Children’s Online Privacy Protection Act (COPPA)

Any individual or organization (also known as “operator”) running a website or online service must comply with COPPA if they are:

• Directed at children, or
• Knowingly collect personal information from them

For example, this can be a commercial platform aimed at children under 13 that collects, uses, or shares their personal information. At the same time, it can be a site that has both children and adults on it, so platforms ned to be aware and have special policies regarding minors and their data collection separately. 

Personal information as per COPPA refers to:

• Any data collected online that can identify or be linked to an individual.
• Additional details, such as photos/videos, IP addresses, geolocation info, audio recording, and identifiers like cookies. 

Yes. COPPA also applies to businesses outside the U.S. if they target children located in the U.S.

Under COPPA, businesses must use appropriate safeguards to ensure the privacy, security, and integrity of any personal information collected from children.

This includes vital steps like:

• Only collecting necessary information.
• Ensuring that any third parties collecting data through your site follow the same standards.
• Keeping the information only as long as needed, and then securely deleting it.

These measures help protect children’s data and ensure compliance with COPPA.

Yes, the law has had several amendments and changes over the years:

• In 1998, COPPA was signed into law on October 21.
• In 2000, the Federal Trade Commission (FTC) issued the COPPA Rule, effective April 21, outlining how businesses must comply.
• In 2013, the FTC revised the rule to address new technologies and evolving data practices.
• In 2024, talks about the newly proposed Children and Teens’ Online Privacy Protection Act (COPPA 2.0) started in Congress. If passed, the new version would expand COPPA’s scope and strengthen its protections for children online. 

Operators collect personal information by requesting, prompting, or encouraging users to share their data, including cases where providing personal information is optional. COPPA also allows information to be publicly posted, such as in an open chat, or to passively track a child’s activity online.

COPPA requires businesses to obtain verifiable parental consent before collecting any personal information from children. 

In practice, this means providing parents with a notice where it’s explained why and how the data is collected, for example:

• That the business intends to collect personal information from their child.
• That if consent is not received within a reasonable time, the parent’s contact information will be deleted.
• That parental consent is required for the collection, use, and disclosure of the child’s information.
• How parents can provide their consent.
• The specific types of personal information being collected and how it may be shared.