COPPA Compliance

Nothing is more rewarding than creating great products for kids and marketing them online. Companies that sell products to kids aged below 13 years must adhere to the Children's Online Privacy Protection Rule ("COPPA"). This federal regulation stipulates how businesses ought to collect and store the personal data of under-13 users.

COPPA Compliance Guide for Beginner’s

COPPA compliance is enforced by the Federal Trade Commission (FTC). It stipulates what website operators, marketers, and other providers of online services should do to protect minors’ safety and privacy online. For instance, if COPPA covers a company, certain information ought to be included in its privacy policy. Similarly, parental consent must be sought when collecting certain information from under-13 users.

COPPA Compliance

What is COPPA Compliance?

COPPA got enacted to address the unprecedented growth of online marketing techniques targeting children during the late 90s. At the time, websites were collecting minors’ data without parental consent or knowledge. COPPA obligates website operators and providers of online services to abide by specific guidelines relating to the collection and handling of minors’ personal information. These guidelines include:

  1. Websites must seek parental consent before collecting personal information from under-13 website users.
  2. What a privacy policy should contain, including the requirement that the privacy policy itself be posted where data is collected.
  3. How and when to seek verifiable parental consent.
  4. Responsibilities of operators regarding minors’ safety and privacy online, including restrictions on marketing techniques.

How to Become COPPA Compliant?

To achieve COPPA compliance status, online services and operators must first define their target audience as per COPPA compliance guidelines. They should understand what comprises personal information. A company also needs to ensure that its privacy policy is clear and updated. Verifiable parental consent should be sought before collecting, handling, or disseminating minors’ personal data.

Website operators must understand the various levels of parental consent based on what they collect. Reasonable measures should be taken to ensure that third-parties and service providers also have mechanisms for protecting the integrity, security, and confidentiality of minors’ personal information.

For a company to become COPPA-compliant, it must ensure that personal information collected from minors isn’t stored for longer than necessary. When getting rid of the data, measures should be put in place to avoid exposure or loss. Parents are allowed to review data collected from their kids. They can also withdraw consent for the sake of protecting their kids’ privacy.


Verifiable Parental Consent

This is a COPPA compliance requirement, which is meant to ensure that parents know who is collecting their kids’ personal information, and for what purpose. Consent must be sought from parents before web operators collect kids’ personal information. As per COPPA compliance guidelines, personal information includes kids’ names, addresses, online contact information, social security number, a universal identifier that can be used to recognize users across different websites, and photographs.

To get verifiable parental consent, website operators should collect parents’ contact information online from their kids. After that, they should contact the parents and describe the personal information that they have collected, and why they did so. A link to the operators’ privacy policy should also be sent to the parents.

COPPA Compliance Exceptions

The FTC allows certain limited limitations, which mostly relate to verifiable parental consent. COPPA allows website operators to collect minors’ personal information without prior permission if they are making one-time requests, such as asking the minors to enter a consent. Besides, verifiable parental consent isn’t required when minors request to receive information that is distributed regularly, which as weekly newsletters.

If a web operator believes that an under-13 user’s safety is at risk after the minor claims to be in some harm or danger, the operator can collect the personal information of the minor along with his/her parents’ information. Verifiable parental consent can also be circumvented if an operator is protecting his/her website from getting attacked through or by minors’ accounts. In such situations, operators can collect the minors’ personal information and respond appropriately.

Raising the Age

Currently, COPPA protects children below 13 years. For COPPA compliance purposes, operators only need to label their websites as 13+ to start collecting minors’ personal information. Today, children below 13 years can still access such sites and provide their information to operators, knowingly or unknowingly.

Often, such data ends up getting sold to third-parties. This has led to calls for the age to be raised because at 13 years, kids are still too young to make rational decisions. Those who support this idea argue that 13 years shouldn’t be considered the age of adulthood on the Internet and that the age limit should be raised to 18 years.