Lesson 10 of 25

Children's Privacy: COPPA

5 min read · CIPP/US

The under-13 trigger, verifiable parental consent, parental review-and-delete rights, and the FTC Safe Harbor, plus the new wave of state laws extending protections to teens: the layering the updated blueprint wants you to spot.

COPPA: scope and the under-13 trigger

  • Applies to operators of online services directed to children under 13
  • Also applies where operator has actual knowledge it collects from under-13s
  • Trigger is age under 13 — not 18
  • FTC enforces; state AGs can too

COPPA, the Children's Online Privacy Protection Act, protects the personal information of children under thirteen online, and the magic number thirteen is the exam's favorite detail. The rule applies to operators of websites and online services, including apps, that are directed to children under thirteen, and also to general-audience operators that have actual knowledge they're collecting personal information from a child under thirteen. Note the cutoff: COPPA is under thirteen, not under eighteen. Teenagers are outside COPPA, though state laws are starting to fill that gap.

The FTC is the lead enforcer, with state attorneys general able to bring actions too. So the threshold question is whether the service targets, or knowingly collects from, the under-thirteen group.

Verifiable parental consent

  • Notice to parents, then verifiable parental consent before collection
  • Acceptable methods: signed form, credit card, video call, knowledge-based
  • Higher bar to share data with third parties
  • Limited exceptions (e.g., one-time contact, internal support)

COPPA's central obligation is verifiable parental consent. Before collecting personal information from a child under thirteen, the operator must give the parent direct notice of its practices and obtain consent in a way reasonably designed to ensure it's really the parent. The FTC lists acceptable methods (a signed consent form, a credit-card or government-ID check, a monitored phone or video call, or knowledge-based questions), and the method must be more robust if the operator plans to disclose the data to third parties.

There are narrow exceptions, like collecting a parent's contact info just to get consent, responding to a one-time request, or supporting internal operations, but the default is no collection without verifiable parental consent first.

What COPPA requires beyond consent

  • Clear privacy notice on the site and to parents
  • Parents can review, delete, and stop further collection
  • Data minimization and reasonable security and retention
  • No conditioning a game on more data than needed

Consent is the headline, but COPPA carries the full set of Fair Information Practices. Operators must post a clear privacy notice and give parents direct notice. Parents have ongoing rights: to review the personal information collected from their child, to delete it, and to refuse further collection or use.

Operators must practice data minimization, collecting only what's reasonably necessary for the activity, and they can't condition a child's participation in a game or activity on disclosing more information than needed. They must keep the data secure, retain it only as long as necessary, and delete it when it's no longer needed. So a COPPA program looks a lot like a privacy program in miniature, built around a child and a parent.

Safe Harbor and the move toward teens

  • FTC-approved Safe Harbor self-regulatory programs
  • Membership offers a compliance presumption, not immunity
  • States now extend protections to minors over 13
  • Age-appropriate design and minors' opt-outs spreading

Two further pieces the current exam emphasizes. First, COPPA has an FTC-approved Safe Harbor mechanism: industry groups can run self-regulatory programs, and operators that join and follow them get a presumption of compliance, useful but not absolute immunity. Second, and increasingly important, the protection of minors is expanding beyond COPPA's under-thirteen line.

Several states have enacted laws extending privacy protections to teenagers, requiring opt-in consent to process or sell the data of minors, restricting targeted advertising to them, and pushing age-appropriate design. So a modern scenario about a fourteen-year-old is often outside COPPA but inside a state minor-privacy law, exactly the kind of layering the updated blueprint wants you to spot.

Actual knowledge and the mixed-audience trap

  • Child-directed sites: assume users are under 13
  • General-audience sites: liable on actual knowledge of under-13 users
  • Age-screening can shift the analysis
  • Don't collect more than needed to run the age gate

The trickiest COPPA questions turn on knowledge and audience, so let's sharpen that. If a site or service is directed to children, the operator must treat all users as if they're under thirteen and get parental consent, full stop. The harder case is a general-audience or mixed-audience service that isn't aimed at kids but might attract some.

There, COPPA bites when the operator has actual knowledge that it's collecting personal information from a child under thirteen: for example, a user who states their age or whom the operator otherwise knows is a child. Operators often use a neutral age screen to sort users, but the FTC warns against collecting more data than necessary just to run that gate, and against encouraging kids to falsify their age. So the exam fact pattern to watch is the general-audience app that learns a user is twelve and keeps collecting; that actual knowledge triggers COPPA.

Exam reasoning: child, parent, consent

  • Under 13 + online collection → COPPA, verifiable parental consent
  • School context → school may consent for educational use
  • Teens (13–17) → look to state minor-privacy laws
  • Distractor: assuming COPPA covers all minors

Let's lock in the reasoning. If a service is directed to, or knowingly collects from, a child under thirteen online, COPPA applies and verifiable parental consent is the gate. In a school setting, recall from the FERPA lecture that the school can provide that consent on parents' behalf for educational use.

If the subject is a teenager, thirteen to seventeen, COPPA generally doesn't reach them, so you pivot to a state minor-privacy law, which may demand opt-in consent and ban targeted ads. The classic distractor treats COPPA as covering everyone under eighteen; it stops at thirteen. Another forgets that the consent bar rises when data will be shared with third parties.

Recap: under-thirteen trigger, verifiable parental consent, parental review-and-delete rights, Safe Harbor, and the state-law teen layer. Now go test yourself, then on to telemarketing.

Sources

  • Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506)
  • COPPA Rule (16 CFR Part 312)
  • FTC COPPA guidance and Safe Harbor program
  • State minor-privacy laws (e.g., California Age-Appropriate Design Code direction)
  • IAPP CIPP/US Body of Knowledge, Domain II.A (children's online privacy under FTC authority)

Test your knowledge

A few CIPP/US questions on this material.

  1. Under the FCRA, a consumer reporting agency (CRA) must generally investigate a consumer's dispute and delete inaccurate information within how many days?

  2. FERPA's 'directory information' exception permits schools to disclose certain information without consent, but only if the school:

  3. Which entity primarily enforces the TCPA against private parties, and what private remedy does the statute provide?

  4. The Video Privacy Protection Act (VPPA) prohibits video tape service providers from knowingly disclosing which type of information without consumer consent?
