COPPA: Children’s Online Privacy Protection Act Explained

Business owners whose websites or online platforms collect information from children under the age of 13 need to ask themselves an important question:

“Am I compliant with the Children’s Online Privacy Protection Act (COPPA)?”

COPPA, a federal U.S. law, protects the privacy of minors, and the consequences of violating it are severe.

If you’re unsure if this act applies to you or don’t know how to comply, keep reading — our COPPA compliance guide will answer your questions and help protect your business and the children using your platform.

  1. What Is the Children’s Online Privacy Protection Act (COPPA)?
  2. COPPA Key Terms and Definitions
  3. What Does the Children’s Online Privacy Protection Act Cover?
  4. Requirements of the Children’s Online Privacy Protection Act
  5. COPPA vs. US State Privacy Laws: Similarities and Differences
  6. How Are Consumers Impacted by COPPA?
  7. How Are Businesses Impacted by COPPA?
  8. Who Must Comply With COPPA?
  9. How Can Businesses Comply With COPPA?
  10. How Is COPPA Enforced?
  11. Fines and Penalties Under the Children’s Online Privacy Protection Act
  12. How Termly Helps With COPPA Compliance
  13. Are There Other Privacy-Related Laws in the US?
  14. Summary

Key Takeaways

What Is the Children’s Online Privacy Protection Act (COPPA)?

COPPA is a federal U.S. law that establishes a strict set of guidelines online businesses must follow to protect the privacy of children under the age of 13.

Designed to limit the amount of information businesses collect from young children, COPPA applies to any company worldwide that processes children’s data in the U.S.

COPPA Effective Date

COPPA was signed into law in 1998 and took effect in April 2000.

The Federal Trade Commission (FTC) manages the law and updated it in 2013 to include stronger provisions.

COPPA Key Terms and Definitions

To understand how the FTC enforces COPPA and what it means for online businesses, let’s look at how COPPA defines some key terms.

Operator

The FTC considers any website or online service that collects or controls personal information or pays for the collection or maintenance of this information to be an “operator.”

Read the entire definition of operator (as it appears in COPPA) below:

“Any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such Web site or online service, or on whose behalf such information is collected or maintained, or offers products or services for sale through that Web site or online service, where such Web site or online service is operated for commercial purposes involving commerce among the several States or with 1 or more foreign nations; in any territory of the United States or in the District of Columbia, or between any such territory and another such territory or any State or foreign nation; or between the District of Columbia and any State, territory, or foreign nation. This definition does not include any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45). Personal information is collected or maintained on behalf of an operator when:

(1) It is collected or maintained by an agent or service provider of the operator; or

(2) The operator benefits by allowing another person to collect personal information directly from users of such Web site or online service.”

Personal Information

COPPA’s definition of personal information includes “persistent” identifiers, which include details that may identify a person over time, like IP addresses.

Read exactly how COPPA defines personal information below:

Individually identifiable information about an individual collected online, including:

If your website collects personal information using cookies, you must publish a cookie policy to detail those activities.

Collecting

According to COPPA, “collecting” includes:

Below, you can read exactly how COPPA defines collects or collection in its entirety:

The gathering of any personal information from a child by any means, including but not limited to:

(1) Requesting, prompting, or encouraging a child to submit personal information online;

(2) Enabling a child to make personal information publicly available in identifiable form. An operator shall not be considered to have collected personal information under this paragraph if it takes reasonable measures to delete all or virtually all personal information from a child’s postings before they are made public and also to delete such information from its records; or

(3) Passive tracking of a child online.

Disclose

COPPA uses a broad definition for the term disclose or disclosure, which encompasses everything from making the data publicly available to releasing it for any purpose.

Read the entire definition as it appears in the text of the law below:

“… with respect to personal information:

(1) The release of personal information collected by an operator from a child in identifiable form for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the Web site or online service; and

(2) Making personal information collected by an operator from a child publicly available in identifiable form by any means, including but not limited to a public posting through the Internet, or through a personal home page or screen posted on a Web site or online service; a pen pal service; an electronic mail service; a message board; or a chat room.”

Obtaining Verifiable Consent

To collect or process personal data from children under COPPA, you must make every reasonable effort to obtain verifiable consent from a legal guardian.

Read exactly how the law defines this term below:

“Making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child:

(1) Receives notice of the operator’s personal information collection, use, and disclosure practices; and

(2) Authorizes any collection, use, and/or disclosure of the personal information.”

Now that you know the essentials of COPPA and its purpose, let’s examine whether your business is subject to this law and how you can comply.

What Does the Children’s Online Privacy Protection Act Cover?

The Children’s Online Privacy Protection Act covers the information of children in the U.S. under 13 years old by ensuring websites, mobile apps, plugins, and toys with online features process their data properly.

Not only does COPPA establish guidelines for how online businesses should treat children’s information, but it also penalizes companies that fail to follow these guidelines.

For example, in 2019, the FTC hit YouTube with a COPPA fine of $170 million for illegally harvesting children’s data and targeting ads at kids without their parents’ consent.

