coppa-compliance
COPPA Compliance — Children's Online Privacy Protection Act
Overview
The Children's Online Privacy Protection Act (COPPA), codified at 15 U.S.C. Sections 6501-6506 and implemented through the FTC's COPPA Rule at 16 CFR Part 312, regulates the online collection, use, and disclosure of personal information from children under 13 years of age. COPPA applies to operators of commercial websites and online services (including mobile apps) directed to children under 13, or operators with actual knowledge that they are collecting personal information from a child under 13. The FTC's 2013 amendments significantly expanded the scope to cover persistent identifiers used for behavioural advertising, photos, videos, audio recordings, and geolocation data. The FTC issued a Notice of Proposed Rulemaking (NPRM) in December 2023 proposing further amendments including restrictions on push notifications to children and expanded consent requirements for targeted advertising.
Statutory and Regulatory Framework
COPPA Statute — 15 U.S.C. Section 6502
- Section 6502(a)(1): Unlawful for an operator of a website or online service directed to children, or having actual knowledge of collecting from a child under 13, to collect personal information in a manner that violates the FTC's regulations.
- Section 6502(b)(1): FTC must issue regulations requiring operators to: (A) provide notice of information practices; (B) obtain verifiable parental consent; (C) allow parents to review information collected; (D) allow parents to refuse further collection/use; (E) limit collection to what is necessary for the activity.
- Section 6502(b)(2): FTC shall apply regulations considering competitive impact, costs, and benefits, and potential effect on existing safe harbor programs.