  • Robert Stines

Protecting Children's Privacy Online

Children today are digital natives. They do homework, read books, talk to friends, play games and watch videos online. Personally, I want my children to be tech savvy and use the Internet, but I am concerned that my children's first introduction to the "birds and the bees" will be through a YouTube video. Or that my children will be forced into premature maturity through unfiltered online content. I am also concerned about unscrupulous characters who try to take advantage of children online.

In general, children do not understand what data is being collected about them or how it can be used against them. Children, who are so trusting and gullible, can easily fall victim to criminal behavior online.

Parents, like myself, need to be the first line of defense by installing filtering software on children's computers and mobile devices. Some software and online platform companies understand parents' concerns and have launched family-friendly products to filter websites and monitor children's online activity (e.g., Google, Microsoft and Apple). There are also laws to protect the privacy of children online.


The Children's Online Privacy Protection Act (COPPA) was enacted to protect children's use of the Internet. The primary goal of COPPA is to place parents in control over what information is collected from their children.  It was designed to protect children under age 13. 

The Act applies to operators of commercial websites and online services (including mobile apps) that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

Examples of online services include services that allow users to play network-connected games, engage in social networking activities, purchase goods or services online, receive online advertisements, or interact with other online content or services.

Operators covered by the Act must:

  • Post a clear online privacy policy describing their information practices for personal information collected online from children;

  • Provide direct notice to parents and obtain parental consent, with limited exceptions, before collecting personal information from children;

  • Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);

  • Provide parents with access to their child's personal information to review and/or have the information deleted;

  • Give parents the opportunity to prevent further use or collection of a child's personal information; and,

  • Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security.

A court can hold operators who violate the Act liable for civil penalties of up to $41,484 per violation. The amount of civil penalties a court assesses may hinge on a number of factors.

To be clear, COPPA was not designed to protect children from viewing particular types of content. 

Furthermore, no law will totally prevent abuse of children's personal information online. To be safe, parents should probably become engaged in their children's online activity and do some research on technological safeguards.

Companies Should Comply with COPPA

Companies both large and small need to be aware of, and comply with, COPPA.

To comply with the Act, companies should determine:

  • what information is collected,

  • whether the information is from children under the age of 13,

  • how the information is collected,

  • how it is used,

  • whether the information is necessary for the company's activities,

  • whether the company has adequate mechanisms for providing parents with notice and obtaining verifiable consent,

  • whether the company has adequate methods for parents to review and delete their children’s information, and

  • whether the company has adequate data security, retention, and deletion practices.

If a company violates COPPA, the FTC and state attorneys general may prosecute and enforce the Act - not something any company should want to experience.

Robert Stines Cyber Law Attorney

