The Essential Guide to COPPA Compliance

If you run a website that collects personal information, there’s a chance you’re going to need to comply with the Children’s Online Privacy Protection Act – also referred to as COPPA. 

In this detailed guide, we provide you with essential information on the purpose of COPPA and whether it applies to your website or mobile application. 

We also cover the steps you need to take to achieve COPPA compliance and avoid unnecessary lawsuits. 

Let’s start.

What is COPPA Compliance?

Created in 2000, the Children’s Online Privacy Protection Act (COPPA) regulates how websites collect information from children. It prevents marketers from targeting children with unethical campaigns in order to gather data. 

The aim of the act is to protect children, not hinder online businesses and innovation. 

Who is Covered By COPPA

COPPA compliance is applicable to websites, mobile apps, and any other online services that fall into the following categories:

• Directed at children 13 years and younger
• Awareness that they are collecting personal information from children 13 years and younger
• Collect information on the behalf of other websites that collect information from children 13 years and younger

COPPA applies to both active and passive data collection such as tracking cookies. 

What is Personal Information?

It’s also important to understand exactly what is meant by personal information. The following data is deemed to be personal information:

• Full name
• Physical address or general geographic location
• Contact number
• Social Security number
• Email address
• Online usernames
• Online identification (cookies)
• Images of a child or recordings of their voice

COPPA Enforcement

Next, let’s look at how COPPA compliance is enforced.

The Federal Trade Commission (FTC) is responsible for enforcing COPPA. Anyone who believes that a website or mobile app owner or operator is violating COPPA can report the matter to the FTC online. 

By not complying with COPPA regulations, you could find yourself being fined up to $46,000 per violation. How flagrant the violation is, the number of minors affected, how the personal information was used, and how many times an offense has occurred are factors that determine the total penalty.

There have even been instances where penalties have amounted to millions of dollars, which could essentially ruin a business or brand for life. 

Can Other States or Federal Agencies Enforce COPPA?

Absolutely! COPPA has given certain federal agencies and states the authority to enforce compliance requirements, provided they have jurisdiction.  

COPPA Compliance Requirements

There are two primary requirements for complying with COPPA regulations:

1. Post a Privacy Policy

COPPA compliance laws state that there needs to be a privacy policy available on your website or mobile app. 

This policy should outline how you collect and handle personal information from children who are 13 or younger. It should also be written in simple language so that even a child could understand it.

It’s not enough to just have a privacy policy either – it needs to be displayed in a prominent place – you can’t just add a basic link to your footer. 

Along with it being easy to find and read, it should also be distinguishable from other links on your site too. It’s best practice to place this link somewhere close to where you collect personal information.

Here are some of the specifics of what your privacy policy should contain:

• A list of the people and services that are being used to collect personal information on your site. COPPA requires you to specify contact information, including names, address, contact numbers, and addresses.
• How information is collected (actively or passively through cookies).
• Details on the type of information that is NOT collected.
• Specifics on how you plan to use the personal information you collect.
• Whether or not you are sharing this information with third parties. If you will be sharing it, specify how each third party will use this information.

If you have an app, there’s no rule that says you need to place your privacy policy at the point of purchase – it’s enough to place it on your home page. With that being said though, full transparency is always better, so make it as easy as possible for users to find your privacy policy. 

2. Send a Direct Notice to Parents

The second requirement is to send a direct notice to the parents of a child using a particular device. You can only collect personal information once this direct notice has been sent. 

In general, a direct notice needs to contain the following information:

• Explanation of how you obtained a parent’s contact details.
• The personal information you collect from children and what happens with the information.
• A request for consent from the parent.
• A link to the privacy policy.

COPPA Exceptions & Mixed Audience Websites

Let’s finish by looking at a few exceptions and what mixed audience website owners should know about COPPA compliance.

If your website or mobile app doesn’t collect, disclose, or make use of personal information collected from children, COPPA doesn’t apply to you. 

And if you are unsure whether your website or app is deemed to be directed at children, consider the following factors:

• The topic of your site.
• The use of animated characters.
• Whether or not your site or app includes activities and incentives that would appeal to a child.
• The visuals and audio used.
• The use of models or celebrities that would appeal to a younger audience.
• Whether the advertising or promotions are directed at children.
• Any evidence that would suggest your site’s target audience is children 13 years or younger. 

Also, if you are using any data from children that have been collected from another website, COPPA applies to you.

Now, what about websites that target a mixed audience that includes children?

Basically, if there is any content, product, or services on your website that are directed at children, you need to comply with COPPA.

In Closing

COPPA requirements are simple and straightforward, so there’s no reason why you should delay compliance.

Plus, by complying, not only are you doing your part to protect a younger online audience, but you’re avoiding costly lawsuits and business failure.