Children's Online Privacy Protection Act (COPPA) FAQ
What is COPPA?
COPPA is The Children's Online Privacy Protection Act. It was signed into law in October 1998 to protect the privacy of children by controlling the personal information that can be collected from children online. The Federal Trade Commission (FTC) enforces COPPA by requiring compliance with its Children's Online Privacy Protection Rule.
Who must comply with COPPA?
If any of your online services such as a web site or mobile app is directed at and collects Personally Identifiable Information from children under the age of thirteen (13), or if any section of your online service is directed at and collects Personally Identifiable information from children under the age of thirteen (13), or if you knowingly collect (or maintain) Personally Identifiable Information from children under the age of thirteen (13) on your Site(s), you must comply with COPPA.
You must comply with COPPA if:
• You operate a website or online service that is specifically aimed at children under 13 AND the site collects or maintains Personally Identifiable Information; OR
• You operate a general audience website or online service that collects Personally Identifiable Information, including age or date or birth, from children under the age of 13.
What happens if I don't comply with COPPA?
The Federal Trade Commission is authorized to assess civil penalties of $11,000.00 per violation, if it finds that a company has violated or evaded COPPA. The total amount of penalties assessed could be far in excess of $11,000.00.
Is COPPA compliance required even if the age field is optional?
I operate a general audience Web site. What can I do if I don't want to collect and maintain children's PII?
If you do not wish to collect and maintain data from children under the age of 13 , you may create a "bump-out" mechanism.
Is the "bump-out" mechanism fool-proof?
No. Implementing the "bump-out" mechanism demonstrates that you are taking all necessary and reasonable steps to comply with COPPA and are not knowingly collecting and maintaining data from children under the age of 13.