COPPA 101: What Marketers Need to Know About the Children's Online Privacy Protection Act

Since the old days of advertising, marketers have used language, jingles, and images that specifically appeal to children. Yes, they may not have spending power, but their parents do. And today’s child is tomorrow’s customer. Even today, advertisers are always seeking ways to engage with younger audiences and nurture awareness. Whether through online games, apps, social media platforms, or other interactive technologies, marketers are ever on the lookout for opportunities to build brand loyalty at an early age. However, when targeting audiences that include children under the age of 13, strict privacy laws come into play; most notably, the Children's Online Privacy Protection Act (COPPA).

COPPA is a law designed to protect the online privacy of children and places significant obligations on marketers and businesses that cater to minors, even indirectly. While the penalties for non-compliance are severe, understanding and adhering to COPPA is manageable with the right strategies in place. The following guide can serve as an introduction – or refresher – for marketing professionals on what COPPA entails, why it matters, and how to stay compliant in regard to advertising that caters to minors.

What Is COPPA and What Does It Cover?

The Children's Online Privacy Protection Act was enacted by Congress in 1998 and is enforced by the Federal Trade Commission (FTC). Its primary purpose is to ensure the privacy and safety of children under 13 by regulating how businesses collect, use, and disclose their personal information online. COPPA is meant to be all-encompassing, and applies to any website, app, or online service that either targets children or knowingly collects personal information from children under 13.

Personal information under COPPA includes but is not limited to:

• Name
• Address
• Email
• Phone number
• Geolocation
• Photographs or videos featuring the child
• Any persistent identifiers, like IP addresses or cookies

One of COPPA’s requirements is that businesses must obtain verifiable parental consent before collecting any of the above personal information from under-13 minors, without exception.

Why Marketers Need to Care About COPPA

Marketers routinely create content that appeals to children, especially when it comes to products such as toys or video games, or in the fields of entertainment and education. That in and of itself is not worrisome from a regulatory standpoint. However, even if a company's primary audience is not minors, it's essential to consider the possibility that their digital platforms, services, or products may unintentionally attract interested children.

Non-compliance with COPPA can result in substantial fines. The FTC has historically taken action against several prominent companies, issuing multimillion-dollar penalties for violations of the law. For example, YouTube was fined $170 million in 2019 for failing to comply with COPPA regulations related to children's privacy on its platform.

Beyond financial penalties, companies also face reputational risks when they fail to protect children's privacy, as regulatory missteps are public knowledge. In an age where trust and transparency are critical to consumer relationships, a COPPA violation can severely damage a brand's image, especially among parents and advocates for child safety.

How COPPA Works: Key Requirements for Marketers

To comply with COPPA, marketers must follow specific guidelines when their services or products interact with children under 13. Here are the key requirements:

1. Privacy Policy Disclosure

Companies that collect personal information from children must have a clear and comprehensive privacy policy explaining their data practices. The policy must detail what information is collected, how it is used, and whether it is shared with third parties. Marketers should ensure this information is easily accessible and written in a way that is understandable to parents, guardians, and other laypersons.

2. Parental Consent

One of COPPA’s most rigid requirements is obtaining verifiable parental consent before collecting personal information from children. Businesses must ensure that parents are aware of what data is being collected and how it will be used. There are several methods to obtain parental consent, including:

• Email verification with a credit card transaction
• Signed consent forms faxed or mailed to the company
• Verifiable consent through video conferencing tools

3. Limit Data Collection

Marketers should only collect the information necessary for the activity or service being provided. Collecting more data than required – from adults as well as minors – not only exposes businesses to compliance risks but, in the case of underage recipients, also violates COPPA’s inherent principle of data minimization. This also translates to the financial industry. While it’s true that minors cannot apply for mortgage loans, of course, they can open and co-control certain types of bank accounts, which require the gathering and retention of personal information.

4. Information Security and Retention

COPPA requires businesses to take reasonable steps to protect the confidentiality, security, and integrity of personal information collected from children. This includes using industry-standard encryption, secure storage practices, and limiting access to data. Additionally, companies must not retain children’s personal information longer than necessary and should have procedures in place to permanently delete it once it’s no longer needed.

5. Educational and Marketing Content

When creating content for children, marketers must be absolutely certain that it is age-appropriate and complies with COPPA’s guidelines. This applies to advertisements embedded in apps or websites, promotions, and interactive features such as in-game purchases or giveaways. Marketing practices that encourage children to disclose personal information or falsely indicate that children can participate without parental consent are strictly prohibited by law.

Practical Tips for Staying Compliant with COPPA

For marketers working in industries that cater to children in any way, COPPA compliance must be an integral part of campaign planning. Here are some practical steps you can take to ensure compliance:

• Review Your Audience Demographics

Even if your target audience isn’t explicitly children, your marketing campaigns, website, or app might attract younger users. Regularly review your audience demographics using analytics tools to determine whether you are interacting with children under 13. If you find that a portion of your audience does include minors, adjust your data collection practices accordingly to stay within COPPA boundaries.

• Utilize Contextual Advertising

When marketing to children, carefully avoid behavioral advertising that relies on tracking a child’s activities or interests across websites or apps. This strategy opens the door to unnecessary data gathering. Instead, focus on contextual advertising, which delivers ads based on the content of the webpage or app without tracking the child’s personal information.

For example, if your target market consists of families, your ads can be shown on pages or apps that cater to family-friendly content without the need for personalized individual tracking.

• Implement Age Screening Mechanisms

One way to stay compliant with COPPA is by integrating ‘age-gating’ mechanisms into your digital platforms. Age gates prompt users to enter their birth date before allowing them to access content or features that may collect personal information. For marketers, this is a very useful tool that can help make sure children under 13 aren’t inadvertently exposed to services that collect personal data without parental consent.

• Work with COPPA-Compliant Ad Networks

When working with third-party ad networks, research and choose partners that have a strong commitment to child privacy and COPPA compliance. These networks should know not to collect personal information from users under 13 or track their activities across platforms. Make sure to establish clear contracts with network partners that outline these expectations.

Beyond COPPA: Emerging Privacy Concerns in Marketing to Kids

While COPPA is a cornerstone of child privacy law in the U.S., it is not the only regulation marketers must consider. With growing scrutiny on children's privacy worldwide, additional laws are being enacted, such as the General Data Protection Regulation (GDPR-K) in Europe, which has even stricter requirements for collecting data from minors.

Moreover, the FTC has expanded its oversight beyond COPPA to address broader issues such as influencer marketing, native advertising, and deceptive practices in children's marketing. The regulatory landscape is a constantly-shifting one, and these developments emphasize the need for marketers to stay informed about regulatory changes that could affect their advertising practices.

Conclusion: Make Child Privacy a Marketing Priority

Compliance with COPPA is not just a legal obligation but a moral one. Children are a vulnerable and easily swayed audience, and businesses that create products for minors have a duty to prioritize their privacy and safety. For marketers, this means adopting responsible advertising practices, keeping abreast of privacy laws, and creating a safe digital environment for children.

By following COPPA guidelines and being mindful of broader privacy concerns, marketers can build lasting trust with parents and create long-term brand loyalty through the generations. It is a certainty that digital marketing will continue to evolve, so protecting children's privacy must remain a top priority as advertising regulations work to keep pace with new technology and new demand.

For further guidance on how to ensure compliance with COPPA in your marketing efforts, refer to the FTC’s official guidelines or reach out to ActiveComply for compliance resources and assistance.