Children’s Online Privacy Protection Act

COPPA⁷ was passed in November 1998 and first went into effect in April 2000. COPPA governs how websites collect information from children under the age of 13. The FTC oversees COPPA compliance and has the power to make rules for COPPA compliance. The FTC rule governing COPPA, called the COPPA Rule, was first drafted in 1999 and most recently revised in 2013. In 2019 the FTC began the process of revising the COPPA Rule because of the fast pace of technology change. However, it may take years before an updated rule is finalized and released.

NOTE

The three conditions for defining obscenity are known as the Miller test.

Websites must follow specific rules under COPPA to collect and use information from children. There are several important definitions in the COPPA Rule:

  • Child—Any person under the age of 13
  • Parent—The legal guardian of a child
  • Operator—A website operator, or operator of an online service, who collects or maintains personal information about users

Purpose of COPPA

The primary purpose of COPPA is to protect children’s privacy on the internet, as well as protect them from age-inappropriate content and online marketing. Websites must follow specific rules if they collect or use a child’s personal information. For example, they must obtain a parent’s consent before doing so. They must also post a privacy policy explaining their practices.

Personal information includes:

  • A child’s first and last name
  • A child’s email address or other online contact information such as an Instant Messaging username or voice over Internet Protocol (VOIP) identifier
  • A child’s screen name or username
  • A child’s physical address, such as his or her home address
  • A child’s telephone number
  • A child’s Social Security number (SSN)
  • Photographs, video, or audio files that contain a child’s image or voice
  • Geolocation data that identifies a physical address
  • Any persistent identifier, such as an internet cookie or Internet Protocol (IP) address, that is used to recognize a user over time and across different websites
  • Any other information concerning a child or the child’s parents that a website operator collects from a child and combines with any other data about a child⁸

Any personal information that is collected must be protected. This means that the website operator must protect the confidentiality, security, and integrity of this data. Website operators must ensure the information is not made publicly available to others. This includes making sure it is not displayed on a home page of a website, on a message board, or in a chatroom. The law allows website operators to share this kind of data only for specific reasons. However, when website operators share this information, they must share it only with third parties who can properly protect it.⁹

NOTE

COPPA is not the same as the Child Online Protection Act (COPA). COPA was enacted in 1998 to protect minors from access to harmful material on the internet. However, courts ruled that COPA violated free speech and the law never went into effect. The Children’s Internet Protection Act (CIPA) is similar to what COPA attempted to accomplish and is discussed later in this chapter.

Scope of the Regulation

COPPA applies to anyone operating online services that collect or use information about children under the age of 13. This includes situations where the website operator directly collects the information, as well as situations where the website operator lets third parties collect the information. Even general-audience websites might have to follow the COPPA Rule. If operators of general-audience sites know they are collecting data from children, then they must comply with COPPA. For example, an operator might know that its site is collecting data from children if it asks users to share their birth date. An operator that collects demographic data such as school attendance and grade completion might also know that children are using its website. Website operators are also required to protect the security of any information that they do properly collect from children.

The definition of website or online service is broad. In addition to websites, it also includes:

  • Mobile apps
  • Internet gaming platforms
  • Advertising networks
  • Connected toys and other internet-connected devices
  • Internet-enabled location services¹⁰

Main Requirements

COPPA has two main requirements that websites must meet in order to comply. Operators must:

  • Post a privacy policy
  • Get verifiable parental consent before collecting information from children

Privacy Policy

Under COPPA, websites must post a privacy policy.¹¹ The privacy policy states the kind of information the site collects about children. It also states how the site will use the information. The COPPA Rule tells operators the terms that must be included in the privacy policy.

COPPA requires that a website privacy policy be easily visible and accessible. The rule requires that a link to the privacy policy be included on the home page of the website. The rule also requires that the link be posted on every area of the website where a child’s personal information is collected.¹² A COPPA-compliant privacy policy must be accessible from a clear and prominent link. This means the link needs to stand out and be noticeable to users of the website. A website designer can achieve this in a variety of ways. For example, the designer can use different type sizes, fonts, colors, or contrasting backgrounds to highlight the link. In addition, the privacy policy must be clearly labeled to indicate it is a privacy policy. The most common label is “Privacy Policy.” Other examples of clear labels are “Privacy Statement” and “Information Practices Statement.”

NOTE

COPPA does not specifically use the phrase “privacy policy.” It requires website operators to provide a notice on their websites that identifies the collected information. However, the FTC’s COPPA Rule calls this notice a “privacy policy.”

