Children's Online Privacy Protection Act (COPPA)


    16 CFR part 312

    Passed in April 2000, the COPPA Rule, 16 CFR part 312, issued pursuant to the Children’s Online Privacy Protection Act (“COPPA”) (15 U.S.C. § 6502), regulates the collection of the personal information of children. It requires certain website and online operators to provide notice to, and obtain parental consent from, a parent whose child shares information with such an operator. Additionally, it imposes certain limitations on how operators may collect, use, and disclose personal information obtained from children.

    Last Updated: July 30, 2019


  • General

    The Children’s Online Privacy Protection Act (COPPA) was passed in 2000 and was the first federal privacy measure in the United States aimed at protecting the personal information of children. Under COPPA, websites and online services that are directed towards children must display certain notices and in most cases require parental consent before collecting, using, or disclosing any personal information about children.

    The FTC promulgated the COPPA Rules, § 312, to implement and operationalize COPPA for businesses. These rules include definitions for terms such as “collect”, “operator” and “personal information.” The COPPA Rule also specifies where and how notice and consent must be communicated, the different methods of obtaining verifiable parental consent, various record keeping obligations for operators, and rules relating to COPPA Safe Harbor programs. Violations of COPPA or the COPPA Rule are treated by the FTC as unfair or deceptive trade acts or practices.

  • Lawfulness, Fairness and Nondiscrimination

    COPPA recognizes the principle of lawfulness, fairness, and nondiscrimination in that information from children must be collected, used, or disclosed for a specific lawful purpose, with notice to, and consent (subject to certain exceptions) from, a parent. Under COPPA, subject to certain exceptions, personal information from children can only be collected, used, or disclosed with verifiable parental consent.

    Notice and consent are required in two specific scenarios. First, where the operator of a website or online service directed to children collects information about children. Second, where the operator of a website or online service has actual knowledge that it is collecting personal information from a child. Obtaining verifiable parental consent is subject to certain exceptions, as explained below.

  • Transparency & Free Access

    Notice

    An operator must provide notice on its website or online service about the information it collects from children, how the operator uses such information, and the operator’s disclosure practices of such information. Such notice must be clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials.

    An operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives “direct notice” of the operator’s practices with regard to the personal information obtained from children, along with any material changes to such practices. In the direct notice to the parent, the operator must: i) State that the operator has collected the parent’s online contact information from the child, and, if such is the case, the name of the child or the parent, in order to obtain the parent’s consent; ii) State that the parent’s consent is required for the collection, use, or disclosure of such information. The operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent; iii) State the additional items of personal information the operator intends to collect from the child, or the potential opportunities for the disclosure of personal information, should the parent provide consent; iv) Display a hyperlink to the operator’s online notice of its information practices; v) State the means by which the parent can provide verifiable consent to the collection, use and disclosure of the information; and vi) State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records.

    COPPA gives certain parents a right to request information about the collection, use, and disclosure of the information the operator receives from the parent’s child. The operator, upon request and proper identification of that parent, must provide to such parent: 1) a description of the specific types of personal information collected from the child by the operator; 2) the opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection of personal information; and 3) notwithstanding any other provision of law, a means that is reasonable to obtain any personal information collected from the child.

  • Purpose specification, Use Limitation and Suitability

    COPPA requires operators to retain personal information from a child only for as long as is reasonably necessary to fulfill the purposes for which the information was collected. For information that no longer needs to be retained, the operator must delete such information using “reasonable measures” to protect against unauthorized access to, or use of, the information in connection with its deletion. Furthermore, an operator may not condition a child’s participation in a game, the offering of a prize, or another activity on the child’s disclosing more information than is “reasonably necessary” to participate in such activity.

  • Data Minimisation, Storage Limitation and Accuracy

    An operator must delete the personal information it has collected from a child if: 1. Such information is no longer reasonably necessary to fulfill the purpose for which the information was collected; or 2. The parent whose child shared personal information requests such information’s deletion. To delete means to remove personal information such that it is not maintained in a retrievable form and cannot be retrieved in the normal course of business.

