COPPA Rule

Subscribe to COPPA Rule

On January 30, House Rep. Kathy Castor (D-FL) introduced the Protecting the Information of our Vulnerable Children and Youth (“PRIVCY”) Act, a bill that promises to be a significant overhaul of the Children’s Online Privacy Protection Act (“COPPA”).

Currently, COPPA applies only to personal information collected from children under 13 years old.  The PRIVCY Act would greatly expand COPPA’s scope by making any personal information – including biometric, geolocation, and inferred information, whether collected from the child or not – subject to the law’s requirements.  It also brings a new group of “young consumers” – individuals aged 12 to 18 years old – under the law’s umbrella.  The PRIVCY Act would obligate online sites and services that have actual or constructive knowledge that they “process” personal information about children or young consumers to provide notice to, and obtain consent from, those children’s parents or from those young consumers.  The bill also provides for rights to access, correction, and deletion of children’s and young consumers’ personal information, and it imposes limits on the ability of operators to disclose personal information to third parties.

Additionally, the privacy bill would completely repeal COPPA’s safe harbor provision, which enables covered operators to rely on a safe harbor if their privacy practices have been certified by FTC-approved organizations.  Currently, seven safe harbor organizations have been approved by the FTC.
Continue Reading Kids’ Privacy Bill Allowing for Private Suits Introduced in House

On October 22, 2019, the Federal Trade Commission reached a proposed settlement with the developer of three so-called “stalking” apps that enabled purchasers of the app to secretly monitor the mobile devices on which they were installed.  Developer Retina-X Studios, LLC and its owner James N. Johns marketed the three apps—MobileSpy, PhoneSheriff, and TeenShield—as a means to monitor children and employees by sharing detailed information about these individuals’ smart phone activities, including their text messages and GPS locations.  The FTC complaint alleges that the developer failed to ensure that the apps would be used for legitimate and lawful purposes, did not secure personal information collected from children and other users, and misrepresented the extent to which that information would be kept confidential.

While the FTC settlement represents its first case against developers of tracking apps, the complaint’s allegations rely on provisions of the FTC Act that are broadly applicable to companies that collect, store, and/or monitor users’ personal information, as well as the Children’s Online Privacy Protection Act (“COPPA”): 
Continue Reading FTC Reaches Settlement with Developer of Tracking Apps

By Ani Gevorkian

The FTC has issued a request for public comment regarding Riyo’s application to recognize a new proposed verifiable parental consent method under the FTC’s Children’s Online Privacy Protection Act Rule.  The Rule, which implements the Children’s Online Privacy Protection Act (COPPA), requires certain website operators, mobile applications, and other online services to

As part of our continuing coverage of the Congressional Privacy Bill, we provide below a deeper examination and explanation of Title II of the bill, the Do Not Track Kids Act of 2015.  The Do Not Track Kids Act of 2015 amends the Children’s Online Privacy Protection Act (“COPPA”) by making its protections more expansive and robust.  Specifically, the bill extends COPPA’s protections to teenagers, expands the scope of the entities subject to COPPA’s provisions, and imposes new obligations on those entities.

COPPA currently requires websites and online services that knowingly collect information from children under the age of 13 or that are targeted toward children under the age of 13 to make certain disclosures and obtain parental consent before collecting and using personally identifiable information obtained from children.
Continue Reading Congressional Privacy Bill: Do Not Track Kids Act of 2015

The Federal Trade Commission (“FTC”) recently reiterated its support for the use of “common consent” mechanisms that permit multiple operators to use a single system for providing notices and obtaining verifiable consent under the Children’s Online Privacy Protection Act (“COPPA”). COPPA generally requires operators of websites or online services that are directed to children under

The staff of the Federal Trade Commission (“FTC”) has released updated guidance on how the Children’s Online Privacy Protection Act (“COPPA”) and its implementing regulations apply to schools and educational online services through revisions to the Frequently Asked Questions (“FAQS”) that are published on the FTC website.  For a comparison between the old and new school FAQs, please click here.  The FAQs constitute informal guidance, but they are useful for understanding how FTC staff interprets COPPA’s application in different contexts.  Here is a brief summary:

  • The revised FAQs do not change the circumstances under which schools can provide verifiable parental consent on behalf of parents, that is, when an operator collects personal information from students “for the use and benefit of the school, and for no other commercial purposes.”  Examples of prohibited commercial purposes include online behavioral advertising and “building user profiles for commercial purposes not related to the provision of the online service” to the school.
  • While the prior FAQs noted that, in such circumstances, operators should provide schools with robust notice about their data collection, use, and sharing practices, the revised FAQs suggest that these disclosures should track the direct notice requirements outlined in the COPPA Rule.  In COPPA FAQ M.1, FTC staff explains that “the operator must provide the school with all the required notices.”


