
COPPA Compliance Checklist: Children’s Online Privacy Protection Act

Children are a fast-growing online population and a significant data privacy concern because they cannot give legal consent to the use of their data. This is why COPPA enforces strict consent requirements before personal information may be collected from them.

Consequently, lawmakers have developed or introduced regulations to safeguard young people from potential abuse and privacy violations. The European Union’s General Data Protection Regulation (GDPR) also includes specific provisions for children’s data protection.

The Children’s Online Privacy Protection Act (COPPA), however, is designed specifically to protect the privacy of underage users online.

What is COPPA?

COPPA is a U.S. federal privacy law enforced by the Federal Trade Commission (FTC). It imposes rules on the collection of personal information from children under 13 years of age by online and digital services such as websites, ads, and apps.

The Privacy Protection Act of 1998 includes COPPA as a significant component of consumer protection. Initially, COPPA focused on basic information collected online by websites targeting children. However, as technology advanced, COPPA was amended in 2013 to include newer forms of data and technologies such as geolocation, photos, videos, mobile apps, and social networks, thereby broadening and strengthening the protection of the online privacy of children.

Who Needs to Comply With COPPA?

Any online business, online activity, or marketing campaign that collects data online and is directed to children under 13 is subject to COPPA guidelines. This includes child-directed sites, mixed-audience platforms that knowingly attract children, and services using third-party tools like ads or analytics. If your content, features, or promotions are likely to appeal to children, you may be required to comply with the law.

Key Provisions of COPPA

The law imposes certain requirements on operators of websites and online services directed to children, as well as on operators of other websites or online services that knowingly collect personal information from children. Here are its key provisions.

Verifiable Parental Consent

Operators must obtain parental consent before collecting, using, or disclosing personal information online from a child. This means that before any data collection can occur, operators need to take specific steps to ensure that they have received permission from a child’s parent or guardian.

The consent must be verifiable: the operator needs demonstrable evidence that the parent expressly approved the collection. Methods include sending consent forms to parents, requiring a credit card transaction for verification, or using government-issued identification to confirm the identity of the parent.

This process ensures that parents are aware of and agree to the collection and use of their child’s personal information, thereby protecting children’s privacy and giving parents control over their child’s online presence.

Privacy Policy

Websites and online services must post a clear and comprehensive COPPA privacy policy detailing their information practices for children’s personal data. This policy should be easily accessible and written in plain language that parents and children can understand. It should outline what personal information is collected, how it is used, who it is shared with, and how parents can control the collection and use of their child’s information.

By providing this transparency, operators help parents make informed decisions about whether to allow their children to use a particular service or website.

Data Collection Restrictions

Collecting information from children under the age of 13 should be limited to what is reasonably necessary for participation in the website or service. This means operators should only collect the minimum amount of data needed to provide the service or feature that a child is using.

For example, if a game requires a username and password to play, the operator should not request additional details such as home address or social security number. This limitation helps protect children’s privacy by reducing the amount of their personal information that is exposed.

Right to Review and Delete

Parents can access their child’s collected personal information and request its removal. This right allows parents to see what data is collected about their child and to take action if they are not comfortable with it being stored or used.

This ensures that parents have control over their child’s digital footprint and can protect their child’s privacy by managing their personal information.

Security Measures

Online services that collect personal data from children must implement reasonable procedures to protect the integrity, privacy, and security of the personal information they collect. They must have technical, administrative, and physical safeguards to prevent unauthorized access, disclosure, or misuse of the data.

Examples include encryption, secure servers, access controls, and regular security audits. With robust security measures in place, operators can protect children’s personal information from data breaches, identity theft, and other cyber threats and comply with COPPA.


How to Comply with COPPA Rules: COPPA Compliance Checklist

Data collection from children under 13 isn’t prohibited, but organizations must follow specific COPPA procedures to ensure compliance. As stated by the FTC, “The law requires the operators of sites or online services directed at children under 13 to obtain ‘verifiable parental consent’ before collecting data, with exceptions for activities that support ‘internal operations,’ such as frequency capping, contextual advertising, site analysis, and network communications.”

The federal law clearly states businesses’ responsibilities when protecting children’s online data privacy. Here are some suggested standards from the FTC to help with COPPA compliance:

  • COPPA defines “personal information” as any information that can be used to identify a person, such as a name, address, email address, phone number, or Social Security number.
  • COPPA applies to information collected from children through websites, apps, and other online services. It includes any website or online service that knowingly collects personal information from children, including social networks, online gaming sites, websites that focus on topics of interest to children, and even websites that contain advertising directed at children.
  • Any website, app, microsite, section of a website, or other online service that appeals to children is considered child-directed.
  • COPPA requires that businesses must display privacy policies to state how personal information is used.
  • Organizations must seek verifiable consent from parents before collecting any personal information. Additionally, parents should be able to review their children’s personal information. That means full access to profiles, records, and login information upon request.
  • Retain personal information only as long as it fulfills the purpose for which it was originally collected, then discard it to protect the child’s rights and safety.

Use this checklist to ensure your organization meets COPPA requirements:

1. Determine Applicability

The first step is to assess whether your website, app, or online service is directed at children under 13, or whether it is likely to attract children even if it is not specifically marketed to them. This extends to third-party content on your site too: are there any ads, games, or videos that may appeal to minors?

2. Identify Personal Information

Following COPPA’s definition of the term, do you have any “personal information” on your platform? Remember, this doesn’t just include obvious things like names and contact details, but also extends to identifiers like geolocation data, cookies, device IDs, and also any photos, videos, or audio content that feature a child’s image or voice. You need to have a thorough idea of which of this data is being collected directly by you, and also indirectly via third-party integrations.

3. Create and Display a Clear Privacy Policy

To be transparent, you must have a clear and easily accessible privacy policy, which states what personal information you collect, how it’s used, and where it’s shared with any third parties. If your service is child-directed, consider presenting it in plain, age-appropriate language as well.

4. Obtain Verifiable Parental Consent

Before collecting personal data, organizations must secure verifiable consent from parents. Approved methods include:

  • Signed consent form
  • Credit/debit card usage and confirmation
  • Telephone or video call
  • ID checks with facial recognition matching
  • Knowledge-based challenge questions

Once granted, parents must also have the ability to review, modify, or delete their child’s data at any time.

5. Data Minimization

While limiting data collection and retention matters under any data privacy law, it is particularly imperative for COPPA compliance. Collect only the information necessary for the service you’re offering and no more. Data shouldn’t be collected for any unrelated purposes (such as behavioral advertising), and once necessary data has served its purpose, securely discard it promptly to reduce the risk of its misuse.

6. Provide Parental Rights and Access

Parents are entitled to know exactly what information has been collected from their children. This means providing access to accounts, profiles, and records upon request. Organizations must also give parents the option to withdraw consent and request permanent deletion of their child’s information.

7. Monitor Third-Party Partners

As mentioned, COPPA compliance goes beyond merely your own activities. If you use external services (such as advertisers, analytics providers, or plugins), you remain responsible for ensuring they comply too. Vet your partners thoroughly, include compliance obligations in contracts, and conduct regular audits to confirm that third-party data practices meet COPPA standards.

8. Implement Robust Security Measures

Children’s data must be protected with strong security protocols, as robust technical and organizational safeguards reduce the risk of data breaches. For example, encrypt sensitive information, restrict access to authorized personnel only, and train staff on their data protection responsibilities.
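As an added illustration of how the checklist above translates into code (this is not BigID’s software and not part of the original article), the following Python module is a small in-memory store that enforces the consent gate for under-13 users, a field allowlist for data minimization, parental review and deletion, and a retention purge. The allowlist, the consent-method identifiers, the user, the parent contact address, and the timestamps are all constructed for the example; a real service would persist consent records durably and audit every access.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

# Constructed for the example: the only fields the hypothetical game needs in order to run,
# and the consent methods the checklist above lists (the identifier strings are our own).
COLLECTABLE_FIELDS = frozenset({"username", "display_name", "avatar_id"})
VERIFIABLE_METHODS = frozenset({"signed_form", "card_confirmation", "phone_or_video_call",
                                "id_with_face_match", "knowledge_based_questions"})

class ConsentRequired(Exception):
    """Child data would be stored without active parental consent."""
class FieldNotPermitted(Exception):
    """Caller tried to store a field outside the allowlist (over-collection)."""

@dataclass
class ParentalConsent:
    parent_contact: str
    method: str
    withdrawn_at: datetime | None = None

@dataclass
class UserRecord:
    birth_date: date
    data: dict[str, str] = field(default_factory=dict)
    consent: ParentalConsent | None = None
    collected_at: datetime | None = None

def is_child(birth_date: date, today: date) -> bool:
    """True when the user is under 13 on `today`, counting completed birthdays."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    return today.year - birth_date.year - (0 if had_birthday else 1) < 13

class ChildDataStore:
    def __init__(self) -> None:
        self.records: dict[str, UserRecord] = {}

    def register(self, user_id: str, birth_date: date) -> None:
        self.records[user_id] = UserRecord(birth_date)  # the age screen stores only this

    def record_consent(self, user_id: str, parent_contact: str, method: str) -> None:
        if method not in VERIFIABLE_METHODS:
            raise ValueError(f"{method!r} is not a verifiable consent method")
        self.records[user_id].consent = ParentalConsent(parent_contact, method)

    def collect(self, user_id: str, fields: dict[str, str], now: datetime) -> None:
        rec = self.records[user_id]
        extra = set(fields) - COLLECTABLE_FIELDS  # data minimization: refuse anything not needed
        if extra:
            raise FieldNotPermitted(sorted(extra))
        consent_ok = rec.consent is not None and rec.consent.withdrawn_at is None
        if is_child(rec.birth_date, now.date()) and not consent_ok:
            raise ConsentRequired(user_id)  # the consent gate for under-13 users
        rec.data.update(fields)
        rec.collected_at = now

    def parent_review(self, user_id: str, parent_contact: str) -> dict[str, str]:
        rec = self.records[user_id]  # only the parent who gave consent may review
        if rec.consent is None or rec.consent.parent_contact != parent_contact:
            raise PermissionError(user_id)
        return dict(rec.data)

    def parent_delete(self, user_id: str, parent_contact: str, now: datetime) -> None:
        self.parent_review(user_id, parent_contact)  # same authorization check as review
        rec = self.records[user_id]
        rec.consent.withdrawn_at = now  # withdraw consent, then erase everything collected
        rec.data.clear()
        rec.collected_at = None

    def purge_expired(self, now: datetime, retention: timedelta) -> list[str]:
        purged = []  # discard data that has outlived its purpose; returns purged user ids
        for user_id, rec in self.records.items():
            if rec.collected_at is not None and now - rec.collected_at > retention:
                rec.data.clear()
                rec.collected_at = None
                purged.append(user_id)
        return purged

def attempt(action) -> str:
    try:  # run `action`; report 'ok' or the name of the safeguard that refused it
        action()
        return "ok"
    except (ConsentRequired, FieldNotPermitted, PermissionError) as exc:
        return type(exc).__name__

def run_scenario() -> dict[str, object]:
    """Exercise the store with a constructed under-13 user; returns each outcome by name."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = ChildDataStore()
    store.register("kid-1", date(2015, 3, 10))  # 9 years old: covered by the gate
    out: dict[str, object] = {}
    out["without_consent"] = attempt(lambda: store.collect("kid-1", {"username": "stargazer"}, now))
    store.record_consent("kid-1", "parent@example.com", "card_confirmation")
    out["overcollection"] = attempt(lambda: store.collect(
        "kid-1", {"username": "stargazer", "home_address": "1 Main St"}, now))
    out["minimized"] = attempt(lambda: store.collect("kid-1", {"username": "stargazer", "avatar_id": "fox"}, now))
    out["parent_view"] = store.parent_review("kid-1", "parent@example.com")
    out["stranger_view"] = attempt(lambda: store.parent_review("kid-1", "stranger@example.com"))
    out["purged"] = store.purge_expired(now + timedelta(days=91), timedelta(days=90))
    store.parent_delete("kid-1", "parent@example.com", now + timedelta(days=91))
    out["consent_active"] = store.records["kid-1"].consent.withdrawn_at is None
    return out
```

The ordering inside `collect` is deliberate: the allowlist check runs before the consent check, so over-collection is refused even for users who are not children, and the consent gate is keyed on the age computed at collection time rather than on a flag set at registration. `run_scenario()` walks through the refusals and the parental controls in one pass and returns each outcome by name so the behaviour can be checked without reading printed output.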

How Is COPPA Enforced? Fines & Penalties

Online operators must comply with COPPA or face severe penalties. For example, the Federal Trade Commission can enforce COPPA by fining companies up to $42,530 per violation. Companies can also face civil penalties, lawsuits, criminal proceedings, and state attorney general investigations.

The largest fine was in 2022; Epic Games agreed to pay a $275 million penalty for COPPA violations. The complaint stated that Epic collected personal information illegally from children under 13 and made it hard for parents to get information deleted.

Beyond fines, non-compliance can result in significant reputational damage and loss of consumer trust, highlighting the importance of adhering to COPPA regulations.

Why is COPPA Compliance Important?

Preserving Trust and Safety

Following COPPA regulations is crucial for maintaining parental trust and ensuring children’s safety online. Businesses that demonstrate dedication to protecting children’s privacy show their deep ethical responsibility to shield them from the dangers of unchecked data collection and exploitation.

Empowering Parents

COPPA gives parents the tools and assurances they need to manage their children’s online interactions. It provides transparency and control over personal information, allowing parents to make informed decisions about their child’s digital presence, fostering digital literacy and responsible online behavior within families.

Fostering a Secure Digital Environment

Creating a secure digital environment for children is crucial. COPPA acts as a defense against various digital threats, such as data breaches, identity theft, online predators, and harmful content. Following COPPA standards ensures that children’s online experiences are safe, respectful, and privacy-focused.

Pioneering Ethical Standards

COPPA is not just a legal obligation but a framework for ethical innovation and responsible digital stewardship. The standards set by this privacy act help companies innovate responsibly and ensure that business advancements respect and protect children’s rights.

This commitment to ethical behavior fosters public trust and encourages the development of technologies and practices that prioritize user well-being. In doing so, COPPA serves as a model for integrating ethical considerations into business strategies, influencing global standards for children’s online privacy and safety.

Stakeholders and Regulations

Stakeholders in COPPA include website operators, app developers, advertisers, parents, and children. Each plays a role in upholding these standards and promoting responsible online practices, ensuring a safer digital space for young users.


COPPA Safe Harbor Program

COPPA Safe Harbor is a provision within the children’s online privacy protection rule that allows industry groups or other entities to develop their own self-regulatory guidelines to comply with the Act. These guidelines must be approved by the Federal Trade Commission. Organizations that adhere to an FTC-approved Safe Harbor program are deemed to be in compliance with COPPA, provided they follow the guidelines accurately.

Key aspects of COPPA Safe Harbor include:

  • Approval by the FTC: The self-regulatory guidelines must be submitted to the FTC for review and approval; the FTC evaluates whether these guidelines effectively address COPPA’s requirements.
  • Compliance and Enforcement: Entities participating in a Safe Harbor program must comply with the approved guidelines. The organization administering the Safe Harbor program is responsible for ensuring adherence and enforcing the guidelines among its participants.
  • Reduced Liability: If a business participating in a Safe Harbor program is found to have violated COPPA, the FTC may consider the business’s participation in the program. This could lead to reduced penalties compared to those imposed on businesses not taking part in a Safe Harbor program and found to be in violation of COPPA.
  • Consumer Trust: Displaying a Safe Harbor certification can enhance consumer trust, signaling that the operator is committed to protecting children’s privacy online.

Some examples of FTC-approved Safe Harbor programs include those run by organizations like the Entertainment Software Rating Board (ESRB), the Children’s Advertising Review Unit (CARU), and TrustArc.

Achieve COPPA Compliance Requirements with BigID

Companies must understand their obligations and enforce COPPA compliance requirements. If your business is covered by COPPA, you have a duty to ensure parental consent and data protection requirements are achieved. With BigID, you can:

Organizations should reevaluate their approach to children’s data. We have a responsibility to our most vulnerable group of online citizens. See how BigID helps organizations manage compliance requirements for COPPA – Get a demo.
