E-Commerce, Privacy Policy, Small Business, Terms of Use

Children's Online Privacy Protection Act (COPPA): The Basics

March 26, 2019March 26, 2019
Children's Online Privacy Protection Act (COPPA): The Basics

Almost 20 years ago, congress passed a bill to protect young internet-users from companies that collect, maintain, or sell personal data.  Drafted and enforced by the Federal Trade Commission (FTC), these laws were incredibly prescient, as internet use in the U.S. has grown over 200% since the turn of the century and children today are beginning to explore the world wide web at increasingly younger ages.  So why does this matter for today’s business owners?

When COPPA was first proposed in 1998, it aimed to address a new type of cyber-marketing technique where marketing agencies specifically targeted young internet-users.  Somewhat unexpectedly, today’s COPPA regulations cover any type of business that hosts a website, app, or other online-based service that: 1) collects personal information, and 2) might be used by children under the age of 13.  In other words, while COPPA was conceived to control aggressive marketing companies, the proliferation of the internet has rendered COPPA applicable to all types of U.S. retailers and a surprisingly large amount of small businesses.  

As a business owner, understanding COPPA and other U.S. privacy laws is critical.  Ensuring that your business is complying with privacy guidelines begins with a keen understanding of the relevant regulations and a strongly-written privacy policy.  In terms of recognizing pertinent regulations and drafting a policy, it’s highly recommended that a legal team be consulted.  

Get Help With Your Privacy Policy

The Privacy Policy: Your First—and Strongest—Line of Defense

Companies that fully or partially operate online—that is, maintain a website, app, or other web-based service that’s meant for consumer interaction—should have a privacy policy.  Whether this legally-binding policy must contain COPPA-related language depends if your business collects or stores personal information. It also depends if this information could come from a child under the age of 13.  

Clearly there is a bit of ambiguity here; how do you know who will use your web-based services?  In a general sense, if your targeted audience is kids under the age of 13 and you are collecting personal data, you are subject to the privacy protection regulations of COPPA.  Additionally, if a third-party service is collecting data through your site, you must remain compliant with COPPA (even though you aren’t directly collecting/storing the data yourself.  Importantly, even if children aren’t the target audience but you know they are likely using your service, you are subject to COPPA regulations.  These “grey-area” situations can be clarified by a well-written privacy policy.  

The privacy policy should be concise and free of jargon.  Remember, it’s meant to be read by consumers; a 30+ page document that requires a lawyers-expertise to understand may leave you liable to a lawsuit.  

Get Help With Your Privacy Policy

COPPA Compliance: the FTC’s 6-Step Plan

Today’s COPPA regulations are unexpectedly applicable to a wide-range of U.S. businesses.  For this reason, the agency has recently released a 6-step compliance plan for any company that may be subject to child privacy-protection regulations:

Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13

The first step is to identify exactly which regulations apply to your business.  This may seem obvious, but a sizable amount of consumer lawsuits stem from unawareness or simple misinterpretation of the privacy laws.  If your website collects personal data (or allows a 3rd party to collect data) and may be used by children under the age of 13, it must be COPPA compliant.  

Step 2: Post a Privacy Policy that Complies with COPPA

We’ve mentioned how important it is to have a clear and accessible privacy policy, however the policy is only as strong as it’s language.  For companies that collect or store kids’ personal data, it must be COPPA-compliant, meaning that it has to include the following:

  • Which Information is Being Collected
  • How this Information is Collected
  • How this Information is being Used
  • If it’s being Released/Sold to 3rd Parties 
  • Names of 3rd Parties Involved


Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids

This can be done with a few clauses in the privacy policy.  Again, the parental notification—along it the rest of the privacy policy—should be clear and jargon-free. 

Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids

Obtaining verifiable parental consent is among the most controversial aspects of COPPA, simply because it’s many-times unrealistic.  How can your remotely verify that a parent gave consent for their child to use your site?  According to the FTC, “COPPA leaves it up to you, but it’s important to choose a method reasonably designed in light of available technology to ensure that the person giving the consent is the child’s parent.”  This could include a signed consent form, verifiable photograph, or use of a credit card for verification.  

Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids

Even after parental consent is obtained and the data is collected, operators are required to honor the rights and protections associated with the personal information.  For instance, if a parent requests you delete the information, the request must be granted.  

Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information

Similar to step 5, COPPA compliance doesn’t end once the data is collected, stored, or sold.  It is the responsibility of the operator to ensure that this personally identifiable information is secured and accessible only to the 3rd parties identified in the privacy policy.


Talk to a Lawyer to Answer Your Privacy Questions