Neumetric

Children’s Online Privacy Protection Rule [COPPA]: Everything That You Need to Know

Introduction

Have you ever wondered how websites & apps collect data from children or whether they have strict rules around getting parental consent? With children spending more & more time online using websites, mobile apps & internet-connected devices, protecting their privacy is more important than ever. 

That’s where the Children’s Online Privacy Protection Act comes in. It is a US federal law passed in 1998 that imposes certain requirements on website & online service operators to protect the privacy & safety of children under thirteen (13) years old. Understanding COPPA is crucial for any business that collects personal data from children.

In this comprehensive Journal, we will cover everything you need to know about COPPA, including:

  • What is COPPA & what does it do? 
  • Who does COPPA apply to? 
  • What information is covered under COPPA?
  • What parental consent requirements exist under COPPA?  
  • How can companies comply with COPPA regulations?
  • What are the penalties for COPPA violations?
  • Recent COPPA updates & future outlook

Let’s dive in & explore the key aspects of this important online privacy law.

What is COPPA & What Does it Do?

COPPA stands for the Children’s Online Privacy Protection Act. It is a federal law that was passed by the US Congress in 1998 & put into effect by the Federal Trade Commission [FTC] in 2000.

The goal of this act is to grant parents control over what information websites & online services can collect from children under thirteen (13) years old. It aims to protect children’s personal details, such as name, address, location, photos, videos & more, from being shared online without the proper consent.

Specifically, COPPA imposes certain privacy requirements on:

  • Website & online service operators that collect, use or disclose personal information from children under thirteen (13).
  • Website or online service operators of general audience sites that knowingly collect personal data from children under thirteen (13).

Essentially, COPPA shifts the burden onto website & app operators to obtain verifiable parental consent before collecting, using or disclosing any personal information from children.

This includes getting consent from parents before:

  • Collecting a child’s name, address, email, location, photos, videos, audio recordings
  • Requiring the child to submit personal details to register on the site 
  • Allowing children under thirteen (13) to publicly post or share personal information
  • Using tracking technologies like cookies, advertising IDs, location data, camera/microphone access on the device that could identify a visitor under thirteen (13)

COPPA ensures parents & legal guardians can control their child’s data sharing while also prohibiting websites from requiring children under thirteen (13) to provide more information than necessary to access content or features.

Who Does COPPA Apply To? 

COPPA applies to any website, app, online service or third parties that are directed to children under thirteen (13) years old or have actual knowledge they are collecting information from users under thirteen (13).

The FTC considers a variety of factors when determining if a website or online service is “directed to children”, including:

  • Subject matter, visual content, characters, music, language
  • Presence of child celebrities, toys, animated characters 
  • Advertising content directed to children
  • Look & feel of the site that appeals to children under thirteen (13) 
  • Empirical evidence regarding intended audience

Even if a website or app is meant for a general teen or adult audience, COPPA rules still apply if the operator knows it is collecting personal data from children under the age of thirteen (13).  

Here are some examples of websites, services & data practices covered by COPPA regulations:

  • Kids gaming & entertainment sites, apps, YouTube channels
  • Educational websites & apps for homework help  
  • Social media apps like Facebook or TikTok 
  • Mobile app developers who collect location data, photos, audio/video recordings
  • Ad networks & data brokers monitoring sites to serve targeted ads
  • Marketing companies building profiles on underage users  
  • Apps requiring registration & submitting personal info to create an account or profile
  • Smart toys with cameras, microphones & voice recorder functions
  • Websites using cookies, advertising IDs, location data to track site behavior

Essentially, any digital activity where children under thirteen (13) are supplying data or having their data collected falls under COPPA compliance rules.

What Information is Covered By COPPA?

COPPA covers “personal information” collected from children under the age of thirteen (13). This includes:

  • First & last name 
  • Home or other physical address
  • Online contact information – email address, social media handle, user name, screen name
  • Telephone number  
  • Social Security Number [SSN]
  • Photo, video or audio file containing a child’s image or voice
  • Geolocation information sufficient to identify street name or name of city/town
  • Persistent identifiers like IP address, cookies, advertising IDs that can recognize a user over time
  • Any other info that permits contact with the child outside the site 

General audience websites & services only fall under COPPA if they have actual knowledge they are collecting data from users under thirteen (13). Actual knowledge could include:

  • A child directly discloses his/her age as under thirteen (13) 
  • Having a user select their age from a drop-down menu
  • Collecting date of birth showing the user is under thirteen (13)
  • A parent informs the operator their child is using the service  
  • Using an age-screening mechanism based on neutral factors (not aimed to maximize underage collection)
  • An operator recognizes child-oriented keywords, usernames, look & feel indicating users likely under thirteen (13)

If any personal information as described above is knowingly collected from children, COPPA rules require action to gain verified parental consent.

