COPPA is a U.S. law that requires you to obtain parental consent for collection and use of personal information from children below 13 years of age.


What is COPPA

The COPPA law (Children's Online Privacy Protection Act), which operates under the Federal Trade Commission (FTC), was passed by the US Congress in 1998 and enacted in 2000.

The act also specifies what must be included in your Privacy Policy agreement, and when and how to seek verifiable consent from guardian or parent of children. Moreover, it defines your responsibility in upholding children's privacy and safety.

In addition, you have to provide full access to all user records, profiles, and log-in information when a parent requests it. Parents should be allowed to delete information about their children. However, they are not allowed to alter them.

COPPA was legislated because children did not really understand the negative implications of providing their personal information online.

Who must comply with COPPA

You have to comply with COPPA if you operate a commercial website or online service directed to children below 13 years old and you collect info from these children. Or if you operate a general audience website and you know you collect information from children.

All websites that collects, use and disclose info from children below 13 years of age have to meet the specified standards of this law.

What constitutes personal information?

COPPA requires that websites put up a Privacy Policy agreement wherever they collect personal information such as such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child.

Other types of personal information include hobbies, interests, and information obtained through tracking mechanisms such as cookies as long as they are individually identifiable.

How to obtain parental consent

While there is no specific guideline on how to obtain parental consent, the FTC has outlined several suggestions to ensure compliance:

  • Conspicuous downloadable consent forms that could be emailed or faxed to the operator
  • Use of parent's credit card to authenticate age and identity
  • Requiring parents to call a toll-free number
  • Consent form with digital signature

Basic provision and placement

There has to be a link to your legal agreement on your website's Home Page and the agreement must outline what information is collected.

The link to the legal agreement has to be made prominent through the use of larger font size or different font color or in the string of similar method.

Fines for violating COPPA

Logo of TinyCo

In September 2014, the FTC fined mobile game developer TinyCo $300,000 for collecting personal information from children such as email address in exchange for virtual currency.

The FTC claims that the company didn't notify parents that they were collecting information and ignored parents' complaints about it.

On top of the fine, TinyCo has also agreed to delete all information it has collected from children below 13 years old.

"As people – especially children – move more of their lives onto mobile devices, it's important that they have the same consumer protections when they're using an app that they have when they're on a website." said Jessica Rich, director of the F.T.C.'s Bureau of Consumer Protection. "Companies should take steps as they build and test their apps to make sure that children's information won't be collected without a parent's consent."

Companies should take steps as they build and test their apps to make sure that children's information won't be collected without a parent's consent.

TinyCo released a statement that said all its games now comply with COPPA:

TinyCo fully supports Coppa and the FTC's effort to protect the privacy and data of children online. We apologize to anyone affected by this issue, and want to be unequivocal in stating that TinyCo is fully committed to protecting user privacy, particularly when children are involved.

Logo of Yelp

Yelp, on the other hand, got in trouble with COPPA because even though several thousands of its users were identified as under 13 years of age based on the birth date they provided during registration, the company still collected their info including name, email address, location and the like.

The FTC fined Yelp fined $450,000 and ordered it to take down all info collected from its users younger than 13 years old from the time they registered to the service.

Difference between TinyCo and Yelp violations

TinyCo was clearly aimed at children.

Screenshot of Family Guy game

Those brightly colored animated characters and the simple language are tell-tale signs that their demographic is below 13 years old. Their violation was that they failed to notify the parents of users that they are collecting information in exchange for virtual currency.

Yelp, on the other hand, is a review website whose demographic isn't children. However, they had thousands of underage registrants based on birthdates provided yet those registrants were never blocked during the registration process.

Screenshot of Yelp San Francisco

To determine whether a website is aimed at children, the FTC will review factors such as subject matter, visual and audio content, the language and age of the model on the website, as well as the advertisements on the website.

To determine if a website is an "operator" the FTC will look into who owns and controls the info, who pays for the collection and maintenance of the info, and how the website collects and maintains the info.

Ensure compliance with COPPA

Ask for age

The very reason why COPPA exists in the first place is to protect the safety and privacy of children under 13 years of age. If you don't collect information from them or prevent them from registering to your service, you don't have to worry about COPPA.

Get parental consent

You must ensure that you're getting meaningful parental consent.

Collect as little information is possible

Ask yourself, "Do I need this information?".

If you collect information that is not crucial to your business' function and improvement, it's better to lay off the collection.

Know where you data is

One of COPPA provisions is to allow parents to access and delete their child's personal information when they request it so make sure you know where your data is at all times.

Don't share PII with the third party if you don't have to

You shouldn't share PII with third parties unless you really have to. To ensure that no vendor has access to the info you're collecting, run an audit from time to time.

Make you Privacy Policy as transparent as possible

You have to state every minute detail of what info you collect, how you use the info that you collect, where you store the info and who you share it with.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy