In effect since 2000.
Key provisions of the COPPA:
- Notice and Consent: COPPA requires operators of commercial websites and online services directed to children under 13 or organizations collecting personal information from children under 13 to provide notice to parents and obtain verifiable parental consent before collecting personal information from children. The notice must describe the operator's data collection and use practices and the types of third parties with whom the information may be shared;
- Parental Rights: COPPA gives parents the right to review and delete their child's personal information and the right to refuse the collection or use of their child's personal information. Operators must provide a reasonable method for parents to exercise these rights;
- Privacy Policy: COPPA requires operators to post a privacy policy on their website or online service that describes their data collection and use practices concerning children;
- Data Security: COPPA requires operators to take reasonable steps to protect the confidentiality, security, and integrity of the personal information they collect from children.
- Safe Harbor Programs: COPPA allows industry groups and others to develop self-regulatory safe harbor programs to govern operators' privacy practices, provided that the FTC approves them.
COPPA violations can result in substantial penalties, including fines of up to $43,280 per violation. The Federal Trade Commission (FTC) has the authority to investigate and enforce compliance with COPPA.