In response to concerns in the 1990s about how websites collected and protected personal data and to ensure the privacy of users - particularly children - Congress enacted The Children's Online Privacy Protection Act (COPPA) in 1998.
The primary goal of COPPA is to place parents in control of the information that websites or other online services collect online from children under the age of 13.
The Act also lists those circumstances which require a site or service to give direct notice to parents and seek their verifiable consent whenever a site or service collects, uses, or discloses their child's personal information.
- 1. What Was Congress Thinking?
- 2. Who Does COPPA Affect?
- 3. What Does COPPA Consider "Personal Information"?
- 4. What Does COPPA Consider "Collecting" Personal Information?
- 5. Complying With COPPA
- 5.2. Give Parents Direct Notice
- 5.3. Obtain Parents' Verifiable Consent
- 5.4. Recognize Parents' Ongoing Rights
- 5.5. Protect Children's Personal Information
- 6. Exceptions to COPPA
- 7. Summary
An operator of a website or online service directed to children, or any operator that actually knows it is collecting personal information from a child, may not collect personal information from a child in any way that violates COPPA.
The Act's definition of a "website or online service directed to children" covers just about any internet service that markets products or services to children:
- A commercial website or online service that is targeted to children, or
- That portion of a commercial website or online service that is targeted to children
What Was Congress Thinking?
In 1998, the FTC surveyed over 1,400 websites, 212 of which were commercial websites that targeted children and 89% of which were sites that collected personal information from children.
The results of the survey revealed that only 24% posted privacy policies and only 1% required parental consent for how children's personal data was gathered and managed.
Because of these findings, the FTC urged Congress to pass legislation protecting children's online privacy. Congress responded and passed COPPA in 1998, effective April 21, 2000. At the time, Congress believed that the Act would be flexible enough to accommodate diverse business methods and technological change.
However, not unexpectedly, Congress amended COPPA in 2013 to account for children's increased use of mobile devices and social networking. As a result, it expanded the definition of children's personal information to include persistent identifiers such as cookies, geolocation information, and files that contain an audio recording, video, or photo.
Who Does COPPA Affect?
COPPA applies to any person who operates a website or online service for commercial purposes, including any person offering products or services for sale through that website or online service, that collects personal information online from a child under 13.
In determining whether a website or online service is "directed" to children, the FTC considers any reliable evidence about the age of the website or service's actual or targeted audience.
You must comply with COPPA if your commercial web enterprise is directed to:
- Children under the age of 13 and you collect personal information from them
- Children under the age of 13 and you let others collect personal information from them
- A general audience, but you have actual knowledge that you collect personal information from children under the age of 13.
The following are some examples of internet-based services covered by COPPA:
- Social networking apps
- Network-connected games
- Advertising networks and apps that generate behaviorally-targeted content
- Mobile apps that send or receive information online
- Internet-enabled location-based services
- Voice-over internet protocol services
- Connected toys or other similar devices
What Does COPPA Consider "Personal Information"?
If your web-based site or service is collecting any of the following information, especially if used as online contact information like an email address or other identifier that permits someone to contact a person directly, it is considered "personal information" under COPPA:
- First and last name
- Home or other physical address including street name and name of a city or town
- Telephone number
- Social Security number
- Online contact information, including a screen name or user name where it functions as online contact information
- A persistent identifier that may be used to recognize a user over time and across different sites, such as an IP address or unique device identifier
- Geolocation information allowing the name of the child's street, city or town to be identified
- A photograph, video, or audio file containing the image or voice of a child
- Other child- or parent-related information collected from the child that is combined with any of the above identifiers
- Any other identifier that the Federal Trade Commission determines allows a specific individual to be contacted in person or online
What Does COPPA Consider "Collecting" Personal Information?
As the owner of a website or other online service, COPPA considers you to be collecting information if you:
- Request, prompt, or encourage the submission of information, even if optional,
- Allow information to be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records, or
- Passively track a child online
Complying With COPPA
Now that you know you must comply with COPPA if you own or operate a website or online service that markets its products and/or services to children, how do you comply?
As a business owner, you have to protect your brand and investment. If you don't meet all of the legal requirements to comply, your business faces costly civil penalties and bad publicity because you're not protecting young users of your site or service.
