Ask Our VP of Compliance: January 2021

“COPPA: Children’s Online Privacy Act”


COPPA is a federal law that restricts the online collection of “personal information” from minors under the age of 13.


COPPA applies to 2 types of websites or online services: (a) those that are directed to children under 13, and (b) those that have actual knowledge that they are collecting or maintaining information from children under 13.


How do we know when a website or online service is directed to children under 13? The FTC (which enforces this law) considers the following: (a) subject matter, (b) visual content, (c) use of animated characters or child-oriented activities and incentives, music or other audio content, (d) age of models, (e) presence of celebrities who appeal to children, (f) language or other characteristics of the service, and (g) whether advertising promoting or appearing on the website or online service is directed at children.



What must a website or online service do under COPPA? They must provide clear notice on their sites about information that they collect from children, how they use the information, and their disclosure practices for this information. Furthermore, they must obtain “verifiable parental consent” before collecting, using, or disclosing any personal information from minors under 13.


What is “personal information” under this Act? (a) first and last name, (b) physical mailing address, (c) online contact information, (d) screen or user name that can function as online contact information, (e) telephone number, (f) social security number, (g) “persistent identifiers” that can be used to recognize a user over time and across different websites or online services, (h) photographs, videos, or audio files of the child, (i) geolocation information that can identify the child’s street, city, or town, or (j) information regarding the child or the child’s parents, collected along with one or more of the above identifiers.


What constitutes verifiable parental consent? The website or online service must use methods that are “reasonably calculated”, in light of available technology, to ensure that the person providing consent is the child’s parent. Good luck with all that.


COPPA provides some acceptable examples of reasonably calculated methods. All of them are highly burdensome and/or time consuming.


However, if the personal information is only collected for internal operations and the website or service will not disclose it to any outside party, it can get parental consent using the “email plus” method, which is nearly as burdensome as the other methods.


Additionally, the website or online service must provide parents with an ongoing opportunity to access the personal information, delete the information, or prevent further use or collection of the information.


Finally, there is also a vague mandate that the website or online service maintain confidentiality, security, and integrity of information.


As if the above wasn’t enough to stop you from collecting data on minors, the FTC is authorized to fine companies up to $42,530 PER VIOLATION!


If you absolutely must collect information about minors for your business to exist, you should be aware of the COPPA requirements and implement them perfectly. Misuse of personal information or disclosures involving children are no laughing matter, and you should employ the services of cybersecurity experts who will ensure your compliance. DigitalEdge can help.

Keith J. Barry, Esq.
VP of Compliance

Keith J. Barry joined Digital Edge in 2013. Keith possesses a BA in Computer Science, a Juris Doctor degree from Brooklyn Law School, as well as several industry certifications including AWS Cloud Architect, CompTIA Network+, and CompTIA Server+. His career has mirrored his diverse interests, and Keith has experience on the technical side as a senior systems administrator, and on the legal/business side as an attorney and cybersecurity compliance officer.
