If you run a website or online service aimed at U.S. minors under 13 years of age, then you need to comply with the Children's Online Privacy Protection Act (COPPA). The Act is designed to protect children's personal data when they use the internet or play mobile apps and games.
- 1. COPPA Explained
- 2. Why COPPA Matters
- 3. Who Needs to Comply With COPPA
- 4. COPPA Compliance
- 5.3. Children's Clause
- 5.4. The Information You Collect
- 5.5. Cookies and Third Parties
- 5.6. Contact Details
- 5.7. Parental Rights
- 9. Protecting Personal Information
- 10. Penalties for Non-Compliance
- 11. Conclusion
Technically, COPPA refers to two privacy laws:
- Children's Online Privacy Protection Act
- Children's Online Privacy Protection Rule
The general rule, though, is pretty simple: If you collect personal data from US children, you need parental consent first. By "collecting" data, we're referring to activities like:
- Using tracking cookies
- Showing someone's personal data to the public e.g. on a public profile page
- Asking users to submit information to create an account or profile, or make a purchase
You also need to take extra precautions to keep the data safe and secure.
But what actually is "personal data"? It's basically any data you can use to identify a specific child. It's defined in Section 6501(8) of the Act as:
"The term "personal information" means individually identifiable information about an individual collected online, including-
(A) a first and last name;
(B) a home or other physical address including street name and name of a city or town;
(C) an e-mail address;
(D) a telephone number;
(E) a Social Security number;
(F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or
(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph."
It applies if you're handling personal data belonging to a U.S. child, wherever you're based. You may also need to comply with stricter rules depending on your location, but we're only concerned with COPPA in this article.
What services are included in the rules? There's no comprehensive list, but here are some examples:
- "Smart" toys connected to the internet
- Gaming platforms
The service needs to be commercial. In other words, if you're a charity, you're not bound by COPPA. But if your service is commercial in nature at all, even if it's free to use, it's covered in section 6501(10).
Why COPPA Matters
We know that complying with COPPA means you need to:
- Get parental permission before collecting minor data (under-13s)
- Take steps to protect this data
But why do we need the Act? There are a few reasons:
- Parents have a right to control access to their child's personal information
- They also want to know what services their child uses, and they want to know you take privacy seriously
- It's important to help children stay safe and protected online
COPPA goes some way to keeping minors safe while allowing them access to the digital world.
Who Needs to Comply With COPPA
You only need to comply with COPPA if you handle personal data belonging to under-13s, or you know children use your website, even if they're not your target audience.
This is confirmed by the Federal Trade Commission:
How do you confirm if your website or service is directed at children, though? It all depends on factors like:
- Tone, speech patterns and language used
- Type of music, slogans, and logos
- The site content and how easy it is to use
- Age of the models you use to market your products
- Use of animated or cartoon characters around the website
Let's take a look at two examples.
The first is Sesame Street. The website is colorful and you can see various cartoon characters. The graphics are fun, and the game avatars are obviously aimed at children:
On the other hand, here's Parker Pen. It's stylish and sophisticated, but based on the colors, the product, and the language, it's not likely to appeal to children:
What happens if someone lies about their age? Don't worry. You don't need to ask someone to confirm their age to use your service. And if you do ask people to enter their age before accessing your website, you're allowed to rely on the information they provide.
The FTC confirms this:
In other words, you're allowed to assume any age information you're provided is accurate until you're told otherwise.
If you don't collect any personal information at all, and you're sure COPPA doesn't apply, you should put up a brief notice confirming this. Here's an example from Starfall:
To comply, you should do four things:
- Post a Direct Notice telling parents about your data policies
- Get parental consent before capturing a child's personal information
- Tell parents how you protect a child's data
- Explain what rights parents have over this information
- Explain what information you collect, how you get it, and why you need it
- Tell people where they can contact you for more information
- Explain that users can opt out of data collection at any time
- An explanation of how you handle a child's personal data
- Details of what rights parents have over this data
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
Let's look at real clauses from COPPA-compliant Privacy Policies.
National Geographic Kids has a section titled "Children":
The company also makes a few child-specific statements explaining how it handles data from a child. Namely, it only collects it for very specific purposes, and consent is obtained before the data is collected:
Sesame Street also has a clear section dedicated to kids. Helpfully, COPPA is referred to specifically, and the fundamental ways in which data from minors is protected is set out:
The Information You Collect
Specify the type of data you collect and why it's necessary. You can keep the clause a little broad so you can collect as much data as possible, but keep this in mind: You shouldn't ever collect more data than necessary for a set purpose.
Sesame Street uses the phrase "examples of personal information." By keeping the clause general, the company isn't limited to these specific parameters. However, the language is clear enough for parents and kids to understand what data will probably be collected, and why:
There's no need for a long, complex clause. It should be easy to understand by children themselves.
You should also clearly set out how you use the data, like National Geographic Kids does here:
Cookies and Third Parties
Here's a short but excellent clause from Sesame Street for this purpose:
Again, using broad language like "such as" means there will not be restrictions to using data for analytics purposes. It's all about striking a balance between giving enough information without being so specific that you're restricting your legitimate interests.
Parents have rights over what happens to their child's data online. Namely, they can tell you to stop collecting data or delete what you already have.
There's also a right for parents to:
- Review what data you hold
- Amend the data
- Request a copy
Again, National Geographic Kids sets out these rights in a clear, concise way, highlighting how parents can exercise them:
Funbrain posts an obvious link on the homepage that's separate from the other links:
In both cases, they're really obvious and distinguishable from other links.
- Ask kids to provide a parent's email address. That way, you can assume it's the parent consenting rather than the child.
Here's an example from Hamleys:
National Geographic Kids requests that those under 16 years of age provide a parent's email address before they can open an account. While National Geographic can't prove the email address belongs to a parent, they're taking reasonable steps to get verifiable consent:
All you can do is take reasonable steps. If you don't want to ask for an email address, you can also:
- Ask for a contact number to call the parent
- Confirm a parent's credit or debit card before it's used for payment
By material, we mean changing the clauses around the data you collect and where it's shared. But if you're unsure whether it's a material change or not, send parents an email or notice telling them about the change anyway.
Protecting Personal Information
There's one final thing you should do to comply with COPPA, and that's take reasonable steps to protect the personal data in your care. But what's classed as reasonable?
There's no "right" answer to this, but here are some suggestions:
- Limit who can access the data
- Ensure you encrypt data, where possible
- Keep antivirus and antimalware tools up-to-date
Remember, what's reasonable for a large company isn't proportionate for an independent website, so the FTC considers this on a case-by-case basis.
Penalties for Non-Compliance
Complying with COPPA isn't optional. If you don't follow the Act:
- Parents can submit a complaint to the FTC
- You may be fined up to $42,530 for each infraction
COPPA non-compliance damages your reputation and costs money. So it's always best to comply even if you're not 100% sure the Act applies.
- Why you collect data, and who you share it with
- What methods you use to collect and store information
- The rights parents have over their child's data
- Any special steps you're taking to protect sensitive information
Aside from this, you must also do the following:
- Tell parents you're collecting their child's personal data
- Get verifiable permission to collect data beforehand