Guide to the Children’s Online Privacy Protection Rule (COPPA)

What is the Children’s Online Privacy Protection Rule (COPPA)?

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. The primary purpose of COPPA is to place parents in control of what information is collected from their children online.

How does COPPA define “personal information”?

Personal information is defined to include:


  • First and last name
  • A home or other physical address including street name and name of a city or town
  • Online contact information
  • A screen or user name that functions as online contact information
  • A telephone number
  • A social security number
  • A persistent identifier that can be used to recognize a user over time and across different websites or online services
  • A photograph, video, or audio file, where such file contains a child’s image or voice
  • Geolocation information sufficient to identify street name and name of a city or town
  • Any information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

What types of businesses need to comply with COPPA?


COPPA applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. 

The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Nonprofit entities generally are not subject to COPPA.

Key COPPA requirements for covered entities

According to the FTC, covered entities must:

  • Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children
  • Provide direct notice to parents and obtain parental consent before collecting personal information online from children
  • Give parents the choice of consenting to the entity’s collection and internal use of a child’s information but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents)
  • Provide parental access to their child’s personal information to review and/or have the information deleted
  • Give parents the opportunity to prevent further use or online collection of a child’s personal information
  • Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security
  • Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use


Who enforces the regulation and what are the penalties for non-compliance?

The Federal Trade Commission enforces COPPA. Anyone who believes an operator is violating COPPA may submit a complaint to the FTC. A court can hold operators who violate COPPA liable for civil penalties of up to $43,280 per violation. The amount of the fine is based on factors including the egregiousness of the violations, whether the operator has previously violated the rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company. COPPA also gives states the authority to enforce compliance with respect to entities over which they have jurisdiction.

For details about the COPPA Rule, see the FTC’s FAQ guide on COPPA.

COPPA: Frequently Asked Questions

The Children’s Online Privacy Protection Act (COPPA) is designed to protect the privacy of children under the age of 13. COPPA applies to operators of commercial websites and online services, including mobile apps, that collect, use, or disclose personal information from children under 13. 

This includes general audience websites or services that knowingly collect personal information from children. In addition, third parties (such as advertising networks or plug-ins) that collect personal information through websites or online services covered by COPPA must also comply with the rule. Essentially, if your digital service is directed towards children under 13 or knowingly collects information from this age group, you are covered by COPPA.

Personal information under COPPA includes a wide array of data that could be used to identify, contact, or locate an individual child. This includes:

  • Full name
  • Home or other physical address
  • Online contact information (such as an email address)
  • Screen name or user name that functions as online contact information
  • Telephone number
  • Social Security number
  • Persistent identifiers (such as a customer number held in a cookie, an IP address, a processor or device serial number, or unique device identifier)
  • A photograph, video, or audio file containing a child’s image or voice
  • Geolocation information sufficient to identify street name and name of a city or town
  • Information concerning the child or parents that the operator collects online from the child and combines with an identifier described above

COPPA applies to operators of websites and online services that are directed to children under 13 and collect personal information from them, or that have actual knowledge that they are collecting personal information from children under 13, including:

  • Websites and online services
  • Mobile apps
  • Online games
  • Social networking services
  • Plug-ins or ad networks that collect personal information through child-directed sites or services, or that have actual knowledge they are collecting personal information from users under 13

Violating COPPA can lead to significant penalties. The FTC enforces COPPA, and violations can result in civil penalties of up to $51,744 per violation. The total amount of penalties can vary based on several factors, including the company’s financial condition and the severity of the violation. Beyond financial penalties, companies may also face damage to their reputation and loss of consumer trust, which can have long-term negative impacts on their business.

COPPA is enforced by the FTC, which investigates complaints and potential violations. When the FTC finds that a company has violated COPPA, it can file a lawsuit against the company in federal court. In many cases, the FTC and the company reach a settlement, which often includes the payment of civil penalties and requirements to adhere to strict compliance measures going forward. States’ attorneys general can also bring actions under COPPA.

Compliance with COPPA is required for operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children. This includes a broad range of entities such as:

  • Website operators
  • Mobile app developers
  • Online game companies
  • Social networking services
  • Advertising networks and plug-ins that are aware they are collecting information from users of child-directed sites or services

Additionally, even if a site is not directed at children, if it knowingly collects personal information from users under 13, it must comply with COPPA. Companies must also ensure that third parties that they work with, such as advertisers and service providers, comply with COPPA when collecting or handling personal information from children.

Hyperproof makes COPPA compliance simple

  • Get started quickly with an out-of-the-box COPPA framework template
  • Map controls to other relevant privacy frameworks like PCI DSS and GDPR for comprehensive compliance
  • Minimize the time and resources needed to achieve COPPA compliance
  • Integrate smoothly with your current project management tools, like ServiceNow, Jira, and Asana
  • Collect and document evidence effectively and continuously
  • Monitor progress toward COPPA compliance with a robust, exportable dashboard
