Since 1998, the Children’s Online Privacy Protection Act has been the primary protection for young internet users against unauthorised data collection. COPPA is a federal law that specifically protects children under 13 from the unauthorised collection of personal information by websites and online services. The act requires operators to obtain verifiable parental consent before collecting, using, or disclosing any personal information from children under 13 years old.
The challenge facing website operators today is balancing compliance requirements against user-friendly experiences. Many operators underestimate the scope of COPPA or fail to implement adequate safeguards, resulting in costly enforcement actions. Understanding these requirements is necessary for any online service that might reach children under 13.
• Websites and online platforms must secure verified parental approval before gathering or using any personal data from users under 13 years old.
• Operators should implement strong privacy policies and data protection measures tailored to children’s online safety requirements.
• Compliance involves continuous monitoring, accurate age verification, and transparent communication with guardians to prevent unauthorised data access.
COPPA applies to a broader range of operators than many realise. The primary targets include any website or online service directed to children under 13 years old. This includes educational sites, gaming platforms, entertainment content, and social media platforms specifically designed for young users.
The law’s secondary scope applies to operators who have actual knowledge that they’re collecting personal information from children under 13, even if their platform isn’t specifically child-oriented. This means general audience sites can still fall under COPPA jurisdiction if they knowingly collect data from underage users.
COPPA compliance requires operators to implement specific protections when handling children’s personal information. Understanding these core requirements helps operators build effective compliance programmes.
Before collecting any personal information from a child, operators must obtain verifiable consent from a parent or guardian. This requirement goes beyond simple checkbox confirmations. The Federal Trade Commission requires operators to use reasonable efforts to confirm that the person providing consent is actually the child’s parent or guardian.
Acceptable methods for obtaining verifiable consent include:
• Signed consent forms returned via mail or fax
• Credit card verification systems
• Digital signatures with additional verification steps
• Video conferencing with parents
• Telephone calls to parents with follow-up confirmations
Operators must maintain reasonable procedures to verify parental identity and document the consent process. The available technology and resources affect what constitutes “reasonable efforts” for different types of operators.
Parents have extensive rights under COPPA to control their child’s information. Operators must maintain reasonable procedures to allow parents to:
• Review the personal information collected from their child
• Delete their child’s personal information
• Refuse to permit further use or collection of their child’s information
• Receive notification of material changes to information practices
These rights remain active throughout the child’s use of the service. Operators cannot require parents to repeatedly consent to previously consented practices unless there are material changes to their information practices.
COPPA requires operators to maintain reasonable procedures to protect the confidentiality, security, and integrity of children’s personal information. This includes implementing appropriate technical and administrative safeguards against unauthorised access, use, or disclosure.
Security measures should be proportionate to the sensitivity of the information collected and the resources available to the operator. While COPPA doesn’t mandate specific security technologies, operators must demonstrate good faith efforts to protect children’s data through reasonable measures.
Operators may only collect personal information that is reasonably necessary for the child’s participation in the website or online service. This principle prevents excessive data collection that serves commercial purposes rather than functional necessities.
The sole purpose restriction means operators cannot collect additional information solely for marketing or advertising purposes without specific parental consent. Any collection beyond what is necessary for operational purposes requires clear disclosure and consent.
Implementing effective COPPA compliance requires systematic planning and ongoing attention to regulatory requirements. Operators can follow these practical steps to build compliant systems.
Start by determining whether your website or online service is subject to COPPA. Analyse your content, advertising, and user interface to determine if they target children under 13. Consider factors like:
• Visual design elements that appeal to children
• Use of animated characters or child-friendly graphics
• Subject matter oriented toward children’s interests
• Music or other audio content appealing to children
• Language appropriate for children under 13
• Advertising that targets children
Operators should also examine reliable empirical evidence about their actual user base. Analytics data showing a significant number of users under 13 may trigger COPPA obligations, even for general audience sites.
Develop systems to identify users under 13 before collecting any personal information. Age verification methods range from simple self-reporting mechanisms to more sophisticated technical solutions.
Common age verification approaches include:
• Age screening questions before account creation
• Date of birth collection with automated age calculation
• Parent email verification for suspected underage users
• Technical measures to detect child users through behavioural analysis
Remember that age verification serves as a gateway to parental consent requirements. Operators with actual knowledge of underage users must comply with COPPA regardless of whether their service primarily targets children.
Creating an effective parental consent system requires striking a balance between security and user experience. The consent mechanism must be reliable enough to satisfy FTC requirements while remaining accessible to parents.
Key elements of effective consent systems include:
• Clear explanations of what information will be collected
• Specific descriptions of how the information will be used
• Easy-to-understand consent form
• Reliable methods for verifying parental identity
• Systems for documenting and storing consent records
• Mechanisms for parents to withdraw consent
Consider implementing multiple consent options to accommodate different parent preferences and technical capabilities.
Privacy policies for services covered by COPPA must include specific language addressing the collection, use, and disclosure of children’s information. Collaborate with legal counsel to ensure your privacy policy complies with all relevant regulatory requirements.
Important privacy policy components include:
• Clear identification of information collected from children
• Detailed descriptions of how children’s information is used
• Disclosure of any third-party access to children’s data
• Explanation of parental rights and how to exercise them
• Contact information for privacy-related questions
• Procedures for parents to review and delete children’s information
Test your privacy policy with actual parents to ensure it’s understandable and actionable.
