Protecting Kids' Information Under The Coppa Cabana


In August 2017, Disney and three of its software developer vendors were sued in a class action in California in which it was alleged that Disney collected children’s information in violation of the Children's Online Privacy Protection Act of 1998 (COPPA). In May 2011, a Disney subsidiary, Playdom, agreed to pay a $3M settlement to the FTC for the same practices. This was a settlement, which implies that an award could have been much greater had it gone to trial. The bottom line is that even Disney, which claims to have a robust compliance program and would presumably have the resources to ensure compliance, has been brought to task under COPPA. Joe Leibowitz, then chairman of the FTC, stated:

“Let’s be clear: Whether you are a virtual world, a social network, or any other interactive site that appeals to kids, you owe it to parents and their children to provide proper notice and get proper consent. It’s the law, it’s the right thing to do, and, as today’s settlement demonstrates, violating COPPA will not come cheap.”


COPPA is a federal statute that governs the collection of information from children under the age of 13. Among other things, COPPA requires a website operator to provide notice on the website as to what information is collected, how the information is used, and the operator’s disclosure practices. Importantly, the website operator is required under the statute to obtain verifiable parental consent for the collection, use or disclosure of personal information from children. Website operators are required to provide, upon request of a parent, a description of the specific types of personal information collected from the child, the opportunity for the parent to refuse future collection, and a reasonable means for the parent to obtain the actual information collected from that child.

COPPA also prohibits website operators from conditioning a child's participation in a game, the offering of a prize, or another activity for which the child would disclose more personal information than is reasonably necessary to participate. Further, website operators are required to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Geolocation and IP addresses fall under the statute.

If you think that your product or service does not fall under COPPA because it is not a “website”, you could be in for a surprise. The Internet of Things, for example, provides significant opportunity for the collection of information from children under 13. This also is true for smart toys and other web-enabled devices. The increasing monetization of collected data, and the continuously improving systems for exploiting and mining such information, has led to a tremendous incentive to build data collection into seemingly innocent apps and web-enabled hardware.

COPPA is enforced in the United States by the Federal Trade Commission (FTC). Yes, the FTC actively enforces COPPA and has jurisdiction to prosecute lawsuits to enforce it. And, by the very nature of the subject matter being online services, the FTC can and does conduct monitoring operations by simply browsing the Internet.

Bottom line…

If you operate or are considering operating any website that may collect information from children, you would be well advised to establish COPPA compliance procedures. As is true for most regulatory matters, compliance on the front end is almost always less expensive than fixing non-compliance on the back end. If you have received an FTC letter or email asking for information about COPPA compliance, be aware that this often signals that an investigation has already begun. This is generally the first step in the FTC enforcement process. FTC investigations can sometimes be handled and closed confidentially before they proceed to a lawsuit, but only if they are timely and properly addressed. Engaging qualified counsel may save significant trouble and expense.

This article is for informational purposes only and does not provide legal advice. Please do not act or refrain from acting based on anything you read here. Please review the full disclaimer for more information. Relying on the information provided in this article or communicating with Lowndes through our website does not create an attorney/client relationship.

Related Expertise

Jump to Page

We use cookies on our website to improve functionality and collect statistical information on our website traffic. For details on how we use cookies, please see our Privacy Policy. By using this website, you agree to our Privacy Policy and Terms of Use

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. This type of cookie does not collect any personally identifiable information about you and does not track your browsing habits. You may disable necessary cookies by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies (also known as performance cookies) help us improve our website by collecting and reporting information on its usage at an aggregate level. You may disable analytical cookies by clicking on the Manage Cookies button.