Published: July 1, 2023
The Children's Online Privacy Protection Act (COPPA) is a law in the United States that regulates the online collection of personal information from children under the age of 13.
COPPA imposes several requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
This is most likely to affect websites in the education or gaming / entertainment industries.
Among other things, the COPPA rule requires:
- Notice: Website operators must provide a clear, understandable, and complete notice of their information practices, including what information they collect from children, how they use such information, and their disclosure practices for such information.
- Verifiable Parental Consent: Before collecting, using, or disclosing personal information from a child, operators must obtain verifiable parental consent. There are several methods available to obtain verifiable parental consent, including but not limited to: obtaining a signed form from the parent via postal mail or facsimile; accepting and verifying a credit card number in connection with a transaction; taking calls from parents, through a toll-free telephone number staffed by trained personnel; or by using a digital certificate that uses public key technology.
- Provide parents access to their child's personal information: A parent has the right to review the personal information collected from their child and to refuse to permit its further use or maintenance.
- Prohibit conditioning a child's participation on collection of more information than is reasonably necessary: Website operators can't require a child to disclose more information than is reasonably necessary to participate in an activity as a condition of participation.
- Maintain confidentiality, security, and integrity of information they collect from children: Websites must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
- Data retention and deletion requirements: Operators of websites or online services should retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
Failure to comply with COPPA can result in fines issued by the Federal Trade Commission (FTC), which enforces the law. As with all legal matters, it's advisable to consult with a legal expert to ensure full compliance with COPPA's requirements.