Skip to content

The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids. The COPPA Rule puts additional protections in place and streamlines other procedures that companies covered by the rule need to follow.

Websites and online services covered by COPPA must post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children.

The Rule applies to operators of commercial websites and online services directed to children under the age of 13 that collect personal information. In addition, it applies to operators of sites and online services geared toward general audiences when they have “actual knowledge” they are collecting information from children under 13. Under the 2013 revisions, COPPA also applies to operators when they have “actual knowledge” they are collecting personal information from users of another site or online service directed to kids under 13. That means that in certain circumstances, COPPA applies to advertising networks, plug-ins, and other third parties.

The Rule doesn’t require operators of sites or services directed to general audiences to investigate the ages of its users. However, asking for or otherwise collecting information that establishes that a visitor is under 13 triggers COPPA compliance.

So, here’s the answer in a nutshell. You’re covered by COPPA if:

  1. Your website or online service is directed to children under 13 and collects personal information from them;
  2. Your website or online service is directed to a general audience, but you have “actual knowledge” you’re collecting personal information from a child under 13; or
  3. You run a third-party service like an ad network or plug-in and you’re collecting information from users of a site or service directed to children under 13.

Does your company use email to communicate with your prospective and current customers? If so, are your emails in compliance with the CAN-SPAM requirements?