Consumer Protection Fact Sheet - Protecting Your Child's Privacy Online

As a parent, you have control of the personal information companies collect online from your children under the age of 13. The Children’s Online Privacy Protection Act gives you tools to do that. The Federal Trade Commission enforces the COPPA Rule. If a site or service is covered by COPPA, it must obtain your consent before collecting personal information from your child and it has to honor your choices about how that information is used.

What is COPPA?

The COPPA Rule was put in place to protect children’s personal information on websites and online services – including apps – that are directed to children under the age of 13. The Rule also applies to a general audience site that knows it is collecting personal information from children that age. COPPA requires those sites and services to notify parents directly and get their approval before they collect, use, or disclose a child’s personal information.

Personal information in the world of COPPA includes a child’s name, address, phone number or email address; geolocation information; photos, videos and audio recordings of the child; and persistent identifiers like IP addresses and mobile device IDs that can be used to track a child’s activities over time across different websites and online services.

Does COPPA affect the sites and services my children use?

If the site or service does not collect your child’s personal information, COPPA is not a factor. COPPA kicks in only when sites covered by the Rule collect certain personal information from your children. Practically speaking, COPPA puts you in charge of your child’s personal information.

How does COPPA work?

COPPA works like this: Your child wants to use features on a site or download an app that collects their personal information. Before they can, you should get a plain language notice about what information the site will collect, how it will use it, and how you can provide your consent. For example, you may get an email from a company letting you know your child has started the process for signing up for a site or service that requires your child to give personal information. Or you may get that notice on the screen where you can consent to the collection of your child’s personal information. Another way a company can verify a parent’s consent is by requiring a credit card number, even if there is no charge to use the website or download the application.

The notice should link to a privacy policy that is also plain to read – and in language that is easy to understand. The privacy policy must give the details about the kind of information the site collects, and what it might do with the information – say, if it plans to use the information to target advertising to a child or give or sell the information to other companies.

In addition, the policy should state that those other companies have agreed to keep the information safe and confidential, and how to contact someone who can answer your questions. The notice also should have directions on how to give your consent. Sites and services have some flexibility in how to do that. For example, some may ask you to send back a permission letter. Others may have a toll-free number you may call. If you agree to let the site or service collect personal information from your child, they have a legal obligation to keep it secure.

What are my choices?

The first choice is whether you are comfortable with the site’s information practices. Start by reading how the company plans to use your child’s information.

Then, it is about how much consent you want to give. For example, you might give the company permission to collect your child’s personal information, but not allow it to share that information with others. Once you give a site or service permission to collect personal information from your child, you are still in control.

As the parent, you have the right to review the information collected about your child. If you ask to see the information, keep in mind website operators need to make sure you are the parent before providing you access. You also have the right to retract your consent any time, and to have any information collected about your child deleted.

Two-factor authentication

Two-factor authentication is an added layer of security that combines something you have, a physical token such as a card or a code, with something you know, something memorized such as a personal identification number (PIN) or password.