The Children's Online Privacy Protection Act of 1998 or simply, COPPA, was enacted in 1998 to protect the privacy of children under the age of 13. It's a US federal law and it first became effective on April 21st, 2000.
This law is applicable to US businesses, but it can apply to any foreign businesses if they collect personal information from children under 13 who are residing in the US.
COPPA is applicable if your website or mobile app is:
Operating under US jurisdiction
Running on servers that are hosted in US
Operated by businesses with headquarters located in the US territory
What is Personal Information
The term "Personal information" ("PI") is broadly defined, but it means every kind of data that you can use to identify an individual, and in the case of COPPA, any kind of data that can identify a child under 13. Here are a few examples:
First and last name
Physical address, like street name or city
Instant message or social media usernames
Personal data can also mean any kind of information that when combined can identify an individual, e.g. anonymous identifiers.
What is Personal Information Collected
Collecting personal information, even from kids under 13, can be done in many ways. Regardless of how you collect this kind of data, here is what the COPPA Compliance guidelines state about what "collecting" means:
Requesting, prompting, or encouraging the submission of information, even if it's optional
Letting information be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records
Passively tracking a child online
Note the optional keyword in this section: COPPA applies to you if you know you're collecting personal information from kids under 13, even if the information you are requesting is optional, not mandatory.
The general recommendation is not to collect personal information unless it is required for a legitimate business purpose.
Does COPPA Apply to You
COPPA doesn't apply unless you collect personal information from kids under 13. If any of the following cases apply to you, you must become compliant with COPPA:
Your website/app content is aimed at kids under 13 and you collect personal information from them
Your website/app is aimed at kids under 13, but you let other parties collect personal information from them
Your website/app targets a general audience, but you have knowledge that kids under 13 are using your service and that you are collecting personal information from them
The FTC defines "website or online service" in its Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business document:
Mobile apps that send or receive information online
Internet-enabled gaming platforms
Internet-enabled location-based services
Voice-over internet protocol services
Schools don't fall under COPPA, but third parties do.
When it comes to interactions with schools, COPPA takes on a unique function.
According to the FTC, schools do not fall under COPPA because this act does not apply to information collected by nonprofits serving educational purposes or to information collected by state governments.
COPPA applies to commercial entities. A school is considered to be part of the local government and is not functioning for commercial purposes.
However, many third-party commercial businesses, websites and mobile apps may provide services to schools and the students, and COPPA would extend to these third parties.
In cases such as these, the school can act as an intermediary between the third party and the parent, allowing the third party to obtain consent from the school district or the school rather than needing to obtain it directly from the parent.
Requirements for Third Party Websites or Mobile Apps Used By Schools
If your website or mobile app is used by students at the direction or implementation of a school, and for non-commercial, educational purposes only, your burden for meeting the requirements of COPPA is lessened.
You don't have to obtain direct verifiable parental consent before data is collected so long as 3 conditions are met:
The school must have previously obtained permission from parents to act on their behalf in such matters,
The website or mobile app operator must comply with all other COPPA requirements, and
The website or mobile app service must be provided solely for the educational benefit of the students and/or the school, and not for commercial purposes.
For example, an online homework help service, or web-based testing modules would be acceptable, but a website or mobile app that tries to sell school supplies to students would not be.
Other COPPA requirements mentioned in point 2 above include the following:
The website or mobile app operator must give all of the required notices to the school
The website or mobile app operator must make options and information available to the parents of the students with regard to how the collected data will be used, disclosed, and retained
The first statement under the introduction references parental verifiable consent on the website by stating that, "We will NOT knowingly collect, use or distribute personal information from children under the age of 13 without prior verifiable consent from a parent or guardian."
In this case, Edutopia.com doesn't collect any data from children under the age of 13 and therefore doesn't seek verifiable parental consent.
Including language like this is a great option if your website or mobile app has no reason to collect data from users, or specifically from users who are determined to be under 13.
Here's the company's simple and definitive clause:
Some websites or mobile apps take it a step further and actually require direct parental consent before a child can use the service, regardless of whether the school has obtained parental consent.
How to Comply with COPPA
You need to comply with COPPA regardless of what type of online business you operate. The FTC made a video available on YouTube, called Protecting Children's Privacy Under COPPA, that briefly discusses children's privacy:
It also discloses a list of requirements in its COPPA FAQ document:
These requirements are as follows:
Provide notice to parents directly and obtain verifiable parental consent before collecting personal information from children (with limited exceptions)
Allow parents to limit the disclosing of information to third parties (unless necessary)
Give parents access to their child's personal informaiton so they can review, edit or delete it
Allow parents to restrict the use or further collection of personal information from their children
Take reasonable steps towards security, confidentiality and maintenance of personal information
Only retain collected informatoin for as long as necessary to complete the purpose which it was collected for
The link to this legal agreement must be placed on all your webpages and it's recommended to make it more prominently visible than other links.
