COPPA Children's Online Privacy Protection Act

COPPA requires that the operators of websites or online services directed to children under a certain age must provide notice on the site and obtain verifiable parental consent before collecting data


Passed by Congress in 1998 and enacted in 2000, COPPA requires that the Federal Trade Commission (FTC) issue and enforce rules to protect the online collection and use of personal information from children under the age of 13. Its primary goal is to put parents more in control over what information is collected from younger children online. The rule applies to operators of commercial websites and online services, including mobile apps, directed to this age group, that use or disclose personal information from children or for general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from this age group. It includes these stipulations: They must post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children; provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting person information online from children; give parents the choice of consenting to the operator's collection and internal use of this information by prohibiting the operator from disclosing this information to third parties; provide parents the ability to view and delete their child's info, and give parents the opportunity to prevent further use or online collection of a child's personal info; maintain the confidentiality, security and integrity of information they collect from children including taking reasonable steps to release such information only to parties capable of also maintaining this confidentiality and security; retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use. It includes information like first and last name, a home or physical address, a screen or user name, a phone number, a social security number, a persistent identifier that can be used to recognize a user over time and across sites, a photo, video or audio file that contains the child’s image or voice, geolocation info sufficient to identify street name and name of a city or town or info concerning the child or the parents of the child that the operator collects online from the child and combines with the identifier described above.


Seeking Clarity?

View the Cybersecurity Dictionary for top terms searched by your peers.