What is COPPA? COPPA is an abbreviation for the Children’s Online Privacy Protection Act, enacted by Congress in 1998. The primary goal of COPPA is to protect children’s privacy online. The Act gives parents control over what information websites collect and process about their children.
This guide will explain what you need to know about COPPA, its main requirements, and how to comply.
Businesses that fall under COPPA are not allowed to collect and process the personal information of children under the age of 13 without parental consent.
According to definitions, COPPA targets operators, generally any person operating a website or online service, directing the website or online service to children, or having actual knowledge that it is collecting or maintaining personal information from a child.
COPPA applies to a broad group of operators:
In simpler words, you must comply with COPPA both when you are directly targeting children with your website or online service, and when you are not directly targeting children, but you know that children could use your website or online service or that you could be collecting and processing children’s personal data. Please note that COPPA may apply to you even if you’re based outside the United States but target children in the US.
Before diving into the requirements, we need to understand some other key terms and definitions of COPPA. This will also clarify whether you need to comply with the Act.
Now that we’ve understood what COPPA is and what its keywords mean, let’s take a look at the main requirements for businesses.
One of the first requirements that come into the picture is to include a Privacy Policy on your website outlining how you collect and process children’s data. To be COPPA-compliant, your notice must disclose:
Remember that you must disclose not only your own data processing activities, but also those of third parties that collect children’s personal data through your website. It’s also important to make your privacy policy easy to read and accessible from every page of your website – a good idea is to add it in the footer of your site and make it prominent and hard to miss.
iubenda can support you in creating a privacy policy in line with the Children’s Online Privacy Protection Act, in just a few clicks.
As we said at the beginning, you can’t collect information from children without parental consent. Before collecting children’s personal information, COPPA requires you to show parents a direct notice, which explains:
COPPA allows you to decide which method to use to obtain parental consent. In its Six-Step Compliance Plan, the FTC suggests that you have the parents:
If you collect and process personal information only for internal purposes, you can use a method known as “email plus”. With this method, you send an email to the parent and have them respond with their consent. You must send a confirmation to the parent via email, letter, or phone call. Using “email plus”, you must let the parent know they can revoke their consent anytime.
Even if parents have given you permission to collect information from their children, they have rights that you should respect and allow them to exercise.
If a parent requests it, you must:
Finally, you must establish and maintain appropriate safeguards for the privacy, security, and integrity of any personal information you collect from children.
It’s important to collect as little information as possible and to make sure that any third parties who may collect personal information from your site have the same safeguards in place.
Keep the information only as long as necessary to fulfill your purposes, and then delete it in a secure manner.
When you design a website or an app for kids, you need to follow specific procedures and guidelines. In fact, besides COPPA, third parties like Apple and Google also have their rules regarding apps for children that you must comply with.
First of all, Apple requires you to comply with applicable law. This means that you must always provide a privacy policy and apply all the standards required by law – be it COPPA, the EU GDPR, or others.
If your app is specifically designed for kids, you should make it clear by adding terms like “For Kids” and “For Children” in the app metadata. The app will then be assigned to the Kids Category in the App Store.
Apps in the Kids Category should not include third-party analytics or third-party advertising, to grant children a safer space. Third-party analytics and contextual advertising may be permitted in some cases, but you need to make sure that these services don’t collect any information about children.
If your app has links that redirect outside the app, or it offers purchasing opportunities, then you should put these behind a parental gate – which is not the same as the method to get parental consent.
Parental gates block the app navigation for children and require an adult to perform an action to unblock it. It could look something like this:
Google too requires you to comply with applicable law and provide a privacy policy to your users. Moreover, if your app is designed for children, it must follow the Google Play Family Policies.
The first thing you need to do is to select your target audience in the Target Audience and Content section of the Google Play console. If your app is designed for children, select “Children” as the intended audience. Google will ask you to provide details about the app’s target age group and content.
As with Apple, personalized or behavioral advertising is prohibited in apps directed to children, and in-app purchases should be designed to avoid the exploitation of children.
There is no parental gate requirement for Android apps, but Google encourages app developers to add parental control features.
As mentioned earlier, websites must include a privacy policy that complies with the Children’s Online Privacy Protection Act (COPPA). According to the COPPA Rule, you must provide a clear and prominent link to your privacy policy on your homepage or landing page, and in any areas of your site where you collect personal information from children.