If you're unsure about whether COPPA applies to you, for whatever reason, it may simply be a wise decision to take all of the necessary steps to ensure that your website or online service is COPPA-compliant.
To comply with COPPA, you must:
- Give parents direct notice when you collect personal information from their child
- Obtain parents' verifiable consent to collecting personal information from their child
- Recognize parents' ongoing rights related to their child's personal information
- Protect children's personal information
When a site or service offers a child some type of activity, it may only request the child's personal information that is necessary to engage in the activity. COPPA specifically prohibits any site or service from conditioning a child's participation in a game or offering a child a prize based on the disclosure of more personal information than is reasonably necessary for the child's participation.
- The personal information actually collected from children by your website or online service
- How your business uses any personal information collected from children
- Your disclosure practices including a list of third parties to which you disclose personal information collected from children and how these third parties use this information
- Parental rights related to the collection, use, and disclosure of a child's personal information
- Notice of the procedures parents must follow to exercise their rights
Links are added to the end of each summarized point. There's also a Quick Links section right after the Summary that links to more detailed information with descriptive titles for each link:
Give Parents Direct Notice
COPPA contains exceptions that allow collecting some personal information from children without parental consent. Nonetheless, obtaining parents' consent to collecting, using, and disclosing their child's online personal information is the cornerstone of the FTC policy of giving parents control over their kids' online personal information.
For parents to consent, they must have notice.
Before you collect any information from children, your website or online service must inform parents of your procedures and practices in collecting information from children. The notice must be clear and its contents must be simply stated. Include only what's necessary.
This notice must inform parents:
- That your website or online service actually collected their online contact information for the purpose of obtaining their consent
- That your website or online service wants to collect personal information from their child
- That parental consent is required for the collection, use, and disclosure of their child's personal information
- The specific personal information your website or online service wants to collect and how it may be disclosed to third parties
- How the parent may consent
- That if the parent doesn't consent within a reasonable time, your website or online service will delete the parent's online contact information from its records
Here is how Mattel discloses information about direct notice and verifiable consent in its Children's Privacy Statement:
Obtain Parents' Verifiable Consent
Providing parents with notice that your website or online service is collecting their child's personal information is not enough. Parents must also give their verifiable consent.
It's important that you use reasonable methods to make sure you're communicating with the child's actual parent and not his or her friend or older sibling. These reasonable methods include requiring a parent to:
- Sign a consent form and return it by mail, electronic scan, or even fax
- Use an online payment process such as a credit or debit card that provides notification of each transaction to the account holder
- Connect to trained staff through a toll-free phone number or video conference
- Provide a copy of a form of government issued identification that may be corroborated using a database (this copy of identification must be deleted from your site or service's records after the verification process is completed)
- Answer knowledge-based challenge questions that would be difficult for someone other than the parent to answer
- Verify a picture, using facial recognition technology, of a driver's license or other photo ID submitted by the parent by comparison to another photo already submitted by the parent
Recognize Parents' Ongoing Rights
Once you receive and verify a parent's consent, your duties regarding your site or online service's database of personal information do not end. Parents' rights are ongoing, which means that you have continuing responsibilities.
Here's how Nickelodeon describes parents' rights and how they can exercise them on its website in a simple, easy-to-follow way:
Protect Children's Personal Information
Your internet business enterprise must institute a system that manages and protects the personal information that you have collected from children.
COPPA requires the operator of a website or online service "to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children."
Exceptions to COPPA
There are some limited exceptions to the requirement that you must obtain a parent's verifiable consent before collecting personal information from their child. The type of information you may collect under each of these exceptions is narrow.
Any information collected under an exception can't be used or disclosed for any other purpose.
The following is that part of Mattel's Children's Privacy Statement that explains when an email address may be collected from a child without parental consent:
Summary
If you run an internet business that targets children under the age of 13, you must comply with COPPA. This means that you must:
- Give parents direct notice and obtain their verifiable consent before collecting, using, or disclosing their child's personal information.
- Grant and enforce parents' ongoing rights related to the use, collection and disclosure of their child's personal information. You must give parents the right to refuse to further allow the use or maintenance of their child's information. You must also provide, upon a parent's request, a description of the information actually collected from their child.
- Take reasonable actions to protect all personal information.