Last week, the Federal Trade Commission (“FTC”) released a new reportSix-Step Compliance Plan for Your Business, to help companies understand their obligations under the Children’s Online Privacy Protection Act (“COPPA”). In addition to reviewing longstanding COPPA requirements, the report provides important new guidance on how COPPA applies to the rapidly evolving world of connected toys, online games and the Internet of Things (“IoT”). Here’s what you need to know.


Congress enacted COPPA to protect the personal information of children under the age of 13. The FTC, charged with enforcing COPPA, issued the original COPPA Rule in 2000 and an amendment in 2013. Designed to place parents in control of the personal information collected from their children online, COPPA requires operators of websites and online services that knowingly collect, use, or disclose personal information of children under the age of 13 to allow parents the opportunity to review or restrict the personal information being collected and used. Violations of COPPA can carry hefty fines of $40,000+ per violation, as illustrated by a recent episode of HBO’s hit comedy series Silicon Valley.

What’s New  

In addition to providing a six-step COPPA compliance plan, the FTC’s report includes important new guidance:

  • The FTC cautions that harnessing emerging technologies may impact a business’s COPPA obligations. In particular, the FTC advises businesses to examine how the use of newer technologies may have changed the way they collect data, and encourages businesses to ask whether they are still in compliance with COPPA.
  • The FTC reminds everyone that COPPA extends beyond “traditional” platforms like websites and mobile apps. IoT devices and other new technologies marketed to children, including connected toys and online games, are equally subject to COPPA if they collect any personal information, which includes voice recordings, geolocation data and unique device identifiers.
  • The FTC highlights two newly approved methods for obtaining “verifiable parental consent” (“VPC”), which is the cornerstone of COPPA compliance: knowledge-based authentication questions and facial recognition to match a verified photo ID. These methods add to a growing list of FTC-approved VPC mechanisms that offer businesses flexibility when structuring their technologies to comply with COPPA.

Updated Six-Step Compliance Plan

The FTC’s six-step compliance plan aims to help businesses determine whether their products or services are covered by COPPA and, if so, how to comply with COPPA’s requirements. Here’s a quick summary.

  • Step 1: Determine if your company is a website or online service that collects personal information from children under the age of 13. Businesses that directly target children should confirm whether they are actively collecting or allowing third parties to collect personal information from their users. Even if businesses do not intend to target children and collect their information, they still may fall within the scope of COPPA if the business has actual knowledge that it is collecting personal information from children under 13.
  • Step 2: Post a COPPA-compliant privacy policy. Businesses covered by COPPA must post a clear and visible statement of their privacy policy that includes a comprehensive description of the operators collecting personal information from children under the age of 13, how this data is collected and used, and the parents’ rights to review and restrict the collection and use of their children’s information.
  • Step 3: Notify parents directly before collecting personal information from their children. COPPA requires businesses to provide parents with direct notice of their data practices before collecting any personal information from children, and to provide parents with updated direct notices when these practices change.
  • Step 4: Obtain verifiable parental consent before collecting personal information from children. In  general, COPPA requires  businesses to obtain VPC before collecting any personal information  from children. COPPA allows businesses to decide what method they will use to obtain VPC, but the selected method must be reasonably designed to ensure the person giving the consent is the child’s parent. There are narrow, but very important exceptions to the VPC requirement, including an exception that allows operators to collect persistent identifiers (e.g., cookies, IP addresses, unique device identifiers) without VPC when the sole purpose of the collection is to support the internal operations of the website or online service. What that means, and when it applies, are often tricky questions subject to legal interpretation.
  • Step 5: Honor parents’ ongoing rights  to control personal information collected from their children. Businesses must comply with the requests of parents to delete or modify their children’s personal information even if consent was initially given.
  • Step 6: Implement reasonable procedures to protect the security of children’s personal information. Businesses should limit the information they collect from children to only that which is necessary and restrict the third party entities with whom they share this information to ensure the confidentiality, security, and integrity of the personal information collected.