COPPA Compliance: Children's Online Privacy Guide for Websites
A detailed guide to understanding and complying with the Children's Online Privacy Protection Act. Learn how to protect children under 13, implement verifiable parental consent, handle FTC enforcement, and work with safe harbor programs.
What is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a United States federal law enacted in 1998 to protect the privacy of children under 13 years old when they use websites, online services, and mobile applications. COPPA is enforced by the Federal Trade Commission (FTC) and imposes specific requirements on operators of commercial websites and online services directed at children, as well as general audience services that knowingly collect personal information from children under 13.
COPPA was updated with a revised rule in 2013 to address emerging technologies and changing online practices, including social media, mobile apps, and new forms of data collection like geolocation and persistent identifiers. The law requires website operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children, and to maintain reasonable security procedures to protect that information.
Understanding COPPA is essential for any business that operates online and may interact with children. Violations can result in serious civil penalties, with the FTC actively pursuing enforcement actions against companies that fail to protect children's privacy. The current maximum penalty is over $50,000 per violation, and the FTC has imposed settlements reaching tens of millions of dollars in high-profile cases.
Key Fact: Who COPPA Protects
COPPA protects children under 13 years of age. Unlike some international laws that set the age threshold at 16 (like GDPR's default), COPPA specifically targets younger children who may not fully understand privacy implications. If your service collects data from users under 13, even unintentionally, COPPA likely applies to you.
Who Must Comply with COPPA?
COPPA applies to operators of commercial websites and online services that fall into specific categories. Understanding whether your business is subject to COPPA is the first step toward compliance:
- Child-directed websites and services: Sites or apps specifically designed for children under 13, determined by factors like subject matter, visual content, use of animated characters, age of models, music, and presence of child celebrities
- General audience sites with actual knowledge: Websites and services that do not target children but have actual knowledge that they are collecting personal information from users under 13
- Mixed-audience websites: Sites or apps that are directed to children but do not target them as the primary audience; these operators may use a neutral age screen and apply COPPA protections to users who identify as under 13
- Third-party service providers: Advertising networks, plug-ins, and other services that collect personal information from users of child-directed sites or have actual knowledge of collecting children's data
The FTC considers multiple factors when determining if a site is directed at children, including the overall subject matter, visual and audio content, language of the site, whether advertising is directed at children, competent and reliable empirical evidence about audience composition, and any evidence of the operator's actual or intended audience. A site need not be exclusively child-directed to trigger COPPA obligations.
COPPA Requirements: What Operators Must Do
COPPA imposes specific obligations on covered operators. These requirements create a detailed framework for protecting children's privacy online:
1. Privacy Policy Requirements
Operators must post a clear, comprehensive privacy policy and link to it prominently on the home page or landing screen and at each point where personal information is collected from children. The privacy policy must include:
- Contact information for all operators collecting or maintaining personal information from children
- Description of what personal information is collected and how it is used
- Description of disclosure practices to third parties
- Statement that parents can review, have deleted, and refuse further collection of their child's information
- Statement that participation cannot be conditioned on providing more information than reasonably necessary
2. Direct Notice to Parents
Before collecting personal information from children, operators must provide direct notice to parents that clearly and completely discloses:
- That the operator wishes to collect personal information from the child
- That parental consent is required for collection, use, and disclosure
- The specific types of personal information to be collected
- How the information will be used
- Whether information will be disclosed to third parties
- A link to the online privacy policy
- How parents can provide consent
3. Data Collection Limitations
COPPA prohibits operators from collecting more personal information than is reasonably necessary for children to participate in a game, contest, or other activity. This principle of data minimization is central to COPPA compliance and prevents operators from using participation as a way to collect excessive data.
What Counts as Personal Information Under COPPA
COPPA defines personal information broadly, including: full name, home address, email address, telephone number, Social Security number, online contact information, screen names that function as online contact information, photos/videos/audio containing a child's image or voice, geolocation data precise enough to identify a street and city, and persistent identifiers that can recognize a user over time and across different websites or services. The 2013 rule lists cookies, IP addresses, device serial numbers, and similar identifiers explicitly, so an IP address alone can qualify.
Verifiable Parental Consent: Methods and Requirements
Obtaining verifiable parental consent is the cornerstone of COPPA compliance. The consent must be obtained before any collection, use, or disclosure of personal information from children. The FTC has approved several methods for obtaining consent, with the appropriate method depending on how the collected information will be used:
| Method | Description | Best For |
|---|---|---|
| Signed Consent Form | Parent signs and returns a physical consent form by mail, fax, or electronic scan | High-risk data collection, larger organizations |
| Credit Card Transaction | Use credit card in connection with a monetary transaction as verification | E-commerce sites, subscription services |
| Government ID Verification | Check the parent's government-issued ID against a database, then promptly delete the ID | High-security requirements, sensitive data |
| Video Conference | Connect with trained personnel via video conference call | Premium services, sensitive data collection |
| Knowledge-Based Questions | Dynamic, multiple-choice questions drawn from a database that only the parent should be able to answer | Online-only flows where no payment or ID upload is practical |
| Email Plus | Email consent request followed by an additional step, such as a delayed confirmatory email, letter, or phone call | Only when the information is used internally and not disclosed to third parties |
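The Email Plus row above describes a flow rather than a single check, so here it is carried through as an added example (not code from the page or from any safe harbor program): a single-use consent token is issued for the direct notice email, consumed when the parent follows the link, and a delayed confirmatory email gives the parent a chance to withdraw. The class and function names, the purpose names, the 48-hour link lifetime, and the 24-hour follow-up delay are all assumed for illustration; email delivery is represented by returning the message text.

```python
"""Email Plus verifiable parental consent flow (added example).

Assumed: EmailPlusConsent, ConsentRecord, the purpose names, TOKEN_TTL and
FOLLOW_UP_DELAY are invented for illustration; e-mail sending is stubbed.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

TOKEN_TTL = timedelta(hours=48)        # assumed lifetime of the consent link
FOLLOW_UP_DELAY = timedelta(hours=24)  # assumed delay before the confirmatory e-mail

# Email Plus is only acceptable when the child's information is used internally
# and not disclosed to third parties, so only these (assumed) purposes may be requested.
INTERNAL_PURPOSES = frozenset({"account", "gameplay", "support", "security"})


def _digest(token: str) -> str:
    """Store only a hash of the token, so a leaked table does not yield working links."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ConsentRecord:
    child_id: str
    parent_email: str
    purposes: frozenset
    issued_at: datetime
    consented_at: Optional[datetime] = None
    followed_up_at: Optional[datetime] = None
    revoked: bool = False


class EmailPlusConsent:
    def __init__(self) -> None:
        self._pending: Dict[str, ConsentRecord] = {}  # token digest -> record
        self.records: Dict[str, ConsentRecord] = {}   # child_id -> verified record

    def request(self, child_id: str, parent_email: str,
                purposes: Iterable[str], now: datetime) -> str:
        """Step 1: issue a single-use token for the direct notice e-mail."""
        wanted = frozenset(purposes)
        extra = wanted - INTERNAL_PURPOSES
        if extra:
            raise ValueError(f"Email Plus cannot cover: {sorted(extra)}")
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = ConsentRecord(child_id, parent_email, wanted, now)
        return token  # embedded in the consent link sent to the parent

    def confirm(self, token: str, now: datetime) -> bool:
        """Step 2: the parent follows the link. The token is consumed either way."""
        rec = self._pending.pop(_digest(token), None)
        if rec is None or now - rec.issued_at > TOKEN_TTL:
            return False
        rec.consented_at = now
        self.records[rec.child_id] = rec
        return True

    def follow_up(self, child_id: str, now: datetime) -> Optional[str]:
        """Step 3 (the 'plus'): after a delay, send a confirmatory e-mail the
        parent can use to withdraw consent. Returns the message, or None if
        it is not yet due or was already sent."""
        rec = self.records.get(child_id)
        if rec is None or rec.followed_up_at is not None:
            return None
        if now - rec.consented_at < FOLLOW_UP_DELAY:
            return None
        rec.followed_up_at = now
        return (f"To {rec.parent_email}: consent recorded on "
                f"{rec.consented_at:%Y-%m-%d %H:%M} UTC for {sorted(rec.purposes)}. "
                f"Reply to this message to withdraw it.")

    def revoke(self, child_id: str) -> None:
        rec = self.records.get(child_id)
        if rec is not None:
            rec.revoked = True

    def may_collect(self, child_id: str, purpose: str) -> bool:
        """Gate every collection of the child's personal information on a live,
        verified consent that covers this specific purpose."""
        rec = self.records.get(child_id)
        return rec is not None and not rec.revoked and purpose in rec.purposes


if __name__ == "__main__":
    clock = datetime(2025, 1, 1, tzinfo=timezone.utc)
    flow = EmailPlusConsent()
    link_token = flow.request("child-1", "parent@example.com", ["gameplay"], clock)
    print("collect before consent:", flow.may_collect("child-1", "gameplay"))
    print("confirm:", flow.confirm(link_token, clock + timedelta(hours=1)))
    print("collect after consent:", flow.may_collect("child-1", "gameplay"))
    print(flow.follow_up("child-1", clock + timedelta(hours=30)))
```

Two design points matter for the "verifiable" part: the token is stored hashed and consumed on first use, so a replayed or leaked link cannot re-grant consent, and the purpose set is fixed at request time, so data later collected for an advertising or disclosure purpose fails the `may_collect` check rather than silently riding on the earlier consent.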
Exceptions to Parental Consent
COPPA provides limited exceptions where operators may collect certain personal information without first obtaining parental consent:
- One-time contact: Collecting an email to respond once to a specific request, then deleting it
- Parental notification: Collecting a parent's email solely to obtain consent or provide notice
- Safety and security: Collecting information to protect child safety or site security, used only for that purpose
- Support for internal operations: Using persistent identifiers solely to support internal operations such as site maintenance, security, and analytics, provided no other personal information is collected with them
These exceptions are narrow and must be used appropriately. The internal operations exception, in particular, has specific requirements and cannot be used to build profiles for behavioral advertising to children.
Data Collection Limits and Retention
COPPA requires operators to maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. This includes implementing appropriate data minimization and retention practices:
- Collect only necessary data: Personal information collection must be limited to what is reasonably necessary for the activity
- Secure data storage: Implement reasonable security measures appropriate to the sensitivity of the information
- Limit retention: Keep children's personal information only as long as reasonably necessary to fulfill the purpose for which it was collected
- Secure disposal: Delete personal information using reasonable measures to protect against unauthorized access
- Third-party oversight: Take reasonable steps to ensure that any third parties with access to children's data maintain confidentiality and security
FTC Enforcement: Penalties and Consequences
The Federal Trade Commission is the primary enforcer of COPPA and has pursued aggressive enforcement actions against companies that violate the law. Understanding enforcement trends helps operators appreciate the importance of compliance:
COPPA Enforcement Statistics
- Maximum civil penalty: Over $50,000 per violation (adjusted for inflation)
- Largest settlements: Tens of millions of dollars against major technology companies
- Increased scrutiny: FTC has prioritized children's privacy enforcement in recent years
- Third parties targeted: Advertising networks and plug-in providers have faced enforcement
Notable FTC Enforcement Actions
The FTC has brought COPPA cases against a wide range of companies, from small app developers to major technology platforms. Key enforcement themes include:
- Collecting persistent identifiers from children for behavioral advertising without parental consent
- Failing to provide adequate notice and obtain consent before data collection
- Operating child-directed apps while claiming general audience status
- Inadequate data security measures for children's information
- Sharing children's data with third-party advertising networks
- Failing to honor parental requests to delete children's data
Recent settlements have included requirements for companies to delete illegally collected data, implement full privacy programs, and submit to regular third-party audits for years following the enforcement action.
Safe Harbor Programs: Benefits and Requirements
The FTC has approved several industry self-regulatory programs as COPPA safe harbors. Participation in an approved safe harbor program provides important benefits, including a presumption of compliance with COPPA requirements and potential mitigation of enforcement consequences.
CARU (Children's Advertising Review Unit)
BBB National Programs' self-regulatory program for advertising to children
bbbprograms.org/programs/all-programs/caru
ESRB Privacy Certified
Entertainment Software Rating Board's privacy certification for games and apps
esrb.org/privacy
kidSAFE Seal Program
Independent safety certification for websites and apps used by children
kidsafeseal.com
Privo
Kids' privacy compliance platform with parental consent services
privo.com
TrustArc
Privacy compliance and certification services including COPPA
trustarc.com
Safe Harbor Benefits
Joining an FTC-approved safe harbor program offers several advantages for COPPA compliance:
- Compliance guidance: Safe harbor programs provide detailed guidance on COPPA requirements and best practices
- Independent review: Programs conduct reviews to identify and address compliance issues before FTC enforcement
- Enforcement buffer: Members in good standing are subject to the program's own review and disciplinary procedures in lieu of formal FTC investigation, although the FTC retains authority to act
- Consumer trust: Safe harbor certification signals commitment to children's privacy
- Updated requirements: Programs adapt guidelines to address new technologies and regulatory changes
COPPA Compliance Checklist
Use this checklist to assess and improve your organization's COPPA compliance:
- Determine if COPPA applies to your website, app, or service
- Post a clear, detailed privacy policy describing data practices
- Provide direct notice to parents before collecting children's data
- Obtain verifiable parental consent using FTC-approved methods
- Give parents access to their child's personal information
- Allow parents to revoke consent and delete their child's data
- Implement reasonable data security measures
- Limit data collection to what is reasonably necessary
- Avoid conditioning participation on excessive data collection
- Train staff on COPPA requirements and procedures
- Consider joining an FTC-approved safe harbor program
- Document all consent mechanisms and parental interactions
COPPA and International Considerations
While COPPA is a U.S. law, its reach extends to foreign-based websites and services that are directed at children in the United States or have actual knowledge of collecting personal information from U.S. children. Businesses also must consider how COPPA interacts with international children's privacy laws:
- GDPR (EU): Requires parental consent for children under 16 (or as low as 13 in some member states) for information society services
- UK Age Appropriate Design Code: Imposes design requirements for services likely accessed by children under 18
- LGPD (Brazil): Requires parental consent for processing children's data
- PIPEDA (Canada): Includes provisions for meaningful consent when dealing with minors
Organizations operating globally should develop thorough children's privacy programs that address the requirements of multiple jurisdictions.
Frequently Asked Questions
Does COPPA apply if my website isn't specifically for children?
COPPA applies to general audience websites if they have actual knowledge that they are collecting personal information from children under 13. Actual knowledge can come from a user stating an age, from a parent or other person informing you, or from content a user posts. Once you have it for a specific user, you must comply with COPPA for that user regardless of your target audience.
Can I just block children under 13 from using my service?
Yes. Many general-audience operators prohibit users under 13 and rely on an age screen. FTC guidance is that the screen must be neutral: ask for a full date of birth (or age) in a way that does not reveal the threshold or suggest which answer is required, and do not tell users that under-13s will be turned away. Use a technical measure such as a session cookie so that a user screened out as under 13 cannot go back and enter a different birth date. An age screen does not help once you obtain actual knowledge that a particular user is under 13; at that point COPPA applies to that user.
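The neutrality and retry-prevention points in this answer are easy to get wrong in code, so here is an added example (not code from the page) of a server-side age screen. The names `AgeGateSession`, `screen`, `age_on` and `year_choices`, and the idea of keying the session state to an opaque session cookie, are assumptions for illustration; the 13-year threshold is COPPA's.

```python
"""Neutral age screen for a general-audience service (added example).

Assumed: AgeGateSession, screen(), age_on(), year_choices() and the
session model are invented for illustration.
"""
from dataclasses import dataclass
from datetime import date

COPPA_THRESHOLD = 13

# Prompt text stays neutral: it asks for a full date of birth and does not say
# that an age below 13 is blocked, so it does not invite a child to lie.
NEUTRAL_PROMPT = "Enter your date of birth (month / day / year)"
# The kind of wording to avoid: it tells the child which answer gets through.
LEADING_PROMPT = "You must be 13 or older to sign up"


def age_on(birth: date, today: date) -> int:
    """Whole years between birth and today (handles 29 February birthdays)."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


@dataclass
class AgeGateSession:
    """Server-side state keyed by an opaque session cookie (assumed). Once a
    session has been identified as under 13 it stays that way, so the child
    cannot press Back and retry with an older birth date."""
    under_threshold: bool = False
    attempts: int = 0


def screen(session: AgeGateSession, birth: date, today: date) -> str:
    """Return 'child', 'adult' or 'invalid'. 'child' routes the user to the
    parental-consent path (or to a version of the service that collects no
    personal information); 'adult' proceeds normally."""
    session.attempts += 1
    if session.under_threshold:
        return "child"                       # retry within the same session
    if birth > today or age_on(birth, today) > 120:
        return "invalid"                     # implausible input, ask again
    if age_on(birth, today) < COPPA_THRESHOLD:
        session.under_threshold = True
        return "child"
    return "adult"


def year_choices(today: date) -> list:
    """Birth-year options for a drop-down: a full range with no pre-selected
    adult year, another way of keeping the screen neutral."""
    return list(range(today.year, today.year - 121, -1))


if __name__ == "__main__":
    s = AgeGateSession()
    print(screen(s, date(2015, 6, 1), date(2025, 6, 1)))   # child
    print(screen(s, date(1990, 1, 1), date(2025, 6, 1)))   # still child: retry blocked
```

The session flag is the part most often missing in real deployments: without it, a child who sees the "child" path can simply reload the page and type an adult birth date, and the operator has no record that the same session earlier declared an age under 13.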
What's the difference between "actual knowledge" and "constructive knowledge"?
COPPA's knowledge standard is actual knowledge, meaning the operator must actually know that a specific user is under 13. However, operators cannot deliberately avoid learning user ages to evade COPPA. If circumstances clearly indicate child users, willful ignorance won't provide protection.
Do I need parental consent for every type of data collection?
While most personal information collection requires prior verifiable parental consent, COPPA provides limited exceptions for certain activities like responding to a one-time request, protecting safety, or internal operations. These exceptions are narrow and have specific requirements.
How do I verify that consent is coming from an actual parent?
The FTC has approved several verification methods including credit card transactions, government ID checks, signed consent forms, video conferencing, and knowledge-based questions. The appropriate method depends on how you plan to use the collected data.
What should I do if I discover I've collected children's data without consent?
If you discover unauthorized collection of children's data, you should immediately stop using the data, delete it using secure methods, and review your practices to prevent future incidents. Consider consulting legal counsel about potential disclosure obligations and remediation steps.