To which entities does the law apply?
The Rule applies to operators of commercial websites and online services (including mobile apps and IoT devices) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
What data is covered?
The Rule defines personal information to include:
- First and last name
- A home or other physical address including street name and name of a city or town
- Online contact information
- A screen or username that functions as online contact information
- A telephone number
- A Social Security number
- A persistent identifier that can be used to recognize a user over time and across different websites or online services
- A photograph, video, or audio file, where such file contains a child’s image or voice
- Geolocation information sufficient to identify street name and name of a city or town, or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
What are the compliance requirements?
The primary goal of COPPA is to place parents in control over what information is collected online from their children under age 13. Operators covered by the Rule must:
- Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children,
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children,
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents),
- Provide parents access to their child’s personal information to review and/or have the information deleted,
- Give parents the opportunity to prevent further use or online collection of a child’s personal information,
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security,
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use, and
- Not condition a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.
Legal Authority: Federal Trade Commission
Law/regulations: Children’s Online Privacy Protection Rule (COPPA)
Privacy Owner: Department head of program engaging in the covered activity.