COPPA is a U.S. law that requires you to obtain parental consent for collection and use of personal information from children below 13 years of age.
What is COPPA
The COPPA law (Children's Online Privacy Protection Act), which operates under the Federal Trade Commission (FTC), was passed by the US Congress in 1998 and enacted in 2000.
The act also specifies what must be included in your Privacy Policy agreement, and when and how to seek verifiable consent from guardian or parent of children. Moreover, it defines your responsibility in upholding children's privacy and safety.
There are two main reasons why you need a Privacy Policy:
✓ Privacy Policies are legally required. A Privacy Policy is required by global privacy laws if you collect or use personal information.
✓ Consumers expect to see them: Place your Privacy Policy link in your website footer, and anywhere else where you request personal information.
Generate an up-to-date 2024 Privacy Policy for your business website and mobile app with our Privacy Policy Generator.
One of our many testimonials:
"I needed an updated Privacy Policy for my website with GDPR coming up. I didn't want to try and write one myself, so TermsFeed was really helpful. I figured it was worth the cost for me, even though I'm a small fry and don't have a big business. Thanks for making it easy."
Stephanie P. generated a Privacy Policy
In addition, you have to provide full access to all user records, profiles, and log-in information when a parent requests it. Parents should be allowed to delete information about their children. However, they are not allowed to alter them.
COPPA was legislated because children did not really understand the negative implications of providing their personal information online.
Who must comply with COPPA
You have to comply with COPPA if you operate a commercial website or online service directed to children below 13 years old and you collect info from these children. Or if you operate a general audience website and you know you collect information from children.
All websites that collects, use and disclose info from children below 13 years of age have to meet the specified standards of this law.
What constitutes personal information?
COPPA requires that websites put up a Privacy Policy agreement wherever they collect personal information such as such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child.
Other types of personal information include hobbies, interests, and information obtained through tracking mechanisms such as cookies as long as they are individually identifiable.
How to obtain parental consent
While there is no specific guideline on how to obtain parental consent, the FTC has outlined several suggestions to ensure compliance:
- Conspicuous downloadable consent forms that could be emailed or faxed to the operator
- Use of parent's credit card to authenticate age and identity
- Requiring parents to call a toll-free number
- Consent form with digital signature
Basic provision and placement
There has to be a link to your legal agreement on your website's Home Page and the agreement must outline what information is collected.
The link to the legal agreement has to be made prominent through the use of larger font size or different font color or in the string of similar method.
Fines for violating COPPA
In September 2014, the FTC fined mobile game developer TinyCo $300,000 for collecting personal information from children such as email address in exchange for virtual currency.
The FTC claims that the company didn't notify parents that they were collecting information and ignored parents' complaints about it.
On top of the fine, TinyCo has also agreed to delete all information it has collected from children below 13 years old.
"As people "especially children" move more of their lives onto mobile devices, it's important that they have the same consumer protections when they're using an app that they have when they're on a website." said Jessica Rich, director of the F.T.C.'s Bureau of Consumer Protection.
Companies should take steps as they build and test their apps to make sure that children's information won't be collected without a parent's consent.
TinyCo released a statement that said all its games now comply with COPPA:
TinyCo fully supports Coppa and the FTC's effort to protect the privacy and data of children online. We apologize to anyone affected by this issue, and want to be unequivocal in stating that TinyCo is fully committed to protecting user privacy, particularly when children are involved.
Yelp, on the other hand, got in trouble with COPPA because even though several thousands of its users were identified as under 13 years of age based on the birth date they provided during registration, the company still collected their info including name, email address, location and the like.
The FTC fined Yelp fined $450,000 and ordered it to take down all info collected from its users younger than 13 years old from the time they registered to the service.
Difference between TinyCo and Yelp violations
TinyCo was clearly aimed at children.
Those brightly colored animated characters and the simple language are tell-tale signs that their demographic is below 13 years old. Their violation was that they failed to notify the parents of users that they are collecting information in exchange for virtual currency.
Yelp, on the other hand, is a review website whose demographic isn't children. However, they had thousands of underage registrants based on birthdates provided yet those registrants were never blocked during the registration process.
To determine whether a website is aimed at children, the FTC will review factors such as subject matter, visual and audio content, the language and age of the model on the website, as well as the advertisements on the website.
To determine if a website is an "operator" the FTC will look into who owns and controls the info, who pays for the collection and maintenance of the info, and how the website collects and maintains the info.
Ensure compliance with COPPA
Ask for age
The very reason why COPPA exists in the first place is to protect the safety and privacy of children under 13 years of age. If you don't collect information from them or prevent them from registering to your service, you don't have to worry about COPPA.
Get parental consent
You must ensure that you're getting meaningful parental consent.
Collect as little information is possible
Ask yourself, "Do I need this information?".
If you collect information that is not crucial to your business' function and improvement, it's better to lay off the collection.
Know where you data is
One of COPPA provisions is to allow parents to access and delete their child's personal information when they request it so make sure you know where your data is at all times.
Don't share PII with the third party if you don't have to
You shouldn't share PII with third parties unless you really have to. To ensure that no vendor has access to the info you're collecting, run an audit from time to time.
Make you Privacy Policy as transparent as possible
You have to state every minute detail of what info you collect, how you use the info that you collect, where you store the info and who you share it with.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.