, use, and disclose their children’s information
  • How they can find your privacy policy
  • How they can give their consent

Additionally, you should provide a direct notice to parents and legal guardians any time you change what information you collect or modify how it is collected.

Get Verifiable Parental Consent

Verifiable parental consent is consent given by a parent or guardian in which you’ve reasonably confirmed the identity of said parent or guardian.

Under COPPA, you must obtain this consent before collecting information from children.

These are the methods the COPPA Rule recognizes for obtaining consent from parents and authenticating their identity:

  • A consent form signed by the parent and returned by mail, fax, or electronic scan
  • A credit card, debit card, or other online payment system used in connection with a monetary transaction that notifies the account holder
  • A call to a toll-free telephone number staffed by trained personnel
  • A video conference with trained personnel
  • Knowledge-based challenge questions that would be difficult for someone other than the parent to answer correctly
  • A government-issued photo ID checked against a database, with the image deleted promptly after verification

If you use the information only internally (you do not disclose it to third parties or make it public), you may instead use what is known as the “email plus” method:

  • Email the parent or legal guardian a request for consent
  • Ask them to reply with their consent
  • After a reasonable delay, take an additional confirming step (the “plus”), such as a confirmation email, a letter, or a phone call to the parent

If you use the “email plus” method, make sure the messages you send during the verification process contain no personal information about the child.
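The following is an added example, not code from the article or from Termly, of how an operator might implement the “email plus” flow above together with the deletion of unconsented requests described in the direct-notice section. It stores only the parent’s contact address and a hash of a random one-time code, refuses replayed or stale codes, sends the follow-up confirmation after a delay, and purges requests that never reach a verified state. The in-memory store, the mailer callback, the 14-day retention window, and the one-day confirmation delay are this example’s own assumptions, not requirements taken from the law.

```python
"""Added example (not from the article or from Termly): a minimal "email plus"
parental-consent workflow with a purge of stale requests.

Assumptions (this example's own choices, not COPPA requirements): an in-memory
store, a mailer callable supplied by the caller, a 14-day retention window for
data collected only to seek consent, and a one-day delay before the "plus"
confirmation message.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, Optional

PENDING_TTL = timedelta(days=14)   # assumed "reasonable time" to keep unconsented requests
CONFIRM_DELAY = timedelta(days=1)  # assumed delay before the follow-up confirmation


class State(Enum):
    PENDING = "pending"      # request e-mail sent, no reply yet
    REPLIED = "replied"      # parent replied with the one-time code
    VERIFIED = "verified"    # follow-up confirmation sent; consent is usable


@dataclass
class ConsentRequest:
    parent_email: str
    created_at: datetime
    state: State = State.PENDING
    replied_at: Optional[datetime] = None


class ConsentService:
    """Tracks consent requests keyed by the SHA-256 of a random one-time code.

    Only the parent's contact address is stored; nothing about the child is
    collected or e-mailed until consent has been verified.
    """

    def __init__(self, mailer: Callable[[str, str, str], None]) -> None:
        self._mailer = mailer  # mailer(to, subject, body)
        self._requests: Dict[str, ConsentRequest] = {}

    @staticmethod
    def _key(code: str) -> str:
        # Store a hash so a leaked store cannot be replayed as a consent reply.
        return hashlib.sha256(code.encode()).hexdigest()

    def request_consent(self, parent_email: str, now: datetime) -> str:
        """Step 1: e-mail the parent a one-time code and record the request."""
        code = secrets.token_urlsafe(32)
        self._requests[self._key(code)] = ConsentRequest(parent_email, now)
        self._mailer(parent_email, "Parental consent request",
                     f"Reply with this code to give consent: {code}")
        return code

    def record_reply(self, code: str, now: datetime) -> bool:
        """Step 2: accept the parent's reply; unknown, replayed, or stale codes are refused."""
        req = self._requests.get(self._key(code))
        if req is None or req.state is not State.PENDING:
            return False
        if now - req.created_at > PENDING_TTL:
            return False
        req.state = State.REPLIED
        req.replied_at = now
        return True

    def send_confirmations(self, now: datetime) -> int:
        """Step 3, the "plus": after CONFIRM_DELAY, send a confirmation message to
        every parent who replied. Consent becomes usable at that point.
        Returns the number of confirmations sent."""
        sent = 0
        for req in self._requests.values():
            if req.state is State.REPLIED and now - req.replied_at >= CONFIRM_DELAY:
                self._mailer(req.parent_email, "Consent confirmation",
                             "We recorded your consent. Contact us to withdraw it.")
                req.state = State.VERIFIED
                sent += 1
        return sent

    def is_verified(self, code: str) -> bool:
        req = self._requests.get(self._key(code))
        return req is not None and req.state is State.VERIFIED

    def purge_expired(self, now: datetime) -> int:
        """Delete requests that never reached VERIFIED within PENDING_TTL."""
        stale = [k for k, r in self._requests.items()
                 if r.state is not State.VERIFIED and now - r.created_at > PENDING_TTL]
        for k in stale:
            del self._requests[k]
        return len(stale)


if __name__ == "__main__":
    outbox = []  # stand-in for a real mailer; collects (to, subject, body)
    svc = ConsentService(lambda to, subject, body: outbox.append((to, subject, body)))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    code = svc.request_consent("parent@example.com", t0)  # constructed address
    svc.record_reply(code, t0 + timedelta(hours=2))
    svc.send_confirmations(t0 + timedelta(days=2))
    print("verified:", svc.is_verified(code), "messages sent:", len(outbox))
```

Hashing the code before storage means a copy of the request table alone is not enough to forge a reply, and keying the lookup on the hash avoids a timing-sensitive comparison. The purge step is what honours the promise in the direct notice that contact information collected only to seek consent is deleted if consent never arrives.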

For a COPPA compliance checklist, the FTC offers a 6-Step Plan that walks you through the entire process.

Consent Exemptions

COPPA outlines several scenarios where you don’t need to obtain parental consent before collecting personal information from users under the age of 13, including:

  • Collecting a parent’s or child’s online contact information solely to seek parental consent or provide notice
  • Responding once to a specific request from a child (a “one-time contact,” such as answering a question or running a contest), provided you do not retain or reuse the information
  • Protecting the safety of a child participant on your site, with notice to the parent
  • Protecting the security or integrity of your site, or complying with a legal obligation
  • Supporting the internal operations of your site, for example using a persistent identifier only for analytics, frequency capping, or authentication, without profiling the child

COPPA vs. US State Privacy Laws: Similarities and Differences

The Children’s Online Privacy Protection Act is a federal law in the U.S., but several states also have data privacy laws in place or entering into action over the next few years, including the:

  • California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
  • Colorado Privacy Act (CPA) — currently in force
  • Connecticut Data Privacy Act (CTDPA) — currently in force
  • Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
  • Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
  • Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
  • Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
  • Oregon Data Privacy Act (ODPA) — effective July 1, 2024
  • Tennessee Information Protection Act (TIPA) — effective July 1, 2024
  • Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
  • Utah Consumer Privacy Act (UCPA) — effective December 31, 2023
  • Virginia Consumer Data Protection Act (VCDPA) — currently in force

You can compare some of the requirements of COPPA to the U.S. state laws in the table below.

Comparison table (the cell values did not survive in this copy of the page; only the column headings and the rows are listed here):

Columns:
  • Opt-in consent for certain types of data processing
  • Opt-out consent for certain types of data processing
  • Must present users with a privacy policy (or notice)
  • Requires data protection assessments
  • Outlines contractual obligations with third-party processors
  • Allows for civil lawsuits or a private right of action
  • Must honor Global Privacy Control / browser privacy settings

Rows: COPPA, CCPA/CPRA, CPA, CTDPA, DPDPA, FDBR, Indiana CDPA, Iowa CDPA, MCDPA (Montana), ODPA, TIPA, TDPSA, UCPA, VCDPA

How Are Consumers Impacted by COPPA?

COPPA impacts consumers by protecting the privacy of children under 13, allowing for a safer internet for minors.

The law gives rights to legal guardians regarding how and if their children’s data gets collected and used.

That choice, control, and transparency means parents and guardians can make more informed choices to keep their kids safer online.

Who Does COPPA Apply To?

The Children’s Online Privacy Protection Act protects children under 13 in the United States.

It does not protect anyone aged 13 or older, and it does not cover children located outside the U.S.

How Are Businesses Impacted by COPPA?

Even though COPPA is a U.S. law, it impacts businesses around the globe — even those that don’t necessarily target children under 13.

How Does COPPA Affect My Privacy Policy?

COPPA dictates what must appear in the privacy policy of every business that is subject to it.

If your business must comply with COPPA, your privacy policy has to include:

  • Your website or service name, address, and phone number, and the same details for any other operator collecting data through your service
  • The types of information you collect, how you collect it, and how you use it
  • Whether you disclose the data to any third parties and how they use that information
  • A clear description of parents’ and legal guardians’ rights concerning their children’s data

Additionally, you must place a link to your policy wherever data collection of a child occurs.

Even if COPPA doesn’t apply to you, it is good practice to include a clause in your privacy policy stating that you don’t target children under 13 or knowingly collect their personal information.

You should also explain how parents or guardians can contact you if they believe you’ve inadvertently collected data about their child.

Who Must Comply With COPPA?

Your business must comply with COPPA if you operate a commercial website or online service that is directed to children under 13 in the U.S., or a general-audience service through which you have actual knowledge that you collect personal information from children under 13.

Many people assume this privacy law only affects websites, but COPPA’s compliance requirements apply to the majority of online services, including the following:

  • Mobile apps
  • Gaming platforms
  • Plugins
  • Ad networks
  • Geolocation services
  • Voice over Internet Protocol (VoIP) services
  • Toys or devices that connect to the internet
  • Internet of Things (IoT) devices

Even if your online business is located outside the United States, the FTC could come after you if you market to American consumers, as was the case with China’s app maker, BabyBus.

If your business falls into any of the categories above, you need to assess whether your site or service is “directed to children” under the FTC’s test, which weighs factors like:

  • Whether the business’s subject matter appeals to that age group
  • Whether the business offers visual and audio content aimed at young children
  • The use of cartoon or animated characters
  • The age of models used in advertisements
  • The use of child celebrities or celebrities that children favor

If your business or website covers subject matter that appeals to children under 13, or your service is used by sites that do and you know it, then you must fully comply with the law.

In addition to COPPA, if you collect personal info from EU citizens, you’ll need to ensure your business complies with the General Data Protection Regulation (GDPR).

Who Is Exempt From COPPA?

Nonprofit organizations that don’t need to follow Section 5 of the FTC Act are exempt from following COPPA.

Or, if your services aren’t available in the U.S. and you don’t target minors, you don’t need to follow COPPA requirements.

Regardless, it is still wise to include a clause in your privacy policy stating that you aren’t subject to COPPA’s specific requirements and do not knowingly collect children’s data.

How Can Businesses Comply With COPPA?

Businesses can comply with COPPA by ensuring they have a compliant privacy policy that meets all obligations described by the law.

You should also implement a process for verifying and obtaining appropriate consent from parents or legal guardians before collecting any personal information from minors.

Remember to consider what cookies your website uses, since a persistent identifier held in a cookie counts as personal information under COPPA.

How Is COPPA Enforced?

The FTC and state Attorney General offices enforce COPPA and impose high penalties on companies that fail to comply.

For example, in 2016 New York’s Attorney General reached settlements with Viacom, Mattel, JumpStart, and Hasbro after finding that third-party advertising and tracking technologies embedded on their children’s websites collected personal information, such as persistent identifiers, without parental consent.

To find violators, the FTC encourages internet users to submit a complaint for a site that they think is violating the guidelines.

Actual Knowledge

Part of the FTC’s enforcement analysis is whether an operator has “actual knowledge” that it is collecting personal information from children under 13. This matters most for general-audience services and for third parties such as ad networks and plugins: a service that is not directed to children still falls under COPPA once it has actual knowledge that it is collecting children’s data.

When an operator has actual knowledge of such collection and still ignores the Rule, courts weigh that flagrancy when setting penalties, so the fine is likely to be steeper than for an inadvertent violation.

Fines and Penalties Under the Children’s Online Privacy Protection Act

COPPA violations can be penalized at up to $50,120 per violation, the FTC’s inflation-adjusted maximum as of 2023.

If you collect personal information from only ten children in violation of COPPA, you could in principle be fined up to $501,200.

The maximum was $16,000 per violation until 2016, when annual inflation adjustments began raising it (to $40,654 by 2017).

Generally, the penalty amount a business receives depends on how flagrant the violation is and how much the company gained from the personal information.

As you can see in the chart below, several prominent companies have been penalized.

Company                      Date         Fine           Children affected   Cost per child
Ms. Fields Famous Brands     2/27/2003    $100,000       84,000              $1.19
Xanga.com                    9/7/2006     $1,000,000     1,700,000           $0.59
Imbee.com                    1/30/2008    $130,000       10,500              $12.38
Sony BMG Music Entertainment 10/11/2008   $1,000,000     30,000              $33.33
Iconix Brand Group           10/20/2009   $250,000       1,000               $250.00
Playdom, Inc.                5/13/2011    $3,000,000     1,244,000           $2.45
W3 Innovations LLC           9/8/2011     $50,000        50,000              $1.00
Skidekids.com                11/8/2011    $100,000       56,000              $17.86
RockYou, Inc.                3/27/2012    $250,000       179,000             $1.40
Artist Arena LLC             10/4/2012    $1,000,000     75,000              $13.33
Path, Inc.                   2/1/2013     $800,000       3,000               $266.67
YouTube                      9/4/2019     $170,000,000   N/A                 N/A

While $170 million might not be much to a large company like YouTube, it could easily destroy a small or medium-sized business.

Season 4 of the HBO show Silicon Valley dramatizes a realistic scenario: an employee discovers that his company has no privacy policy yet is already collecting data from young users, meaning it has violated COPPA and could be liable for upwards of $25 billion.

YouTube and COPPA Compliance

In 2019, YouTube received a $170 million fine for violating COPPA, which acts as a good example of how the FTC enforces COPPA violations.

Technically, YouTube’s parent company, Google, received the record-breaking penalty for using cookies to track children’s browsing habits on kids’ channels without obtaining parental consent.

The video-sharing service profited from the children’s information by delivering targeted ads on those channels.

As a result of the investigation, YouTube notifies channel owners that their content is subject to COPPA and allows them to identify “child-directed content.”

The new system means YouTube content creators are now fully responsible for their content and must correctly set their channel’s audience or face individual COPPA fines from the FTC.

How Termly Helps With COPPA Compliance

Termly offers a Privacy Policy Generator and a Privacy Policy Template that complies with several privacy laws from around the world.

The generator asks basic questions about your business and data processing activities and makes a unique privacy policy you can embed directly on your website or app.

To use the template, you fill in blank sections of the document with details about how your website or app collects and processes data.

You can then edit the template or portions of the generator to meet the requirements of the COPPA.

We even offer a privacy policy writing guide if you want to take a crack at it yourself (not recommended).

Are There Other Privacy Related Laws in the US?

While the U.S. does not currently have a federal consumer data privacy law, some privacy-related laws exist, including the following:

  • Gramm-Leach-Bliley Act (GLBA): This federal law outlines requirements for financial institutions, including privacy and security guidelines.
  • Health Insurance Portability and Accountability Act (HIPAA): This federal law standardizes the electronic exchange of medical information and outlines privacy requirements.
  • Family Educational Rights and Privacy Act (FERPA): This federal law protects student data and requires confidentiality.
  • Privacy Act of 1974 (the Privacy Act): This federal law requires agencies to follow the fair information principles when collecting personal data but outlines several exceptions.
  • Fair Credit Reporting Act of 1970 (Fair Credit Reporting Act): This federal law regulates how credit reporting agencies handle consumer data and limits who may obtain consumer reports and for what purposes.

Each state also has a data breach notification law that outlines what entities must do and within what timeframe when a cyber or data breach occurs.

Summary

Let’s recap the key points about what COPPA compliance looks like for online businesses:

  • COPPA establishes strict guidelines to protect the online privacy of children under 13
  • Any company worldwide that targets kids of this age in the US must comply
  • The maximum penalty for noncompliance is $50,120 per violation
  • Businesses must create a privacy policy and obtain parental consent to process kids’ data
  • YouTubers must set their content as “made for kids” if they publish videos aimed at children

If you’re looking for further COPPA guidance for your operations, start with the following resources:

  • Complaint Assistant: The Federal Trade Commission’s Complaint Assistant is an online submission tool that consumers can use to report a potential violation.
  • Frequently Asked Questions: In 2013, the Federal Trade Commission released a list of frequently asked questions regarding COPPA and its application. This FAQ is designed to help parties comply with the law.
  • Text of COPPA: You can find the various requirements included in COPPA in 15 United States Code, Chapter 91, which contains definitions, exceptions to the act, the power of states to commence actions, the administration and applicability of the act, and government reviews.

If your business is subject to COPPA, build a privacy policy and customize it to meet the law’s requirements to avoid penalties.


Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park.
