COPPA Compliance: What Your Privacy Policy Must Address
The Children's Online Privacy Protection Act (COPPA) imposes strict requirements on websites, apps, and online services that collect personal information from children under the age of 13. COPPA compliance is not optional — the FTC actively enforces the law with substantial penalties. If your service interacts with children in any way, your privacy policy must meet COPPA's specific requirements.
Does COPPA Apply to You?
COPPA applies if your website, app, or online service:
- Is directed to children under 13 — Based on factors like subject matter, visual content, age of models, music, language, character appeal, and advertising
- Has actual knowledge that it collects personal information from children under 13 — Even if the service is not directed at children
- Operates an ad network or plug-in that collects information from users of child-directed sites
A general audience website can trigger COPPA obligations if it has actual knowledge that specific users are under 13 — for example, if a user enters a birth date indicating they are under 13 during registration.
The FTC looks at the totality of circumstances to determine whether a site is "directed to children." Even if you do not intend your product for children, factors like animated characters, game-like features, or content that appeals to young audiences could make COPPA applicable.
What COPPA Considers "Personal Information"
COPPA defines personal information broadly to include:
- Full name
- Home or physical address
- Email address
- Telephone number
- Social Security number
- Screen name or username (when it functions as online contact information)
- Persistent identifiers (cookies, IP addresses, device serial numbers) when used to recognize a user over time and across different sites
- Photographs, videos, or audio files containing a child's image or voice
- Geolocation information sufficient to identify a street or city
- Any combination of information that could identify a specific child
Privacy Policy Requirements Under COPPA
COPPA requires operators to post a clear, comprehensive, and prominently placed privacy policy. This policy must include specific disclosures.
Operator Contact Information
Provide the name, address, telephone number, and email address of every operator that collects or maintains personal information from children through the site or service. If multiple companies collect data, each must be identified.
Description of Data Collection
Describe in detail:
- What types of personal information are collected from children
- How the information is collected (directly from the child, passively through tracking, from third parties)
- Whether the information is collected actively (forms) or passively (cookies, device identifiers)
How Data Is Used
Explain every purpose for which children's personal information is used:
- Providing the service or product
- Enabling features or functionality
- Personalization
- Internal analytics
- Advertising (if applicable)
Data Sharing Practices
Disclose whether personal information is shared with third parties and, if so:
- The types of third parties receiving the data
- The purposes for sharing
- Whether third parties have agreed to maintain confidentiality and security
Parental Rights
Inform parents of their rights under COPPA:
- Right to review the personal information collected from their child
- Right to direct the operator to delete their child's information
- Right to refuse further collection or use of their child's information
- How to exercise these rights (contact methods and procedures)
Data Retention and Deletion
Explain your data retention practices:
- Personal information should not be retained longer than reasonably necessary
- Describe the criteria for determining retention periods
- Explain the process for securely deleting children's data
Parental Consent Requirements
COPPA requires verifiable parental consent before collecting, using, or disclosing personal information from children under 13.
Acceptable Consent Methods
The FTC has approved several methods for obtaining verifiable parental consent:
- Signed consent form — A physical form signed by the parent and returned by mail, fax, or electronic scan
- Credit card verification — Using a credit card transaction as verification of parental identity
- Government ID verification — Checking a government-issued ID against a database
- Video conference — Speaking with the parent through video call
- Knowledge-based authentication — Asking questions that only the parent could answer
- Email plus — Email consent combined with a follow-up confirmation step; permitted only when the information will be used for the operator's internal purposes and not disclosed to third parties
When Consent Is Required
Parental consent must be obtained before:
- Collecting personal information from a child
- Using personal information for purposes beyond the initial collection
- Disclosing personal information to third parties
- Creating persistent identifiers for behavioral advertising
Exceptions to Consent
Limited exceptions allow collection without prior consent:
- Collecting a parent's email to obtain parental consent (with the email deleted if consent is not obtained)
- Collecting a child's email to respond to a one-time request (deleted after response)
- Collecting information to protect the safety of a child
- Collecting persistent identifiers for site support purposes (not behavioral advertising)
If your service is not intended for children but you discover that children are using it, you must either obtain parental consent or delete the children's data. Implementing an age gate during registration can help prevent unintentional collection of children's data.
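The age gate and consent flow described above, as an added example that is not part of the original article: a neutral age screen that decides whether registration may proceed, locks the session once a user has indicated they are under 13 (so re-entering a different birth date does not bypass it), and a small ledger that holds only the parent's email while consent is pending and deletes it if confirmation never arrives, matching the "email plus" method and the consent-collection exception listed earlier. The session dict, the request identifiers, the seven-day purge window and the sample dates are assumptions of this example, not values from the page.

```python
"""Neutral age screen plus a pending-consent ledger (added example, not from the page).

Assumptions (not from the page): the 13-year threshold is applied on the
registration date, a session dict serves as the gate lock, and unconfirmed
consent requests are purged after CONSENT_WINDOW.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

COPPA_AGE_THRESHOLD = 13            # COPPA's "under 13" line
CONSENT_WINDOW = timedelta(days=7)  # assumed window before an unconfirmed request is deleted


def age_on(birth_date: date, today: date) -> int:
    """Whole years completed, so a child born 2012-03-01 is still 12 on 2025-02-28."""
    years = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def screen_age(birth_date: date, today: date, session: dict) -> str:
    """Neutral age gate for a registration form.

    Returns "proceed", "parental_consent_required" or "blocked". The form itself
    must not pre-fill a date or hint at the cutoff; this function only decides.
    Once a session has been identified as under 13 it stays locked, so going
    back and entering an older birth date does not get around the gate.
    """
    if session.get("age_gate_locked"):
        return "blocked"
    if age_on(birth_date, today) >= COPPA_AGE_THRESHOLD:
        return "proceed"
    session["age_gate_locked"] = True
    return "parental_consent_required"


@dataclass
class PendingConsent:
    parent_email: str
    requested_at: datetime
    confirmed: bool = False


class ConsentLedger:
    """Holds the one item collected before consent: the parent's email.

    No other personal information about the child is stored until confirm()
    has been called for that request.
    """

    def __init__(self) -> None:
        self._pending: dict[str, PendingConsent] = {}

    def request(self, request_id: str, parent_email: str, now: datetime) -> None:
        self._pending[request_id] = PendingConsent(parent_email, now)

    def confirm(self, request_id: str) -> bool:
        """Parent's follow-up confirmation arrived; returns False for unknown ids."""
        entry = self._pending.get(request_id)
        if entry is None:
            return False
        entry.confirmed = True
        return True

    def has_consent(self, request_id: str) -> bool:
        entry = self._pending.get(request_id)
        return entry is not None and entry.confirmed

    def purge_unconfirmed(self, now: datetime) -> list[str]:
        """Delete parent emails for which consent was never obtained within the window."""
        expired = [rid for rid, e in self._pending.items()
                   if not e.confirmed and now - e.requested_at > CONSENT_WINDOW]
        for rid in expired:
            del self._pending[rid]
        return expired


if __name__ == "__main__":
    # Constructed sample run: an 11-year-old registers, then a retry in the same session.
    session: dict = {}
    print(screen_age(date(2013, 6, 1), date(2025, 5, 31), session))  # parental_consent_required
    print(screen_age(date(2000, 1, 1), date(2025, 5, 31), session))  # blocked
    ledger = ConsentLedger()
    t0 = datetime(2025, 5, 31, 12, 0)
    ledger.request("req-1", "parent@example.com", t0)
    ledger.request("req-2", "other@example.com", t0)
    ledger.confirm("req-1")
    print(ledger.purge_unconfirmed(t0 + timedelta(days=8)))  # ['req-2']
```

The lock is per session rather than per account because no account exists yet for an under-13 user; in a real deployment the same flag would live in a signed session cookie so that it survives a page reload. Run purge_unconfirmed on a schedule so that a parent email that never led to consent is not retained beyond the window.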
COPPA Safe Harbor Programs
The FTC has approved several self-regulatory safe harbor programs that provide guidelines for COPPA compliance:
- CARU (Children's Advertising Review Unit) — Self-regulatory program for advertisers
- ESRB Privacy Certified — Privacy certification for digital entertainment
- kidSAFE Seal Program — Certification for child-directed websites and apps
- TRUSTe/TrustArc — General privacy certification with COPPA compliance component
Participation in a safe harbor program provides a presumption of compliance and may offer some protection during FTC enforcement proceedings.
Enforcement and Penalties
The FTC takes COPPA enforcement seriously:
- Civil penalties of up to $50,120 per violation (adjusted periodically for inflation)
- Penalties are assessed per child, per violation
- High-profile enforcement actions have resulted in multimillion-dollar settlements
- The FTC also seeks injunctive relief requiring changes to business practices
Recent enforcement trends show increased focus on:
- Ed-tech platforms and educational services
- Social media platforms with young users
- Gaming apps and services
- Advertising technology companies collecting children's data
Practical Steps for COPPA Compliance
- Assess applicability — Determine whether your service is directed at children or collects data from children
- Conduct a data audit — Map all personal information collected from users who may be children
- Implement age screening — Use age verification to identify users under 13
- Obtain parental consent — Implement a verifiable consent mechanism
- Update your privacy policy — Include all COPPA-required disclosures
- Minimize data collection — Collect only what is necessary for the child's participation
- Secure children's data — Implement appropriate security measures
- Train your team — Ensure staff understand COPPA requirements
- Monitor compliance — Regularly review and audit your practices
- Consider safe harbor participation — Evaluate whether a self-regulatory program is appropriate
COPPA compliance requires ongoing attention as your service evolves. Every new feature, third-party integration, or data collection practice must be evaluated for its impact on children's privacy. Building COPPA considerations into your product development process ensures that compliance is maintained as your service grows.