With new Children’s Online Privacy Protection Act (COPPA) amendments going into effect in July,  many businesses are working to ensure their products comply with the law.

To clarify what its new COPPA amendments entail, the Federal Trade Commission released responses to frequently asked questions about COPPA compliance. COPPA is designed to protect children under 13 online by regulating how their personal information can be collected, used, and/or transferred.

“Today the FTC further clarified how merchants can comply with the law governing collection and dissemination of childrens’ data,” said Aristotle CEO John Aristotle Phillips. “This clarification was good for parents and kids and good for all businesses that want to interact with children in a responsible, legal manner.

The recently amended COPPA rules are fairly complex, and the FAQs are designed to help those who seek to understand and comply with these changes.

The FAQs cover important topics such as:

  • Who is covered by the Rule:
    • Operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children;
    • Operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13; and
    • Websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children
  • What those covered must do to comply, including:
    • Posting a clear and comprehensive online privacy policy
    • Providing direct notice to parents and obtaining Verifiable Parental Consent, with limited exceptions, before collecting personal information online from children
    • Providing parents access to their children’s personal information
    • Maintaining the confidentiality, security, and integrity of information they collect from children;
    • Retaining personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and deleting the information using reasonable measures to protect against its unauthorized access or use.
  • How the rule defines “Personal Information”, which can now include geolocation information and persistent identifiers used to recognize a user over time and across different websites or online services;
  • How to treat information collected from children prior to the effective date that was not considered personal under the original Rule but now is considered personal information under the amended Rule.
  • A summary of the changes in the Rule.
  • Where to find information about COPPA
  • What sorts of information collection use or transfer can trigger the need to comply with COPPA
  • How the FTC enforces the rule:
    • A court can hold operators who violate the Rule liable for civil penalties of up to $16,000 per violation (COPPA fines actually levied have been as high as 3 million dollars)
  • Information about Privacy Policies and direct notices to parents and a summary these requirements
  • How to obtain “Verifiable Parental Consent”
  • Using a third party such as one of the FTC-approved COPPA safe harbor programs that offer parental notification and consent systems for operators who are members of their programs.
  • Exceptions to the requirement to obtain Verifiable Parental Consent
  • Use of “e-mail plus” where information utilized in “support for the internal operations of the website or online service”
  • Many other definitions, hypothetical situations, and areas of questions that operators and websites, online services and mobile apps must address



Comments are closed.