The Children's Online Privacy Protection Act of 1998 (COPPA) and the Federal Trade Commission's (FTC) implementing regulations (COPPA Rule) govern the online collection, use, and disclosure of personal information from children under the age of 13.
COPPA requires Website Operators and Online Services (such as websites, mobile apps, network-connected games, network-connected toys or other internet of things (IoT) devices, Voice over IP services, location-based services and social networking services) that target children under 13, serve mixed audiences and do not age-screen, or have actual knowledge that they collect information from children under 13 to take
In 2013, the COPPA Rule was amended to close a loophole and clarify that where a Website or Online Service integrates a third-party's content or service that collects personal information directly from the third-party's website or service's users (including, for example, plug-ins and advertisements):
- The Website and Online Service Operators are responsible for ensuring COPPA compliance from the third-party or ad network, while remaining responsible and liable for any failure to comply with COPPA; and
- If the third-party website, plug-in, advertisement, or ad-network is notified by the Website Operator, Online Service Operator, parent or guardian, or a Third-Party Representative (on their own) recognizes the child-directed nature of the Website or Online Service, the third-party must also comply with COPPA.
- Include privacy notices about privacy practices for information that website operators and online service providers collect from children under 13;
- Not condition a child's use of or participation in any online activity on the child's disclosing more personal information than is reasonably necessary;
- Obtain "verifiable parental consent" before collecting, using, or disclosing children's personal information;
- Honor parents' ongoing rights with respect to information collected from their child by allowing a parent to review their child's personal information, request deletion of a child's collected information, and refuse to allow any further collection or use of a child's information; and
- Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children under the age of 13.
If a child's birthdate, grade in school, or elementary school information is collected, regulators have determined the Website Operator or Online Service has actual knowledge of having collected information from a child under 13. See the FTC's Report regarding Actual Knowledge.
Verifiable Parental Consent
Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent.
- Providing a consent form to be signed by the parent and returned to the operator by postal mail, facsimile, or electronic scan;
- Requiring a parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having a parent call a toll-free telephone number staffed by trained personnel;
- Having a parent connect to trained personnel via video-conference;
- Verifying a parent's identity by checking a form of government-issued identification against databases of such information, where the parent's identification is deleted by the operator from its records promptly after such verification is complete; or
- Provided that an operator that does not "disclose" children's personal information may use an email coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include: sending a confirmatory email to the parent following receipt of consent, or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call. An operator that uses this method must provide notice that the parent can revoke any consent given in response to the earlier email.