What Are the Parental Consent Requirements Under COPPA?

Valid parental consent is mandatory under COPPA before: 

  • Collecting, using or disclosing personal data from a child under thirteen (13)
  • Allowing a child to publicly post personal data, such as their name, on a site or app
  • Passively tracking activity using persistent identifiers without notifying parents first

Verifiable parental consent requires website & app operators to:

  • Make reasonable efforts (taking into account available technology) to give parents notice & choice regarding data collection & use practices that pertain to their child.
  • Give the parent “full & complete” information about what data is collected, who it’s shared with, how it’s used & any rights they have over their child’s personal details  
  • Make consent requests that draw the parent’s attention & are written in clear language easily understood by a wide audience
  • Receive consent directly from the parent allowing collection, use & disclosure of the child’s data

The most common COPPA-compliant parental consent methods include:

  • Collecting a signed permission slip scanned or faxed from the parent 
  • Requiring the parent to use a print-and-send form giving their consent
  • Having the parent call a toll-free phone number staffed by trained personnel to provide consent orally
  • Email coupled with additional steps to provide assurance it’s the parent responding 
  • Video conference with trained personnel capable of making credibility determinations  

Exceptions: Verifiable parental consent under COPPA is not required when:

  • An operator collects a parent’s online contact information only to obtain parental consent. 
  • An operator collects a child’s online contact information to respond directly, on a one-time basis, to a specific information request from the child, as long as it’s not published, publicly posted or otherwise shared.
  • An operator collects persistent identifiers used to support internal operations, as opposed to tracking or profiling.
  • An operator uses a child’s personal information to protect the security & integrity of a site or app, take precautions against liability or respond to a judicial process.

How can Companies Comply with COPPA Regulations?

Website, app & online service operators have a few options when it comes to complying with COPPA regulations surrounding children’s data collection & privacy:

Do Not Collect Data from Children Under Thirteen (13)

The simplest way to comply is to avoid knowingly collecting any personal information from children under thirteen (13) altogether.  Operators can:

  • Block registration by users under thirteen (13) with tools like age gates
  • Implement an age-screening system upfront backed by neutral factors indicating audience over thirteen (13)
  • Install mechanisms that automatically delete or flag profiles appearing to be children under thirteen (13)

Collect Data Only with Parental Consent

Alternatively, operators can put systems in place to get properly vetted parental consent before collecting, using or disclosing kids’ personal information covered under COPPA. This includes:

  • Email coupled with additional identity checks 
  • Credit card verification
  • Toll-free phone call verification  
  • Digital signature containing qualities establishing identity
  • Video conferencing to make credibility determinations  

Consent systems must provide the means for parents to review their children’s personal details, revoke consent & have their data deleted at any time.

Collect & Delete Data Immediately After Single Interaction

Operators can also choose to communicate directly with a child on a one-time basis in order to respond to their request – but must delete data immediately after. This includes:

  • Receiving & promptly responding to one-time requests from a child for information like homework help or contest entry
  • Not sharing the contact information publicly or using it to re-contact the child
  • Not using persistent identifiers for future tracking or data merges

Collect Non-Personal Information for Internal Operations

Less sensitive data like IP addresses, cookies, advertising IDs can be collected from child users to support internal ops like site safety, security, debugging, customization, analytics. However, operators cannot use them for profiling or behavioral advertising without consent.

Age-Screen Users 

Operators not directed at children but who want to allow under thirteen (13) users can employ an age-screen as long as it’s neutral (not aimed to maximize collection from children). This puts the burden on users to confirm if they are over thirteen (13) if any data collection or tracking tools are enabled on the site/app.

What are the Penalties for COPPA Violations? 

