In response to concerns in the 1990s about how websites collected and protected personal data and to ensure the privacy of users - particularly children - Congress enacted The Children's Online Privacy Protection Act (COPPA) in 1998.

The primary goal of COPPA is to place parents in control of the information that websites or other online services collect online from children under the age of 13.

COPPA specifies the responsibilities of internet-based services in protecting children's privacy and safety online. It provides that a commercial website or online service targeting children under 13 must have a Privacy Policy and, more importantly, specifies what must be included in this policy.

The Act also lists those circumstances which require a site or service to give direct notice to parents and seek their verifiable consent whenever a site or service collects, uses, or discloses their child's personal information.

An operator of a website or online service directed to children, or any operator that actually knows it is collecting personal information from a child, may not collect personal information from a child in any way that violates COPPA.

The Act's definition of a "website or online service directed to children" means just about any internet service that markets products or services to children:

  • A commercial website or online service that is targeted to children, or
  • That portion of a commercial website or online service that is targeted to children

What Was Congress Thinking?

In 1998, the FTC surveyed over 1,400 websites, 212 of which were commercial websites that targeted children and 89% of which were sites that collected personal information from children.

The results of the survey revealed that only 24% posted privacy policies and only 1% required parental consent for how children's personal data was gathered and managed.

Because of these findings, the FTC urged Congress to pass legislation protecting children's online privacy. Congress responded and passed COPPA in 1998, effective April 21, 2000. At the time, Congress believed that the Act would be flexible enough to accommodate diverse business methods and technological change.

However, not unexpectedly, Congress amended COPPA in 2013 to account for children's increased use of mobile devices and social networking. As a result, it expanded the definition of children's personal information to include persistent identifiers such as cookies, geolocation information, and files that contain an audio recording, video, or photo.

Who Does COPPA Affect?

COPPA applies to any person who operates a website or online service for commercial purposes, including any person offering products or services for sale through that website or online service, that collects personal information online from a child under 13.

In determining whether a website or online service is "directed" to children, the FTC considers any reliable evidence about the age of the website or service's actual or targeted audience.

You must comply with COPPA if your commercial web enterprise is directed to:

  • Children under the age of 13 and you collect personal information from them
  • Children under the age of 13 and you let others collect personal information from them
  • A general audience, but you have actual knowledge that you collect personal information from children under the age of 13.

The following are some examples of internet-based services covered by COPPA:

  • Social networking apps
  • Network-connected games
  • Advertising networks and apps that generate behaviorally-targeted content
  • Mobile apps that send or receive information online
  • Internet-enabled location-based services
  • Plug-ins
  • Voice-over internet protocol services
  • Connected toys or other similar devices

What Does COPPA Consider "Personal Information"?

If your web-based site or service is collecting any of the following information, especially if used as online contact information like an email address or other identifier that permits someone to contact a person directly, it is considered "personal information" under COPPA:

  • First and last name
  • Home or other physical address including street name and name of a city or town
  • Telephone number
  • Social Security number
  • Online contact information, including a screen name or user name where it functions as online contact information
  • A persistent identifier that may be used to recognize a user over time and across different sites, such as an IP address or unique device identifier
  • Geolocation information allowing the name of the child's street, city or town to be identified
  • A photograph, video, or audio file containing the image or voice of a child
  • Other child- or parent-related information collected from the child that is combined with any of the above identifiers
  • Any other identifier that the Federal Trade Commission determines allows a specific individual to be contacted in person or online

What Does COPPA Consider "Collecting" Personal Information?

As the owner of a website or other online service, COPPA considers you to be collecting information if you:

  • Request, prompt, or encourage the submission of information, even if optional,
  • Allow information to be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records, or
  • Passively track a child online

Complying With COPPA

Now that you know you must comply with COPPA if you own or operate a website or online service that markets its products and/or services to children, how do you comply?

As a business owner, you have to protect your brand and investment. If you don't meet all of the legal requirements to comply, your business faces costly civil penalties and bad publicity because you're not protecting young users of your site or service.

If you're unsure about whether COPPA applies to you, for whatever reason, it may simply be a wise decision to take all of the necessary steps to ensure that your website or online service is COPPA-compliant.

To comply with COPPA, you must:

  • Create and post a Privacy Policy on your website
  • Give parents direct notice when you collect personal information from their child
  • Obtain parents' verifiable consent to collecting personal information from their child
  • Recognize parents' ongoing rights related to their child's personal information
  • Protect children's personal information

When a site or service offers a child some type of activity, it may only request the child's personal information that is necessary to engage in the activity. COPPA specifically prohibits any site or service from conditioning a child's participation in a game or offering a child a prize based on the disclosure of more personal information than is reasonably necessary for the child's participation.

Create and Post a Privacy Policy

Once you've determined that you must comply with COPPA, or have simply decided to, create a Privacy Policy that is extensive, yet easy to understand.

Your Privacy Policy must inform parents that their child will only be asked to disclose personal information that is absolutely necessary to participate in the online activity. It must also inform parents that they have important rights.

COPPA requires that a Privacy Policy contains the following details stated completely, clearly and concisely:

  • The personal information actually collected from children by your website or online service
  • How your business uses any personal information collected from children
  • Your disclosure practices including a list of third parties to which you disclose personal information collected from children and how these third parties use this information
  • Parental rights related to the collection, use, and disclosure of a child's personal information
  • Notice of the procedures parents must follow to exercise their rights

Your Privacy Policy must disclose any third parties that are affiliated in any way with your website or online service that collect and store, through your business, personal information collected from children.

