Children are a fast-growing population online, which is a huge data privacy concern because it’s essential to protect children who can’t provide legal consent for the use of their data. As a result, lawmakers have developed or introduced laws to protect children and teens from potential abuse and privacy violations, such as the Children’s Online Privacy Protection Act (COPPA) which has become the global standard.

What is COPPA?

COPPA is a U.S Federal Law that is enforced by the Federal Trade Commission (FTC). The law was passed in 1998 but enacted in April 2000, with substantial amendments in 2013. The law imposes requirements on collecting personal information of children under the age of 13 from online and digital services such as websites, ads, and apps.

How to Comply with COPPA

Data collection from children under 13 isn’t prohibited, but organizations must follow specific guidelines to comply with COPPA. As stated by the FTC, “The law requires the operators of sites or online services directed at children under 13 to obtain “verifiable parental consent” before collecting data, with exceptions for activities that support “internal operations,” such as frequency capping, contextual advertising, site analysis, and network communications.”

The law clearly states businesses’ responsibilities when protecting children’s online data privacy. Here are some suggested standards from the FTC to help with COPPA compliance:

  • COPPA defines “personal information” as any information that can be used to identify a person, such as a name, address, email address, phone number, or Social Security number.
  • COPPA applies to information collected from children through websites, apps, and other online services. It includes any website or online service that knowingly collects personal information from children, including social networks, online gaming sites, websites that focus on topics of interest to children, and even websites that contain advertising directed at children.
  • Any website, app, microsite, a section of a website, or any kind of online service that appeals to children is considered child-directed.
  • Businesses must display privacy policies to state how personal information is used.
  • Organizations must seek verifiable consent from a parent before collecting any personal information. Additionally, parents should be able to review children’s personal information, which means full access to profiles, records, and login information upon request.
  • It is advised only to retain personal information that fulfills the purpose of its original collection and then discard the data to protect the child’s rights and safety.

COPPA Fines & Penalties

Non-compliance with COPPA can lead to severe penalties. For example, the FTC can fine companies up to $42,530 per violation. In addition, companies can face civil lawsuits, criminal proceedings, and state attorney general investigations.

The largest fine was in 2022; Epic Games agreed to pay a $275 million penalty for COPPA violations. The complaint stated that Epic collected personal information illegally from children under 13 and made it hard for parents to get information deleted.

Achieve COPPA Compliance with BigID

COPPA is an important law that helps protect the privacy of children online. However, companies must understand their obligations and ensure compliance with the law. With BigID, organizations can:

Organizations should reevaluate their approach to children’s data. We have a responsibility to our most vulnerable group of online citizens. See how BigID helps organizations manage compliance requirements for COPPA – Get a demo