COPPA Compliance Requirements

Children's Online Privacy Protection Rule (COPPA) is a federal law that was enacted by Congress in 1998. It is meant to ensure the online safety and privacy of kids below 13 years. It gives parental control over the information that their under-13 kids can provide to online marketers and other web operators. The Federal Trade Commission, which is America’s consumer protection agency, enforces the COPPA Rule.

COPPA Compliance Requirements

COPPA Compliance Requirements - Complete Guide

Before determining whether COPPA compliance applies to you or not, you should first ask whether your website collects information from under-13 years. COPPA does not apply to everybody who operates a website or an online service. The regulation only applies to website operators who collect the personal information of kids below 13 years.

Likewise, COPPA compliance requirements apply to websites or online services that are directed to kids aged below 13 years and also allow third-parties and service providers to collect information from the kids. Sites that target a general audience, but still collect the personal information of under-13 users, also need to be COPPA-compliant. If a company runs an ad plugin or ad network and collects data from under-13 users, it must adhere to COPPA compliance requirements.

Complying with COPPA

Notice to Parents/Guardians

One of the most critical COPPA compliance requirements states that web operators must give “direct notice” to parents about their information collection practices. If the operators make any changes to their traditions, they should duly send an updated notice to parents. Besides being easy to read, the notice served to parents shouldn’t include any confusing or unrelated information.

The notice should inform parents/guardians about collecting their contact information from their under-13 kids to seek their consent. It should also tell them about the intention to collect, use, or disclose personal information from their kids, and that their consent is needed for the web operators to proceed.


Verifiable Parental Consent

COPPA compliance requirements empower parents and guardians to have the final say about information that website operators collect from their under-13 kids. Therefore, online marketers and website operators must seek verifiable parental consent from parents/guardians before collecting data from their kids. Failure to do this puts them at the risk of fines and penalties.

Even after acquiring verifiable parental consent, web operators should allow parents to review their kids’ personal information. If directed, they should be ready to delete whatever information they might have collected. Parents can also refuse to allow the collection of more information or further use of the minors’ data.

However, CIPA compliance requirements also highlight some limited exceptions to the verifiable parental consent guideline. If a web operator is responding directly to an under-13 user’s one-time request, no consent is required. Besides, consent can get disregarded if the operator is trying to protect a child’s safety.

Posting of Privacy Policies on Websites

Websites that are governed by CIPA compliance requirements should also post a privacy policy that clearly and comprehensively describes how personal data collected from under-13 users is handled. The privacy policy must describe a company’s practices as well as the practices of third parties who collect information from its website, including plugins.

There should be a link to the company’s privacy policy on the homepage and other pages where minors’ personal information is collected. If a website targets a general audience but has a dedicated section for kids, a link to the privacy policy should be posted on the homepage of the kids’ section.

Honoring Parents’ Ongoing Rights

COPPA requires web operators to honor parents’ ongoing rights concerning personal data collected from their children. Similarly, web operators have continuing obligations towards parents and their kids.

Every time web operators communicate with parents about the personal information collected from their kids, they should verify that they are indeed dealing with parents. Under COPPA compliance requirements, web operators can terminate services rendered to an under-13 user if his/her parent revokes consent.

Protection of Kids’ Personal Information

COPPA requires web operators to implement reasonable procedures for protecting the integrity, confidentiality, and security of the data that they collect from under-13 users. To achieve this, operators ought to minimize what they collect.

Besides, web operators should only release data to third party operators who can maintain its security, integrity, and confidentiality. Website operators also need to only hold onto collected information for a reasonable period. Once the data is no longer needed, they should get rid of it securely, because, at that point, they won’t have a legitimate reason for having it.