Children's Privacy
By Federal Trade Commission
Aug 17, 2005, 15:04

Untitled Document

Frequently Asked Questions about the Children's
Online Privacy Protection Rule

Volume 1

The following FAQs are intended to supplement the compliance materials available on the FTC's website. To view the Rule and the compliance materials, go to



1. What is the Children's Online Privacy Protection Rule?

The Children's Online Privacy Protection Act (COPPA) was passed by Congress in October 1998, with a requirement that the Federal Trade Commission (FTC) issue and enforce rules concerning children's online privacy. The primary goal of the Act and the Rule is to place parents in control over what information is collected from their children online. The Rule was designed to be strong, yet flexible, to protect children while recognizing the dynamic nature of the Internet.

  • The COPPA Rule applies to operators of commercial websites and online services directed to children under 13 that collect personal information from children, and operators of general audience sites with actual knowledge that they are collecting information from children under 13.
  • Those operators must:

(1) post clear and comprehensive Privacy Policies on the website describing their information practices for children's personal information;

(2) provide notice to parents, and with limited exceptions, obtain verifiable parental consent before collecting personal information from children;

(3) give parents the choice to consent to the operator's collection and use of a child's information while prohibiting the operator from disclosing that information to third parties;

(4) provide parents access to their child's personal information to review and/or have it deleted;

(5) give parents the opportunity to prevent further collection or use of the information

(6) maintain the confidentiality, security, and integrity of information they collect from children.

  • In addition, the Rule prohibits operators from conditioning a child's participation in an online activity on the child's providing more information than is reasonably necessary to participate in that activity.

2. Where can I find information about COPPA?

The FTC has a comprehensive website,, which has information concerning all the activities of the agency. In the upper section of the home page is a link that says "Privacy Initiatives." If you click on that banner, you will have access to a variety of documents regarding the Children's Rule, including the proposed and final Rules, the public comments received by the Commission in the course of the rulemaking, guides for businesses and parents, safe harbor applications we've received and any public comments on those applications, notice of any cases brought under the Rule, and announcements of future activities. Materials concerning general privacy and financial privacy (including the Gramm-Leach-Bliley rulemaking) are available there as well.

In addition, the FTC has set up a special web page designed for kids, parents, businesses, and educators at In addition to providing the Rule and compliance materials for businesses and parents, this web page features online safety tips for children and other useful education resources about the Rule and online privacy in general.

All educational materials on our website are also available free by calling the FTC's Consumer Response Center's toll free number at (877) FTC-HELP.

3. What do I do if I have questions about the COPPA Rule?

The first thing you should do is read the educational materials available on our website and through our toll free telephone number (877) FTC-HELP. If you still have questions, you can email us at or contact our Consumer Response Center at toll free (877) FTC-HELP. The FTC also has an online form to file complaints or request information at the website.

4. When did COPPA and its implementing Rule go into effect?

The Act and the Rule went into effect on April 21, 2000.

5. COPPA applies to "websites directed to children." What determines whether or not a website is targeted to children?

The Rule sets out a number of factors in determining whether a website is targeted to children, such as its subject matter, language, whether it uses animated characters, and whether advertising appearing on the site is directed to children. The Commission will also consider empirical evidence regarding the ages of the site's visitors. These standards are very similar to those previously established for TV, radio, and print advertising.

6. Does COPPA apply to information about children collected from parents or other adults?

No. COPPA and the Rule only apply to personal information collected from children, not their parents or other adults. The Rule's Statement of Basis and Purpose, however, notes that the Commission expects that operators will keep confidential any information obtained from parents in the course of obtaining parental consent or providing for parental access pursuant to COPPA. See Rule n. 213.

