====== The Ultimate Guide to the Children's Online Privacy Protection Act (COPPA) ======

**LEGAL DISCLAIMER:** This article provides general, informational content for educational purposes only. It is not a substitute for professional legal advice from a qualified attorney. Always consult with a lawyer for guidance on your specific legal situation.

===== What is COPPA? A 30-Second Summary =====

Imagine the internet is a vast, public playground. Most areas are for adults, but some are clearly designed for kids—full of bright colors, fun games, and cartoon characters. Now, imagine that every swing set, slide, and sandbox in that kids' area was secretly collecting information: your child's name, their picture, where they live, and what they like to do. That's what the early internet was like, and it worried parents and lawmakers.

The **Children's Online Privacy Protection Act (COPPA)** is the federal law that acts as the rulebook for this digital playground. It doesn't tell kids they can't play; instead, it puts the adults in charge. It tells the companies running these online spaces that before they can collect any personal information from a child under the age of 13, they must first get a parent's permission. In short, COPPA puts parents back in the driver's seat of their children's online lives.

  * **Key Takeaways At-a-Glance:**
    * **Parental Control is Central:** The **Children's Online Privacy Protection Act** is a U.S. federal law that requires websites and online services to obtain [[verifiable_parental_consent]] before collecting, using, or disclosing personal information from children under 13.
    * **It Affects Businesses and Creators:** If you run a website, app, YouTube channel, or any online service that is either directed at children under 13 or you know is collecting data from them, **COPPA compliance** is not optional; it is a legal requirement enforced by the [[federal_trade_commission]].
    * **Broad Definition of "Personal Info":** The **Children's Online Privacy Protection Act** protects more than just a name and address; it covers photos, videos, audio files, geolocation data, and even "persistent identifiers" like [[ip_address]]es and cookies that can be used to track a child's activity across the web.

===== Part 1: The Legal Foundations of COPPA =====

==== The Story of COPPA: A Historical Journey ====

In the late 1990s, the internet was a digital "Wild West." Commercial use of the web was exploding, and companies quickly realized that children were a lucrative new market. Websites designed for kids popped up everywhere, offering games, cartoons, and chat rooms. To participate, children were often encouraged to register using their full names, home addresses, email addresses, and even their parents' income levels, all without any parental oversight.

Alarm bells began to ring. Consumer protection groups and parents grew increasingly concerned about the safety and privacy of children online. They feared that this data could be used for invasive marketing or, worse, fall into the hands of predators.

Congress responded to this public outcry. After a series of hearings and a landmark report from the [[federal_trade_commission]] (FTC) highlighting these risky practices, the **Children's Online Privacy Protection Act** was passed in 1998 and took effect in 2000. It was a pioneering piece of legislation, one of the first major attempts to regulate data privacy in the digital age, specifically for the most vulnerable members of society.
In 2013, the FTC updated the COPPA Rule to account for the rise of smartphones, social media, and new technologies, expanding the definition of "personal information" to keep pace with a changing digital landscape.

==== The Law on the Books: The COPPA Rule ====

COPPA is not just an idea; it's codified federal law and a detailed regulatory rule.

  * **The Statute:** The law itself is found in the U.S. Code at [[15_usc_6501]]. A key passage, 15 U.S.C. § 6502(b)(1), states that it is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information... in a manner that violates the regulations.
  * **The Regulation (The "COPPA Rule"):** The real "how-to" guide for compliance is the FTC's implementing regulation, officially known as the **COPPA Rule**, found at [[16_cfr_part_312]]. This rule is what most lawyers and businesses refer to when discussing COPPA. It defines all the key terms (like "operator" and "personal information") and lays out the specific requirements for privacy policies, parental notice, and methods for obtaining [[verifiable_parental_consent]].

In plain English, the law and the rule work together. The Act sets the broad policy: **protect kids' data**. The Rule provides the specific, detailed instructions that website and app operators must follow to achieve that protection.

==== A Nation of Contrasts: Federal vs. State-Level Protections ====

COPPA is a federal law, meaning it sets a minimum standard for the entire country. However, states are free to pass their own laws that provide even greater protection. In recent years, several states have done just that, creating a complex compliance landscape.

