Children's Online Privacy Protection Act (COPPA)
The Children's Online Privacy Protection Act (COPPA), enacted in 1998 and enforced by the Federal Trade Commission (FTC), is a critical U.S. federal law designed to protect the privacy of children under the age of 13 online. COPPA imposes specific requirements on operators of websites, online services, and mobile applications that are directed toward children or that knowingly collect personal information from children under 13. Key provisions of COPPA include:
1. **Parental Consent**: Operators must obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13. This consent must be meaningful and can be obtained through various approved methods.
2. **Privacy Policy Requirements**: Websites and services must post clear, comprehensive privacy policies detailing their data collection practices, including the types of information collected, how it is used, and disclosure practices.
3. **Data Minimization**: Operators cannot collect more personal information than is reasonably necessary for a child to participate in an activity.
4. **Parental Rights**: Parents have the right to review their child's personal information, request its deletion, and refuse further collection or use of the data.
5. **Data Security**: Operators must maintain reasonable procedures to protect the confidentiality, security, and integrity of children's personal information.
6. **Safe Harbor Programs**: The FTC allows industry groups to develop self-regulatory guidelines that, if approved, serve as a safe harbor for compliance.
Personal information under COPPA includes names, addresses, email addresses, phone numbers, Social Security numbers, geolocation data, photos, videos, audio recordings, and persistent identifiers used to track online behavior. The FTC updated the COPPA Rule in 2013 to address evolving technologies, expanding the definition of personal information and strengthening protections. Violations can result in significant civil penalties. COPPA represents one of the most important limits on private-sector data collection in the United States, specifically targeting the vulnerable population of young children in the digital environment.
Children's Online Privacy Protection Act (COPPA) – Complete Guide for CIPP/US Exam
Why COPPA Is Important
The Children's Online Privacy Protection Act (COPPA) is one of the most critical pieces of U.S. privacy legislation because it specifically targets the protection of children under the age of 13 in the online environment. Children are considered a uniquely vulnerable population—they may not fully understand the consequences of sharing personal information online, and they are especially susceptible to manipulative data collection practices. COPPA establishes a framework that places the responsibility on website operators and online service providers to ensure that children's personal information is collected, used, and disclosed only with verifiable parental consent. Understanding COPPA is essential for any privacy professional because violations carry significant penalties, and the law intersects with many aspects of digital commerce, advertising, education technology, and app development.
What Is COPPA?
COPPA was enacted in 1998 and became effective on April 21, 2000. It is codified at 15 U.S.C. §§ 6501–6506. The Federal Trade Commission (FTC) enforces COPPA and has issued the COPPA Rule (16 CFR Part 312), which provides detailed implementation requirements. The law was significantly updated through amendments to the COPPA Rule in 2013, which modernized the definition of personal information and addressed new technologies.
Key Definitions Under COPPA:
• Child: An individual under the age of 13.
• Operator: Any person who operates a website or online service directed to children, or who has actual knowledge that it is collecting personal information from a child. This includes app developers, website owners, and third parties that collect information through a child-directed site or service.
• Personal Information: Under the 2013 amendments, this includes: first and last name; home or physical address; online contact information (e.g., email); screen or user name that functions as online contact information; telephone number; Social Security number; a persistent identifier that can be used to recognize a user over time and across different sites (e.g., cookies, IP addresses, device serial numbers) when used for purposes other than internal operations; a photograph, video, or audio file containing a child's image or voice; geolocation information sufficient to identify a street name and city; and any combination of information that permits physical or online contacting of a specific individual.
• Website or Online Service Directed to Children: A site or service (or a portion thereof) that is targeted to children under 13. The FTC considers factors such as subject matter, visual content, use of animated characters, child-oriented activities, music, the age of models, the presence of child celebrities, ads on the site directed to children, and other evidence about the intended audience.
