Children’s Online Privacy Protection Act

Like CIPA, the Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law designed to protect children. COPPA is maintained and enforced by the FTC. COPPA requires websites and other online services aimed at children less than 13 years of age to comply with specific requirements of the law.

In 2013, the FTC implemented new provisions that provide additional protections to keep pace with the changes in technology. The FTC also introduced a six-step plan to understand if an organization is required to comply with COPPA, and if so, how to be compliant. The six steps are as follows:

  1. Determine if your company is a website or online service that collects personal information from children under 13.

  2. Post a privacy policy that complies with COPPA.

  3. Notify parents directly before collecting personal information from their children.

  4. Get parents’ verifiable consent before collecting information from their children.

  5. Honor parents’ ongoing rights with respect to information collected from their children.

  6. Implement exceptions to COPPA’s verifiable parental consent requirement.

With Step 1, an organization will likely need to consult the law to understand precisely how terms are defined. For example, what does it mean to collect, or what exactly is considered personal information? Online services are obliged to comply with COPPA if they ask for information that would even imply a child is less than 13 years of age—for example, “Do you now attend elementary school?”

After it is determined that COPPA applies, the next step requires the creation of a privacy policy. COPPA requires that the privacy policy list all operators who are collecting information. In addition, it must list an operator who will respond to any and all queries from parents. Next, the privacy policy must contain a complete description of the personal information that is collected and for what purposes. Finally, the policy must state the rights afforded to parents. For example, this must include a notice that parents have the right to review the information collected on their child and even provide direction that the collected data be deleted.

Except under limited classes of information, COPPA requires that parents be notified before data is collected from their children. The rule provides for very specific requirements that must be met with regard to such notice. Once notification requirements are met in Step 3, Step 4 requires verifiable consent. While the means of providing such consent is left up to the requesting organization, the rule does provide several examples of acceptable methods. One simple example is a signed consent form via fax, mail, or electronic scan. Another is the entry of a credit or debit card number when coupled with a financial transaction.

The final two steps impose continuing obligations on the entity complying with COPPA. With Step 5, parents may ask to review, revoke, or delete the child’s information at any time. Such requests must be honored by the complying organization. At the same time, the organization must take necessary precautions, such as taking reasonable measures to ensure that parents are in fact who they say they are. The final step provides rules around the need to protect the confidentiality and integrity of the information collected as well as ensure that adequate retention and disposal practices are maintained.