Continue Reading FTC Staff Updates Guidance on “COPPA and Schools” Through Revised FAQs

Last weekend at South by Southwest (“SXSW”) Interactive, a panel promoted the notion that it is in fact possible to harmonize innovation with kids’ privacy in the app space, but that doing so involves “a lot of work.”  In particular, the panel suggested that it takes a conscious desire on the part of app developers to create brands and interfaces that build in transparency, with the specific purpose of inspiring parent trust.  The panel featured Lorraine Akemann, Co-Founder of Moms with Apps; Elana Zeide, Privacy Research Fellow at New York University’s Information Law Institute; and moderator Sara Kloek, Director of Outreach at the Association for Competitive Technology.  It was one of the few privacy events at SXSW Interactive focused on children.

Continue Reading Covington at #SXSW: Can Innovation and Kids’ Privacy Coexist?

The Federal Trade Commission (“FTC”) recently approved a new method of verifiable parental consent — knowledge-based authentication (“KBA”) — as consistent with the requirements of the Children’s Online Privacy Protection Act (“COPPA”).  COPPA generally requires operators of websites or online services that are directed to children under 13 or that have actual knowledge that they

Yesterday, the FTC staff released its latest round of updated Frequently Asked Questions (“FAQs”) for its Rule implementing the Children’s Online Privacy Protection Act (“COPPA Rule”).  These new FAQs address the circumstances in which third parties may obtain “actual knowledge” that they are collecting personal information from a child-directed site or service and whether parental consent is needed for child-directed sites and apps that enable user-generated content to be emailed or shared via social media. 

As we previously reported, the FTC enacted sweeping changes to the COPPA Rule in December 2012 that became effective July 1, 2013.  In the last several months, the FTC staff have provided several updates to the informal FAQs. 

“Actual Knowledge” Standard for Third Parties

Third parties such as plugins and ad networks are liable under the new COPPA Rule only if they have actual knowledge that they are collecting personal information from a child under 13 years old or through sites and services that are directed to such children.  Most of the new FAQs try to resolve lingering questions about when a third party has “actual knowledge”:

  1. Third parties can designate specific employees as the points of contact to receive COPPA notices, rather than having actual knowledge imputed to the entire company through any employee.
  2. The third party will not be deemed to have “actual knowledge” — and will have no duty to investigate — if it simply receives a list of URLs of purportedly child-directed websites from which it is collecting personal information. 
  3. If the third party receives “screenshots or other forms of concrete information” about sites on which the third party’s service are integrated, such information could provide actual knowledge:
    • If, based on the screenshots or other concrete information, the third party is “uncertain” whether a site or service is child directed, it ordinarily may rely on representations from the first-party site about whether the site is child-directed.  These representations could be provided in the form of a technological COPPA signal or “flag,” which industry has been working to develop since the idea was proposed by the FTC’s Chief Technologist in a blog post earlier this year. 
    • If, based on the screenshots or other concrete information, it is clear that the site or service is child directed, then any representations made by the first-party site would be overridden and the third party would be deemed to have actual knowledge.


Continue Reading FTC Releases Updated Guidance on New COPPA Rule

The Federal Trade Commission (“FTC”) recently released an additional question and answer as part of its revised COPPA FAQs, which provide guidance on the FTC staff’s interpretations of the rule implementing the Children’s Online Privacy Protection Act (“COPPA”).  As we previously reported, the FTC published substantial revisions to the COPPA FAQs in April in order to account for recent changes to the COPPA rule

New FAQ #80 addresses whether operators must obtain parental consent before sending push notifications.  According to the new FAQ, the “information you collect from the child’s device used to send push notifications is online contact information – it permits you to contact the user outside the confines of your app – and is therefore personal information under the Rule.”  As a result, the FTC explains that the operator will need to obtain parental consent before collecting information from a child’s device in order to send push notifications, unless an exception to COPPA’s parental consent regime applies.  The multiple-contact exception may excuse the operator from the parental consent requirement if the child has consented to receiving push notifications, the operator provides parents with direct notice of the collection and an opportunity to opt out, and the information used to send the push notifications is not combined with other personal information collected from the child.

Continue Reading FTC Releases Additional COPPA FAQ to Address Push Notifications