Requirements of the Children’s Online Privacy Protection Act

We’ve broken down the COPPA compliance requirements businesses must implement in the following sections.

Create a COPPA-Compliant Privacy Policy

Businesses must publish a privacy policy that meets the law’s strict requirements.

Even if you already have a privacy policy on your website or app, it may not satisfy COPPA’s specific guidelines.

According to the FTC’s rules, your privacy policy must include the following information:

It must also feature an explanation of legal guardians’ rights, including the rights to:

You can meet some of these guidelines by adding a COPPA disclosure to your website, which the education software Classkick does in its privacy policy, pictured below.

[Image: COPPA disclosure in Classkick’s privacy policy]


When creating your COPPA privacy policy, remember to contact any third parties you work with and ask about their data collection methods, which you must include in your privacy policy.

Finally, you must feature your privacy policy on the homepage of your website and anywhere you collect information from children.

You can download and edit a privacy policy template to meet COPPA’s guidelines and accurately reflect your website’s data-handling practices.

Provide a Notice to Parents

Before collecting information from children, COPPA requires that you present a direct notice to parents requesting their consent.

The following is what must be in your direct notice to the parent required under COPPA:

Additionally, you should provide a direct notice to parents and legal guardians any time you change what information you collect or modify how it is collected.

Get Verifiable Parental Consent

Verifiable parental consent is consent given by a parent or guardian in which you’ve reasonably confirmed the identity of said parent or guardian.

Under COPPA, you must obtain this consent before collecting information from children.

These are acceptable methods for obtaining consent from parents and authenticating their identity:

If the information you collect is only for your business’s internal use, then you may use what’s known as the “email plus” method to collect parents’ consent:

If you are using the “email plus” method, you must ensure that you do not disclose any personal information of children during the process of verifying consent.

For a COPPA compliance checklist, the FTC offers a 6-Step Plan that walks you through the entire process.

Consent Exemptions

COPPA outlines several scenarios where you don’t need to obtain parental consent before collecting personal information from users under the age of 13, including:

COPPA vs. US State Privacy Laws: Similarities and Differences

The Children’s Online Privacy Protection Act is a federal law in the U.S., but several states also have data privacy laws in place or taking effect over the next few years, including the:

You can compare some of the requirements of COPPA to the U.S. state laws in the table below.

State Law | Opt-in consent for certain types of data processing | Opt-out consent for certain types of data processing | Must present users with a privacy policy (or notice) | Requires Data Protection Assessments | Outlines Contractual Obligation with Third-Party Processors | Allows for civil lawsuits or private right of action | Must honor Global Privacy Controls/browser privacy settings
COPPA
CCPA/CPRA
CPA
CTDPA
DPDPA
FDBR
Indiana CDPA
Iowa CDPA
MCDPA
ODPA
TIPA
TDPSA
UCPA
VCDPA

Stay up to date on US state privacy laws with our US data privacy laws tracker.

How Are Consumers Impacted by COPPA?

COPPA impacts consumers by protecting the privacy of children under 13, allowing for a safer internet for minors.

The law gives rights to legal guardians regarding how and if their children’s data gets collected and used.

That choice, control, and transparency means parents and guardians can make more informed choices to keep their kids safer online.

Who Does COPPA Apply To?

The Children’s Online Privacy Protection Act applies to children under 13 in the United States.

It does not protect anyone older than 13 or who is located outside of the U.S.

How Are Businesses Impacted by COPPA?

Even though COPPA is a U.S. law, it impacts businesses around the globe — even those that don’t necessarily target children under 13.

How Does COPPA Affect My Privacy Policy?

COPPA heavily impacts all businesses’ privacy policies.

If your business is subject to COPPA, you must follow particular requirements in your privacy policy, which include:

Additionally, you must place a link to your policy wherever data collection of a child occurs.

Even if COPPA doesn’t apply to you, you must include a clause in your privacy policy stating that you don’t target children or knowingly collect their personal information.

You also must explain how parents or guardians can contact you if they believe you’ve accidentally collected data about their child.

Who Must Comply With COPPA?

Your business must comply with COPPA if you’re for-profit and collect personal information from children under 13 who reside in the U.S.

Many people assume this privacy law only affects websites, but COPPA’s compliance requirements apply to the majority of online services, including the following:

Even if your online business is located outside the United States, the FTC could come after you if you market to American consumers, as was the case with the Chinese app maker BabyBus.

If your business falls into any of the categories above, you need to assess whether you meet the FTC’s definition of “targeting children” — the FTC considers factors like:

If your business or website covers any subject matter that appeals to children 13 and under — or your service is used by sites that do — then you must fully comply with the law.

In addition to COPPA, if you collect personal info from EU citizens, you’ll need to ensure your business complies with the General Data Protection Regulation (GDPR).

Who Is Exempt From COPPA?

Nonprofit organizations that don’t need to follow Section 5 of the FTC Act are exempt from following COPPA.

