Child Online Privacy Rules Updated: What You Should Know

For the first time in 15 years, the Federal Trade Commission has revamped the Children's Online Privacy Protection Act. If your association attempts to reach children online, these changes could affect you. Read on.

One of the earliest efforts to regulate the way organizations use the internet has gotten an update.

The Children’s Online Privacy Protection Act (COPPA), first passed in 1998, had gone without significant modification for years until the Federal Trade Commission (FTC), which accepted comments on the proposed updates last year, approved changes in December that went into effect July 1.

If your organization reaches children online, the changes could affect you. Here’s what you should keep in mind:

Consent requirement: In an op-ed post for USA Today’s CyberTruth, trial attorney Tyler Newby explains that the changes to the law are largely meant to reflect the web’s increasingly social nature. “Reflecting the growth of social networks, user-generated content, and child-oriented mobile apps,” Newby writes, “operators of child-directed sites now must obtain verifiable parental consent before they can collect users’ screen names; photo, video, and audio files that contain a child’s image or voice; geolocation data precise enough to identify a street and city; and persistent identifiers, such as cookies, an IP address, or unique mobile device identifier.”

Even “Like” buttons matter: As lawyer Liisa M. Thomas writes on the Association of Corporate Counsel’s Lexology site, one of the rule changes affects commonly used social media plug-ins, such as Facebook’s “Like” button. In some cases, she notes, the buttons are allowed, but only if they meet certain criteria. “[F]or a plug-in that is used in a way that meets these criteria, an exception to the requirement to notify parents and get their consent will apply, provided that the rule wasn’t triggered in some other way,” she writes.

How to ensure you comply: On a clearinghouse website, the FTC offers a six-step list explaining how to ensure that your privacy policy is up to date and reflects current standards. The key: step six, which encourages a reasonable effort to protect the security of children’s personal information. “Minimize what you collect in the first place,” the FTC advises. “Take reasonable steps to release personal information only to service providers and third parties capable of maintaining its confidentiality, security, and integrity. Get assurances they’ll live up to those responsibilities. Hold on to personal information only as long as is reasonably necessary for the purpose for which it was collected. Securely dispose of it once you no longer have a legitimate reason for retaining it.” If you have questions on whether your site complies, the FTC has made an email hotline available at

For organizations that fail to comply with the new rules, the fine is steep—reaching $16,000 per violation of the law.


Ernie Smith

By Ernie Smith

Ernie Smith is a former senior editor for Associations Now. MORE

Got an article tip for us? Contact us and let us know!