Understanding COPPA compliance requirements: A guide to safeguarding children’s online privacy

As the internet becomes an integral part of children’s lives, ensuring their safety online has never been more critical.

The Children’s Online Privacy Protection Act (COPPA) plays a vital role in protecting the privacy of children under 13 by setting strict guidelines for how businesses can collect and manage their personal information.

For any company that knowingly collects and processes the personal data of minors, understanding COPPA compliance requirements is essential to avoid hefty fines and protect brand reputation. It also helps to build trust with families.

We break down the essentials of COPPA and include a COPPA compliance checklist, so your company can protect children’s online privacy and give parents control.

What is the Children’s Online Privacy Protection Act (COPPA)?

The Children’s Online Privacy Protection Act (COPPA) is a US federal law, passed in 1998 and enacted in 2000, that focuses on safeguarding the privacy of children under 13 on the internet. It requires websites and online services that collect personal information from children to get verified consent from parents or guardians before doing so.

Most of the state-level data privacy laws passed in the United States also defer to COPPA regarding the handling of children’s personal information and consent and data protection requirements.

COPPA was introduced due to rising concerns about children’s safety and privacy as the internet rapidly expanded in the late 1990s. The law was created to prevent the unauthorized collection of personal data from minors and to give parents more control over their kids’ online activities. It took effect on April 21, 2000, and has been updated to keep up with evolving technologies and online practices, like the proliferation of cell phone usage and social media platforms, some of which are specifically targeted to children.

A more comprehensive update, called the Children and Teens’ Online Privacy Protection Act (informally “COPPA 2.0”), was introduced in both 2023 and 2024. However, as of September 2024, it has not yet been passed.

Does COPPA apply to you?

If you operate a website, app, or online service, you might wonder whether COPPA compliance requirements apply to your company. This is an important consideration, as failing to comply can result in significant fines and harm your reputation.

COPPA isn’t limited to child-focused platforms. Even if your main audience is adults, you may still need to comply. Consider the following:

• Do you collect personal information from users?
• Do you already have to obtain consent for collecting personal information from users?
• Is your content likely to attract children under 13?
• Are you aware that children under 13 are or could be using your service?

If you answered “yes” to any of these questions, COPPA guidelines likely apply to your company.

This is also valid for companies based outside the US. COPPA compliance requirements cover foreign websites and services that collect data from children in the United States. Therefore, it’s best to consult with a legal expert if in doubt.

What is personal information according to COPPA?

According to COPPA, personal information includes a broad range of data that can be used to identify a child under 13 years old. Specifically, COPPA defines personal information as:

• First and last name
• Home or physical address, including street name and city/town
• Online contact information like email addresses
• Screen names or usernames that function as online contact information
• Telephone numbers
• Social Security numbers
• Persistent identifiers that can recognize a user over time and across different websites or online services, such as:
  • Customer numbers in cookies
  • IP addresses
  • Processor or device serial numbers
  • Unique device identifiers
• Photos, videos, or audio files containing a child’s image or voice
• Geolocation information sufficient to identify street name and city/town
• Information about the child or their parents that the operator collects from the child and combines with an identifier described above

COPPA’s definition of personal information is broad, covering both direct identifiers and information that could be used to recognize or track a child’s online activities in combination with other information and/or over time.

When is parental consent not required for COPPA?

Parental consent is not required under COPPA when collecting a child’s contact information:

• (Or parent’s) only to get parental consent or provide parental notice
• Only to respond to a one-time request from the child, without storing that information
• To protect the security or integrity of the website or online service
• To support internal operations of the website or online service
• To protect the child’s safety
• When a website or online service is used by a school for educational purposes only, and the school has obtained parental permission

It’s important to note that even in these cases, websites and online services must still comply with other COPPA compliance requirements, such as maintaining the confidentiality and security of any collected information.

COPPA compliance requirements checklist

Curious about how to achieve and maintain COPPA compliance? Use the following COPPA compliance checklist to help ensure that you protect children’s online privacy and give parents control.

Publish a COPPA-compliant privacy policy

Create a clear, detailed, and easily accessible COPPA privacy policy on your website or app. Make sure it can be accessed on or from the homepage or site footer, and wherever children’s data is collected. Include names, addresses, and contact details of all operators collecting data. Clearly describe what information is collected, how it’s collected (including through tracking cookies and other technologies), how it’s used, and whether it’s shared with third parties.

Additionally, explain parental rights in detail, including the ability to review, delete, and refuse further collection of their child’s information. Ensure the policy is written in clear, understandable language without legal jargon.

Notify parents

Implement a system to directly notify parents of your data collection practices before collecting any personal information from children. This notification should be separate from the privacy policy and include specific details about the types of information collected, including any use of Google cookies or similar website tracking technologies.

Update parents promptly if there are any significant changes to these practices. Consider using email, push notifications, or in-app messaging for these direct communications. If data processing purposes change, parents must be notified and new consent to process children’s data must be obtained.

