Children's Online Privacy Protection Act of 1998 report

This report displays Children's Online Privacy Protection Act (COPPA) issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation. Note: Many of the issues in this report are similar to those in the HIPAA report. If both reports are added to a dashboard, you will see an inflated number of total issues. To prevent this from happening, you can create tabs for each report, or just add one of the reports to a dashboard.

Why it matters

The COPPA Act requires the U.S. Federal Trade Commission to issue and enforce rules to protect the online collection and use of personal information from children under the age of 13. The primary goal is to place parents in control over what information is collected from their children online.

A common misunderstanding is that COPPA only applies to the operators of websites directed at children under the age of 13 that collect personal information, those websites that feature cartoons or characters, promote children's products, use child models, use childlike fonts and colors or provide games. More importantly, COPPA also applies to "general audience" websites that knowingly collect personal information from children under the age of 13. It is critical for all website operators to assess their properties to determine if they are within the scope of COPPA.

This legislation applies to operators of:

  • Commercial websites or online services directed to children under 13 that collect personal information from children
  • General audience sites that knowingly collect personal information from children under 13
  • General audience sites that have a separate children's area and that collect personal information from children

Foreign-run websites must comply with COPPA if they are directed to children in the U.S. or if they knowingly collect information from children in the U.S.

COPPA requirements

The Federal Trade Commission summarizes the COPPA requirements for applicable website operators as follows:

  • Post a privacy policy on the homepage of the website and link to the privacy policy on every page where personal information is collected.
  • Provide notice about the site's information collection practices to parents and obtain verifiable parental consent before collecting personal information from children.
  • Give parents a choice as to whether their child's personal information will be disclosed to third parties.
  • Provide parents access to their child's personal information and the opportunity to delete the child's personal information and opt-out of future collection or use of the information.
  • Not condition a child's participation in a game, contest or other activity on the child's disclosing more personal information than is reasonably necessary to participate in that activity.
  • Maintain the confidentiality, security and integrity of personal information collected from children.

Best practices for complying with COPPA

  • Gain a detailed understanding of COPPA requirements. The more you understand the requirements, the easier it will be to develop strategies for meeting them.
  • Determine your COPPA strategy. Determine the applicability of COPPA to your websites, and develop compliance strategies. For example, if your website is primarily targeted at adults, it might be wise to avoid knowingly collecting personal information from children by not asking for age or date of birth.
  • Develop policies and standards. Develop privacy notices, establish data collection principles, and determine suitable technical standards for blockage and parental consent
  • Assess and fix existing websites. Identify and review all forms that are collecting personal information. If age is not required, it makes sense to avoid collecting it. If it is required, you will need to implement suitable blockage and parental consent mechanisms.
  • Address new websites. Provide training to all website stakeholders (including third parties), integrate standards in website design/content creation business processes, and integrate compliance checking in QA processes.
  • Consider seal program/safe harbor. Subscribing to an FTC-approved COPPA safe harbor program run by an objective third party organization such as TRUSTe can provide valuable implementation guidance and acts as a first line of defense.
  • Conduct ongoing monitoring. Implement ongoing monitoring processes to ensure:
    • New websites comply with established COPPA standards
    • New website stakeholders receive appropriate training
    • Changes to existing websites do not create COPPA noncompliance