NEW
Report & API Now Live! Data insights report and open data API endpoints live as of September 23, 2025

COPPA - Children's Online Privacy Protection Act

type
Regulation
Full Name
COPPA - Children's Online Privacy Protection Act (Children's Online Privacy Protection Act of 1998)
Official Name
Children's Online Privacy Protection Act of 1998

Description

Description
Source

Children's Online Privacy Protection Act (COPPA)

COPPA is a landmark U.S. privacy law enacted in 1998 to protect children's personal information online. The law requires websites and online services to obtain verifiable parental consent before collecting personal information from children under 13 years old. Enforced by the Federal Trade Commission, COPPA establishes strict guidelines for how online operators must handle children's data, reflecting growing concerns about youth privacy and safety in the digital age.

Objectives and Scope

  • Protect children under 13 from unauthorized collection of personal information
  • Regulate commercial websites and online services that:
    • Are directed to children
    • Have actual knowledge they collect data from children
  • Establish clear parental consent requirements
  • Create enforcement mechanisms for violations

Key Requirements

  1. Notice Requirements

    • Clear privacy policies describing data collection practices
    • Direct notice to parents about information collection
    • Description of how personal information is used
  2. Parental Consent Obligations

    • Obtain verifiable parental consent before collecting data
    • Provide parents access to collected information
    • Allow parents to delete children's information
    • Enable parents to refuse further data collection
  3. Data Protection Requirements

    Operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children

Technical and Operational Requirements

§6502(b) specifies operational requirements including:

  • Implementation of verifiable parental consent mechanisms
  • Establishment of data security protocols
  • Creation of data access procedures
  • Development of data deletion capabilities

Protected Information Types

Personal Information includes:

  • Full name
  • Home address
  • Email address
  • Phone number
  • Social Security number
  • Online identifiers
  • Geolocation data
  • Photos or videos
  • Audio files
  • Behavioral tracking data

Compliance Mechanisms

  1. Direct Compliance

    • Following FTC regulations
    • Implementing required safeguards
    • Maintaining documentation
  2. Safe Harbor Programs

    • Industry self-regulatory guidelines
    • FTC approved compliance programs
    • 180-day review period for safe harbor applications

Enforcement

  • Primary enforcement by the Federal Trade Commission
  • State Attorneys General can bring civil actions
  • Violations treated as unfair or deceptive trade practices
  • Penalties up to $43,280 per violation

Territorial Scope

  • Applies to U.S.-based websites and online services
  • Covers foreign-based services targeting U.S. children
  • Applies to commercial operators only
  • Excludes non-profit organizations

Implementation Timeline

  • Original effective date: April 21, 2000
  • Major rule revision effective: July 1, 2013
  • Ongoing updates through FTC guidance
  • Regular reviews required every 5 years

Projects Following this Regulation

Project
Website
Source

If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page