COPPA Children's Online Privacy Protection Act

COPPA requires that the operators of websites or online services directed to children under a certain age provide notice on the site and obtain verifiable parental consent before collecting data.

Passed by Congress in 1998 and enacted in 2000, COPPA requires that the Federal Trade Commission (FTC) issue and enforce rules to protect the online collection and use of personal information from children under the age of 13. Its primary goal is to put parents more in control over what information is collected from younger children online.

The rule applies to operators of commercial websites and online services, including mobile apps, directed to this age group, that use or disclose personal information from children, and to general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from this age group.

It includes these stipulations. Operators must:

- post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
- provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- give parents the choice of consenting to the operator's collection and internal use of this information by prohibiting the operator from disclosing this information to third parties;
- provide parents the ability to view and delete their child's info, and give parents the opportunity to prevent further use or online collection of a child's personal info;
- maintain the confidentiality, security and integrity of information they collect from children, including taking reasonable steps to release such information only to parties capable of also maintaining this confidentiality and security;
- retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected, and delete the information using reasonable measures to protect against its unauthorized access or use.

Personal information includes items like first and last name; a home or physical address; a screen or user name; a phone number; a social security number; a persistent identifier that can be used to recognize a user over time and across sites; a photo, video or audio file that contains the child’s image or voice; geolocation info sufficient to identify street name and name of a city or town; or info concerning the child or the parents of the child that the operator collects online from the child and combines with the identifier described above.
