The Children and Teens Online Privacy Protection Act (known as COPPA 2.0) was passed on July 30, 2024. It aims to protect the privacy of children and teens online.
This law updates the original Children's Online Privacy Protection Act (COPPA) with increased protections and requirements for websites whose users are reasonably likely to be minors or children.
In particular, COPPA 2.0 expands COPPA's requirement to ask for consent from children under 12 into a requirement to get permission from anyone under 17.
If your website is likely to be used by children or teens, you’ll need to make sure that you comply with COPPA 2.0. This article will cover what COPPA 2.0 is, who it applies to, what it requires, how to comply, and the penalties for not complying.
- 1. What is the Children and Teens' Online Privacy Protection Act (COPPA 2.0)?
- 2. Who Does the Children and Teens' Online Privacy Protection Act (COPPA 2.0) Apply to?
- 3. What Does the Children and Teens' Online Privacy Protection Act (COPPA 2.0) Require?
- 4. How Do You Comply with the Children and Teens' Online Privacy Protection Act (COPPA 2.0)?
  - 4.1. Privacy Policy Section on Children and Minors
  - 4.2. Write Using Clear and Simple Language
  - 4.3. Obtain Valid Consent for Data Collection
  - 4.4. Include an "Eraser" Button to Delete Data
- 5. What are the Penalties for Not Complying with the Children and Teens' Online Privacy Protection Act (COPPA 2.0)?
- 6. Summary
What is the Children and Teens' Online Privacy Protection Act (COPPA 2.0)?
The Children and Teens' Online Privacy Protection Act is also known as COPPA 2.0. It is an update to the Children’s Online Privacy Protection Act (COPPA).
COPPA 2.0 takes a stricter approach to protecting the rights of children, with higher standards of care for website owners.
Websites whose users are teenagers or children need to ensure that their users are safe, protected from privacy violations, and safeguarded from online advertising practices. This is what both COPPA and its update, COPPA 2.0, intend to do.
The Children and Teens' Online Privacy Protection Act (COPPA 2.0) has a number of key features. COPPA 2.0 increases the requirements of COPPA by:
- Expanding the entities that must comply from just websites or online services, to web apps, mobile apps, and Internet of Things (IoT) devices.
- Expanding the age range from anyone under 12, to anyone under 17 years old. This means that data cannot be collected on children under 17 without their consent.
- Prohibiting advertising that is targeted at children and teens.
- Requiring websites to comply if they are "reasonably likely" to be used by children or minors, rather than the previous standard in COPPA, which required "actually knowing" that a website would be used by minors.
- Requiring an "Eraser Button" on websites so that the personal information of children or teens can be easily deleted.
- Updating the "personal information" categories to include biometric indicators such as fingerprints, audio of voices, iris scans, images of faces, DNA information, or gait patterns.
You can see the differences in the following table:
| Main Features | COPPA 1.0 | COPPA 2.0 |
| --- | --- | --- |
| Applies to: | Websites, online services | Websites, online services, web apps, mobile apps, and IoT |
| Age range: | Anyone under 12 | Anyone under 17 |
| Advertising prohibited: | No | Yes |
| Standard of care: | Website "actually known" to be used by children | Website "reasonably likely" to be used by children or teens |
| Eraser button required: | No | Yes |
| Personal information covered: | Does not include biometric information | Includes biometric information |
Next, we'll consider who COPPA 2.0 applies to.
Who Does the Children and Teens' Online Privacy Protection Act (COPPA 2.0) Apply to?
The Children and Teens' Online Privacy Protection Act (COPPA 2.0) applies to any websites or platforms if they are:
- Aimed at children and minors with content that is "reasonably likely" to be used by people under 17, and you collect personal data from them, or
- Aimed at a general audience but have users that are "reasonably likely" to be under 17, and you collect personal data from them
This idea of users being "reasonably likely" to be children or minors is a much stricter standard than COPPA. COPPA only required "actual knowledge," while the Children and Teens' Online Privacy Protection Act (COPPA 2.0) casts a broader net.
The Future of Privacy Forum explains that "actual knowledge" referred to websites in which the operator knew the user's age, such as through age verification questions, or other information such as knowing the user's grade in school. COPPA does not require website operators to ask the age of users.
However, TinyCo, a mobile app developer, was fined $300,000 because it knew that some of its users were children (after complaints from parents), did not ask for consent, and ignored parents' complaints asking for the data to be deleted.
COPPA 2.0, on the other hand, only requires it to be "reasonably likely" that a user is a child. If a website or app is child-directed, e.g. made for children, it will be likely that users are children and you must comply with COPPA 2.0.
For general audience websites or mixed-audience websites, this determination will be much harder to make. Age verification questions can be used for website operators or app developers who want to be on the safe side.
