FTC Updates COPPA Compliance Plan for Business

The Federal Trade Commission has updated its Compliance Plan guidance under the Children’s Online Privacy Protection Act (COPPA) to address:

  • New business models. As technologies evolve, companies have new ways of collecting data, some of which may affect your obligations under COPPA. Just one example: voice-activated devices that collect personal information. If your clients change how they do business, are they keeping up with COPPA?
  • New products covered by COPPA. COPPA applies not only to websites and mobile apps. The law also can apply to the growing list of connected devices that make up the Internet of Things. That includes connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.
  • New methods for getting parental consent. Getting parents’ permission before collecting personal information online from kids under 13 has always been a key component of COPPA. The revised Compliance Plan discusses two newly approved methods for getting parental consent: asking knowledge-based authentication questions and using facial recognition to get a match with a verified photo.

In general, the 6-Step Plan includes:

  1. Determine if your company is a website or online service that collects personal information from kids under 13.
  2. Post a privacy policy that complies with COPPA.
  3. Notify parents directly before collecting personal information from their kids.
  4. Get parents’ verifiable consent before collecting personal information from their kids.
  5. Honor parents’ ongoing rights with respect to personal information collected from their kids.
  6. Implement reasonable procedures to protect the security of kids’ personal information.

The full plan is below.