Management, compliance & auditing

How to comply with COPPA — 7 steps

Greg Belding
August 2, 2018 by
Greg Belding

Protecting children online should be of paramount importance to all, especially in today's world. In response to this pressing issue, in 1998 Congress enacted the Children's Online Privacy Protection Act (COPPA), which gives parents of children under 13 control over what information is collected from their children online. This article will detail how organizations can maintain compliance with COPPA regulations.

COPPA overview

Since 1998, COPPA has helped protect the personal information of children under 13 years old. Enforced by the Federal Trade Commission (FTC), COPPA mandates that websites and online services that collect the personal information of children under the age of 13 must remain in compliance with COPPA's protective practices or risk civil penalties, including large fines.

Luckily for organizations that are grappling with COPPA compliance, the FTC has released a business guidance plan for COPPA compliance. Below are summaries of these tips.

Please note that this article in no way substitutes for organizational audits aimed at COPPA compliance. Rather, it is intended to be a brief refresher for those in your organization responsible for maintaining compliance.

Becoming COPPA-compliant

Website or online service?

First, it would be helpful to define what is construed as a website or online service with respect to COPPA. "Website" or "online service" have broad definitions under COPPA. Besides standard websites, the following are also included in this definition:

  • Mobile apps, such as online games, social networking apps or apps with ads that target users based on their behavior, that send or receive user information for users under age 13
  • Gaming platforms that are Internet-enabled
  • Advertising networks
  • Plug-ins
  • Location services that are Internet-enabled
  • VOIP services
  • IoT devices, including Internet-connected toys

Determine if your website or online service is covered by COPPA

The first point of compliance to look at is whether your website or online service is covered by COPPA. If your organization's website falls under one of the categories below, then it is covered by COPPA:

  • Websites or online services that target users under age 13 and collect personal information
  • Websites or online services that target users under age 13 and let third parties collect information
  • Websites or online services that target a general audience, when you have knowledge of the fact that you are collecting personal information of users under age 13
  • When you have personal knowledge that a plug-in or ad network from your organization collects user personal information from websites that target users under age 13

Post a COPPA-compliant privacy policy

Let's say your website or online service is indeed covered by COPPA. In that case, the next step is for your organization to post a clear and comprehensive privacy policy that details how your organization handles personal information collected regarding users under 13. This privacy policy should be posted on the homepage of your organization's website, and if your website has a section specifically for kids, it should be posted there as well.

For COPPA compliance, your privacy policy needs to include:

  • A concise list of all third-party operators that are collecting personal information – including plug-ins and advertising networks. Include the operator's name and contact information
  • Descriptions of the user personal information collected from users under 13 and how it is to be collected and used
  • Description of the rights of the user's parents. This should include a section stating that you will only require users under 13 to disclose what is reasonably necessary

Notify parents directly about your information practices before collecting the information

You will also have to give parents direct notice of your information-collecting practices. This concise, clearly-stated notice must inform parents that

  • Contact information collected was for consent purposes
  • You want to collect their child's personal information
  • That parental consent is required before you can collect, use and disclose the personal information
  • What the information to be collected is and the method of disclosure to others
  • Link to your organization's privacy policy
  • Ways for the parent to give consent

If parental consent is not received within a reasonable amount of time, the organization will delete the parent's contact information from the organization's records

Get parental consent

COPPA is flexible with how organizations can receive consent from parents, leaving it up to the organization itself to use available technology and their own creativity to devise a means to transmit parental consent.

Honoring parents' ongoing rights

Once personal information is collected from their children under 13, the rights of the parents continue. Upon request of a parent, an organization must:

  • Provide a method for the parents to review their child's personal information that was collected
  • Provide a method for the parents to revoke consent and to refuse subsequent collection or use of their child's personal information
  • Provide a way to delete their child's collected personal information

Implementation of information security procedures

COPPA mandates that organizations implement and maintain reasonable information security procedures to protect the security, confidentiality and integrity of personal information collected from users under 13. Some tips for organizations that are planning on implementing such information-security procedures include:

  • Minimize the amount of personal information collected
  • Use reasonable steps to ensure that the release of personal information of users under 13 is only with third-parties with the capacity to maintain security, confidentiality and integrity
  • Make sure that personal information is retained for only as long as is reasonably necessary for the reason why it was collected in the first place
  • Implement a secure method of information disposal for personal information once it is no longer legitimately necessary to retain it

Following this roadmap, organizations can ensure COPPA compliance and keep their underage users safe.


Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, FTC

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.