Do not try to hide your link to the agreement or make the link less visible or hard to find.
Personal Information Collection and Use
You need to include what type of information you collect from kids: name, address, email, hobbies etc. and how, such as directly from the kids (via forms) or passively (via cookies).
Next, you need to describe how you are going to use that information. You may use it for marketing purposes or notifying kids about some certain competitions that match their hobbies or interests or letting them know about winners of a contest and awards, etc.
Then you need to state if personal data from kids are being disclosed to any third parties. You need to list all third parties that your website or mobile app is using and how they use that information, like ad networks.
Parent Rights Section
You don't disclose information about kids under 13 more than it is necessary to participate in a certain activity
That they can review the already submitted information about their kids and how to contact you to delete it or to refuse to allow any future collection and use of their kids' information
That they (the parents) can agree to collection and use of kids' information, but they can refuse the collection and use of it to third parties that your business might be using
The instructions on how to do the above
Here's an example from Funbrain. The clause includes multiple contact methods for parents to reach out to request information or actions to be taken with their childrens' data:
COPPA requires that a company gives "direct notice" to parents before it starts to collect information from kids under 13.
This means that you should not gather information from children until parents give their approval for the collection and use of it.
In some circumstances, COPPA allows a very narrow personal information category to be collected without giving direct notice to parents, but the data collected under these exceptions can not be disclosed to third parties.
COPPA's Six-Step Compliance Plan explains these circumstances:
To get verifiable parental consent
To give voluntary notice to a parent about their child's participation on a site or service that doesn't collect personal information
To respond directly to a child's specific one-time request (for example, if the child wants to enter a contest)
To protect the security or integrity of your website or mobile app
To provide support for internal operations
To protect a child's safety
COPPA requires that verifiable parental consent is obtained from a website or mobile app before you can collect any personal information about a child and that notice of data collection practices is provided.
It defines certain methods of how you can get a verifiable consent from parents:
Sign a form and send it back to the company's address via fax, mail or electronic scan
Call a toll-free number operated by the company
Connect with trained personnel via video conference
Provide the company with copy of a form of government issued ID that the company can check against a database (but the identification pictures must be deleted from the company's records after the verification process is done)
Verifiable parental consent is typically somewhat complicated to obtain.
A parent may have to submit a government-issued ID and have the data run against a database for verification, or sign a consent form returned to the consent seeker by standard postal mail. Verifying the identity of the parent, as well as verifying that the person is actually the parent of the child can be a process in itself.
Below is an example of a pop-up window that when used on a website is a great way to try to screen out children under the age of 13 and know that consent is needed.
"Email Plus" method
If you only collect information from kids for internal usage, you can use a less complicated method to get parent consent called the "email plus" method. This method works like this:
The company sends out an email to the parent
The parent must respond to that email with their consent
The company confirms the consent by sending a confirmation (which can be done via email, letter or a phone call)
Under the "email plus" method you need to let parents know that they can revoke their consent for the collecting and use of their kid's personal information.
However, note that this method can only be used when limited information is collected for purposes of internal marketing. "Limited information" normally refers to a child's first name or child's and parent's e-mail address etc.
Exceptions for Parental Consent
If your business must comply with COPPA and the "Email Plus" method isn't an option for you, here is a checklist of common scenarios where you may be allowed to collect certain personal information without needing to first obtain parental consent.
This checklist can also help you tell what information you are allowed to collect and how you are allowed to use it.
Remember: You cannot collect anything more than what is listed, and you can only use the information in an exact way and for the exact purpose described.
Exception 1: To get parental consent
If you're trying to reach out to a parent to get their consent to collect their child's personal information, you are only allowed to collect the child's and parent's name and online contact information and nothing else.
This information can only be used to try to get the parent's consent.
If you don't hear back from the parent within a reasonable time, you must fully delete your records of the contact information.
Exception 2: To inform a parent that a child uses a site/app but no personal information is collected
You may only get the parent's online contact information and can only use it to communicate that one bit of information to the parent.
Make sure you include the following information in your message to the parent to stay compliant with COPPA:
You got their online contact information so you could let him/her know about their child's participation on your site/mobile app
Your site/mobile app doesn't collect personal information
Their email address that you now have won't be used for any other purpose
Let the parent know that he/she can email you back and refuse that you allow their child to use your site/mobile app and request to have the contact information deleted
Exception 3: For a one-time request made by a child
If a child is able to contact you for something such as entering a contest or asking a question, you are only allowed to collect the online contact information for the child (such as an email address.)
