The Children's Online Privacy Protection Rule (COPPA), which came into effect in 2000, is a federal law of the United States which details how website operators must process information collected from children under the age of 13. The law specifically states what type of data is covered and how website operators may legally collect this data. Under COPPA, websites must obtain parental consent in order to collect the Personally Identifiable Information (PII) of anyone under the age of 13. COPPA gives the Federal Trade Comission (FTC) the ability to levy fines against companies which do not properly comply with the law. Below, we'll detail what types of data COPPA covers, how to properly comply with the law, and what may happen when COPPA violations are found.

What COPPA Covers

COPPA covers the online collection of PII from children under 13. The law does not cover collection of information about children under 13 when the information is provided by a parent or adult (though this data is expected to remain confidential). COPPA defines what data is considered to be PII. Under the law, PII includes:

  • First and last names;
  • Physical addresses;
  • Email addresses or screen names;
  • Phone numbers;
  • Images, videos, or audio files of the user;
  • Geolocation information;
  • Any information which tracks a user across different websites (such as a cookie);
  • Any information about the user which a website stores and combines with any of the identifiers above.

COPPA applies to any commercial website or digital service which is directed towards children under 13 or has actual knowledge that children under 13 are providing information. Third-party services, such as online advertising networks, which receive data of users from other websites or services which are directed towards children under 13 must also follow COPPA regulations. Non-profits are exempt from this requirement, though those that operate for the commercial benefit of their members are subject to the act.

How to Comply with COPPA

COPPA requires companies that fall under its purview to receive parental consent before collecting any information from children under 13. There are several methods companies can use to verify parental consent, including:

  • Having the parent sign and return a consent form via mail, email, or scanned upload;
  • Having the parent call an operator of the website via phone or video conference;
  • Offering the parent to pay an online fee using a credit/debit card;
  • Allowing the parent to upload a scanned copy of a government issued ID, which is then verified for authenticity and compared to an uploaded photo of the parent taken by a mobile or web camera.

In addition, websites must clearly and prominently display a link to their privacy policy on their home or landing pages, and on any page where PII may be collected from children under 13. Parents may revoke consent at anytime. Note that there are some circumstances where knowingly maintaining the data of child is permitted without parental consent. Examples of this include instances where the collection of a name and contact information of a child or parent is necessary to provide notice and receive parental consent.

The FTC has also approved industry-led safe harbor programs that offer systems to notify parents and certify consent. These are designed to encourage self-regulation and help govern COPPA compliance. These programs can also fulfill the COPPA notification and consent certification requirements on behalf on their members. The safe harbor programs are operated by TRUSTe, ESRB, CARU, PRIVO, iKeepSafe, kidSAFE, and Aristotle International.

COPPA Violations

In 2016, the FTC raised the maximum civil penalty dollar amounts for violations from $16,000 to $40,000.  This fine can be applied for each COPPA violation. This means that a company may be fined each time website or online service improperly collects PII from users under the age of 13. However, COPPA fines are usually negotiated settlements and are based on the scope and severity of the case.

In September of 2019, YouTube was hit with the largest COPPA fine in history, with $136 million paid to the FTC and $34 million to the state of New York. YouTube was found to have used persistent identifiers (e.g. cookies) to track users who they knew were under the age of 13 and had not received parental consent. In February of the same year, ByteDance (the owner of TikTok) was also fined $5.7 million for COPPA violations stemming from how their apps failed to request parental consent for users who had created accounts and were under the age of 13. These fines demonstrate how the FTC is increasingly on the lookout for COPPA violations and is willing to levy larger fines in order to enforce compliance.