Children's Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act of 1998 (COPPA) is a law that protects children’s personal information. It was created to protect children from websites that try to collect information about them.  

The law requires that websites and other services that may collect information about children under 13 years of age get permission from their parents first.   

The law also requires that the websites and services tell parents how they collect and use that information.   

The law applies to all websites and other services that collect information from children under 13 years of age, no matter where they are located.   

COPPA’s Goals  

The Rule was made to protect children and teens when they’re online. It was made to stop websites and apps from collecting your information and tracking you on the internet. Your parents have to agree to this and say it’s okay for you to be tracked.   

How has COPPA changed since it was first enacted? 

In 2011, the Federal Trade Commission added new rules to the Children’s Online Privacy Protection Act. The new rules said that developers must delete children’s personal information every time they achieve their original purpose for collecting that information.    

They also said that developers must ensure that the information they collect about children cannot be used for anything other than the original purpose.  

For example, if you collect a child’s age to provide age-appropriate content, you must delete that information when the purpose is served.   

In 2022, the FTC voted unanimously to release a new COPPA policy statement with some significant amendments. Their comprehensive proposal covers platform liability, tags and virtual influencers, and even fake reviews.   

Most notably, they are taking a look at limitations.   

This means that all businesses who collect the data of minors, even lawfully, must only keep it for the bare minimum amount of time that is necessary. The FTC has stated that they will specifically be looking into EdTech companies, including schools, for keeping children’s data longer than was needed.   

New data privacy laws like the Virginia Consumer Data Protection Act (VCDPA) and the California Privacy Rights Act (CPRA) take COPPA very seriously. These states have written some of the principles of COPPA into their bills, making it impossible for businesses to stay in compliance if they do not follow the necessary steps to ensure children’s data privacy rights are honored. In fact, some of their rules are even more strict than COPPA itself!   

Is COPPA affecting you?  

COPPA applies to anyone who runs a website or online service directed at children and collects, uses, or discloses personally identifiable details from children.  

COPPA also applies to general websites and online services that collect information from anyone less than 13 years of age. In some cases, it also applies to children between the ages of 13 and 16 – but the rules are less strict.  

If a child is under 13 years old and you collect, use, or disclose personally identifiable details from that child, you must remove those details as soon as you find out the child is under 13 years old.    

You also must do your due diligence to ensure that children under 13 are not accessing your website without explicit parental consent. How would you know if someone puts in a false date of birth? Well, this is where compliance by design comes in handy. By making the process simple and inviting, you’ll encourage the correct information to be shared and parental/guardian consent is easily gathered.   

How does COPPA work?  

COPPA is a law that protects children’s privacy. It applies to any business globally that collects information from children under 13 who live in the United States. The law applies to many different information and services, so it’s important to know exactly how it applies.     

Requirements For Business Owners and Operators of Websites    

The FTC looks at many things when it decides if a business targets children. Some of the questions they ask include:    

• What are the advertisement models’ ages?  

• Does your site provide audio and visual content geared towards young children?  

• Do you use animated or cartoon characters? 

• Do you use celebrities or child celebrities who are popular with children? This includes influencers, gamer tags, and more.  

• Will that age group will be drawn to the business’ subject matter? 

If your website is for kids under 13 or you have a website that kids under 13 might use, you need to follow the Children’s Online Privacy Protection Act rules. This includes things like educational material, pediatric healthcare, games, videos, or other literature that is aimed at young children.   

How does Verifiable Parental Consent work?  

To collect information from children, you need to have the permission of their parent or guardian. You can get permission by asking the parent or guardian to fill out a form.   

You can use the form to ask the parent or guardian if they permit you to collect the information. Below are acceptable methods for obtaining dependable adult’s consent and authenticating their identity:    

• Form of consent signed by the participant  

• Identification with a photograph  

• Making a phone call  

• The questions should be difficult for anyone but the parent to answer  

• Video conferencing  

• A credit or debit card is required when a monetary transaction is conducted   

If you want to collect personal information from parents, you can send them an email and ask for permission. It will help if you put a means for the parent to reply to you in the email. You should put a footnote and link to your privacy policy at the bottom.    

If my website or application doesn’t comply with COPPA, what should I do?  

First, before you become compliant with COPPA regulations, you must stop collecting or processing children’s information until you have their parent’s permission or are deemed compliant by the FTC.    

Second, read your information practices and privacy policy carefully. In doing so, look closely at what you collect, what you do with it, and if it’s necessary for your site or online service.    

If not, make sure parents know exactly how their children’s information is being used and whether there are alternatives to deleting such data altogether.  

This way, parents will truly know what to expect when they sign up or log in to their children using your site or online service.    

Additionally, your privacy policy should be concise and easy to understand. It is considered a violation if you purposefully put tricky or difficult language in your privacy policy in order to fool children (or their parents) into making agreements they cannot possibly understand.     

For COPPA violations, what are the civil and criminal remedies?  

If a company  violates the COPPA guidelines, it can be fined up to $40,654 per incident. We encourage users to report possible violations of the law and make sure that you protect their data from them. In the past, the maximum penalty was $16,000 per violation, but in 2016, that fine was increased to $40,654.     

Therefore, if you have info on minors, like 10 kids on your site and they’re underage, then you need to make sure that you’ve followed COPPA guidelines which are stricter than FTC regulations regarding customers of any age because children under the age of 12 can’t make purchases online at all.     

The fines range from $4 million to 8 million, depending on how many were offended. In most cases, the severity of a business’s violation depends on how much it profited from it.    

Conclusion  

Online privacy is an important matter, especially when it comes to children. COPPA sets forth rules regulating how information can be collected on children under 13 and limiting what advertisers are allowed to do with that information.  

It also prevents vendors and website operators from collecting data by legal loopholes (i.e., hacking or cookie dropping). Vendors must make their privacy policies accessible via easy-to-understand language online before starting any collection efforts.    

In order to stay compliant, it’s important you have an organized, verifiable method of consent. A cookie banner isn’t good enough if your site does specifically market products to children. You’ll need to take the extra steps outlined above to make sure you don’t land in hot water.    

Talk to one of our data privacy experts today to get more information.  

Schedule a Demo