Obtain verifiable parental consent

Develop a system to obtain verifiable consent from parents before collecting, using, or disclosing a child’s personal information.

COPPA compliance requirements suggest several methods to verify parental consent, such as signed consent forms, credit card transactions, video conferencing, or government-issued ID checks. Ensure your consent mechanism is designed to achieve as much confidence as possible that the person providing consent is the child’s parent or guardian. Document all consent obtained and maintain these records securely.

Honor parental data requests

Establish a clear process for parents to review the personal information collected from their children, withdraw consent, and/or request the deletion of their child’s data. This process should be easily accessible and user-friendly.

Additionally, implement a system to verify the identity of parents making these requests to help ensure the security of children’s data. Set up a dedicated team or point of contact to handle these requests promptly and efficiently.

Implement data protection measures

Put in place security measures to protect children’s data from unauthorized access, use, or disclosure. This includes using encryption for data in transit and at rest, implementing strong access controls, and maintaining secure storage systems.

Under many data privacy laws, children’s data is categorized the same as sensitive personal information, which can cause increased harm if misused, so children’s data requires the same enhanced restrictions and security measures as other sensitive data.

Regularly update and patch your systems to address potential vulnerabilities. Conduct periodic security audits and penetration testing to ensure the effectiveness of your protection measures. Audit the data you store and process as well and delete or anonymize it when no longer required.

Monitor third-party data practices

Carefully vet and regularly monitor any third parties you share data with to ensure they are also COPPA-compliant. This includes advertising networks, analytics providers, and other service providers. Implement contractual safeguards with these third parties to ensure they handle children’s data in a manner that adheres to COPPA compliance requirements.

Also, regularly audit their data practices and terminate relationships with noncompliant parties. Be particularly vigilant about third-party cookies and tracking technologies on your site or app.

Train staff on COPPA compliance requirements

Conduct regular training sessions for staff on COPPA regulations, proper data handling practices, and procedures for obtaining parental consent. Monitor staff compliance regularly and create clear guidelines for staff on how to handle children’s data and respond to parental

inquiries or requests. It’s important for teams to implement data privacy principles like data minimization, so only data that is explicitly needed to fulfill your company’s stated purposes is collected, stored, and processed.

Document compliance efforts

Maintain documentation of all your COPPA compliance efforts, including privacy policy updates, consent procedures, staff training records, security measures, and third-party agreements. Keep detailed logs of parental consent obtained (and any changes to it over time) and data access or deletion requests fulfilled. This documentation will be crucial evidence in case of audits or investigations by regulatory authorities.

How is COPPA enforced?

COPPA compliance is primarily enforced by the Federal Trade Commission (FTC), which investigates potential violations and takes legal action against companies that fail to comply with the regulations. The FTC can initiate investigations based on complaints from the public, which can be submitted online or through their toll-free number.

In addition to the FTC’s efforts, state attorneys general have the authority to bring COPPA enforcement actions within their jurisdictions. Certain federal agencies, such as the Office of the Comptroller of the Currency and the Department of Transportation, also play a role in enforcing COPPA compliance for specific industries they regulate.

Enforcement actions typically involve legal proceedings and may result in companies being required to implement new privacy policies and procedures to ensure future compliance with COPPA.

COPPA fines and violations for noncompliance

COPPA violations can lead to hefty fines for companies that don’t comply. The FTC can issue civil penalties of up to USD 50,120 for each violation, which means even a few infractions can add up quickly. The actual fine depends on factors like how severe the violation was, the number of children involved, and the misuse of their information.

A well-known example is YouTube’s USD 170 million fine in 2019 for tracking kids’ online activity without getting parental consent.

Beyond fines, companies might be required to introduce new privacy measures, delete improperly collected data, and revise their practices.

In addition, the reputational damage from violating COPPA rules can be just as serious as the financial penalties. Public trust is hard to rebuild once lost, and companies found guilty of mishandling children’s data and violating child privacy laws can face consumer backlash, negative media coverage, and long-lasting damage to their brand. This erosion of trust can impact customer loyalty, deter potential partnerships, and even affect a company’s market value over time.

How Cookiebot™ can help you be COPPA-compliant

Navigating the complexities of COPPA compliance requirements can be challenging for companies that operate websites or online services attracting children under 13. This is where Cookiebot CMP helps simplify this process for you

Cookiebot CMP helps companies comply with COPPA by providing them with a consent management platform. Our tool enables websites to inform parents about data use and obtain verifiable parental consent before collecting personal information from children under 13.

Additionally, Cookiebot CMP assists companies in creating clear and transparent privacy policies that outline data collection practices, which is essential for COPPA compliance. Our privacy policy generator asks targeted questions about your business and data processing activities and makes a unique privacy policy you can embed directly on your website or app.

Moreover, Cookiebot CMP keeps detailed logs of user consent over time, serving as vital documentation of compliance efforts.