To access our COVID-19 related information, click here

Children’s Online Privacy Protection Act (COPPA)

Websites that collect information from children under the age of thirteen are required to comply with Children’s Online Privacy Protection Act (COPPA). The Federal Trade Commission (FTC) is generally responsible for ensuring compliance with COPPA.

By Alice Cheng

Earlier this year, the Federal Trade Commission (FTC) issued a staff report on the growing market for mobile apps for children and the disappointing privacy disclosures that accompanied them.

A survey of mobile apps for children showed that both app stores and app developers need to provide more information on online behavioral advertising and data collection that parents need in order to make informed decisions. The report also concluded that, in the interest of protecting children, the industry should provide greater transparency of their data practices.

In 1998, Congress addressed similar concerns when it enacted the Children’s Online Privacy Protection Act (COPPA) in order to provide parents with control over what information is collected online from their young children.

The Rule, which became effective on April 21, 2000, applies to persons or entities (such as operators of commercial website and online services) who operate sites that are either designed for children under 13 or collects information from this age group.

Those covered by the Rule must:

  1. Post a clear and prominent link to a privacy notice on the home page of the website or online service and at each area where it collects personal information from children. The notice must be clearly written and understandable, and include the name and contact info of all operators collecting or maintaining the information, the kinds of personal information collected, how the information is collected, how the information is used, and whether the information is disclosed to third parties.
  2. Provide a direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information from children. Operators must use reasonable procedures, such as obtaining a signed form or verifying a credit card number, to ensure that they are dealing with the parent.
  3. Obtain a more reliable method of consent if operators wish to disclose a child’s personal information to third parties or make it publicly available
  4. Allow parents to consent to the collection and internal use of a child’s information, but prohibit the third-party use of the information;
  5. Give parents access to the child’s personal information to review and/or delete. Parents must also be given the option of prohibiting further use or collection of a child’s personal information, providing them with the procedures to do so.

Operators may not require that a child provide more information than is reasonably necessary in order to participate in an activity on a site. The Federal Trade Commission enforces COPPA, and may bring actions and impose civil penalties of up to $11,000 per violation. Additionally, the States Attorneys General can sue for COPPA breaches as well.

In the mobile app staff report, the FTC makes several recommendations: allow parents easy access to basic information and data privacy practices; include privacy practices of third parties; and enforce agreements to display data collection practices and interactive features. Any app stores, developers, or web site operators who may fall under COPPA should stop collecting, disclosing, or using personal information from children under 13 until they can come under compliance. Conduct a careful review of information practices and of the privacy policy to determine whether the notification, consent, use, and opt out provisions are sufficient.