^ **Feature** ^ **COPPA (Federal)** ^ **California (CAADCA)** ^ **New York (NY Child Data Privacy Act - Proposed)** ^ **Florida (Social Media Law - Contested)** ^
| **Age of Protection** | Under 13 | Under 18 | Under 18 | Under 16 |
| **Core Requirement** | Parental consent to **collect** data. | Businesses must consider the best interests of the child in service design. Prohibits "dark patterns" that manipulate children. | Fiduciary duty to act in a child's best interests. Prohibits sale of child data without explicit consent. | Requires age verification and parental consent for minors to have social media accounts. |
| **Applies To** | Websites/services directed at children or with actual knowledge of collecting from them. | Businesses that provide online services, products, or features likely to be accessed by children. | Any legal entity that collects data from or targets services to children in New York. | Social media platforms. |
| **What this means for you** | **If your audience includes kids under 13 anywhere in the U.S., you must comply with COPPA's consent rules.** | **If you have users in California, you have a broader duty of care for all minors, not just data collection.** | **If passed, this would create a very high standard of care for any business with users in New York.** | **These laws show a trend toward stricter age verification, impacting how platforms onboard users.** |

===== Part 2: Deconstructing the Core Elements of COPPA =====

To comply with COPPA, you must understand its five key components. Think of it as the "who, what, when, why, and how" of children's online privacy.

==== Who is Covered? The Definition of an "Operator" ====

COPPA applies to "operators" of commercial websites and online services. This is a very broad category.

  * **Directed to Children:** An operator is covered if their website or service (or a portion of it) is "directed to children under 13." The FTC considers several factors to determine this, including:
    * The subject matter (e.g., kids' games, cartoons).
    * Visual and audio content.
    * The use of animated characters or child-oriented activities.
    * The age of models used.
    * Advertising directed to children.
    * **Example:** A YouTube channel that exclusively reviews toys for preschoolers is clearly "directed to children."
  * **Actual Knowledge:** An operator is also covered if they run a general-audience site but have **"actual knowledge"** they are collecting personal information from a child under 13.
    * **Example:** A social media platform is for a general audience. However, if a user signs up and enters a birthdate indicating they are 11 years old, the platform now has "actual knowledge" and must either get parental consent for that user's data or delete their account. This is why many platforms set their minimum age to 13.

==== What is Protected? "Personal Information" Under COPPA ====

This is one of the most misunderstood parts of the law. "Personal information" goes far beyond a child's name. The COPPA Rule protects:

  * **Full name, home or physical address, and email address.**
  * **Telephone number.**
  * **A photograph, video, or audio file where the child's image or voice is present.**
  * **Geolocation information** sufficient to identify a street name and city.
  * **A "persistent identifier"** that can be used to recognize a user over time and across different websites or online services. This includes a [[cookie]] ID, an [[ip_address]], a device serial number, or any unique identifier. This is the 2013 update's most significant change, as it means tracking a child for advertising purposes is covered by COPPA.
  * Any other information that is collected and combined with one of the identifiers above.

==== The Cornerstone: Verifiable Parental Consent (VPC) ====

This is the heart of COPPA.
Before collecting, using, or disclosing a child's personal information, an operator must obtain **verifiable parental consent**. This means you must make reasonable efforts to ensure that the person giving consent is actually the child's parent. A simple checkbox saying "I am a parent" is not enough.

Acceptable VPC methods include:

  * A signed consent form sent by mail, fax, or electronic scan.
  * Having the parent use a credit card, debit card, or other online payment system (which provides notification of a transaction).
  * Having the parent call a toll-free telephone number staffed by trained personnel.
  * A video conference with trained personnel.
  * Verifying a parent's identity by checking it against a government-issued ID.

==== The Privacy Policy Mandate: Clear and Conspicuous Notice ====

You can't get proper consent if parents don't know what they're consenting to. COPPA requires operators to post a clear, comprehensive, and easy-to-find privacy policy. It must describe:

  * What information is collected from children.
  * How that information is used.
  * The operator's disclosure practices (i.e., whether they share it with third parties).
  * A link to the privacy policy must be placed on the homepage and anywhere personal information is collected from children.

==== Parental Rights: Access, Deletion, and Control ====

COPPA grants parents ongoing rights. Even after giving consent, a parent has the right to:

  * **Review** the personal information collected from their child.
  * **Revoke** their consent and refuse further use or collection of their child's information.
  * **Request deletion** of their child's personal information.

Operators must provide a reasonable means for parents to exercise these rights.

===== Part 3: Your Practical Playbook =====

Whether you're a business owner or a parent, COPPA has direct implications for you. Here's how to navigate it.

==== For Website & App Operators: A COPPA Compliance Checklist ====

If your online service might be used by children, failing to comply with COPPA can lead to massive fines. Here is a step-by-step guide to compliance.

