COPPA (Children's Online Privacy Protection Act )

What is the Children's Online Privacy Protection Act of 1998 (COPPA)?

The Children's Online Privacy Protection Act of 1998 (COPPA) is a federal law that imposes specific requirements on operators of websites and online services to protect the privacy of children under 13.

The Act was passed by the U.S. Congress in 1998 and took effect in April 2000. COPPA is managed by the Federal Trade Commission (FTC).

COPPA specifies:

  • that sites must require verifiable parental consent for the collection or use of any personal information of young website users;
  • what must be included in a privacy policy, including the requirement that the policy itself be posted anywhere data is collected;
  • when and how to seek verifiable consent from a parent or guardian; and
  • what responsibilities the operator of a website legally holds regarding children's privacy and safety online, including restrictions on the types and methods of marketing targeting children under 13.

Children's Online Privacy Protection Act background

COPPA was passed to strengthen the privacy law and address the rapid growth of online marketing techniques in the 1990s that were targeting children. Various websites were collecting personal data from children without parents' actual knowledge or consent.

Research published by the Center for Media Education showed that children did not understand the potential adverse outcomes of revealing personal information online.

In the wake of media reports demonstrating the ease of gathering private data from children, the public pressured Congress to legislate on the collection of personal information of children.

Children's Online Privacy Protection Act compliance 

COPPA applies to every website that collects data from children under the age of 13. This includes all social media platforms.

Although COPPA does not explicitly define how parental consent should be gained, the FTC has established guidelines to help website operators ensure compliance with COPPA. These suggestions include:

  • Clearly display downloadable consent forms that may be sent to the mail address or faxed to the operator.
  • Clearly display the privacy policy describing information practices for personal information.
  • Take reasonable efforts to provide a privacy notice to the parents about collecting their children's data. 
  • Take reasonable procedures to protect the privacy of the children. 
  • Retain personal information only when necessary to fulfill the purpose for which it was originally collected and delete information to prevent unauthorized access or further use. 
  • Require that a parent uses a credit card to authenticate age and identity.

COPPA rules that site operators allow parents to review children's personal information.

In practice, this means that any relevant site has to provide full access to all user records, profiles and login information when a parent requests it.

The FTC has stipulated parents may delete their child's personal information but may not otherwise alter it.

CCO, chief compliance officer

COPPA Safe Harbor program 

COPPA has created a Safe Harbor program whereby organizations can create self-regulatory guidelines for protecting children. Any organization can submit its self-regulatory guidelines to the FTC.

Once certified, such organizations can then certify other commercial websites regarding COPPA compliance.

See also: data privacy, privacy compliance and consumer privacy.

This was last updated in March 2022

Continue Reading About COPPA (Children's Online Privacy Protection Act )

Dig Deeper on Risk management and governance

Cloud Computing
Mobile Computing
Data Center
and ESG