The Children’s Online Privacy Protection Rule seeks to put parents in control of what information commercial websites collect from their children online. Most companies that run websites directed to children under 13 are aware of their responsibilities under the COPPA Rule. But if you run a site directed to a general audience or operate an ad network, plug-in, or other third-party service used by kid-directed sites, you may have COPPA compliance obligations, too.
For detailed compliance resources, visit the FTC’s COPPA page. But here is some general information to help you determine if COPPA applies to you.
- What is COPPA?
- What does the Rule require?
- Who’s covered by COPPA?
- When does the operator of a website or online service have “actual knowledge” of someone’s age?
What is COPPA?
Congress passed the Children’s Online Privacy Protection Act (COPPA) to put parents in the driver’s seat when it comes to information websites collect about their kids under 13. Congress directed the Federal Trade Commission (FTC), the nation’s consumer protection agency, to issue the Children’s Online Privacy Protection Rule. The Rule has been in place since 2000 and the FTC revised it, effective July 1, 2013.
What does the Rule require?
Websites and online services covered by COPPA must post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children. Visit the FTC’s COPPA page for compliance resources.
Who’s covered by COPPA?
The Rule applies to operators of commercial websites and online services directed to children under the age of 13 that collect personal information. In addition, it applies to operators of sites and online services geared toward general audiences when they have “actual knowledge” they are collecting information from children under 13. Under the 2013 revisions, COPPA also applies to operators when they have “actual knowledge” they are collecting personal information from users of another site or online service directed to kids under 13. That means that in certain circumstances, COPPA applies to advertising networks, plug-ins, and other third parties.
The Rule doesn’t require operators of sites or services directed to general audiences to investigate the ages of its users. However, asking for or otherwise collecting information that establishes that a visitor is under 13 triggers COPPA compliance.
So here’s the answer in a nutshell. You’re covered by COPPA if:
- Your website or online service is directed to children under 13 and collects personal information from them;
- Your website or online service is directed to a general audience, but you have “actual knowledge” you’re collecting personal information from a child under 13; or
- You run a third-party service like an ad network or plug-in and you’re collecting information from users of a site or service directed to children under 13.
When does the operator of a website or online service have “actual knowledge” of someone’s age?
Although the Rule doesn’t define the term, the FTC has said that an operator has actual knowledge of a user’s age if the site or service asks for – and receives – information from the user that allows it to determine the person’s age. For example, an operator who asks for a date of birth on a site’s registration page has actual knowledge as defined by COPPA if a user responds with a year that suggests they’re under 13. An operator also may have actual knowledge based on answers to “age identifying” questions like “What grade are you in?” or “What type of school do you go to? (a) elementary; (b) middle; (c) high school; (d) college.”
Third-party sites or services may have actual knowledge under COPPA, too. For example, if the operator of a child-directed site directly communicates to an ad network or plug-in about the nature of its site, the ad network or plug-in will have actual knowledge under COPPA. The same holds true if a representative of the ad network or plug-in recognizes the child-directed nature of the site’s content. Another way an ad network or plug-in may have actual knowledge: If a concerned parent or someone else informs a representative of the ad network or plug-in that it’s collecting information from children or users of a child-directed site or service.
For more about complying with the COPPA Rule, visit the FTC’s COPPA page. For answers to particular questions, email coppahotline@ftc.gov.
For More Information
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair practices in the marketplace and to provide information to businesses to help them comply with the law. To file a complaint or to get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a new video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
Your opportunity to comment
The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency’s responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.