Federal Internet Law & Policy
An Educational Project

COPPA Requirements

Dont be a FOOL; The Law is Not DIY
  Who Must Comply
  What is Required
    Parental Consent
    Sliding Scale
    Parental Review
    Data Security
  "Personal Info"
  Giving Away Stuff

- Privacy
- Fair Info Practices
- 4th Amendment
- - ECPA
- - FISA
- - Patriot Act
- - Expectation
- - Cybersecurity
- - Anonymity
- - ID Theft
- - Spyware
- - Children's Privacy
- - Cookies
- - Social Networks
- - Advertising
- - Online Profiling
- - Privacy Policies
- - Enforcement
- - CPNI
- - Cable
Dept of Commerce
- - NTIA
- - NIST
- - EU Safe Harbors
- The Feds
- - Pri.Protection Act
- - Privacy Act
- - Pri. Impact Statements
- - Info Law
- - The Press
- Geolocation
- - Location Based Services
- Reference


If one falls into one of the two above categories, one falls under COPPA.  In order to comply with COPPA, one must conspicuously post a privacy policy on the website indicating what data is collected and what is done with it, obtain verifiable consent of the child’s parent, and provide parents the opportunity to review the data collected.  Parents get to revoke their consent and tell online services that they may no longer use and must delete information about their children.  Online services must give parents the option to consent to the information gathering without permitting disclosure of the data to third parties.  If the site makes a material change to the privacy policy, the that site must get consent from all of the parents all over again. Online services must also institute a program to ensure the security and integrity of the data that they collect.

FTC rules set forth specific requirements for compliance with COPPA including what constitutes sufficient notice of your privacy policy and what constitutes parental consent.  The mechanisms of parental consent can take into consideration available technology.  They include digital signatures, a signed form returned by mail or fax, the use of a credit card, or having a parent telephone into a properly trained staff.

Notice: Those falling under COPPA must conspicuously post a privacy policy on their website indicating specifically the following: [16 CFR § 312.4] [COPPA Sec. 1303(b)(1)(A)(i)]

What data is collected The description should be specific, such as "names, addresses, and email addresses," and not the vague "contact information." All data collection

techniques must be indicated including the use of passive techniques such as cookies and other identifiers. Notice should indicate all active and passive data collected.

What will be done with the data Is it for internal transaction purposes such as delivering an ordered book or toy; will it be used for marketing; will it be used for customer service analysis and improvement of the service? Will the information concerning the child be displayed publicly such as in a chat room? Will the information be disclosed to

third parties - if so, then the policy most provide complete information on who the third party is, what they will do with the information, and whether the third party will maintain the security and integrity of the data?.

A Third Party is someone who is not an operator of the website and does not provide internal support for the website.
  • Collection Limitations: Notice should indicate that the operator of the service cannot condition the participation of a child in an activity on the provision of any more information than necessary for that activity.
  • Parental rights: Inform parents that information cannot be collected from their child absent their consent. Inform parents how that consent shall be collected and verified. The notice should also indicate that parents have the right to review the data and the procedures for how this can be achieved.
  • Contact Information: The policy must include

    contact information for everyone involved at the site collecting information (in other words, some sites are a collaboration of multiple entities. If they are collecting information, then their contact information must be included). Contact information includes name, mailing address, telephone number, and email address. If there are multiple operators involved in the site, the website may elect to designate and list only one point of contact of the group. Nevertheless, the identification of all other operators must still be listed.

  • The policy must be clear and understandable, and not in legalize or other jumbled and confusing dialects. Hawking your wares (and other extraneous information) in your privacy policy is a sufficient way of making it confusing and is not permitted.

    A link to the privacy policy must be posted on the homepage and on every page where information is gathered.

    The link must be "clear and prominent" (terms of art for the FTC - in other words, these terms have very specific and well developed meaning). Wee little links at he bottom of the page do not cut it. "Conspicuous" means the link must stand out. This may mean a larger font, a different color font, a different font, or some other means of making the link jump out of the page at the viewer. This also means that the link must be appropriately labeled. Something like ""Legal Notices" is a loser. Examples of appropriate labels include "Privacy Policy," "Privacy Statement," or "Information Collection Practices Statement."

    Parental Consent: Verified parental consent must be obtained from the parent or guardian prior to information collection. If material changes are subsequently made to the privacy policy, consent must again be obtained from all parents. Parents have the right to consent only to the collection of information for purposes internal to the website, without permitting the information to be shared to third parties. [16 CFR § 312.5] [COPPA Sec. 1302(2)(9))]

    The mechanisms of parental consent can take into consideration available technology. They include digital signatures, a signed form returned by mail or fax, the use of a credit card, or having a parent telephone into a properly trained staff.

    Sliding Scale: To make things a bit complicated, the FTC has a sliding scale of requirements.  Temporarily, if a website is using the personal information only for internal purposes, the site can seek confirmation from the parent via e-mail - or confirm the consent by letter or phone call (the FTC is considering whether to transform this temporary rule into a permanent rule).  If, however, the website desires to disclose the information to third parties, the site must use more reliable means of gaining consent, such as those listed in the previous paragraph.

    One area of significant concern is monitored online communities such as email groups or chat rooms.  If the community targets children or if the visitor reveals that the visitor is a child, then the operators of the community must comply with COPPA.  One action the community monitor can take is to strip out all personal information from the messages prior to permitting them to be posted.  This is sufficient and does not require further parental consent.  Operators may elect, instead of stripping out such material, to gain the consent of parents for their children's participation.  These rules do not apply to unmonitored communities.  This is likely to pose a significant challenge to monitored communities that do not target children and are not accustomed to COPPA who are suddenly confronted with a message that states, "Hi, my name is Tommy, I'm in the 6th grade and I am doing a research project..."

    Parental Review: Online services must provide parents with access and the right to review information collected about their children. Parents have the right to revoke their consent and tell online services that they may no longer use and must delete information about their children. An operator's method of compliance with these requirements may not be unduly burdensome on the parents. [16 CFR § 312.6] [COPPA Sec. 1303(b)(1)(B)]

    Data Security: Online services must institute a program to ensure the security and integrity of the data that they collect. [16 CFR § 312.8] [COPPA Sec. 1303(b)(1)(D)]


    Critics of COPPA have raised the following general points: [Matecki p 382]

  • COPPA encourages children to lie about their age in order to gain access to desired websites [Wolcott]
  • However, some argue that a good privacy strategy is to always provide false information unless necessary
  • COPPA encourages websites to simply bar all service to children under the age of 13
  • Some would like to see that the age group that COPPA covers expanded to age 17 and under
  • Privacy Statements are long and hard to understand
  • Parental consent can easily be forged
  • Questions for Review & Pontification

    Web services provided by
    : Home : About Us : Contact Us : Sitemap : Discussion : Search : Newsletter : RSS :
    : ADA : Broadband : Crime : Copyright : DNS : ECommerce : EGovt : First Amendment : Digital Divide :
    : Network Neutrality : Intl : Privacy : Security : SPAM : Statistics : VoIP : Vote : And Much More! :
    :: Feedback : Disclaimer ::
    © Cybertelecom ::