Skip to main content

The Children’s Online Privacy Protection Act (COPPA)

Congress passed the Children’s Privacy Protection Act (COPPA) in 1998. The law, which took effect in 2000, directs the Federal Trade Commission (FTC) to create and enforce regulations having to do with the online privacy of children. In December of 2012, the FTC made some changes to the COPPA rules, which went into effect on July 1, 2013.

Who does COPPA apply to?
COPPA applies to the operators of websites and online services that are:

  • Directed at children under the age of 13 and collect personal information from the visitor.
  • Directed at a general audience when the operator has “actual knowledge” that the personal information from a child under the age of 13 has been collected.

It is important to point out that COPPA also applies to operators when they have “actual knowledge” they are collecting personal information from users of another site or online service directed to kids under 13, which means, in certain circumstances, COPPA may apply to advertising networks, plug-ins, and other third parties.

What is the definition of “personal information?”
COPPA’s definition of personal information is individually identifiable information about an individual collected online, including:

  • a first and last name;
  • a home or other physical address including street name and name of a city or town;
  • an e-mail address;
  • a telephone number;
  • a Social Security number;
  • any other identifier that the Commission determines permits the physical or online contacting of a specific individual;
  • information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.

The amended rule significantly broadened and strengthened COPPA to better reflect evolving technology and changes in the way children use and access the internet, including increased usage of smartphones and mobile devices.

COPPA’s definition of “personal information” is broad. It includes a child’s name, home or email address, telephone number, social security number, geolocation data, photos, videos, or audio of a child, any unique device identifier, or an IP address.

What must an operator do to be COPPA compliant?
Since the revisions to COPPA, some of the regulations have been altered. Below are the mandates an operator must follow to be COPPA compliant:

  • Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
  • Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
  • Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  • Provide parents access to their child’s personal information to review and/or have the information deleted;
  • Give parents the opportunity to prevent further use or online collection of a child’s personal information;
  • Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  • Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

Because COPPA is very complex, the FTC has issued a guide, which can be found at: https://business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions.

To read more about the recent changes to COPPA, go to: https://business.ftc.gov/blog/2012/12/ftcs-revised-coppa-rule-five-need-know-changes-your-business.

Don’t Confuse COPPA With The Now-Defunct Child Online Protection Act

Passed by Congress is 1998, the Child Online Protection Act (COPA) aimed to stop Internet access to material vaguely characterized as harmful to minors. However, since it was signed, the law has been challenged in court on numerous occasions. On January 21, 2009, COPA was struck down when the United States Supreme Court upheld a lower court ruling that the law was unconstitutional.

Selected Privacy Rights Clearinghouse Resources On Child Privacy

  • The GetNetWise website is a comprehensive resource for parents, sponsored by Internet industry companies and public interest organizations. It also provides a useful glossary of online terms.
  • The National Conference of State Legislatures lists cyber-stalking laws.
  • The National Center for Missing and Exploited Children offers its guide in paper form and online: Child Safety on the Information Highway.
  •  The SafeKids website is a service of syndicated newspaper columnist Larry Magid.
  • www.wiredsafety.org offers a variety of resources for parents, children and law enforcement.