Does your online business systems collect information from children under the age of 13? If yes, then you need to ask yourself: “Does my website/mobile app/gaming platform/ad network compliant with COPPA?”

If your business is oriented into the US market you need to be familiar with the Children's Online Privacy Protection Act of 1998 or simply COPPA. In our practice, there were over dozen of EdTech projects related to the COPPA execution. While developing new startup projects for our clients, we have faced all the possible pitfalls. As a result, we came up with the best practices in terms of building the mechanism of interaction between kids and the online environment - so the children's privacy protection would be achieved. That is why we decide to share our knowledge about such a controversial issue.

The official summary of the US federal law, located at 15 U.S.C. §§ 65016505 (Pub.L. 105–277, 112 Stat. 2681-728) sounds like “COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age”. The Act was passed by the US Congress in 1998 and took effect in April 2000. COPPA is managed by the Federal Trade commission (FTC).

While the summary sounds quite clear in its intention to protect children’s privacy online, it might not be quite explicitly vivid how your business depends on this law. So, let’s discuss this issue step by step.


What is COPPA?

So, COPPA is a law that institutes a strict set of guidelines for online businesses to protect the privacy of children under the age of 13. The law regulates the collection of personal information from children by online services including websites, advertising, and mobile apps. It specifies what data can and cannot be collected from children without parental consent. Basically, COPPA gives parents control over what information websites/mobile apps can collect from their kids.

To be more specific, the Act defines:

  • The sites must require parental consent for the collection or use of any personal information of young internet users.

  • What must be included in a privacy policy, including the requirement that the policy itself be posted anywhere data is collected.

  • When and how to seek verifiable consent from a parent or guardian.

  • What responsibilities the operator of the website legally holds with regards to children’s privacy and safety online, including restrictions on the types and methods of marketing targeting those who are under 13.

Note, that COPPA applies to any company worldwide that works with data of children in the US. Additionally, the notion of “kid’s age” will vary from state to state. Particularly, the age of a “kid” in the US is defined as anyone under the age of 13.

Why Does COPPA Matter?

Nowadays, online businesses have a great responsibility for collecting private information of its users. The issue becomes more acute when kids' privacy violation is on the stake. Currently, kids could be subjects of online predators, identity thieves, and data miners. Therefore, to reduce the risks of the kid’s data would wind up in the wrong hands, the COPPA works a security umbrella to protect children’s privacy online.

Additionally, with the rapid development of the social media environment, COPPA was intended to address the growth of online marketing techniques that were targeting children. Different websites were compiled personal data from children without parental knowledge or consent. At that time, children, as well as adults, did not understand the full scope of negative outcomes of revealing personal information online.

But, what could be referred to as personal information? The FTC defines “personal information” as:

  • First and last names;

  • Nicknames and screen names;

  • Email addresses;

  • Geolocation;

  • Physical addresses;

  • Telephone numbers;

  • Instant message details;

  • Hobbies and interests;

  • Photographs;

  • Video and audio files;

  • “Persistent” or “anonymous” identifiers (IP addresses, cookies, device serial numbers).

So, not only does COPPA establish guidelines for how online businesses should treat children’s information, but it penalizes companies that fail to follow these guidelines. The FTC uses various methods to enforce COPPA and imposes high penalties on everyone who fails to comply. In order to find violators, the FTC encourages everyone to submit a complaint about a site that they think might violate the guidelines of the Act.


Case Studies: TikTok, Facebook, YouTube

Nowadays, the majority of social media platforms are focusing on the young generation, simultaneously a lot of platforms may occasionally neglect the underaged children’s legislation. Following the viral marketing strategies, such platforms may not put a second thought of the children’s privacy protection online. Take a look at some vivid examples.

TikTok. TikTok is an app with which you can record short music videos. While using simple editing tools and trend songs the app became an indispensable tool of entertainment when young people can dance and lip-syncing to their favorite songs and share it with the Internet community. So far, so good?

However, a social media video app was fined $5.7 million over child privacy violations by FTC. The popular social media platform was accused of storing profiles and personal information children aged under 13 without their parents’ consent, as well as making those profiles public. Surely, such an app publishes very little data on their demographics and the under-13 children tend to lie while registering in the app. But, in the case of TikTok you need to look at the content itself which is going to become a magnet for sexual predators who are likely to try to contact them through the app’s chat feature.

Right after being fined by the FTC, TikTok published a note and updated the app at an age gate. For now on all users need to verify their age and the under 13-year-olds will be directed to the separate, more restricted in-app experience that protects their personal information and prevents them from publishing certain videos on the platform.

Facebook. In 2018 Facebook’s Messenger Kids was accused of collecting kids’ personal information without getting verifiable parental consent. Messenger Kids is the first major social platform designed specifically for young children (as young as five years old) to let kids chat with friends and family. However, it was stated that Facebook’s parental consent mechanism does not meet the requirements of the COPPA which was the main trigger to take action against it. As a result, the Facebook was fined $5 billion by FTC.