How COPPA Works
COPPA imposes several core obligations on covered operators:
1. Privacy Policy Requirements
Operators must post a clear, comprehensive, and prominently placed privacy policy on their website or service. The policy must describe:
• The types of personal information collected from children
• How the information is used
• The operator's disclosure practices
• The name and contact information of all operators collecting or maintaining children's personal information through the site
• A description of parental rights, including the right to review, delete, and refuse further collection of their child's information
2. Direct Notice to Parents
Before collecting, using, or disclosing personal information from a child, the operator must provide direct notice to the parent. This notice must include the same information required in the online privacy policy and must clearly state the operator's intent to collect information from the child.
3. Verifiable Parental Consent (VPC)
This is the cornerstone of COPPA. Operators must obtain verifiable parental consent before collecting, using, or disclosing a child's personal information. Acceptable methods of obtaining VPC include:
• Signing and returning a consent form via mail, fax, or electronic scan
• Using a credit card, debit card, or other online payment system that provides notification of each transaction to the account holder
• Calling a toll-free number staffed by trained personnel
• Video conferencing
• Providing a government-issued ID that is checked against a database (with the ID deleted after verification)
• Knowledge-based authentication (answering questions that would be difficult for a child to answer)
• For internal use only (not disclosure to third parties), email plus (email to parent followed by a confirmation step such as a delayed confirmation email)
4. Parental Rights
Parents have the right to:
• Review the personal information collected from their child
• Have the information deleted
• Refuse to permit further collection or use of their child's information
In addition, the operator cannot condition a child's participation in an activity on the disclosure of more personal information than is reasonably necessary for that activity.
5. Confidentiality, Security, and Integrity
Operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. They must also retain information only as long as reasonably necessary to fulfill the purpose for which it was collected.
6. Data Minimization
Operators are prohibited from collecting more personal information than is reasonably necessary for a child to participate in a game, prize offer, or other activity.
Exceptions to Parental Consent Requirements
COPPA provides several narrow exceptions where an operator may collect a child's personal information without full parental consent:
• To provide notice to the parent and seek consent
• To respond to a one-time request from a child (the information must then be deleted)
• To respond more than once to a specific request (e.g., subscriptions), but only if the operator notifies the parent and gives the parent the opportunity to opt out
• To protect the child's safety
• To protect the security or integrity of the site
• As otherwise required by law
The Safe Harbor Program
The FTC allows industry groups and others to apply for safe harbor status by submitting self-regulatory guidelines that meet or exceed COPPA requirements. If approved, operators who comply with the safe harbor program's guidelines are deemed to be in compliance with COPPA. Examples of FTC-approved COPPA safe harbor programs include ESRB (Entertainment Software Rating Board), CARU (Children's Advertising Review Unit), kidSAFE Seal Program, Aristotle/PRIVO, and TRUSTe/TrustArc. Operators in safe harbor programs are subject to the oversight and enforcement mechanisms of the safe harbor provider.
Enforcement and Penalties
COPPA is enforced by the FTC and, to a limited extent, by state attorneys general. There is no private right of action under COPPA—individuals cannot sue operators directly for violations. Penalties for COPPA violations can be significant. Civil penalties are assessed per violation, and the FTC has levied multi-million dollar fines. Notable enforcement actions include those against TikTok (Musical.ly) for $5.7 million in 2019, YouTube/Google for $170 million in 2019, and Epic Games (Fortnite) for $275 million in 2022.
Mixed-Audience Websites and Actual Knowledge Standard
A key distinction in COPPA is between websites directed to children and general audience websites:
• Child-directed sites: Must comply with COPPA for all users.
• Mixed-audience sites: Sites that are directed to children but do not target children as their primary audience may use age-screening mechanisms to determine whether a user is under 13 and apply COPPA protections only to those users who identify as children.
• General audience sites: Not required to comply with COPPA unless they have actual knowledge that they are collecting information from a child under 13. Actual knowledge is a high standard—constructive knowledge or negligence is not sufficient, but willful blindness may not serve as a defense.
Relationship with Other Laws
COPPA interacts with several other laws and frameworks:
• FERPA: Schools can consent on behalf of parents for the collection of student information in an educational context, but only where the information is used for a school-authorized educational purpose.
• State Laws: Some states, like California (CalOPPA and the CCPA/CPRA), have additional protections for minors. California's Age-Appropriate Design Code Act extends protections to children under 18.
