COPPA Compliance Guide

The Children's Online Privacy Protection Act (COPPA) is an act passed by US congress in 1998 to protect children under the age of 13 from sharing personally identifiable information and such information being used by businesses to exploit them. It outlines what kind of information can be and cannot be shared by children, how such information must be collected, and the consequences of not complying with the regulation.

COPPA Compliance Guide is enforced by the Federal Trade Commission which has set up guidelines to help businesses comply with the regulation. Essentially, any business whose main target audience is children under the age of 13, or has actual knowledge that some of its users are children under 13 years, or is a third party collecting information on behalf of a site and has knowledge that some of that site's users are under 13 years must comply with the act.

COPPA Compliance Guide

Treading this field requires meticulous due diligence as some clauses can actually put you at risk of receiving hefty fines should you overlook them. For instance, cookies and geolocation are defined as personally identifiable information. By default, your site may be collecting such information from children without your knowledge. It is therefore important to be vigilant. To that end, here's a simple guide that will help you ensure your product or business is COPPA-compliant and has covered all the major loopholes to avoid being prosecuted.

Strategies for Ensuring COPPA Compliance

Depending on your site or business, there are 3 strategies you can employ to comply with COPPA.

  1. Setting an age-gate

    COPPA Compliance Guide is entirely targeted for businesses that interact with users under 13 years. If you have no users under 13 years old, then you're safe. But how do you ensure that? Your product must be made for users above 13 years old. To avoid underage users, you can set up an age-gate that prompts the user to insert their date of birth when signing up. You can then lock out users under 13 years. Now, granted, some children may work their way around and lie about their birth date. Monitoring their activities is your next chance at identifying them and restricting them. For example, you can monitor their language, what they post, etc. A user posting it's their 10th birthday means they're underage. Facebook and other social media sites use this strategy.

  2. Obtaining verifiable parental consent

    If your business or product is entirely targeted at children under 13 years old, then it is important, as per the COPPA Compliance Guide, to ensure you obtain VERIFIABLE parental consent especially if your site requires sharing of personally identifiable information with third parties. You can obtain such consent by requesting parental contact information, requiring the parent to send signed form authorizing consent through fax, scanning, or any other method. To ascertain they're the parent, you can request use of a credit or debit card. This is important to ensure that only the parent is giving such consent and in the event that they're not the parent, you have evidence.

  3. Using email plus

    If your product does not require sharing of personally identifiable information with third parties and has a user base of children under 13 years old, then this is the easiest strategy. Simply request the parent's email, send the email detailing that their child is requesting to use your service and outlining what data will be captured and ascertaining that no third-party will have access to such data, and a link to click if they consent


Setting up Privacy Policy

COPPA Compliance Guide requires that every business whose user base contains children under 13 years old display a prominent privacy policy on its website’s homepage as well as any other page where personally identifiable information may be collected. The policy should be written in such a language that a 13-year-old can easily decipher and should not include any marketing or misleading information. Use visible font and clear background and detail how data is going to be collected, what type of data is going to be collected, where will it be housed, who can have access to such data and why. It should also state that the parent has the exclusive right to request for such data and delete it if need be.

Filtering personally identifiable information

If your product or business does not require sharing of personally identifiable information, then you should have filters in place to detect when such information is shared by children. Personally identifiable information include age, gender, full names, social security number, contact information, telephone number, child's image, video or voice, geo-location, other information collected together with any of these identifiers. If you detect a user sharing PII, the site should give warning why it's dangerous or ban them for a short period, extending the period if they repeat, or finally banning them for life if they do not change their behavior.

Sites that appear directed at children

If your site is not directed at children under 13 years but its features, design, language font appear attractive to children under the age of 13, you will become liable to COPPA. Sites that use animated characters, music appealing to children 13 years old, photos, colors attractive to children are defined by FTC as targeting children under 13. You should, therefore, ensure that the design of your site doesn’t appeal to children if your product is not for children.


NuEduSec is a state of the art cloud platform for school networks designed to help schools and educational institutions for children become CIPA and COPPA compliant. The platform helps keep children's data safe from exploitation and landing on the wrong hands as well as providing protection to students at school, in the classroom or at home while also providing a trouble-free Internet experience in your school network. The platform also monitors students’ activities online and enforces safe internet usage while ensuring the privacy of students and facility alike, allowing proactive shared roles and responsibilities, device tracking and management as well as secure web filtering and enhanced visibility.