Develop comprehensive procedures for managing children’s personal information throughout its lifecycle. These procedures should address collection, storage, use, disclosure, and deletion of such personal information.
Important procedural elements include:
• Secure data storage systems with appropriate access controls
• Regular security audits and vulnerability assessments
• Staff training on COPPA requirements and data handling
• Incident response procedures for potential data breaches
• Record-keeping systems for consent documentation
• Procedures for responding to parental requests
Document all procedures clearly and train relevant staff on proper implementation.
The Federal Trade Commission continues to actively enforce COPPA against violators, with enforcement actions becoming more frequent and penalties increasing in severity. Understanding the enforcement landscape helps operators gauge what non-compliance costs.
Recent enforcement cases demonstrate the FTC’s commitment to protecting children’s online privacy. The Google and YouTube settlement remains the largest COPPA penalty to date; however, other significant cases demonstrate the breadth of enforcement activity.
Major enforcement cases include:
Google and YouTube ($170 million, 2019): The companies collected personal information from children via cookies and mobile device identifiers without parental consent and then used it for targeted advertising.
ByteDance/TikTok ($5.7 million, 2019): Musical.ly collected personal information from users the company knew were under 13, including full names, email addresses, and other contact information.
Epic Games (multiple actions): The video game Fortnite faced scrutiny over various practices, including voice chat features that could expose children to inappropriate contact.
These cases demonstrate that both data collection methods and disclosure practices can lead to COPPA violations. The commission approval process for settlements often includes ongoing monitoring requirements for operators.
The Federal Trade Commission has signalled increased attention to emerging technologies and platforms that may affect children. FTC staff regularly review new apps, websites, and digital services for potential COPPA violations.
Current enforcement priorities include:
• Connected toys and Internet of Things devices
• Voice assistants and smart speakers in children’s environments
• Educational technology platforms, especially those used in schools
• Social media features that may inadvertently collect children’s data
• Mobile apps with unclear age targeting
The commission continues to issue guidance documents and policy statements to help operators understand their obligations as technology evolves.
COPPA includes provisions for safe harbour programmes that allow industry groups to develop self-regulatory guidelines for commission approval. These programmes can provide additional certainty for operators while maintaining strong privacy protections.
Approved safe harbour programmes offer several benefits:
• Detailed guidance tailored to specific industries
• Safe harbour protection for operators following approved guidelines
• Ongoing industry expertise in compliance interpretation
• Regular updates to address technological changes
Current safe harbour programmes cover various sectors, and additional industry groups continue to develop proposals for FTC review.
Congress and privacy advocates continue to discuss potential expansions to the scope and requirements of COPPA. Proposed changes include:
• Raising the protected age from 13 to 16 years old
• Expanding the definition of personal information to include biometric data
• Strengthening penalties for violations
• Addressing algorithmic decision-making affecting children
• Creating specialised enforcement mechanisms for educational technology
The FTC regularly reviews the COPPA rule and may propose updates to address technological changes and enforcement experience. Operators should monitor regulatory developments and be prepared to adapt their practices as requirements evolve.
Any website or online service that potentially reaches children under 13 should conduct an immediate compliance assessment. The cost of implementing proper safeguards is significantly lower than the financial and reputational damage from enforcement actions.
Begin your compliance review by examining your current data collection practices, user demographics, and existing privacy policies. If your analysis reveals potential COPPA obligations, prioritise implementing appropriate safeguards before continuing operations involving children’s personal information.
Consider consulting with legal counsel experienced in COPPA compliance to ensure your implementation meets current regulatory standards. The Federal Trade Commission provides extensive guidance documents and resources to help operators understand their obligations under this critical privacy law.
The core principle is constant: children deserve special protection in digital environments, and operators must take reasonable steps to provide that protection by carefully complying with COPPA requirements.
COPPA stands for the Children’s Online Privacy Protection Act. It is a US federal law enacted in 1998 that prohibits websites and online services from collecting personal information from children under 13 without verifiable parental consent. It covers operators of websites, apps, and online services directed at children, as well as general audience services with actual knowledge of underage users.
Yes. COPPA applies to any website or online service that collects personal information from children in the United States, regardless of where the operator is based. A company headquartered in Europe must still comply with COPPA if its service is directed at or knowingly collects data from children under 13 in the US.
Personal information under COPPA includes names, home addresses, email addresses, telephone numbers, and Social Security numbers. It also covers persistent identifiers such as cookies, device IDs, and IP addresses when used to track children across websites or online services, as well as geolocation data and photos or videos of a child.
The FTC can impose civil penalties of up to $51,744 per violation per day. Penalties are calculated per affected child, meaning a single action against a platform with many underage users can reach multi-million-dollar totals. The Google and YouTube settlement in 2019 reached $170 million; TikTok (then Musical.ly) paid $5.7 million the same year.
COPPA protects children under 13 and is enforced by the US Federal Trade Commission. GDPR and UK GDPR protect children under 16 in most EU and UK contexts (though member states can lower this to 13) and apply to any organisation processing the personal data of EU or UK residents. Both require parental consent for children’s data, but GDPR applies more broadly across all data processing, not just online services.
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.