  • Security & Prevention (incl. Confidentiality, Integrity & Availability)

    COPPA requires operators to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. The operators must also take reasonable steps to release the children’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurance that they will maintain the information in such a manner.

  • Accountability & Recordkeeping

    COPPA establishes a few specific accountability and recordkeeping requirements: 1. Notice on Website; 2. Record of verifiable parental consents; and 3. Safe Harbor Programs.

    First, operators must post a “prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page of its website, and on each page where such information is collected from a child.” This notice is in addition to any “direct notice” that may be required in applicable cases.

    Second, operators are required to obtain “verifiable parental consent” before any personal information from children is collected, used, or disclosed. Operators must keep track of these consents because under COPPA, parents have the right to: 1. Request a detailed description of the types of personal information collected from the child; 2. Refuse to permit the operator’s further use or future online collection of personal information about the child. The operator may also terminate any service provided to a child whose parent has exercised his or her right to refusal; and 3. Direct the operator to delete the child’s personal information.

    Lastly, approved COPPA Safe Harbor programs must annually provide to the Commission a report summarizing required independent information security assessments, a description of any disciplinary actions taken against subject operators, and a description of any approved parental consent mechanisms. The report must contain, at a minimum: i) an aggregated summary of the results of the independent assessments conducted under paragraph (b)(2); ii) a description of any disciplinary action taken against any subject operator under para. (b)(3); and iii) a description of any approvals of member operators’ use of a parental consent mechanism, pursuant to §312(b)(3). Approved Safe Harbor programs must also keep these records and any complaints by subject operators for a period of a minimum of three years, and upon request make such records available to the Commission for inspection.

    Additionally, approved Safe Harbors must maintain, for a period not less than three years, and upon request make available to the Commission for inspection and copying, a record of: i) Consumer complaints alleging violations of the guidelines by subject operators; ii) Records of disciplinary actions taken against subject operators; and iii) Results of independent assessments of subject operators’ compliance required under paragraph (b)(2).

  • Privacy by Design

    While not mentioned by name specifically, COPPA implicitly suggests that privacy by design be implemented by operators. For instance, in most cases an operator must obtain verifiable parental consent before any personal information is collected from a child by the operator’s website or online service.

  • PIA/DPIA

    Operators are not required to carry out privacy or data privacy impact assessments per se; however, Safe Harbor programs must assess (on at least an annual basis) the information policies, practices, and representations. An operator may still want to perform a PIA/DPIA in order to fully understand the scope of its obligations under COPPA. For example, depending on the kinds of processing activities involving the personal information of children, different types of direct notice will have to be provided to a parent.

  • Data Subject Rights

    COPPA gives the parent whose child has provided information to an operator certain rights, upon request, with respect to the collection, use, and disclosure of the child’s personal information: 1. Right to Review/Information; 2. Right to Restriction/Objection; 3. Right to Erasure/Deletion.

    There is no specified timeframe within which an operator needs to respond to a parent’s request.

    1. Right to Review: Upon request by a parent, an operator must provide to the parent a description of the specific types or categories of personal information collected from children by the operator (e.g. name, address, telephone number, email, hobbies, and extracurricular activities);

    2. Right to Restriction: A parent may request at any time to refuse to permit the operator’s further use or future online collection of personal information from that child; and

    3. Right to Erasure/Deletion: A parent may direct the operator to delete the child’s information.

  • Vendor Management

    While not specifically mentioned in COPPA, an operator must be able to assess and manage its relationship with certain third parties. Under COPPA, the operator must take reasonable steps to release (e.g. share, sell, rent, or transfer) children’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security, and integrity of such information, and who provide assurances that they will maintain the information in such a manner.

     

  • Enforcement

    A violation of COPPA or the COPPA Rule is treated by the FTC as an unfair or deceptive act or trade practice prescribed under section 15 U.S.C. 57a(a)(1)(B).

  • Certifications and Codes of Conduct

    COPPA creates a Safe Harbor program that operators may join to demonstrate compliance to the Commission. Additionally, an interested party may seek the Commission’s approval for new parental consent methods and approval for additional support for international operations of the website or online service.
