Complying with COPPA: FAQs

Frequently asked questions about COPPA

1. What is the Children’s Online Privacy Protection Rule?

The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law. Effective April 21, 2000, applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age.

The Rule applies to all Internet entities that collect, use, or disclose personally identifiable information from children under the age of 13.

Website owners/operators and online services (including mobile apps) must provide a privacy policy sharing when and how verifiable consent is collected from a parent or guardian, and the responsibilities that apply to the operator when protecting children's privacy and safety online.

Operators covered by the Rule must:

  1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children
  2. Provide direct notice to parents and obtain verifiable parental consent.
  3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties.
  4. Provide parents access to their child's personal information to review and/or have the information deleted
  5. Give parents the opportunity to prevent further use or online collection of a child's personal information
  6. Maintain the confidentiality, security, and integrity of information they collect from children.
  7. Retain personal information collected online from a child for only as long as is necessary.

2. Who is covered by COPPA?

The Rule applies to operators of commercial Web sites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. Additionally it applies to operators of general audience Web sites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

3. What is Personal Information?

The Rule defines personal information to include:

  1. First and last name
  2. A home or other physical address including street name and name of a city or town
  3. Online contact information
  4. A telephone number
  5. A social security number
  6. Screen or user name: is considered personal information if it functions as online contact information. Including, email or any other identifier that permits direct contact with a person online.
  7. Persistent Identifiers: any identifier that can be used to recognize a user over time and across platforms. Operators need not seek parental consent for these newly-covered persistent identifiers if they were collected prior to the effective date of the Rule. Unless obtained consent from parents or strictly for use for internal operations of online service (support), the collection of any information reflecting the scope of 'persistent identifier' will trigger COPPA.
  8. Images or videos containing audio of the child's voice/from a child: obtaining parental consent is not necessary based on collecting prior data to effective date of the Rule. It is suggested as a best practice to discontinue the use or disclosure of such information, or if possible, obtain parental consent.
  9. Geolocation information: if the site operator has not obtained parental consent, do so immediately. Operators are required to obtain parental consent prior collecting such geolocation information, regardless of when such data is collected.
  10. Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

4. Where can I find information about COPPA?

The FTC has a comprehensive Web site, www.ftc.gov, which provides information to the public on a variety of agency activities.  Clicking on the Privacy & Security link in the Featured Topics section of the FTC’s home page will take you to the Privacy and Security portion of the FTC’s Business Center.  Clicking on the link labeled Children’s Privacy will take you to the Children’s Privacy section, which also is accessible by cutting and pasting the following link into a web browser: http://business.ftc.gov/privacy-and-security/children’s-privacy.  The Children’s Privacy section includes a variety of materials regarding COPPA, including all proposed and final Rules, public comments received by the Commission in the course of its rulemakings, guides for businesses, parents, and teachers, information about the Commission-approved COPPA safe harbor programs, and FTC cases brought to enforce COPPA.  Many of the educational materials on the FTC Web site also are available in hard copy free of charge by calling the FTC Consumer Response Center’s toll free number at (877) FTC-HELP.

5. What should I do if I have questions about the COPPA Rule?

The first thing you should do is read the FTC’s Children’s Privacy guidance materials.  If, after reviewing the FTC’s online materials, you continue to have specific COPPA questions, please send an email to our COPPA hotline at CoppaHotLine@ftc.gov.