If your website is aimed at both a general audience and children, you can have a single privacy policy that covers all requirements. However, be sure to include a specific section within the policy that addresses COPPA and children’s privacy. On pages of your site that are designed for children, link directly to this section rather than to the general privacy policy.
Let’s recap how to make your website or app compliant with COPPA:
Create a clear and comprehensive privacy policy. It should explain what data you’re collecting from children and why, whether there are third parties involved in the processing, and what rights parents have regarding their children’s data.
Give parents a direct notice to collect their consent, before collecting children’s personal information. The notice should summarize the information contained in the privacy policy and link to the main document.
Get parents’ verifiable consent. You can use any method you want, as long as it’s effective and allows you to verify that the consent was truly granted by the parents.
For apps, choose the appropriate category in the app stores (“For Kids”) and implement additional layers of security, as required by Apple and Google guidelines (parental gate or parental control features). Block targeted advertising.
Honor parents’ rights. Parents have ongoing rights that they can exercise at any moment.
Protect kids’ personal information. Make sure you and the third parties have appropriate security measures in place.
Since COPPA is a federal law, its enforcement is regulated by the Federal Trade Commission. Civil penalties for COPPA violations can go up to $51,744 per violation, depending on what happened. There have been cases where the fines have reached millions of dollars.
For example, in 2023 Microsoft agreed to a civil penalty of $20 million, because they were collecting the personal information of children who signed up for the Xbox gaming system without parental consent.
You can report COPPA violations from this FTC website.
The Children’s Online Privacy Protection Act (COPPA) is part of the complex landscape of privacy laws in the United States. But while laws like the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA) generally have a state-wide scope, COPPA is a federal law that applies throughout the United States.
Another key difference is the target of these laws. COPPA specifically protects children under 13, while state laws safeguard all consumers who are residents of the specific state.
In the table below, we’ve gathered the main differences, but you can read a complete overview here: US State Privacy Laws Overview.
Aspect | COPPA | CCPA/CPRA | CalOPPA | VCDPA | CPA | UCPA | CTDPA |
---|---|---|---|---|---|---|---|
Scope | Protects children under 13 | Protects all California consumers | Applies to commercial websites and online services | Protects all Virginia consumers | Protects all Colorado consumers | Protects all Utah consumers | Protects all Connecticut consumers |
Applicability | Websites/apps directed at children or with actual knowledge of collecting children’s data | For-profit entities meeting certain thresholds (e.g., revenue, data processing) | Any commercial website or online service collecting personal data from California residents | Entities conducting business in Virginia and meeting specific thresholds | Entities conducting business in Colorado and meeting specific thresholds | Entities conducting business in Utah and meeting specific thresholds | Entities conducting business in Connecticut and meeting specific thresholds |
Consumer Rights | Parental consent for data collection, access, and deletion | Right to know, delete, opt-out of sale/sharing, correct, limit use of sensitive data | Right to know categories of data collected and third parties shared with | Right to access, correct, delete, and opt-out of data processing | Right to access, correct, delete, and opt-out of data processing | Right to access, delete, and opt-out of data processing | Right to access, correct, delete, and opt-out of data processing |
Enforcement | Federal Trade Commission (FTC) | California Attorney General and California Privacy Protection Agency | California Attorney General | Virginia Attorney General | Colorado Attorney General | Utah Attorney General | Connecticut Attorney General |
Data Subject Age | Under 13 | All ages | All ages | All ages | All ages | All ages | All ages |
Parental Consent Requirement | Yes | In limited cases | In limited cases | In relation to the processing of a known child’s sensitive personal data | In relation to the processing of a known child’s personal data | In relation to the processing of a known child’s personal data | In relation to the processing of a known child’s sensitive personal data |
COPPA stands for Children’s Online Privacy Protection Act and refers to the US law that was enacted in 1998, and subsequently integrated and amended, to safeguard the online privacy of children under the age of 13.
The goal of COPPA is to give parents control over what information is collected from their children online. Websites that target children must meet certain requirements to ensure that they collect as little information as possible and obtain parental consent before collecting that information.
An example of a COPPA violation is collecting and processing children’s personal information without parental consent. Civil penalties for COPPA violations can go up to $51,744 per violation.
Below you’ll find a list of helpful resources to help you with COPPA compliance.
iubenda helps websites and apps of all sizes comply with international regulations, such as the Children’s Online Privacy Protection Act (COPPA).
With our Privacy and Cookie Policy Generator, you can create your privacy policy and add dedicated COPPA clauses, in just a few minutes.