Facebook Messenger Kids’ privacy policy is incomplete and vague, due to the fact any adult user can approve any account created in the app and “even a fictional “parent” holding a brand-new Facebook account could immediately approve a child’s account without proof of identity”. While Facebook claimed that the app displays no ads and lets parents approve who their children would message, still there are a lot of criticisms about the social media giant security measures.

YouTube. In 2019, YouTube was hit with a COPPA fine of $170 million for illegally collecting children’s personal data and targeting ads at kids YouTube videos without their parents’ agreement. The settlement would be the largest civil penalty ever obtained by the FTC in a children’s privacy case. The particular case could have repercussions for other social media platforms used by young children in the US and worldwide.

People who set up accounts on YouTube must affirm that they are at least 13 and must agree to Google’s terms of service, enabling the company to track users’ video-viewing activities, internet browsing habits and other details. Currently, to comply with COPPA and other applicable laws YouTube introduced the option of determining if your content is “made for kids”. Therefore, while deciding whether your channel or video is made for children, you should take into account such factors as:

  • The subject matter of the video;

  • Whether video includes child actors or models;

  • Whether the language of the video is intended for children to understand;

  • Whether the content is advertised to children and others.

Additionally, note that even if your video includes some of the factors above, it does not automatically mean that the video is for kids.

As a content creator or the owner of online business, you need carefully evaluate the audience you would like to reach with your content, service or product.


COPPA Best Practices: How to Build a COPPA Comply App?

Therefore, if you have the idea to start an online business with a focus on the US market, we highly recommend paying attention to COPPA's best practices.

The most important thing is to develop the logical chain of interaction between children and the online environment to ensure the protection of kids' personal information. If we are talking about the development of the educational app, the very first time, you will face the COPPA requirements that are on the stage of “sign up”. At this point and further, you need to develop a strategy on how a parent should get consent to any action of his child. Since the child has no right to submit personal information and to do any extra activity online, except for completing tasks and exercise on the platform.

So, what do you need to do to comply with COPPA law? First of all, you need to have a clear understanding of your data handling practices and how you can adjust them to meet the necessary requirements. Therefore, in order to build a COPPA comply web app or mobile app you need to follow the steps below.

Step 1. Establish a COPPA-compliant privacy policy

Regardless of the fact that you may already have the privacy policy on your website or an app, it may contradict the COPPA specifications. That is why to comply with COPPA you need to generate a privacy policy that meets the law’s strict requirements.

Your privacy policy should contain the following information:

  • Names, addresses, and phone numbers of the site/service operators;

  • Type of information collected;

  • How information is collected from users;

  • How the site/service operators use the collected information;

  • If the operators disclose collected information to third parties and how those parties use the information;

  • Description of how a parent has the option to consent to the collection of their children’s information from the site without agreeing to the disclosure of that information to third parties;

  • Explanation of parental rights, including the rights to avoid disclosure of more information about children under the age of 13 than is necessary, refuse to provide information about a child and review the information that has been submitted to the operator about the child in question.

Step 2. Provide notice to parents

Before collecting information from children, COPPA requires that you present a direct notice to parents requesting their consent. You must inform parents of the following:

  • That information (such as the child’s parent or guardian’s name and email address) was collected in order to obtain consent, and the collected information will be deleted after a reasonable amount of time, if no further consent is given;

  • That you wish to collect information from their child;

  • The type of information you will collect from their children and how it will be used;

  • That they must consent before your business can collect, use, and disclose their children’s information;

  • How they can find your privacy policy;

  • How they can give their consent.

Step 3. Get verifiable parental consent

Verifiable parental consent is the agreement given by a parent or guardian, in which the parent or guardian’s identity has been reasonably confirmed. Under COPPA, you need to obtain this consent before collecting information from children. Below are the acceptable methods for obtaining consent from parents, and authenticating their identity:

  • A signed consent form;

  • Use of a credit or debit card (at the time of a monetary transaction);

  • A telephone call;

  • A video conference call;

  • Challenge questions that would be difficult for someone other than the parent to answer correctly;

  • Photo ID.


Nowadays, online businesses have a great responsibility for collecting private information of its users. The issue becomes more acute when kids' privacy violation is on the stake. COPPA has made significant progress in protecting children’s safety and privacy on the Internet since the Act gives parents control over what information websites/mobile apps can collect from their kids.

So if you have the idea to start an online business with a focus on the US market, we highly recommend paying attention to COPPA's best practices. The most important thing is to develop the logical chain of interaction between children and the online.

We hope that the article was useful for you and explain some challenging and controversial issues about COPPA. If you get any other questions that were not discussed in the article, do not hesitate to contact us and we gladly assist you in any inquiries.