Remember: You cannot use this online contact information for anything other than responding to that one-time request, and you must delete the online contact information after the request has been addressed.
Exception 4: For multiple requests by a child
If a child wants to communicate with you multiple times, such as by signing up for your monthly newsletter, you can collect both the child's and parent's online contact information, but nothing more.
You have to contact the parent and let them know the following:
You collected their online contact information so you could let them know that their child has asked you for multiple online communications
You collected the child's online contact information to use for these communications
The child's online contact information won't be used for any other purpose and won't be given to anyone else
That, as the parent, they have the ability to not allow the child to receive the communication
Exception 5: To protect the safety of a child
If there's a situation where a child's safety may be at risk, such as an abduction in your area of a child who was known to frequently visit a certain website, you may collect a child's name, the parent's name, and both of their online contact information.
You have to contact the parent and let them know the following:
You collected this information in order to protect the safety of a child
The information won't be used in any other way or disclosed for any other purpose
Give the parent the right to not allow you to use the contact information and request that you delete it
Exception 6: To protect the security, integrity, and liability of your service or respond to legal proceedings
You are allowed to collect the name and online contact information of a child who uses your site if you are legally required to, or must do so for judicial, security, or liability issues. Remember, you are not allowed to collect any other piece of information from the child for this exception aside from the name and contact information.
You are very limited in how you can use this information. You cannot use the information to contact the person, to create a profile, or for advertising purposes.
Exception 7: To help with your internal operations
A cookie number, IP address, or another persistent identifier can be collected from visitors to a site, even children under 13, when the information is used for things such as authentication of users to a site, personalizing content, legal or regulatory compliance, etc.
This information is impersonal to the child and is solely related to there being a visitor to the site or service, regardless of age.
Absolutely no other information may be collected for these purposes aside from the persistent identifier. You cannot use this information to directly contact the child in any way.
Exception 8: If you know someone misrepresented age on registration, claiming to be over 13 when not
This exception only applies if the following three requirements are met:
Only a persistent identifier was collected from the child. No personal information, such as name or email address was collected
The child was actually using your site or service, which was why the persistent identifier was collected
In a previously-conducted age-screening of the child, he/she indicated being 13 or older
If this happens, you can keep the persistent identifier collected, but cannot collect other personal information without consent from a parent.
How to Comply with COPPA
There are no separate rules of how to comply with COPPA for websites than those that apply to a mobile app. All operators that are collecting data from kids under 13 must follow the same rules as mentioned above and to adapt the privacy functionalities to the medium they operate in.
However, there are slight differences in how to comply depending on which platform you're on.
Websites must comply with COPPA just as any mobile app is required to do so. That applies even if your website is an online game for kids.
"In compliance with COPPA (Children's Online Privacy Protection Act) and all European legislation currently in force, only the parents and legal guardians are permitted to give personally identifiable information concerning of child 12 and under: To comply with these laws, we have created the UpToTen User Account.
Through the UpToTen User Account, the child's parent or legal guardian can send all the information concerning their child(ren) that is necessary for the subscription process. The information we ask for allows us to deliver a personalized and fulfilling experience for club members.
Through the UpToTen User Account, the child's parent or legal guardian has immediate access to and complete control over the personally identifiable information UpToTen holds concerning them. The parent / guardian can modify or delete that information at any time through the UpToTen User Account."
UpToTen's agreement continues with specific sections that are guiding the parents to learn what personal information is collected, how and so on:
What sort of information is collected by this site ?
Concerning children (who therefore have the legal status of minor)
Concerning people who have reached the age of majority
Mattel's Privacy Statement details all the important information a parent needs to know about the data collected:
Avokiddo includes a cute heart icon with a note that the apps the company offers are compliant with both COPPA and the GDPR, which helps let parents know right away that the company cares about privacy:
To recap, if you have a website that collects data from kids under 13:
Provide direct notice to parents about your collection and use of kids' under 13 personal information
Get a parent verifiable consent before you start collecting the information
Include a parents' right section where parents can find instruction on their rights over their kids' collected data, how they can contact you to delete or refuse your collection and use of data
For iOS Apps
There are some other requirements here from Apple when it comes to kid's apps:
Apps intended for kids can't include third-party advertising or use third-party analytics
These apps can only ask for a birthdate and parental contact information to comply with laws and must include some sort of functionality and entertainment when asking