COPPA – The Children’s Online Privacy Protection Act

The Children’s Online Privacy Protection Act was passed in 1998 by the FTC to protect the personal information of children. It specifically applies to websites that target children and provides guidelines for the collection, use and disclosure of personally identifiable information of children under the age of 13 who may not understand the dangers of disclosing personal information on the Internet.

A website operator must be concerned with COPPA compliance if:

  • The website targets children under the age of 13 through its subject matter, audio/visual content, advertising or use of other child-oriented features.
  • The website targets a general audience but has a separate child-oriented section.
  • The website targets a general audience and children under the age of 13 are known to access the site.
  • The website is maintained outside the U.S. but targets children under the age of 13 in the U.S.
  • The website is operated by the Federal Government. Under the Office of Management and Budget, the U.S. Federal Government is required to comply with COPPA on all of its websites targeting children.

COPPA Compliance

COPPA primarily uses the fair information practice principles of Notice and Consent to protect children’s information.

In order to comply with COPPA, a website operator must:

1.  Provide parents with information about the website’s information collection and privacy practices. A privacy policy must be placed on the home page and on every page where data is collected in order to ensure adequate notice.

2.  Obtain verifiable parental consent prior to collecting personal information.

3.  Provide parents with a mechanism to access the information on record for their child and the ability to change consent options for future or third party use and disclosure.

4.  Not limit participation on the website by requiring the collection of information that is not reasonably necessary.

A COPPA compliant privacy notice must include:

  1. Legitimate contact information for the website operator/data owner
  2. The type of information that is collected
  3. How the information will be used
  4. Notice of any third party disclosure

Verifiable Parental Consent:

Depending on the information that is being collected and its intended use, different levels of parental consent must be obtained.

Prior parental consent is not required to collect a child’s name and email address only if:

  • The information is obtained in order to provide notice to the parent or obtain parental consent
  • The information is collected to respond once to a specific inquiry by the child and not used for further communications
  • The information is used to ensure the safety of a child and is not used for any other purposes
  • The information is used to protect the security of the website, protect against liability, participate in a law enforcement investigation or any other matters relating to public safety

In all cases, parental consent should be obtained shortly after the information is collected. If parental consent cannot be obtained, the information may not be used for purposes other than those outlined above and the information must be deleted (with exceptions for ensuring the safety of the child).

Parental Consent for Public Disclosure

If the website publicly links a child’s name or email address with their screen name in chat rooms, message boards, personal home pages, pen pal services or other similar social networking features, it must obtain verifiable parental consent for public disclosure. This also applies to sites that may disclose personal information to third parties for secondary uses and marketing purposes.

Consent options include:

  • A printable form that can be signed then mailed or faxed back to the website operator
  • Obtain a parent’s credit card information in connection with a transaction which may include subscription fees, purchases or a credit card processing fee.
  • Provide a toll free line staffed by professionals to which parents may call and provide verbal consent
  • Obtain consent through an email that contains a digital signature that uses a public key that has been verified by one of the above methods.

Parental Consent for Internal Use

If the website does not publicly disclose the child’s information either through disclosure to third parties or through the posting of information to chat rooms, message boards or similar features then the information will only be used within the site to contact the child.

Consent options include:

  • Any of the methods used for public disclosure
  • The Email Plus option in which:
    • An initial email is sent containing the privacy notice and asking the parent to respond with a phone, fax or mailing address to confirm consent through one of those methods; or
    • After a reasonable length of time has passed, a second email is sent asking for the parent to confirm consent. The privacy notice should again be included. This email informs the parent that their consent is implicit through their lack of response. The email should provide the parent with information on how to revoke their consent.

Enforcement of COPPA

COPPA is enforced by the Federal Trade Commission and through a state’s Attorney General’s Office under SEC. 1305. COPPA allows for the creation of Safe Harbor programs, which encourage industry self-regulation.

There are several online assurance programs that offer a COPPA compliant Safe Harbor Program including:

Unlike other information privacy laws, the FTC has been diligent in enforcing COPPA. It has a history of investigating privacy complaints and taking action against websites and companies violating the rule.


COPPA protects the privacy of personal information for children. It does not prevent children from accessing mature content. COPPA uses parental notice and consent to prevent the wrongful collection and misuse of children’s personal information. Any website that may be frequented by children under the age of 13 must comply with the COPPA ruling if personal information is collected.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

  • U.S. Public and Private Sector General Laws including COPPA (I.B.a.ii.)
