As a parent, you have control over the personal information companies collect online from your kids under 13. The Children’s Online Privacy Protection Act gives you tools to do that. The Federal Trade Commission, the nation’s consumer protection agency, enforces the COPPA Rule. If a site or service is covered by COPPA, it has to get your consent before collecting personal information from your child and it has to honor your choices about how that information is used.
The COPPA Rule was put in place to protect kids’ personal information on websites and online services — including apps — that are directed to children under 13. The Rule also applies to a general audience site that knows it’s collecting personal information from kids that age.
COPPA requires those sites and services to notify parents directly and get their approval before they collect, use, or disclose a child’s personal information. Personal information in the world of COPPA includes a kid’s name, address, phone number or email address; their physical whereabouts; photos, videos and audio recordings of the child, and persistent identifiers, like IP addresses, that can be used to track a child’s activities over time and across different websites and online services.
If the site or service doesn’t collect your child’s personal information, COPPA is not a factor. COPPA kicks in only when sites covered by the Rule collect certain personal information from your kids. Practically speaking, COPPA puts you in charge of your child’s personal information.
COPPA works like this: Let’s say your child wants to use features on a site or download an app that collects their personal information. Before they can, you should get a plain language notice about what information the site will collect, how it will use it, and how you can provide your consent. For example, you may get an email from a company letting you know your child has started the process for signing up for a site or service that requires your child to give personal information. Or you may get that notice on the screen where you can consent to the collection of your child’s personal information.
The notice should link to a privacy policy that’s also plain to read — and in language that’s easy to understand. The privacy policy must give details about the kind of information the site collects, and what it might do with the information — say, if it plans to use the information to target advertising to a child or give or sell the information to other companies. In addition, the policy should state that those other companies have agreed to keep the information safe and confidential, and how to contact someone who can answer your questions.
That notice also should have directions on how to give your consent. Sites and services have some flexibility in how to do that. For example, some may ask you to send back a permission slip. Others may have a toll-free number you can call.
If you agree to let the site or service collect personal information from your child, it has a legal obligation to keep it secure.
The first choice is whether you’re comfortable with the site’s information practices. Start by reading how the company plans to use your child’s information.
Then, it’s about how much consent you want to give. For example, you might give the company permission to collect your child’s personal information, but not allow it to share that information with others.
Once you give a site or service permission to collect personal information from your child, you’re still in control. As the parent, you have the right to review the information collected about your child. If you ask to see the information, keep in mind that website operators need to make sure you are the parent before providing you access. You also have the right to retract your consent any time, and to have any information collected about your child deleted.
If you think a site has collected information from your kids or marketed to them in a way that violates the law, report it to the FTC at ReportFraud.ftc.gov.