Any website operators, including commercial and non-commercial websites, online services, apps, and Internet of Things (IoT) devices, or any other process of collecting personal data (plug-ins, online games) from minors or children must comply.
Personal data includes things like:
- Name
- Address
- Telephone number
- IP address
- Birthdate
- Email address
- Photographs
- Geolocation data
- Social security number
Note that this is not a complete list. There are other things (such as biometric data) that can be personal data. If the data you are collecting can be used alone or in combination to identify a person, it is likely to be personal data for legal purposes.
If your website is used by children and minors, and collects their personal data, you'll need to be careful about complying with COPPA 2.0. Let's take a look at the requirements.
What Does the Children and Teens' Online Privacy Protection Act (COPPA 2.0) Require?
The Children and Teens' Online Privacy Protection Act (COPPA 2.0) requires you to:
- Get appropriate consent
- Provide notice of what personal data is used for
- Only collect personal data from children for limited purposes
- Make it easy for children and parents to request that collected personal data be deleted
You must ask for consent from parents and teens to collect personal data if any of your website users are reasonably likely to be under 17.
It specifically requires that this consent must be "verifiable," as you can see in definition 9 of COPPA 2.0 here:
This means you have to use "reasonable effort" to request consent from a parent, or from a teen, and in that request you'll have to disclose what data you will be collecting, and for what purpose.
Consent can be obtained if you give "specific notice" of what personal information you will collect or use, as well as how you might disclose it to others.
You can see in the image below that you must also make sure that you provide this notice before any information is collected, and that the parent or teen "freely and unambiguously authorizes" the collection of that data:
You can do this by using a pop-up or a banner to notify users that you will be collecting data. We'll look at this in more detail below in the "How to Comply" section.
In addition, COPPA 2.0 only allows you to collect information on children and teens for limited purposes. This means that you cannot collect information in the same ways that you would for adults, such as for advertising and marketing:
You can see that you may only collect information on children and teens through your website for:
- Fulfilling the transaction or service of the website
- The website's functionality and internal operations
- Legal processes
Collecting information for marketing directed at children or teens, or at devices belonging to children or teens, is prohibited.
This is further emphasized in section 6, seen here:
Any other information that you want to collect can also only be collected with consent from the parent or teen. Section 3 of COPPA 2.0 also states that you must ask for consent to collect data no later than the collection point, i.e. you cannot ask for consent after the fact.
Finally, section 7 says that, as much as is "technologically feasible," you need to include a button on your website that allows parents or teens to erase their data or the data of their child.
This is called an "Eraser button," and has also been used in other countries (such as in European countries to comply with the GDPR), when requests are made to delete a user's data. We'll look at some examples below of how this can look on your website.
In the next section we'll also look at some examples of banners that you can use to get appropriate consent from any parents or teens who are using your website. We'll also discuss how to make sure that the consent is valid.
How Do You Comply with the Children and Teens' Online Privacy Protection Act (COPPA 2.0)?
You can comply with COPPA 2.0 by keeping true to what most privacy laws require. This includes having a Privacy Policy, asking for consent, and letting users delete their data. Some things about COPPA 2.0 are new, such as including an Eraser Button.
Here's an overview of the requirements you'll need to comply with COPPA 2.0. We'll go into each of these in more detail below:
- Having a clear and comprehensive Privacy Policy, which includes a section on collecting information from children and minors
- Using simple and clear language to communicate
- Giving notice to parents (and for COPPA 2.0, to children and minors directly)
- Obtaining valid consent
- Providing a way of reviewing what personal information has been collected
- Providing a way of rejecting consent or withdrawing it (e.g. by including a "Decline" button on a consent banner)
- Providing a way of deleting data ("Eraser Button")
The FTC includes a list of compliance measures on its website that you can take for COPPA. Many of these measures still apply for COPPA 2.0. You can see these measures described by the FTC below:
Additional steps recommended by the FTC include:
- Keeping children's information secure and confidential
- Only keeping children's information as long as necessary and not longer
- Not requiring children or minors to provide any more information than what is necessary to participate in the service
The FTC also provides additional resources, which you can read on its website.
Let's look now at how website components for consent might look, so that your website can be COPPA 2.0 compliant.
Privacy Policy Section on Children and Minors
You'll need to:
- Include a specific section in your Privacy Policy about collecting information from children and minors
- Only disclose children's information when strictly necessary
Let's look at each of these.
First, in your Privacy Policy you'll need a specific section about the collection of information from children and minors.
For example, the Walt Disney Company even has a specific Privacy Policy for children, to comply with COPPA. Policies like this can also be used for COPPA 2.0.
Here's an example of a section from Walt Disney's policy, where it discusses what information they collect from children and how it will be used:
You can also see in the below section that they only disclose the information of children when strictly necessary for service providers, or when required by law:
Write Using Clear and Simple Language
Your Privacy Policy should be written in clear, simple language, so that any teenagers reading it can easily understand it. A person between 13 and 16 may not understand complex language and cannot give valid consent if they do not understand.
