What is the Children’s Online Privacy Protection Act?

The impact that social media and other online sites have on young-people today can be very extensive. Given that children are a more vulnerable group of society, less aware of the risks involved with giving out their personal data, it’s not surprising that across the world there are a variety of regulations in place to help protect children’s privacy and security online.

In Europe, the General Data Protection Regulation (GDPR) has a section that sets out rules for companies to follow when collecting and processing children’s personal data. The equivalent in the US is an act dedicated specifically to protecting the privacy and security of children online.

The Children’s Online Privacy and Protection Act (COPPA) came into effect as part of US Federal Law in 2000. The Act was specifically designed to protect the online collection of personal information of children under the age of 13 and is applicable to both websites and mobile apps.

COPPA was developed to address the rapid growth of online marketing techniques in the 1990s that were targeting children and were collecting personal data from children without parental knowledge or consent.

Although the Act was intended for US businesses, but it also applies to any foreign businesses if they collect personal information from children under 13 residing in the US. Therefore, most global social media and online websites will have to be both GDPR and COPPA compliant.

The Act specifies:

  • That sites must require parental consent for the collection or use of any personal information of young website users
  • What must be included in a privacy policy, including the requirement that the policy itself be posted anywhere data is collected.
  • When and how to seek verifiable consent from a parent or guardian.
  • What responsibilities the operator of a Web site legally holds with regards to children’s privacy and safety online, including restrictions on the types and methods of targeting with marketing content those under 13.

In September 2011, the US announced proposed revisions to the COPPA rules. The proposed changes expanded the definition of what it meant to “collect” data from children and presented a data retention and deletion requirement. This mandated that data obtained from children be retained only for the amount of time necessary to achieve the purpose that it was collected for. It also added the requirement that operators ensure that any third parties to whom a child’s information is disclosed have reasonable procedures in place to protect the information.

In practice, the Federal Trade Commission (FTC) can accuse any website or app should they feel are not complying with this legislation. This happened to Chinese owned app TikTok in 2019 when the FTC alleged that it “illegally collected personal information from children” by not obtaining their parents’ permission before they signed up. TikTok was fined $5.7 million for failing to comply with COPPA and was required to add a ‘kids only’ mode to the app.

Do you have any questions about what else you can do to protect your children’s privacy and security online? Let us know if the comments below