=== Step 1: Determine if COPPA Applies to You ===

  - Honestly assess your service. Is it "directed to children under 13"? Review the FTC's factors: subject matter, visuals, music, and marketing.
  - If your service is for a general audience, do you have any features that would lead you to have "actual knowledge" of users under 13? Do you have an age-gate or ask for a birthdate during registration? If so, you must have a plan for what to do when you identify a child user.

=== Step 2: Craft a COPPA-Compliant Privacy Policy ===

  - Your privacy policy is a legal document. It must be clear, complete, and conspicuous.
  - Create a specific section detailing your practices regarding children's data.
  - List the types of personal information you collect, how you use it, and if you disclose it to third parties.
  - Provide the contact information for the person at your company responsible for handling inquiries about your children's privacy practices.
  - Place a prominent link to this policy on your homepage and everywhere you collect data.

=== Step 3: Provide Direct Notice to Parents ===

  - Before you collect any personal information, you must send a "direct notice" to the parent.
  - This notice must state that you wish to collect information from their child, what specific information you want to collect, and how you will use it.
  - It must also link to your full privacy policy and explain how the parent can provide their verifiable consent.

=== Step 4: Implement a Verifiable Parental Consent (VPC) Method ===

  - Choose one of the FTC-approved VPC methods listed in the section above.
  - The "credit card transaction" method is popular for its ease of automation, but you must choose what's best for your business and users.
  - Remember, the goal is to be reasonably sure you are dealing with the parent, not the child.

=== Step 5: Honor Ongoing Parental Rights ===

  - You must have procedures in place to handle parental requests.
  - When a parent asks to review their child's data, you must be able to provide it.
  - When a parent asks to delete data or revoke consent, you must comply promptly.

==== For Parents: Protecting Your Child's Online Privacy ====

COPPA gives you the tools to be your child's digital guardian. Here's how to use them.

=== Step 1: Look for the Privacy Policy ===

  - Before letting your child use a new app or website, find and read the privacy policy. If you can't find it easily, that's a major red flag.
  - Look for a section on "Children's Privacy" or "COPPA." It should clearly explain what data they collect and why.

=== Step 2: Understand What You Are Consenting To ===

  - When a service asks for your consent, don't just click "yes." Read the direct notice.
  - Are they asking to collect your child's location? Their photo? The right to share it with advertisers? You have the right to say no.

=== Step 3: Teach Your Child to Be Privacy-Smart ===

  - Explain to your child, in age-appropriate terms, why they should never give out their full name, address, school, or phone number online without your permission.
  - Encourage them to come to you immediately if a website or another user makes them feel uncomfortable.

=== Step 4: Use Your Rights ===

  - Remember, you have the right to see what information a company has about your child and to order them to delete it.
  - If you believe a company has violated COPPA, you can file a complaint directly with the [[federal_trade_commission]] through their website.

===== Part 4: Landmark Enforcement Actions That Shaped Today's Law =====

The FTC enforces COPPA, and its actions against major companies have sent powerful messages and shaped how the law is applied today.

==== Case Study: Google / YouTube (2019) ====

  * **The Backstory:** For years, YouTube maintained it was a general-audience platform. However, it was widely known that millions of children used it to watch cartoons and toy reviews. YouTube's parent company, Google, was collecting persistent identifiers (cookies) from viewers of these channels to serve them targeted ads, without parental consent.
  * **The Legal Question:** Could Google be held liable under COPPA for collecting data on channels it didn't own but knew were directed at children?
  * **The Holding:** Yes. The FTC and the New York Attorney General hit Google with a **record $170 million settlement**. The FTC ruled that by curating child-focused content into playlists and promoting it, YouTube had actual knowledge that it was collecting data from children.
  * **Impact on You Today:** This is why every YouTube creator must now designate whether their videos are "made for kids." If they are, YouTube disables targeted ads and other features (like comments) on those videos to comply with COPPA.

==== Case Study: Epic Games / Fortnite (2022) ====

  * **The Backstory:** The wildly popular game Fortnite was accused of multiple violations. The FTC alleged that Epic Games used manipulative settings ("dark patterns") to trick players, including children, into making unintentional purchases. Crucially, the FTC also charged that the game's default voice and text chat settings were on, illegally collecting children's personal information (their voices) without parental notice or consent.
  * **The Legal Question:** Do in-game features like voice chat fall under COPPA's definition of personal information, and can a company's interface design be considered an unfair practice?
  * **The Holding:** Absolutely. Epic Games agreed to a massive **$520 million settlement**, with $275 million specifically for the COPPA violation—the largest penalty in COPPA history.
  * **Impact on You Today:** This case confirmed that audio files of a child's voice are protected information. It also put the entire tech industry on notice that using confusing or deceptive design to bypass privacy protections is illegal.

