The Children’s Online Privacy Protection Act (COPPA)*, effective April 2000, applies to the online collection of personal information by persons under 13 years of age.  It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian and what responsibilities an operator has to protect children’s privacy and safety online including restrictions on marketing to those under 13.

What you should know about COPPA:

1. You must comply with COPPA, if you operate a commercial website or an online service directed to children under 13 that collects personal information from children, or if you operate a general audience website and have actual knowledge that you are collecting personal information from children.

2. COPPA is self regulated. The Federal Trade Commission (FTC) has the authority to issue regulations but they choose to designate safe harbor provision and encourage industry self-regulation.  Currently the FTC has granted safe harbor to four companies; TRUSTe, ESRB, CARU and Privo.

3. Data collection of any of the following apply to COPPA: Full name, Home address, email address, telephone number or any other information that would allow someone to identify or contact the child.
Also included are other types of information such as hobbies, interest and information collected through cookies or other tracking mechanisms (when they are tied to individually identifiable information).

4.  The website operator must post a link to a notice of its information practices on the home page of its website and at each area where it collects perusal information.

5. Direct notice to parents must be given and needs to contain the same information included on the notice on the website. In addition, the parent or guardian must give consent to collect, use and disclose the information.

6. Exceptions to obtaining parental consent cover popular online activities for kids including contests, online newsletters, homework help and electronic postcards.

7. With the exception for popular online activities, it is a violation to require more information then needed to participate in the activity.

8. Most recognized non-profit organizations are exempt from most of the requirements of COPPA.

9. In the event the site changes how the information is collected, used or disclosed, a new, verifiable parental consent must be obtained and, of course, the written policy must be changed on the site.

10.  At anytime a parent may revoke their consent, refuse to allow an operator to further use or collect their child’s personal information, and direct the operator to delete the information.  In turn, the operator may terminate any service being provided to the child.

*COPPA is sometimes confused with COPA, the Child Online Protection Act, which concerns the exposure of children to online pornography and sexually explicit materials.   COPA is not currently active, and remains under injunction, being it has been declared as unconstitutional, violating the First and Fifth Amendment of the United States Constitution.