What is COPPA?
COPPA applies to operators of commercial websites directed to children 12 and under that collect or maintain personal information, as well as other websites that have actual knowledge that they are collecting or maintaining personal information from a child 13 and under.
What Does the COPPA Rule Require?
Websites and online services covered by COPPA must post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children.
Who is Covered?
The Rule applies to operators of commercial websites and online services directed to children under the age of 13 that collect personal information. In addition, it applies to operators of sites and online services geared toward general audiences when they have “actual knowledge” they are collecting information from children under 13. Under the 2013 revisions, COPPA also applies to operators when they have “actual knowledge” they are collecting personal information from users of another site or online service directed to kids under 13. That means that in certain circumstances, COPPA applies to advertising networks, plug-ins, and other third parties.
The Rule doesn’t require operators of sites or services directed to general audiences to investigate the ages of its users. However, asking for or otherwise collecting information that establishes that a visitor is under 13 triggers COPPA compliance.
You’re covered by COPPA if:
- Your website or online service is directed to children under 13 and collects personal information from them;
- Your website or online service is directed to a general audience, but you have “actual knowledge” you’re collecting personal information from a child under 13; or
- You run a third-party service like an ad network or plug-in and you’re collecting information from users of a site or service directed to children under 13.
Obtaining “Actual Knowledge” of a User’s Age
Although the Rule doesn’t define the term, the FTC has said that an operator has actual knowledge of a user’s age if the site or service asks for – and receives – information from the user that allows it to determine the person’s age. For example, an operator who asks for a date of birth on a site’s registration page has actual knowledge as defined by COPPA if a user responds with a year that suggests they’re under 13. An operator also may have actual knowledge based on answers to “age identifying” questions like “What grade are you in?” or “What type of school do you go to? (a) elementary; (b) middle; (c) high school; (d) college.”
Third-party sites or services may have actual knowledge under COPPA, too. For example, if the operator of a child-directed site directly communicates to an ad network or plug-in about the nature of its site, the ad network or plug-in will have actual knowledge under COPPA. The same holds true if a representative of the ad network or plug-in recognizes the child-directed nature of the site’s content. Another way an ad network or plug-in may have actual knowledge: If a concerned parent or someone else informs a representative of the ad network or plug-in that it’s collecting information from children or users of a child-directed site or service.
Do You Operate a Website or Online Service That Collects Personal Information From Kids Under 13?
COPPA doesn’t apply to everyone operating a website or other online service. Put simply, COPPA applies to operators of websites and online services that collect personal information from kids under 13. Here’s a more specific way of determining if COPPA applies to you. You must comply with COPPA if:
Your website or online service is directed to children under 13 and you collect personal information from them.
Your website or online service is directed to children under 13 and you let others collect personal information from them.
Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
Your company runs an ad network or plug-in, for example, and you have actual knowledge that you collect personal information from users of a website or service directed to children under 13.
To determine if you’re covered by COPPA, look at how the Rule defines the following key terms:
“Website or online service”
COPPA defines this term broadly. In addition to standard websites, examples of others covered by the Rule include:
- mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads),
- internet-enabled gaming platforms,
- advertising networks,
- internet-enabled location-based services,
- voice-over internet protocol services,
- connected toys or other Internet of Things devices.
“Directed to children under 13”
The FTC looks at a variety of factors to see if a site or service is directed to children under 13, including the subject matter of the site or service, visual and audio content, the use of animated characters or other child-oriented activities and incentives, the age of models, the presence of child celebrities or celebrities who appeal to kids, ads on the site or service that are directed to children, and other reliable evidence about the age of the actual or intended audience. If your website doesn’t target children as its primary audience, but is “directed to children under 13” based on those factors, you may choose to apply COPPA protections only to users under age 13. If that’s what you decide to do, you must not collect personal information from any users without first collecting age information. For users who say they are under age 13, don’t collect any personal information until you have obtained verifiable parental consent.
Each of these is considered personal information under COPPA:
- full name;
- home or other physical address, including street name and city or town;
- online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier;
- screen name or user name where it functions as online contact information;
- telephone number;
- Social Security number;
- a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier;
- a photo, video, or audio file containing a child’s image or voice;
- geolocation information sufficient to identify a street name and city or town; or
- other information about the child or parent that is collected from the child and is combined with one of these identifiers.
Under COPPA, you’re collecting information if you:
- request, prompt, or encourage the submission of information, even if it’s optional;
- let information be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records; or
- passively track a child online.
If another company collects personal information through your child-directed site or service — through an ad network or plug-in, for example — you’re responsible for complying with COPPA. If you have actual knowledge that you’re collecting personal information directly from users of a child-directed site or service, you’re responsible for complying with COPPA, too.