Guide to
Children’s Online Privacy Protection Rule (COPPA)
What is the Children’s Online Privacy Protection Rule (COPPA)?
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. The primary purpose of COPPA is to place parents in control of what information is collected from their children online.
How does COPPA define “personal information”?
Personal information is defined to include:
Personal Information as defined by COPPA
What types of businesses need to comply with COPPA?
COPPA applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Nonprofit entities generally are not subject to COPPA.
Key COPPA requirements for covered entities
According to the FTC, covered entities must:
Ready to see Hyperproof in action?
Get started quickly with 110+ framework templates.
Who enforces the regulation and what are the penalties for non-compliance?
The Federal Trade Commission enforces COPPA. Anyone who believes an operator is violating COPPA may submit complaints to the FTC. A court can hold operators who violate COPPA liable for civil penalties of up to $43,280 per violation. The amount of the fine is based on factors including the egregiousness of the violations, whether the operator has previously violated the rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties and the size of the company. COPPA also gives states the authority to enforce compliance with respect to entities over which they have jurisdiction.
For details about the COPPA rule, check out the FAQ guide on COPPA from The FTC.