When writing your Privacy Policy, make sure to do the following:
- Use clear and simple language
- Make sure it can be understood by a teenager or young person
- Use methods such as bullet points
- Use simplified explanations of terms, such as "IP address"
A good example of a clearly written Privacy Policy for parents of children, as well as for teens, is this one from the Cartoon Network:
You can see that the information is written in a very clear, simple form. It also lists the bullet points of what data might be collected.
Note that the policy doesn't use words like "IP address," which a child may not understand. Instead, it uses words like "numbers that identify your account or electronic device."
This is good practice to ensure that your Privacy Policy is written in an understandable way for young people.
Obtain Valid Consent for Data Collection
Once your Privacy Policy is compliant and includes relevant sections about collecting children's information and keeping it safe, you need to make sure that you get appropriate consent for this.
To obtain valid consent, you can do the following:
- First use an age verification step, to decide which information to present (e.g. simplified Privacy Policy)
- Use a pop-up or banner to grab attention
- Refer to parental consent (e.g. "You'll need your parents for this!") if you need to obtain the consent of an adult
- Use clear and obvious language
- Present equal-sized and equally-presented "Accept" and "Deny" buttons for cookies or your Privacy Policy on banners or pop-ups
If you want to be more careful about whether your website is being used by adults or children, you can also include an age verification step.
This can look something like this example from Jack Daniels, which wants to prevent minors from using its website:
When you want to get the consent of a parent or a teen, you can also provide a pop-up banner, such as this example from the Cartoon Network:
You can see on the banner that it's specifically telling children to ask a parent or guardian for help with this consent banner. This is good practice to show that you are trying to ensure that parents receive appropriate notice and can give their consent.
Make sure that the language on the banner is clear and obvious. When you are creating interfaces intended for young people, they need to be simpler than for adults. This means that any buttons should be a clear "Accept" or "Deny," without complex additional information or settings.
Include an "Eraser" Button to Delete Data
Once your Privacy Policy, age verification, and consent banner are set up, you also need to include an "Eraser" button or "Delete your data" button.
This button will need to:
- Be easily found by users
- Provide clear information that the Eraser button will delete all data
- Follow up with internal procedures to make sure data is actually deleted
This is already done by some other websites that are trying to comply with the GDPR. Here's an example from Google:
You can see that in Google's options, there is a choice to delete your Google account, which will delete all of your data. When you click on this option, you have the choice to remove any data that Google knows about you.
A similar approach can be used to create a COPPA 2.0 "Eraser button," in which parents, children and minors can delete their data easily from your website.
One of the complexities of COPPA 2.0 comes from the higher end of the age range: teenagers around 15, 16, or 17 may read content on the internet that is reasonably close to adult content.
In particular, aside from appropriate consent processes, you will need to take extra care to ensure that you are not serving advertising or marketing content to teenagers in this age range.
One example of how to do this comes from Google's Ad-serving protections for teens. It states that when they know a user is below 18 but above the age of consent (13), Google restricts ads in certain ways. You can see this in the image below:
When COPPA 2.0 comes into force, you'll have to restrict advertising or marketing to anyone under 17.
What are the Penalties for Not Complying with the Children and Teens' Online Privacy Protection Act (COPPA 2.0)?
Specific penalties are not named in COPPA 2.0, but they will likely be in line with the penalties under COPPA.
The Federal Trade Commission (FTC) is in charge of penalties and enforcement, and has already fined companies millions of dollars for COPPA violations.
The amount that the FTC has stated is "up to $51,744 per violation," which can add up quickly if numerous children access your website without safeguards in place.
The penalties will also depend on how many children or minors had their data privacy breached, what type of personal information was collected and how it was used, as well as whether this data was shared with any other companies or sold.
If your company is larger, you are likely to face higher fines than a smaller company. In addition, if you have violated COPPA in the past, you are also likely to face higher fines.
Make sure that you bring your website into compliance before you continue operating, so that you aren't at risk of compliance issues and hefty penalties. With COPPA 2.0, fines are likely to be even higher than COPPA, as the FTC and other privacy enforcement agencies have been increasingly cracking down on privacy violations around the world.
Summary
COPPA 2.0 brings about a number of big changes in terms of children's and teens' privacy online. The penalties are likely to be higher for non-compliance, and the requirements are stricter. The expanded age range may also be a compliance risk for a wide range of websites, apps, and services.
If your website, app or platform is reasonably likely to be used by children or teens, make sure that you have a Privacy Policy that is compliant with COPPA 2.0, and provide an appropriate way that parents and teens can unambiguously consent before data is collected.
Don't forget to include an "Eraser Button" so parents and teens can easily delete any data. By following these steps, you'll be in good shape to meet your COPPA 2.0 compliance obligations.