Guide to

Children’s Online Privacy Protection Rule (COPPA)

What Is Children’s Online Privacy Protection Rule (COPPA)?

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. The primary purpose of COPPA is to place parents in control of what information is collected from their children online.

How Does COPPA Define “Personal Information”?

Personal information is defined to include:

First and last name;
A home or other physical address including street name and name of a city or town;
Online contact information;
A screen or user name that functions as online contact information;
A telephone number;
A social security number;
A persistent identifier that can be used to recognize a user over time and across different websites or online services;
A photograph, video, or audio file, where such file contains a child’s image or voice;
Geolocation information sufficient to identify street name and name of a city or town; or
Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

What Types of Businesses Need to Comply With COPPA?

COPPA applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Nonprofit entities generally are not subject to COPPA.

Key COPPA Requirements For Covered Entities

According to the FTC, covered entities must:

Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
Provide direct notice to parents and obtain parental consent before collecting personal information online from children;
Give parents the choice of consenting to the entity’s collection and internal use of a child’s information but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
Provide parental access to their child’s personal information to review and/or have the information deleted;
Give parents the opportunity to prevent further use or online collection of a child’s personal information;
Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

Who Enforces the Regulation and What Are the Penalties For Non-Compliance?

The Federal Trade Commission enforces COPPA. Anyone that believes an operator is violating COPPA may submit complaints to the FTC. A court can hold operators who violate COPPA liable for civil penalties of up to $43,280 per violation. The amount of the fine is based on factors including the egregiousness of the violations, whether the operator has previously violated the rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company. COPPA also gives states authority to enforce compliance with respect to entities over which they have jurisdiction.

For details about the COPPA rule, check out the FAQ guide on COPPA from The FTC.