Or, if your services aren’t available in the U.S. and you don’t target minors, you don’t need to follow COPPA requirements.

Regardless, don’t forget that you still must include a clause in your privacy policy stating that you aren’t subject to the specific COPPA requirements.

How Can Businesses Comply With COPPA?

Businesses can comply with COPPA by ensuring they have a compliant privacy policy that meets all obligations described by the law.

You should also implement a process for verifying and obtaining appropriate consent from parents or legal guardians before collecting any personal information from minors.

How Is COPPA Enforced?

The FTC and state Attorney General offices enforce COPPA and impose high penalties on companies that fail to comply.

For example, in 2016, New York’s Attorney General found that Viacom, Mattel, JumpStart, and Hasbro violated COPPA because one of their advertising partners used cookies to track the personal information of their users.

To find violators, the FTC encourages internet users to submit a complaint for a site that they think is violating the guidelines.

Actual Knowledge

Part of the FTC’s enforcement process for COPPA is determining if an operator has “actual knowledge” that they’re targeting and collecting information from children under 13.

If the FTC discovers that an operator has “actual knowledge” of such data processing but is not compliant with COPPA, a judge will likely enforce a steeper penalty for blatant disregard of the legislation.

Fines and Penalties Under the Children’s Online Privacy Protection Act

COPPA violations can now reach a maximum penalty of up to $50,120 per violation, according to the FTC.

If you collect personal information from only ten children but violate COPPA, you could be fined up to $501,200.

In the past, the maximum penalty was $16,000, which was increased to $40,654 in 2016.

Generally, the penalty amount a business receives depends on how flagrant the violation is and how much the company gained from the personal information.

As you can see in the chart below, several prominent companies have been penalized.

Name | Date | Fine | Reach | Cost Per
Ms. Fields Famous Brands | 2/27/2003 | $100,000 | 84,000 | $1.19
Xanga.com | 9/7/2006 | $1,000 | 1,7000,000 | $0.59
Imbee.com | 1/30/2008 | $130,000 | 10,500 | $12.38
Sony BMG Music Entertainment | 10/11/2008 | $1,000,000 | 30,000 | $33.33
Iconix Brand Group | 10/20/2009 | $250,000 | 1,000 | $250
Playdom, Inc. | 5/13/2011 | $3,000,000 | 1,244,000 | $2.45
W3 Innovations LLC | 9/8/2011 | $50,000 | 50,000 | $1
Skidekids.com | 11/8/2011 | $100,000 | 56,000 | $17.86
RockYou, Inc. | 3/27/2012 | $250,000 | 79,000 | $1.40
Artist Arena LLC | 10/4/2012 | $1,000,000 | 75,000 | $13.33
Path, Inc. | 2/1/2013 | $800,000 | 3,000 | $266.67
YouTube | 9/4/2019 | $170,000,000 | N/A | N/A

While $170 million might not be much to a large company like YouTube, it could easily destroy a small or medium-sized business.

Season 4 of the HBO show Silicon Valley includes a fictional story that reflects a real possibility: an employee discovers that his company lacks a privacy policy but is already collecting user data, meaning the company has violated COPPA and is liable for upwards of $25 billion!

YouTube and COPPA Compliance

In 2019, YouTube received a $170 million fine for violating COPPA, which serves as a good example of how the FTC enforces COPPA.

Technically, YouTube’s parent company, Google, received the record-breaking penalty for using cookies to track children’s browsing habits on kids’ channels without obtaining parental consent.

The video-sharing service profited from the children’s information by delivering targeted ads on those channels.

As a result of the investigation, YouTube notifies channel owners that their content is subject to COPPA and allows them to identify “child-directed content.”

The new system means YouTube content creators are now fully responsible for their content and must correctly set their channel’s audience or face individual COPPA fines from the FTC.

Check out our list of the biggest GDPR fines for examples of more record-breaking penalties in data privacy.

How Termly Helps With COPPA Compliance

Termly offers a Privacy Policy Generator and a Privacy Policy Template that complies with several privacy laws from around the world.

The generator asks basic questions about your business and data processing activities and makes a unique privacy policy you can embed directly on your website or app.

To use the template, you fill in blank sections of the document with details about how your website or app collects and processes data.

You can then edit the template or portions of the generator to meet the requirements of COPPA.

We even offer a privacy policy writing guide if you want to take a crack at it yourself (not recommended).

Are There Other Privacy-Related Laws in the US?

While the U.S. does not currently have a federal consumer data privacy law, some privacy-related laws exist, including the following:

Each state also has a data breach notification law that outlines what entities must do and within what timeframe when a cyber or data breach occurs.

The American Digital Privacy & Protection Act (ADPPA) is a U.S. federal data privacy law that is currently in limbo.

Summary

Let’s recap the key points about what COPPA compliance looks like for online businesses:

If you’re looking for further COPPA guidance for your operations, start with the following resources:

If your business is subject to COPPA, build a privacy policy and customize it to meet the law’s requirements to avoid penalties.

Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park.