COPPA: Children’s Online Privacy Protection Act Compliance Guide

by KJ Dearie

December 5, 2019


Do you collect information from children under the age of 13?

If you answered yes, then you need to ask yourself: “Am I compliant with the Children’s Online Privacy Protection Act (COPPA)?”

If you’re unsure if this act applies to you, or don’t know how to comply, our COPPA compliance guide will answer your questions and help you protect your business.

Table of Contents
  1. What is COPPA: Definition
  2. Does COPPA Compliance Matter for Your Business or Website?
  3. How to Comply With COPPA Law
  4. How Are COPPA Regulations Enforced?
  5. Key Takeaways and COPPA Resources

1. What is COPPA: Definition

COPPA is a law that establishes a strict set of guidelines for online businesses to protect the privacy of children under the age of 13.

Designed to limit the amount of information businesses collect from young children, COPPA applies to any company worldwide that processes the data of children in the US.

What Does the Children’s Online Privacy Protection Act Do?

The Children’s Online Privacy Protection Act protects the information of children under 13 years old by ensuring websites, mobile apps, plugins, and toys with online features process children’s information properly.

Not only does COPPA establish guidelines for how online businesses should treat children’s information, but it penalizes companies that fail to follow these guidelines. In 2019, YouTube was hit with a COPPA fine of $170 million for illegally harvesting children’s personal data and targeting ads at kids without their parents’ consent.

When Was COPPA Signed Into Law?

COPPA was signed into law in 1998, and took effect in April 2000.

The law is managed by the Federal Trade Commission (FTC), and was updated in 2013 to include stronger provisions.

COPPA Law Summary: Key Terms

To understand how the FTC enforces COPPA and what it means for online businesses, let’s look at how COPPA defines its key terms.

Operator

The FTC considers any website or online service that collects or controls personal information, or pays for the collection or maintenance of this information, to be an “operator.”

Actual Knowledge

Part of the FTC’s enforcement process is determining if an operator has “actual knowledge” — that is, they know their business is targeting and collecting information from children under 13.

If the FTC discovers that an operator has “actual knowledge” of such data processing, but doesn’t comply with COPPA, a judge will likely enforce a steeper penalty for blatant disregard of the legislation.

Personal Information

The FTC considers the following to be “personal information” under COPPA:

  •   email addresses
  •   first and last names
  •   screen names
  •   geolocation
  •   instant message details
  •   physical addresses
  •   telephone numbers
  •   hobbies/interests
  •   photographs
  •   video and audio files

COPPA’s definition of personal information also includes “persistent” or “anonymous” identifiers. These are details that can be used to identify a person over time, such as IP addresses, customer information collected using cookies (or other tracking technologies), and device serial numbers.

Collecting

According to COPPA, “collecting” includes the following activities:

  • allowing information to be made available to the public (e.g., via a profile page)
  • encouraging the submission of personal information (e.g., prompts to complete a profile page)
  • tracking a child passively online in any manner (e.g., using cookies)

Now that you know the essentials of COPPA and its purpose, let’s look at whether your business is subject to this law, and how you can comply.

2. Does COPPA Compliance Matter for Your Business or Website?

COPPA applies to any business worldwide that collects personal information from children under 13 who reside in the US.

Many people assume that this privacy law only affects websites, but COPPA’s compliance requirements apply to the majority of online services, including the following:

  • mobile apps
  • gaming platforms
  • plugins
  • ad networks
  • geolocation services
  • VoIP services
  • toys or devices that connect to the internet

If your business falls into any of the categories above, you need to assess whether you meet the FTC’s definition of “targeting children.”

To determine if a business targets children under the age of 13, the FTC considers factors like:

  • whether the business’s subject matter appeals to that age group
  • whether the business offers visual and audio content aimed at young children
  • the use of cartoon or animated characters
  • the age of models used in advertisements
  • the use of child celebrities or celebrities that are favored by children

If your business or website covers any subject matter that appeals to children 13 and under — or your service is used by sites that do — then you need to be fully compliant with COPPA.

3. How to Comply With COPPA Law

Knowing how to be COPPA compliant requires you to fully understand your data handling practices, and how you can adjust them to meet COPPA’s requirements.

We’ve broken down the COPPA compliance measures you need to implement into easy-to-follow steps.

1. Create a COPPA-Compliant Privacy Policy

Businesses subject to COPPA need to generate a privacy policy that meets the law’s strict requirements. Even if you already have a privacy policy on your website or app, it may not satisfy COPPA’s specific guidelines.

According to the FTC’s rules, your privacy policy must include the following information to be fully compliant:

  • names, addresses, and phone numbers of the site/service operators
  • type of information collected
  • how information is collected from users
  • how the site/service operators use the collected information
  • if the operators disclose collected information to third parties and how those parties use the information
  • description of how a parent has the option to consent to the collection of their children’s information from the site without agreeing to the disclosure of that information to third parties
  • explanation of parental rights, including the rights to avoid disclosure of more information about children under the age of 13 than is necessary, refuse to provide information about a child, and review information that has been submitted to the operator about the child in question

COPPA requires that you feature your privacy policy on the homepage of your website, as well as on any part of the site where you collect information from children.

Education software Classkick’s privacy policy is a great example of how this policy looks on a fully COPPA-compliant site:

Classkick's COPPA privacy policy

By structuring information using questions, the policy is user friendly with a simple and straightforward table of contents that operates like a COPPA FAQ.

2. Provide a Notice to Parents

Before collecting information from children, COPPA requires that you present a direct notice to parents requesting their consent.