Privacy Policy Content

The privacy policy needs to contain specific information to be COPPA-compliant. For example, it must be clearly written and easy to read. The format is not as important as the content. At a minimum, the policy must contain:

  • Operator contact information—This includes the name, mailing address, telephone number, and email address of all operators collecting or using the information collected on the website. If several operators are collecting information, the policy can list the contact details for only one operator under two conditions. First, the names of all operators must be listed in the privacy policy or in a link accessible from that policy. Second, the listed operator must respond to all questions about the policy. It also must answer questions about how data is collected and used on the site.
  • Notice of what information is collected—The policy must be specific. A generic term such as “contact information” is not acceptable. Instead, the policy should specify the child’s name, address, telephone number, gender, age, and email address.
  • Notice of how information is collected—A website can collect information actively or passively. A user entering information into a form is active collection. In contrast, a web cookie that collects personal information is passive collection. The privacy policy must clearly state how information is collected.
  • Notice of how the information will be used—Websites must state how the information will be used. It must be specific. For example, a website could collect email addresses for newsletter subscriptions. It could collect mailing addresses for prizes. It could also collect the information for sales and marketing purposes. Each use must be clearly stated.
  • Notice of whether the information is disclosed to third parties—The website must also state whether collected information is shared with a third party. These are any entities that are not the operator of the website. Third parties also include entities that do not provide internal support for the website. Parents may refuse to share the collected data with third parties.
  • Assurance that participation is not conditioned on data collection—That is, a website cannot require children to submit contact details in order to be allowed to use the site. Websites are not allowed to collect more information than necessary for a child to participate in an activity. This prevents the website from collecting too much information about a child. For example, a website may collect an email address for an online newsletter subscription. Collecting a physical mailing address for an online newsletter is not reasonable. The privacy policy should clearly state that a website will not condition participation on information collection.
  • Parental rights—The policy must state that a parent can review information collected on his or her child. Parents can also tell the website to delete any data it has collected, as well as refuse further data collection. They can also refuse to allow the website to share collected information with third parties.

Gaining Parental Consent

COPPA has specific rules about getting parental consent. This consent is required if a website wants to use and collect data from a child. Website operators must take reasonable steps to make sure that a parent receives direct notice of the operator’s data collection practices. This notice must include:

  • That the operator has collected the parent’s online contact information from the child in order to obtain parental consent
  • That the parent’s consent is required to collect, use, or disclose the child’s information. The notice must state that the operator will not collect, use, or disclose the child’s information without parental consent
  • The specific items of data that the website operator wants to collect from the child
  • A link to the website privacy policy
  • How the parent can give verifiable consent to the collection, use, and disclosure of the child’s information
  • That if the parent does not provide consent within a reasonable time, the operator will delete the parent’s online contact information from its records¹³

Under COPPA, parental consent must be verifiable. Only a parent can give consent. A website operator must verify the identity of the parents that it contacts. This becomes especially important if the parent requests to see the information held about his or her child. Website operators must have measures in place to prevent the information from being released to the wrong party.¹⁴

Parents have other rights under the COPPA Rule. The website must re-notify parents whenever it changes its data collection and use procedures. Parents must be allowed to review information collected from their children. They also must be allowed to revoke their consent. If a parent revokes his or her consent, website operators must stop collecting, using, or disclosing that data immediately. Parents also can request that a website operator delete data held on their children. Website operators must make parents aware of how to exercise these additional rights.

NOTE

There are many websites directed toward children. Next time you visit one of them, see if you can find the website’s privacy policy. Is it easy to find? Does it contain the terms discussed in this section?

Consent is not required at all in some instances. Websites do not need parental consent if they are collecting an email address to respond to a one-time request from a child. Nor do they need consent to provide the initial notice to the parent. Consent is also not required to collect a child’s name and online contact information to protect the security of the website.

In some instances, upfront consent is not required. In these special circumstances, the website must still later tell parents that it collected data. For example, a website can collect a child’s name, parent’s name, and online contact information in order to protect a child’s safety. If a website collects this information, it must later tell parents that it collected the information and it must not use this information for any other purpose.¹⁵

Verifying Parental Consent

A website operator can use one of several methods to verify a person is a parent of a child and get consent for data collection. These include:

  • Sending signed printed forms—These may be sent via mail, fax, or email. An electronic scan of a signed consent form is permissible.
  • Providing government-issued identification—Parents can provide copies of government-issued ID that can then be checked against a database. In this situation, website operators must delete the identification record once the verification process is completed.
  • Using credit cards or other online payment forms—The credit card or online payment mechanism can verify details about the parent.
  • Using toll-free numbers—Parents can call and provide details to verify their identities.
  • Using video conference—Parents can connect via video conference to trained personnel in order to provide details to verify their identities.
  • Answering knowledge-based questions—Parents can answer a series of challenge questions that would be difficult for a child to answer.

Some operators suggest that these methods are too costly to be practical. Therefore, many websites try to avoid the law. They do not collect information on children, and their privacy statement reflects this. Users are required to indicate they are at least 13 years old before information is collected. They might do this by entering their age on a website form or checking a box indicating they are at least 13 years old. However, it is possible for children to easily overcome these types of controls.

Oversight

The FTC provides oversight for COPPA. The FTC investigates complaints of websites that violate COPPA. It can also bring enforcement actions and impose civil penalties for COPPA violations. The FTC provides many tools to help website operators comply with the law.

NOTE

The FTC summarizes the COPPA Rule at http://www.business.ftc.gov/privacy-and-security/childrens-privacy.