7. Why does COPPA apply only to children under 13? What about protecting the online privacy of teens?

Young children may not understand the safety and privacy issues created by the online collection of personal information, and are therefore particularly vulnerable. Children under 13 has often been the standard for distinguishing adolescents from young children who may need special protections. As a general matter, however, the FTC encourages operators to afford teens privacy protections, given the risks inherent in the disclosure of personal information for all ages. The FTC has recommended that Congress pass legislation to ensure the fair information principles be implemented for all consumers. In the interim, websites' information practices are still subject to Section 5 of the FTC Act, which prohibits deceptive or unfair trade practices. See July 15, 1997 Staff Opinion Letter to Center for Media Education for guidance on how Section 5 applies to information practices involving children and teens.

8. Does the Rule apply to information collected prior to the its effective date?

No, but if a site collects new information after the effective date of the Rule, even for existing registrants, they must comply. For example, if an operator collected a child's email address prior to April 21 and now wishes to collect the child's postal address to send a premium or prize, the operator must comply with COPPA prior to collecting the mailing address.

Similarly, if a child registered at a website prior to April 21, 2000 for an online newsletter and the website invites the child to sign up for a new chat room, the fact that the child was already registered with the site does not obviate the need for the operator to comply with COPPA for purposes of enabling the child to register for the chat room.

9. Are there any protections that apply to information collected before COPPA went into effect?

Yes. Although the Rule covers only information collected after its effective date, previously collected information is still subject to the protections afforded by Section 5 of the FTC Act. Thus, if an operator engaged in deceptive or unfair practices when collecting, using or disclosing information from kids, the operator could face FTC action. See Staff Opinion Letter to Center for Media Education issued July 15, 1997, outlining what would be deceptive and/or unfair practices with regard to the collection and use of children's information.

10. I know the Rule is triggered by the collection of personal information from children, but the information I collect at my site is voluntary and not mandatory. Does the Rule still apply?

Yes. Whether your information collection is voluntary or mandatory, it still constitutes collection and triggers the Rule.

11. Hasn't the Children's Online Privacy Protection Act been declared unconstitutional?

No. The Children's Online Privacy Protection Act (COPPA), has not been challenged and went into effect on April 21, 2000. Enforcement of the Children's Online Protection Act (COPA), which sought to regulate the dissemination of material harmful to minors on the Internet, was preliminarily enjoined by the U.S. District Court for the Eastern District of Pennsylvania, ACLU v. Reno, 31 F.Supp.2d 473 (E.D. Pa.1999). That decision was affirmed by the Third Circuit, 217 F.3d 162 (3d Cir. 2000). For information on COPA and the work of the Commission on Child Online Protection, which is studying methods and technologies to help reduce access by minors to such materials visit

12. Will the COPPA Rule keep my child from accessing pornography?

No, not directly. COPPA is meant to give parents control over the collection of their children's personal information and does not limit children's access to information publicly available on the Internet. COPPA may help keep your child off email lists. Information about COPA, which does address dissemination of pornography to minors, is available at If you are concerned about your children accessing pornography or other inappropriate materials on the Internet, you may want to look for a filtering program or an Internet Service Provider that offers such tools. Information about such tools is available at and


13. How will the FTC enforce the Rule?

The FTC will monitor the Internet for compliance with the Rule and bring law enforcement actions where appropriate to deter violations. Parents and others can submit complaints to the FTC through our website and our toll-free number (877) FTC-HELP. We will also investigate referrals from consumer groups, industry, and approved safe harbor programs, as appropriate.

14. What are the penalties for violating the Rule?

Website operators who violate the Rule could be liable for civil penalties of up to $11,000 per violation. The level of penalties assessed may turn on a number of factors including egregiousness of the violation, e.g., the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties and the size of the company.

15. Do the states or other government agencies have jurisdiction over this issue?

Yes. COPPA also gives states and certain federal agencies authority to enforce compliance with the Act with respect to entities in their jurisdiction. For example, the Office of the Comptroller of the Currency will handle compliance by national banks and the Department of Transportation will handle air carriers.