Failure to abide by COPPA regulations can lead to substantial penalties enforced by the US Federal Trade Commission. Violations may include:

  • Failing to post a privacy policy about children’s data collection practices  
  • Neglecting to provide direct parental notice & obtain consent prior to collecting personal info from kids under thirteen (13)
  • Asking children under thirteen (13) questions that are more burdensome than what an adult would face to access content
  • Collecting more data than necessary from children under thirteen (13) just to participate on the site or app
  • Retaining children’s data longer than reasonably necessary
  • Failing to establish procedures for parental access to & review of data collected from their child
  • Lacking safeguards for the confidentiality, security & integrity of stored children’s data
  • Using persistent identifiers to track children online without first obtaining parental consent
  • Illegally conditioning a child’s participation on them submitting more personal details than needed  

First-time violations of COPPA can possibly lead to civil penalties up to $44,000 USD per violation. But some recent COPPA cases have ended in multi-million dollar settlements, like the FTC’s $170 million USD penalty against YouTube.

Beyond hefty fines, additional consequences of COPPA violations include:

  • Reputational damage & eroded consumer trust 
  • Legal costs defending against investigations & lawsuits
  • Lost revenue from having to delete ill-gotten children’s data after violations surface
  • Competitive disadvantage if FTC legally prohibits specific data collection practices found illegal compared to industry norms

Simply put – no website or online service operator wants to end up facing penalties over COPPA non-compliance. It pays to be informed & proactive when it comes to protecting children’s privacy.

Recent COPPA Updates & Future Outlook

COPPA is not a static regulation. It continues to evolve as technology provides more ways for companies to monitor, profile & communicate with children under thirteen (13) online. 

Some notable recent updates to COPPA laws include:

  • 2013: Expanded the law to cover persistent identifiers like IP addresses, cookies & device IDs used for tracking
  • 2019: Explicitly added geolocation information, photos/videos & voice recordings to definition of personal information
  • 2020: Further expanded COPPA to cover video games & educational software using student data 

In the future, expect tighter consent requirements for connected toys, smart assistants & other IoT devices targeting children. There will also likely be stronger enforcement around mobile apps aimed at or collecting location data from kids under thirteen (13).  

The FTC reviews & requests public comment on COPPA periodically to address emerging technologies. But the core principles remain unchanged – giving parents transparency & control over private information websites & apps gather on their young children.  

While COPPA originated over twenty-five (25) years ago, its central goal of granting parents authority over their children’s data collection carries into current online privacy conversations. Laws modeled after COPPA have now passed internationally in countries like the UK & China as well.

As digital footprints grow from earlier ages, COPPA will continue evolving to meet the child privacy challenges of tomorrow. But it remains one of the strongest protections keeping children’s personal details safe as they embrace technology’s opportunities.

Conclusion

From gaming networks to educational apps to smart toys, the range of digital technologies collecting children’s data continues to grow. COPPA remains the best defense preventing websites & operators from gathering protected details on users under thirteen (13) without parental oversight. 

By centralizing consent obligations upon operators instead of parents, COPPA has returned control over children’s privacy back to guardians for over twenty (20) years. Renewed consideration as more kids go online via sites or connected devices shows COPPA still going strong decades later.

While fines & violations demonstrate no law perfectly prevents improper data use, COPPA offers warning & accountability when companies cross clearly-defined boundaries. Its requirements protect kids exploring online worlds from having their personal details misused or spread without their parents’ say.

In the future, expect COPPA to expand further – covering more websites, apps & devices as technology intersects with youth. But at its core COPPA ensures someone cares about children’s informational rights at vulnerable ages. Rather than a restrictive measure, view COPPA guidelines as establishing an ethical standard for respecting privacy during tender developmental years. When sites adhere to COPPA, the internet becomes a safer, more welcoming playground.

Key Takeaways

Here are the core tips to keep in mind regarding the Children’s Online Privacy Protection Rule:

  • COPPA applies to websites, apps & services directed at children under thirteen (13) or knowingly collecting data on users under thirteen (13).
  • Personal details like name, address, photos, voice recordings, location data, persistent identifiers all require compliance.
  • Advance, verifiable parental consent is mandatory before collecting, using or sharing kids’ protected data.
  • Violations can incur severe civil penalties up to $44,000 USD per violation, legal costs & lost revenue.
  • Stay compliant by not collecting children’s data, safely collecting with consent, anonymizing data or age screening users.
  • As technology evolves, expect COPPA updates like 2013’s inclusion of persistent tracking IDs under protection.