You must inform parents of the following:

  • that information (such as the child’s parent or guardian’s name and email address) was collected in order to obtain consent, and the collected information will be deleted after a reasonable amount of time, if no further consent is given
  • that you wish to collect information from their child
  • the type of information you will collect from their children and how it will be used
  • that they must consent before your business can collect, use, and disclose their children’s information
  • how they can find your privacy policy
  • how they can give their consent

3. Get Verifiable Parental Consent

Verifiable parental consent is consent given by a parent or guardian, in which the parent or guardian’s identity has been reasonably confirmed. Under COPPA, you need to obtain this consent before collecting information from children.

Below are the acceptable methods for obtaining consent from parents, and authenticating their identity:

  • a signed consent form
  • use of a credit or debit card (at the time of a monetary transaction)
  • a telephone call
  • a video conference call
  • challenge questions that would be difficult for someone other than the parent to answer correctly
  • photo ID

If the information you collect is only for your business’s internal use, then you may use the “email plus” method to collect parents’ consent. Simply email the parent asking them to respond with their consent, and then confirm you have received it.

4. How Are COPPA Regulations Enforced?

The FTC uses various methods to enforce COPPA, and imposes high penalties on companies that fail to comply.

To find violators, the FTC encourages internet users to submit a complaint for a site that they think is violating the guidelines.

States and other federal agencies also have jurisdiction to enforce the law. For example, in 2016, New York’s Attorney General found that Viacom, Mattel, JumpStart, and Hasbro were all in violation of COPPA because an advertising partner they worked with used cookies to track personal information of their users.

In the past, the maximum penalty per violation was $16,000. However, in 2016 the maximum penalty was increased to $40,654 per violation.

Therefore, if you collect personal information from only 10 children, but do not comply with COPPA, you could be fined up to $4,065,400! Generally, the amount a business is penalized depends on how flagrant the violation is, and how much the company gained from the personal information.

As you can see in the chart below, several prominent companies have been penalized:

| Name | Date | Fine | Reach | Cost Per |
|---|---|---|---|---|
| Mrs. Fields Famous Brands | 2/27/2003 | $100,000 | 84,000 | $1.19 |
| Xanga.com | 9/7/2006 | $1,000 | 1,7000,000 | $0.59 |
| Imbee.com | 1/30/2008 | $130,000 | 10,500 | $12.38 |
| Sony BMG Music Entertainment | 10/11/2008 | $1,000,000 | 30,000 | $33.33 |
| Iconix Brand Group | 10/20/2009 | $250,000 | 1,000 | $250 |
| Playdom, Inc. | 5/13/2011 | $3,000,000 | 1,244,000 | $2.45 |
| W3 Innovations LLC | 9/8/2011 | $50,000 | 50,000 | $1 |
| Skidekids.com | 11/8/2011 | $100,000 | 56,000 | $17.86 |
| RockYou, Inc. | 3/27/2012 | $250,000 | 79,000 | $1.40 |
| Artist Arena LLC | 10/4/2012 | $1,000,000 | 75,000 | $13.33 |
| Path, Inc. | 2/1/2013 | $800,000 | 3,000 | $266.67 |
| YouTube | 9/4/2019 | $170,000,000 | N/A | N/A |

While $170 million might not be much to a large company like YouTube, it could easily destroy a small- or medium-sized business.

Are There Any Exceptions to the COPPA Rules?

There are several scenarios where you don’t need to obtain parental consent before collecting personal information from users under the age of 13, including:

  • to collect information to seek parental consent
  • through “one-time contact” (contests, giveaways, questions)
  • to protect a child’s safety (if a child irresponsibly shares their information publicly)
  • to protect the security or integrity of your site
  • to support the internal operations of your site

YouTube and COPPA Compliance

The $170 million fine against YouTube in 2019 for a COPPA violation is a good example of how COPPA regulations are enforced, and how companies can stay on the right side of this law.

YouTube’s parent company, Google, received the record-breaking penalty for using cookies to track children’s browsing habits on kids channels without first obtaining parental consent. The video sharing service then profited from the information by delivering targeted ads on those channels.

As a result of the investigation, YouTube must notify channel owners that their content is subject to COPPA and allow them to identify “child-directed content.”

Under this new system, YouTube content creators are now fully responsible for their content. They need to correctly set their channel’s audience, or face individual COPPA fines from the FTC.

5. Key Takeaways and COPPA Resources

If you made it this far, you should know how to comply with COPPA. Let’s recap the key points about what COPPA means for online businesses:

  • COPPA establishes strict guidelines to protect the online privacy of children under 13
  • Any company worldwide that targets kids of this age in the US must comply
  • The maximum penalty for noncompliance is $40,654 per violation
  • Businesses need to create a privacy policy and obtain parental consent to processing kids’ data
  • YouTubers must now set their content as “made for kids” if they publish content aimed at children

If you’re looking for further COPPA guidance for your operations, start with the following resources:

  • Complaint Assistant: The Federal Trade Commission’s Complaint Assistant is an online submissions manager that consumers can use to submit a potential violation.
  • Frequently Asked Questions: In 2013, the Federal Trade Commission released a list of frequently asked questions regarding COPPA and its application. This FAQ is designed to help parties comply with the law.
  • Text of COPPA: The various requirements included in COPPA can be found in 15 United States Code, Chapter 91. This section includes several elements including definitions, exceptions to the act, the power of states to commence actions, the administration and applicability of the act, and government reviews.

If your business is subject to COPPA, build a privacy policy and customize it to meet the law’s requirements to avoid penalties.

KJ Dearie is a product specialist and privacy consultant for Termly, where she advises small business owners on how to comply with the latest data privacy laws and trends. She's been published in Business News Daily, Omnisend, ITProToday, MarTechExec, and more.