16. Have any cases ever been brought for deceptive collection of online information from children?

Yes. Even prior to COPPA, the FTC brought enforcement actions in this area under Section 5 of the FTC Act. In the agency's first Internet privacy case, Geocities agreed to settle charges of deceptively collecting personal information from children and adults. Geocities, FTC Dkt. No. C-3849 (Feb. 12, 1999). The Liberty Financial case involved the "Young Investors" website which deceptively promised to maintain only anonymous information from children and teens. Liberty Financial Companies, Inc., FTC Dkt. No. C-3891 (Aug. 12, 1999). In Toysmart, the FTC alleges that the defendants collected personal information from children without obtaining prior parental consent in violation of COPPA, 16 C.F.R. ? 312.5(c)(2). FTC. v. LLC and, Inc., No. 00-11341-RGS, (D. Mass. filed July 10, 2000, amended July 21, 2000). Commission cases are available on its website via the Privacy Initiatives link from the home page or via its search engine.

17. What do I do if my site isn't in compliance with the Rule?

If you are not collecting any personal information from children, then you are not subject to the Rule. So the quickest thing to do until you can get your site into compliance is to stop collecting personal information from children under 13. In fact, many sites that we have talked to have realized that collection of such information is not necessary.

Then, review your website, your privacy policy, and the Rule carefully. The materials on the Commission's website can provide you with helpful guidance. Take a close look at: what information you collect; how you collect it; how you use it; whether the information you seek to collect is necessary for the activities on your site; whether you have adequate mechanisms for providing parents with notice and obtaining consent; and whether you have adequate methods for parents to review their children's information and for verifying that the people requesting access to kids' information really are their parents.

18. Are websites run by nonprofit entities subject to the Rule?

The Act and the Rule expressly state that they apply to commercial websites and not to nonprofits that would otherwise be exempt from coverage under Section 5 of the FTC Act. Thus, in general, most non-profits are not subject to the Rule. However, nonprofits that operate for the profit of their for-profit members may be subject to the Rule. See FTC v. California Dental Association 526 U.S. 756 (1999), for additional guidance on when nonprofits are subject to FTC jurisdiction. Although true nonprofits are not subject to COPPA, we encourage them to set an example by posting privacy policies and providing the protections set forth in COPPA to children providing personal information at their sites.

19. Does COPPA apply to websites operated by the Federal Government?

It is federal policy that all Federal websites and contractors when operating on behalf of agencies comply with the standards set forth in COPPA. See

20. The Internet is truly a global medium. Do websites set up and run abroad have to comply with the Rule?

Yes. Foreign-run websites must comply with COPPA if they are directed to children in the U.S. or knowingly collect information from children in the U.S. For example, foreign-run kid-oriented websites would be subject to COPPA if they advertised in offline media in the U.S. or on popular U.S. websites. The Rule's definition of an "operator" - who is subject to the Act - includes foreign websites that are involved in commerce in the United States or its territories.


21. My site does not collect any personally identifiable information. Do I still need to post a privacy policy?

No. COPPA only applies to those websites that collect personal information from children. However, the FTC recommends that all websites post privacy policies, so visitors have an easily recognizable place to go to find out about the operator's information practices. Surveys show that most parents are uncomfortable with their children giving out any personal information on the Internet, so as a practical matter, parents will be pleased to read your privacy policy and find out quickly that you do not collect personally identifiable information.

22. What information must I include in my privacy policy and in the direct notice to parents?

The Rule identifies the information that must be disclosed in the privacy policy and in the direct notice - the notice sent directly to the parent. See ?312.4(b) for information regarding the content of the privacy policy and ?312.4(c) for information regarding the content of the direct notice to the parent. Remember, that in addition to including the content required in the privacy policy, the direct notice to parents needs to tell the parent that you wish to collect personal information from the child, that consent is required for you to do so, and how the parent may provide consent. The Rule also requires that the privacy policy be posted clearly and prominently on the home page and that a hyperlink to the policy be provided at each area where personal information is collected.

23. Do I have to disclose my use of cookies, GUIDS, IP addresses, or the use of other passive information collection technology?

Yes, when such information is combined with "personal information." The Rule defines personal information to include individually identifiable information about an individual collected online, including any persistent identifier that is tied to identifying information. Where such passive forms of information collection are tied to identifying information, including a persistent identifier that can be used to identify, contact, or locate an individual, then it is considered personal information under the Rule.

