The Children’s Online Privacy Protection Act (COPPA) is a federal law in the United States that safeguards children’s online privacy. It was enacted in 1998 and serves as a pivotal piece of legislation governing how online platforms handle the personal data of children under the age of 13. COPPA requires online services targeted at children or those knowingly interacting with children to obtain parental consent before collecting, using, or sharing personal information.

The COPPA regulation was crafted in response to growing concerns about internet marketing tactics that targeted children and collected their personal information without parental notification.

Over the years, COPPA has seen numerous updates and enforcement actions as technology and online practices have evolved. Despite efforts to comply, major tech companies like Amazon, Google, and Meta (formerly Facebook) have faced fines and legal challenges for alleged violations of COPPA, including inadequate age-gating systems and improper data collection practices targeting children.

Key Provisions of COPPA

COPPA requirements on website operators:

  • Incorporating a detailed COPPA privacy policy outlining information collection practices.
  • Obtaining verifiable parental consent before collecting personal information from children under 13.
  • Disclosing to parents any information collected on their children by the website.
  • Granting parents the right to revoke consent and request the deletion of their children’s information.
  • Limiting the collection of personal information during online games and contests.
  • Ensuring the confidentiality, security, and integrity of collected personal information.

Enforcement and Impact

COPPA violations are considered unfair or deceptive trade practices under Section 5 of the Federal Trade Commission (FTC) Act, empowering the FTC to impose civil penalties for non-compliance. At the federal level, violations can incur fines of up to $43,792 per violation, and state attorneys general can also take action to enforce COPPA.

Proposed FTC Changes

In response to heightened concerns about online safety for children and adolescents, the Federal Trade Commission (FTC) recently proposed sweeping changes to strengthen COPPA. 

These proposed changes include:

  1. Turning off targeted advertising by default for children under 13. This would prevent online services from using targeted ads to track children’s online behavior without parental consent.
  2. Prohibiting the use of personal details like cellphone numbers to keep children engaged. Online services would be restricted from using personal data to send push notifications or employ other tactics to prolong children’s time on their platforms.
  3. Third-party disclosures need opt-in consent. Businesses would require parents’ separate, verified authorization to release information to third parties, including marketers, unless the disclosure is essential to the website or online service. COPPA-covered companies must disallow third-party behavioral advertising by default and allow it only when parents opt in.
  4. Limiting corporations’ attempts to keep kids online. Some COPPA exclusions would prevent operators from sending push notifications to entice minors to use their service. Operators sending push notifications using kids’ data must flag that usage in their COPPA-required direct and online notices. This would guarantee parents know about and consent to company nudges.
  5. Keeping less data. The FTC proposal would strengthen COPPA by clarifying that operators can only keep kids’ personal information for as long as necessary to fulfill the purpose for which it was collected and cannot use it for any other purpose. The FTC wants operators to publicize their child data retention policy.
  6. Codifying ed-tech advice. When the FTC last examined COPPA, the ed-tech sector was smaller, but much has changed. The proposed rule would formalize the FTC’s COPPA guidelines that schools and school districts can authorize ed-tech providers to collect, use, and disclose students’ personal information for school-authorized educational purposes, not commercial purposes, while adding safeguards.
  7. Improving Safe Harbor accountability. The proposed COPPA rule would require COPPA’s Safe Harbor programs to publicly disclose their membership lists and provide more information to the FTC to promote openness and accountability.
  8. Increasing data security. Operators would have to design and implement a written children’s personal information security program that includes measures suitable to the sensitivity of the data acquired from youngsters.

These proposed changes aim to shift the responsibility of online safety from parents to digital service providers while curbing the exploitation of children’s data for commercial gain. The FTC’s proposal is open for public comment for 60 days before a final vote by the commission.

Industry reactions to the proposed changes have been mixed. Some trade groups have expressed gratitude for the FTC’s consideration of their input, while others argue that the changes could override parental preferences and hinder online service providers from delivering necessary services to children.

COPPA General Audience

Under the existing COPPA rules, operators of general audience and teen-directed websites and online services must adhere to COPPA regulations if they collect, use, or disclose personal information from children under 13. While websites devoid of kid-oriented content may be exempt from COPPA, those with sections or features that might appeal to children must assess their compliance obligations. To alleviate the burdens of COPPA compliance, many websites and online services have adopted strategies such as refraining from collecting personal information altogether or implementing age-screening mechanisms to restrict access for users under 13. 

The Future of Children’s Online Privacy

As children’s online activities continue to evolve and diversify, ensuring robust protections for their privacy remains an ongoing priority. Continued collaboration between stakeholders, including policymakers, industry players, advocacy groups, and parents, will be essential in shaping the future of children’s online privacy and fostering a safer digital environment for young users.