• GDPR: The EU's GDPR sets varying ages of consent for data processing (generally 13–16 depending on the member state), which can create international compliance challenges for operators.
Recent Developments and Proposed Updates
The FTC has been actively considering updates to the COPPA Rule, including potential changes to verifiable parental consent mechanisms, stronger data retention and deletion requirements, limitations on targeted advertising directed at children, and expanding the definition of personal information to capture new technologies. Legislative proposals such as COPPA 2.0 seek to raise the age of protection from 13 to 16 or 17, impose a ban on targeted advertising to minors, and create a digital marketing bill of rights for minors.
Exam Tips: Answering Questions on COPPA
1. Know the Age Threshold: Always remember that COPPA applies to children under 13. This is the single most tested fact. Do not confuse this with other privacy laws that use different age thresholds (e.g., CCPA's provisions for consumers under 16).
2. Understand 'Actual Knowledge' vs. 'Directed To': Exam questions frequently test the distinction between operators of child-directed sites (who must comply regardless) and general audience sites (who must comply only upon actual knowledge of collecting information from a child under 13). Know that mixed-audience sites have a middle-ground option involving age-screening.
3. Memorize Verifiable Parental Consent Methods: The FTC-approved methods of VPC are commonly tested. Remember the 'email plus' method is only available for internal use (not for disclosure to third parties). Know the sliding-scale approach, under which a less rigorous consent method such as email plus suffices only when the information is used internally, while disclosure to third parties requires one of the more rigorous methods.
4. Know the Expanded Definition of Personal Information: The 2013 amendments broadened the definition significantly. Be prepared for questions about persistent identifiers, geolocation data, photos/videos/audio of children, and screen names that function as contact information.
5. No Private Right of Action: This is a frequently tested point. Only the FTC and state attorneys general can enforce COPPA—not individual consumers or parents. If an exam question presents a scenario where a parent wants to sue a company directly under COPPA, the answer is that they cannot.
6. Safe Harbor Programs: Understand that safe harbor programs provide an alternative compliance mechanism. Know that operators in approved safe harbor programs are deemed compliant with COPPA and are subject to the safe harbor program's oversight rather than direct FTC enforcement (though the FTC retains the right to enforce).
7. Exceptions to Consent: Be ready for scenario-based questions testing whether parental consent is required. Remember the key exceptions—especially the one-time response exception, the multiple-contact exception (with parental notice), and the school/FERPA consent exception.
8. Distinguish COPPA from FERPA: In an educational technology context, know that schools can authorize collection under FERPA in lieu of parental consent, but only for school-authorized educational purposes. If the data is used for commercial purposes, COPPA's parental consent requirements apply directly.
9. FTC Enforcement Focus: Be aware of significant enforcement actions and the magnitude of penalties. The exam may test your knowledge of the FTC's enforcement posture and the fact that penalties are assessed on a per-violation basis, which can lead to very large fines.
10. Data Minimization and Retention: Remember that operators cannot condition participation on excessive data collection and must delete information once it is no longer necessary. These principles are testable and align with broader privacy principles.
11. Watch for Trick Questions About Operator Definition: The definition of 'operator' includes not only the site owner but also third-party plug-in operators or ad networks that collect information through child-directed sites. If a question describes a third-party widget collecting data on a child-directed site, that third party may also be an operator under COPPA.
12. Process of Elimination on Exam: When facing a multiple-choice question on COPPA, eliminate answers that reference incorrect age thresholds, that suggest a private right of action exists, or that imply operators need only post a privacy policy without obtaining verifiable parental consent. These are common distractors.
Summary for Quick Review:
• Applies to: Children under 13
• Enforced by: FTC (and state AGs)
• Core requirement: Verifiable parental consent before collection
• No private right of action
• Broadened personal information definition (2013 amendments)
• Safe harbor programs provide alternative compliance path
• Operator includes third parties collecting through child-directed sites
• School/FERPA exception for educational contexts
• Data minimization and retention limits are required
• Significant civil penalties for violations