24. Can I include in my privacy policy materials promoting products, services, and/or websites of mine and my partners?

No. The Rule requires that privacy policies must be "clearly and understandably written, be complete, and contain no unrelated, confusing, or contradictory materials." See ?312.4(a). The more complicated and confusing a policy is, the more likely it will be that parents won't understand or even read the policy. And remember, parents who find your policy confusing or difficult to comprehend may be less likely to grant you consent.

25. I run a general audience site, but I offer a specific children's section. Is it acceptable for me to structure my privacy policy so that information about my children's practices and non-children's practices are mixed in together, or do I have to have a separate privacy policy about my practices with respect to children?

In the commentary of the Final Rule, the Commission noted that "[o]perators are free to combine the privacy policies into one document, as long as the link for the children's policy takes visitors directly to the point in the document where the operator's policies with respect to children are discussed, or it is clearly disclosed at the top of the statement that there is a specific section discussing the operator's information practices with respect to children." 64 Fed. Reg. 59894 at n.98. In addition, the link for the privacy policy pertaining to the children's area must appear on the home page of the children's area and at each area where personal information is collected from children. Sites may also wish to post it as part of their general privacy policy.

26. Is it okay for the link to my privacy policy to be at the very bottom of my home page?

As long as the link is "clear and prominent" it is okay to have it at the bottom of the home page. The Rule requires that the link to your privacy policy "be placed in a clear and prominent place and manner on the home page of the website or online service" and at each area where children provide, or are asked to provide, personal information. See ??312.4(b)(1)(ii) and (iii). In its explanation of this requirement, the Commission noted that "'[c]lear and prominent' means that the link must stand out and be noticeable to the site's visitors through use, for example, of a larger font size in a different color on a contrasting background. The Commission does not consider 'clear and prominent' a link that is in small print at the bottom of the page, or a link that is indistinguishable from a number of other, adjacent links." 64 Fed. Reg. 59894.

27. When I send the notice to parents, can I simply email them a link to the privacy policy?

Yes. You may send your direct notice to parents via email, and you may include in that email a link to your privacy policy. Remember that the direct notice to the parent also needs to tell the parents that you wish to collect personal information from the child, that the parent's consent is required for you to do so, and how the parent may provide consent.

It is also important to remember that the notices must not contain unrelated, confusing, or contradictory information. For example, your notice to parents may not include so much additional information that the message about needing consent or the link to the privacy policy is obscured.

28. Do I have to list the names, addresses, phone numbers, etc. of all of the operators at my site? This will make my privacy policy very long and confusing.

Under the Rule, if there are multiple operators collecting information through your site, you may list the name, address, phone number, and email address of one operator who will respond to all inquiries from parents regarding all of the operators' privacy policies and uses of children's information, as long as the names of all the operators are also listed in the notice. See ?312.4(b)(2)(i).

If you wish to list the contact information of all the operators but still keep your privacy policy and notice simple, you can include a link in the privacy policy or notice to the list of operators. Just make sure that when you send the notice to parents to request consent, they can access that list.


29. When do I have to get verifiable parental consent?

The general rule is that an operator must obtain verifiable parental consent before collecting personal information from a child unless the collection fits into one of the exceptions for the collection of online contact information. As described below, the method for obtaining such consent will vary with the use of the information.

30. Can I first collect information from children and then get consent from parents as long as I don't use the information until I get consent?

In most cases, no. COPPA clearly states that operators must get verifiable parental consent before collecting personal information from children under 13. There are several exceptions to this requirement which allow an operator:

(1) to collect a child's name and parent's email address for purposes of providing the required notice and obtaining consent;

(2) to collect a child's email address to respond once to a specific request from a child, as long as the email address is deleted immediately after responding;

(3) to collect a child's email address to respond more than once to a specific request of a child (ie, requesting a subscription).

Source: FTC

© Copyright 2003 by