The Children’s Online Privacy Protection Act of 1998 (COPPA) is a U.S. Federal Act that restricts how organizations collect, manage or share personal data when their websites or online services are accessed by children in the U.S. aged 13 and under.
COPPA was introduced to the U.S. Senate in July 1998, signed into law on October 21, 1998, and took effect in April 2000. It is managed by the U.S. Federal Trade Commission (FTC).
While COPPA focuses on restricting the collection and/or distribution of children’s personal data, it also sets rules for how organizations must get verifiable parental consent when children use online services.
In essence, COPPA protects children’s privacy by giving parents control over their children’s online activities.
The Code of Federal Regulations Part 312.1 scope notes:
“This part implements the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501), which prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.”
The FTC revised COPPA in 2012 to strengthen children’s privacy and give parents more control over the collection of personal information from children. This revision expanded the coverage of COPPA to include apps, plugins, and devices that can connect to online services.
How to access the text of the COPPA
- Read the full text of the COPPA via the Code of Federal Regulations in the U.S. National Archives.
- Read the FTC’s explanation of COPPA.
Why was COPPA created?
Unauthorized access and misuses of personal information emerged as a major concern in the 1990s, as the internet became more popular.
Commercial websites began to be criticized for the way they targeted children with advertising, as well as for collecting children’s personal data without parental knowledge or consent.
In 1996, the Center for Media Education (CME) asked the FTC to investigate some high-profile websites aimed at children, amid claims some sites were using unfair and deceptive practices in their marketing to children.
The CME published research showing children did not understand privacy risks and were typically very naïve about the dangers of sharing personal information online.
In 1997, following the passing of the Driver’s Privacy Protection Act, the FTC reported that websites aimed at children could be regulated, and operators of these websites were told they need to inform parents about the privacy risks for children sharing personal information online.
The FTC’s guidelines for managing parental consent eventually became law with COPPA.
How is COPPA designed to protect children’s privacy?
Under COPPA, parents must be given control of their children’s online activities by the operators of a commercial website or online service.
- Parents have the right to be provided with a description of the types of personal information collected from children by the operator.
- Parents must be informed about the privacy policy.
- The privacy policy must be posted anywhere the operator intends to collect, retain and/or disclose personal information about children.
- Operators must get verifiable consent from the parents before collecting or using any personal information about their children.
- Parents have the right to monitor their children’s activities and review any personal information collected from their children.
- Parents have the right to request deletion of their children’s personal information.
- Parents have the right to withdraw permission at any time for the collection and/or use of their children’s personal information.
Does COPPA apply if children can voluntarily share information?
COPPA applies whether:
- A child is prompted or encouraged to share personal information to use a service or participate in an activity, or
- A child voluntarily posts personal information publicly.
In all cases, verifiable parental consent is required.
Does COPPA apply to personal information about children collected from parents?
While COPPA only applies to the collection of personal information from children, the FTC noted in its 1999 Statement of Basis and Purpose it also expects all operators to keep confidential any information collected from parents while:
- Obtaining parental consent
- Giving the parent access to review a child’s online activities.
Who is covered by COPPA?
COPPA applies to U.S. and international operators of commercial websites and online services that target children in the U.S. and collect personal information from them.
It also applies to organizations with ‘actual knowledge’ that they collect and/or retain personal information from users of websites or online services directed to children.
If the personal information of children in the U.S. can be or is collected by an operator of an online service, then COPPA applies – regardless of where the operator is based.
If a commercial organization wants to collect personal information about U.S.-based children, then informed and verifiable parental consent is required.
COPPA’s coverage includes:
- Commercial websites directed to children, including sites promoting and/or selling products or services aimed at children
- U.S. Federal Government websites and online services, along with any websites or online services operated by federal government contractors
- Internet-enabled gaming platforms
- Internet-connected mobile apps and software
- Internet-enabled devices, such as toys and smart home speakers
- Any technology that can be used to track location via the internet.
In some cases, where it’s clear children are the target audience, COPPA also applies to third-party providers of online services, such as ad networks and plugins that can collect, process and/or retain personal information (again, regardless of where these third parties are located).
Which kinds of websites and online services does COPPA not apply to?
COPPA does not apply to non-profit organizations operating websites or other online services. They are exempt under Section 5 of the FTC Act – unless they collect and use children’s personal information for any commercial purpose.
What are some signs a website or online service is ‘directed to children’?
COPPA outlines several factors to determine whether commercial websites or online services (including apps and internet-enabled toys and devices) are directed to (i.e. appeal to) children, including:
- Subject matter and language (i.e. lower reading-age vocabulary, or using phrases that engage children)
- Visual content: especially animated characters, young models or celebrities
- Child-oriented games, activities and incentives
- Music or audio, such as catchy tunes
- Advertisements for products or services aimed at children.
Additionally, a site or service can be considered as ‘directed to children’ if any competent and reliable empirical evidence shows:
- Children are the intended audience or a key segment
- Children regularly visit the website or service because it contains content that appeals to them.
What is considered ‘personal information’ of children under COPPA?
Personal information is any data, opinion or other information about an individual that could identify them.
Under COPPA, children’s personal information is defined as including any information provided by them, their parents or a third party, whether directly or by tracking their actions or participation in activities.
COPPA defines children’s personal information to include:
- First and last name
- Address of a child’s home or other physical location where they spend time, including names of streets, cities or towns
- Geolocation data sufficient to identify the name of a street and city or town where the child has spent time
- Telephone number/s
- Online contact information, such as an email address, username or screen name
- Persistent online identifiers, such as a profile, cookie, IP address, device serial number or other identifier to recognize a user over time and across different online locations, websites or services
- Any visual record (photo, video) or audio record containing a child’s image and/or voice
- Any personal information about the child’s parents, family members or friends.
- Any information about the child or the child’s parents that the operator collects from the child and combines with an identifier.
Decades of expertise in COPPA compliance
TrustArc has a long history of helping businesses comply with privacy regulations and verify compliance.
Our organization was founded in 1997 as a non-profit industry association called TRUSTe. Its mission was to guide businesses on privacy best practice and provide certification to businesses that demonstrated compliance with privacy standards. We have continued to build on this mission in the decades since then.