Communications and Media

Children's Online Privacy Protection Act

The Federal Trade Commission (FTC) has established rules for Web site operators to make sure that kids' privacy is protected while they're online. These rules are part of the Children's Online Privacy Protection Act (COPPA).

Anyone that operates a commercial Web site or an online service directed to children under 13 that collects personal information from children or operates a general audience Web site and has actual knowledge that they are collecting personal information from children must comply with the FTC rules.

The rules spell out what a Web site operator must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities an operator has to protect children's privacy and safety online.

Directed to Children

To determine whether a Web site is directed to children, the FTC considers several factors, including the subject matter, visual or audio content, the age of models on the site, language, whether advertising on the Web site is directed to children, information regarding the age of the actual or intended audience and whether a site uses animated characters or other child-oriented features.


To determine whether an entity is an "operator" with respect to information collected at a site, the FTC considers who owns and controls the information, who pays for the collection and maintenance of the information, what the pre-existing contractual relationships are in connection with the information and what role the Web site plays in collecting or maintaining the information.

Personal Information

The Children's Online Privacy Protection Act and Rule apply to individually identifiable information about a child that is collected online, such as full name, home address, e-mail address, telephone number or any other information that would allow someone to identify or contact the child.

The Children's Online Privacy Protection Rule requires an operator of a commercial Web site that collects personal information from children to do the following:

  • Post a clear and comprehensive privacy policy on the homepage of the site and links to the privacy policy everywhere personal information is collected from children
  • Provide notice to parents about the site's information collection practices and get verifiable parental consent before collecting any information from children
  • Give parents an option to consent to the operator's collection and use of the child's personal information but forbid the operator from disclosing the information to third parties
  • Permit parents to access their children's personal information and give the parents an opportunity to delete the information
  • Provide parents with an opportunity to prevent further collection or use of their children's personal information
  • Maintain the confidentiality, security and integrity of all information collected from children

The Rule prohibits an operator from conditioning a child's participation in an activity on the child's disclosure of more personal information than is reasonably necessary for the activity

What Parents Can Do

Look for a privacy policy on any Web site directed to children. The policy must be available through a link on the web site's homepage and at each area where personal information is collected from kids. Web sites for general audiences that have a children's section must post the notice on the homepages of the section for kids.

Read the policy closely to learn the kinds of personal information being collected, how it will be used and whether it will be passed on to third parties. If you find a Web site that doesn't post basic protections for children's personal information, ask for details about their information collection practices.

Decide whether to give consent. Giving consent authorizes the Web site to collect personal information from your child. You can give consent and still say no to having your child's information passed along to a third party.

Your consent isn't necessary if the Web site is collecting your child's email address simply to respond to a one-time request for information.

At any time, you may revoke your consent, refuse to allow an operator to further use or collect your child's personal information and direct the operator to delete the information.

Questions For Your Attorney

  • What should I do if I notice that a Web site my child has used doesn't have a privacy policy posted (other than not letting my child use the site)? Should I report it to someone?
  • How can I be sure that a Web site operator has deleted my child's personal information after I request it?
  • I gave a web site my consent to collect my child's personal information for certain contests and games. I just learned that the site offered to let my child use "chat rooms," but it never asked for my consent. Is this a violation of COPPA?
Have a privacy law question?
Get answers from local attorneys.
It's free and easy.
Ask a Lawyer

Get Professional Help

Find a Privacy Law lawyer
Practice Area:
Zip Code:
How It Works
  1. Briefly tell us about your case
  2. Provide your contact information
  3. Connect with local attorneys

Talk to an attorney

How It Works

  1. Briefly tell us about your case
  2. Provide your contact information
  3. Choose attorneys to contact you