Nickelodeon includes a brief, to the point synopsis of its Privacy Policy at the beginning that addresses each of these points in a simple way. Here's an excerpt of the summary:

Nickelodeon Privacy Policy: excerpt of Summary section

Links are added to the end of each summarized point. There's also a Quick Links section right after the Summary that links to more detailed information with descriptive titles for each link:

Nickelodeon Privacy Policy: excerpt of Quick Links section

The Walt Disney Company's Privacy Policy features pull-down menus that help organize the content and make it easy to find specific information:

Walt Disney Company Privacy Policy: Excerpt of menu

The Walt Disney Company displays its badge of COPPA safe harbor certification on the home page of its Children's Privacy Policy:

Walt Disney Company Children's Privacy Policy: Introduction section with COPPA Safe Harbor Certification

Mattel's Privacy Statement page includes links to all of the relevant sections of its Privacy Policy, as well as a distinctive highlighted box with the boldface heading "Children's Privacy" and the link to its Children's Privacy Statement:

Mattel Privacy Statement with Children's Privacy link

No one, including children, should have any difficulty finding the link to your Privacy Policy. It should stand out on any page because of distinctive characteristics such as a larger font, different color or contrasting background.

Give Parents Direct Notice

COPPA contains exceptions that allow collecting some personal information from children without parental consent. Nonetheless, obtaining parents' consent to collecting, using, and disclosing their child's online personal information is the cornerstone of the FTC policy of giving parents control over their kids' online personal information.

For parents to consent, they must have notice.

Before you collect any information from children, your website or online service must inform parents of your procedures and practices in collecting information from children. The notice must be clear and its contents must be simply stated. Include only what's necessary.

This notice must inform parents:

  • That your website or online service actually collected their online contact information for the purpose of obtaining their consent
  • That your website or online service wants to collect personal information from their child
  • That parental consent is required for the collection, use, and disclosure of their child's personal information
  • The specific personal information your website or online service wants to collect and how it may be disclosed to third parties
  • A link to the privacy policy of your website or online service
  • How the parent may consent
  • That if the parent doesn't consent within a reasonable time, your website or online service will delete the parent's online contact information from its records

Here is how Mattel discloses information about direct notice and verifiable consent in its Children's Privacy Statement:

Mattel Children's Privacy Statement: Excerpt of clause about direct notice and parental consent

Providing parents with notice that your website or online service is collecting their child's personal information is not enough. Parents must also give their verifiable consent.

It's important that you use reasonable methods to make sure you're communicating with the child's actual parent and not his or her friend or older sibling. These reasonable methods include requiring a parent to:

  • Sign a consent form and return it by mail, electronic scan, or even fax
  • Use an online payment process such as a credit or debit card that provides notification of each transaction to the account holder
  • Connect to trained staff through a toll-free phone number or video conference
  • Provide a copy of a form of government issued identification that may be corroborated using a database (this copy of identification must be deleted from your site or service's records after the verification process is completed)
  • Answer knowledge-based challenge questions that would be difficult for someone other than the parent to answer
  • Verify a picture, using facial recognition technology, of a driver's license or other photo ID submitted by the parent by comparison to another photo already submitted by the parent

The Walt Disney Company informs parents about its methods for obtaining verifiable parental consent in a clause in its Children's Privacy Policy:

Walt Disney Company Children's Privacy Policy: Verifiable Parental Consent clause excerpt

Recognize Parents' Ongoing Rights

Once you receive and verify a parent's consent, your duties regarding your site or online service's database of personal information do not end. Parents' rights are ongoing, which means that you have continuing responsibilities.

Of course, you must inform parents in your Privacy Policy that they may review their child's personal information at any time. Parents must be given the right to request that you delete a child's information, as well as refuse any further collection or use of it. Parents must also be given the right to disallow disclosure of their child's personal information to third parties.

The Walt Disney Company allows parents to access, change or delete their child's personal information in a number of different ways and discloses them in a Privacy Policy section titled "Parental Choices and Controls":

Walt Disney Company Children's Privacy Policy: Parental Choices and Controls clause excerpt

Here's how Nickelodeon describes parents' rights and how they can exercise them on its website in a simple, easy-to-follow way:

Nickelodeon Privacy Policy: Reviewing Your Information - Parental rights clause

Protect Children's Personal Information

Your internet business enterprise must institute a system that manages and protects the personal information that you have collected from children.

COPPA requires the operator of a website or online service "to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children."

Exceptions to COPPA

There are some limited exceptions to the requirement that you must obtain a parent's verifiable consent before collecting personal information from their child. The type of information you may collect under each of these exceptions is narrow.

Any information collected under an exception can't be used or disclosed for any other purpose.

The following is that part of Mattel's Children's Privacy Statement that explains when an email address may be collected from a child without parental consent:

Mattel Children's Privacy Statement: Information collected without consent clause

Summary

If you run an internet business that targets children under the age of 13, you must comply with COPPA. This means that you must:

  • Formulate a Privacy Policy that meets COPPA requirements. A Privacy Policy must provide notice on your website or service of what information you collect from children, how you use it, and your disclosure practices for this information.
  • Give parents direct notice and obtain their verifiable consent before collecting, using, or disclosing their child's personal information.
  • Grant and enforce parents' ongoing rights related to the use, collection and disclosure of their child's personal information. You must give parents the right to refuse to further allow the use or maintenance of their child's information. You must also provide, upon a parent's request, a description of the information actually collected from their child.
  • Take reasonable actions to protect all personal information.

Once you've devised a comprehensive Privacy Policy, post it in a highly visible place, linking to it on your homepage and anywhere else online where you collect personal information from children. If your site or online service is targeted to both adults and children, with a special section for children, post the link to your Privacy Policy on this homepage as well.