==== Case Study: TikTok / Musical.ly (2019) ====

  * **The Backstory:** The social media app Musical.ly (which later became TikTok) required users to provide an email address, phone number, name, and bio to create an account. The app was widely used by children under 13, and the company was aware of this, yet it failed to seek parental consent before collecting this data.
  * **The Legal Question:** Was a social media app with a large, known child user base required to obtain parental consent under COPPA?
  * **The Holding:** Yes. The FTC issued a **$5.7 million civil penalty**, which at the time was the largest COPPA penalty ever obtained.
  * **Impact on You Today:** This case established that the COPPA rules apply forcefully to social media platforms. It's the reason why apps like TikTok and Instagram now have a "13-and-over" rule and will remove accounts they know belong to younger children.

===== Part 5: The Future of COPPA =====

==== Today's Battlegrounds: The Push for COPPA 2.0 ====

While revolutionary for its time, many advocates argue that COPPA is now dated. The original law was designed for a world of desktop websites, not a world of ubiquitous smartphones, AI, and the Internet of Things (IoT). In response, bipartisan legislation known as **"COPPA 2.0"** has been proposed in Congress. Key changes would include:

  * **Raising the Age of Protection:** It would raise the age of consent from under 13 to under 17, providing protections for teenagers.
  * **Banning Targeted Advertising:** It would completely ban targeted advertising directed at children and teens.
  * **Creating an "Eraser Button":** It would give parents and teens a right to demand the deletion of personal information.

Opponents argue these changes could stifle innovation and place undue burdens on businesses. The debate over COPPA 2.0 represents the central battleground for the future of children's privacy in the U.S.

==== On the Horizon: How Technology is Changing the Law ====

New technologies are constantly testing the boundaries of COPPA. The next wave of legal challenges will likely involve:

  * **Artificial Intelligence (AI):** How does COPPA apply when an AI-powered educational tool creates a detailed learning profile of a child? Who is responsible for the data an AI collects?
  * **Internet of Things (IoT):** "Smart" toys, speakers, and even clothes can collect a child's voice, location, and biometric data 24/7. These devices present a massive compliance challenge, as the "operator" and the "notice" are not always clear.
  * **Virtual and Augmented Reality (VR/AR):** In the "metaverse," companies can track a child's eye movements, physical gestures, and social interactions. This deeply personal data will force a re-evaluation of what "personal information" means and how to obtain meaningful consent for its collection.

As technology evolves, so will the interpretation and enforcement of COPPA, ensuring the debate over how best to protect children in the digital world is far from over.

===== Glossary of Related Terms =====

  * **Actual Knowledge:** The standard by which an operator of a general-audience site is held responsible under COPPA if they know they are collecting data from a child under 13. [[actual_knowledge]]
  * **COPPA Rule:** The regulation issued by the FTC, found at 16 C.F.R. Part 312, that implements the Children's Online Privacy Protection Act. [[16_cfr_part_312]]
  * **Dark Patterns:** User interface designs crafted to trick users into doing things they might not want to do, such as making a purchase or giving up privacy. [[dark_patterns]]
  * **Directed to Children:** A standard used to determine if a website or online service falls under COPPA's jurisdiction based on its subject matter, content, and marketing. [[directed_to_children_standard]]
  * **Federal Trade Commission (FTC):** The U.S. federal agency responsible for consumer protection and enforcing the COPPA Rule. [[federal_trade_commission]]
  * **Operator:** Any person who operates a commercial website or online service and collects or maintains personal information from or about the users of that site. [[operator_(coppa)]]
  * **Persistent Identifier:** Data that can be used to recognize a user over time and across different sites, such as a cookie, IP address, or unique device ID. [[persistent_identifier]]
  * **Personal Information:** The broad category of data protected under COPPA, including name, address, photos, videos, audio, and persistent identifiers. [[personal_information]]
  * **Privacy Policy:** A legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. [[privacy_policy]]
  * **Safe Harbor Program:** An FTC-approved program offered by industry groups that provides a framework for member companies to self-regulate and ensure COPPA compliance. [[coppa_safe_harbor]]
  * **Verifiable Parental Consent (VPC):** The core COPPA requirement that operators make reasonable efforts to ensure the person giving consent is the child's parent. [[verifiable_parental_consent]]

===== See Also =====

  * [[california_consumer_privacy_act_(ccpa)]]
  * [[general_data_protection_regulation_(gdpr)]]
  * [[ftc_act]]
  * [[data_breach]]
  * [[california_age-appropriate_design_code_act_(caadca)]]
  * [[internet_law]]
  * [[consumer_protection_law]]