Study Guide: Certified Information Privacy Professional (CIPP): US - Children's Online Privacy Protection Act, COPPA, Verifiable Parental Consent
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-childrens-online-privacy-protection-act-coppa-verifiable-parental-consent

Certified Information Privacy Professional (CIPP): US - Children's Online Privacy Protection Act, COPPA, Verifiable Parental Consent

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

Verifiable Parental Consent is the cornerstone of the Children's Online Privacy Protection Act (COPPA). Any operator of a website or online service that is directed to children under 13, or that has actual knowledge it is collecting personal information from a child under 13, must obtain consent from a parent (or legal guardian) through a method reasonably calculated to confirm that the person giving it really is the parent, and must do so before the data is collected, used, or disclosed. Without that consent the operator cannot lawfully gather names, email addresses, geolocation, persistent identifiers, or any other personal information from a child.

Real-world example: A popular mobile game marketed to kids asks for a player's email to "save progress." Because the player is 11 years old, the game must first route the request through a consent screen that lets a parent confirm, via a credit-card transaction, a signed consent form, or a government-issued ID check, that they approve the collection of the child's email address.


Key Terms & Provisions

  • COPPA (Children's Online Privacy Protection Act) – U.S. federal law (15 U.S.C. §§ 6501–6506), implemented by the FTC's COPPA Rule (16 CFR Part 312). Applies to operators of websites or online services directed to children under 13, and to general-audience operators that have actual knowledge they are collecting personal information from a child under 13.
  • Personal Information (PI) under COPPA – Individually identifiable information collected from a child, e.g., name, home address (street name and city), online contact information (email, or a screen name that works as contact information), phone number, Social Security number, geolocation precise enough to identify street and city, a photo, video, or audio file containing the child's image or voice, and persistent identifiers (cookies, device IDs, IP addresses) that can recognize a user over time and across services.
  • Verifiable Parental Consent – A method "reasonably calculated, in light of available technology" to ensure the person providing consent is the child's parent. Methods the Rule lists (16 CFR 312.5(b)(2)): a signed consent form returned by mail, fax, or electronic scan; a credit/debit card or other online payment transaction that notifies the account holder; a call to a toll-free number staffed by trained personnel; a video conference with trained personnel; a government-issued ID checked against a database and then deleted; and, only where the PI is used internally and never disclosed, "email plus" (email consent followed by a delayed confirming email, letter, or call). The list is not exhaustive; the FTC has approved further methods on application, such as knowledge-based authentication questions.
  • Operator – The entity that owns or controls the website or online service, or on whose behalf PI is collected (roughly the "controller" in GDPR terminology). A third party such as an ad network or plug-in is also an operator when it has actual knowledge it is collecting PI through a child-directed service. The operator, not the parent or child, is responsible for compliance.
  • Child-Directed Site/Service – A service intended for children, judged on factors such as subject matter, visual content, animated characters, music, age of models, and advertising (e.g., a cartoon streaming platform). A general-audience service that collects PI from a known child (e.g., a social-media app that admits 12-year-olds) is covered through the actual-knowledge prong instead.
  • Notice Requirements – Before collecting PI, operators must post a clear, concise privacy policy on the home page and at each collection point, explaining what data is collected, how it is used, with whom it is shared, and the parent's rights (review, delete, refuse further collection or use). A direct notice must also be sent to the parent when consent is sought.
  • Data Retention & Deletion – PI collected from children may be retained only as long as reasonably necessary to fulfill the purpose for which it was collected; it must then be deleted using reasonable measures to prevent unauthorized access during deletion.
  • Security Measures – Reasonable administrative, technical, and physical safeguards must protect the confidentiality, security, and integrity of children's PI (e.g., encryption in transit and at rest, least-privilege access, regular security testing), and PI may be released only to service providers capable of maintaining those protections.
  • Enforcement & Penalties – Violations are enforced by the FTC (and by state attorneys general) as unfair or deceptive practices, with civil penalties assessed per violation and adjusted for inflation every year. The $43,280 figure often quoted is the 2020 amount; the ceiling has risen each year since, so check the FTC's current civil-penalty schedule before citing a number.
  • Safe Harbor – FTC-approved self-regulatory programs (e.g., CARU, ESRB Privacy Certified, kidSAFE, PRIVO) that certify members' compliance. Participation is voluntary; a certified operator is subject to the program's review and discipline in the first instance rather than direct FTC investigation, but the underlying obligations are unchanged.

Step-by-Step Process for Obtaining Verifiable Parental Consent

  1. Identify Child Users – For a child-directed service, treat every user as a child; an age screen does not change that. For a general-audience or mixed-audience service, use a neutral age screen (ask for a birth date or age without signalling that under-13 answers are rejected) and treat anyone who self-identifies as under 13, or whom other signals reveal to be under 13, as a child.
  2. Present the COPPA Notice – Before any collection, post the online privacy policy and send the parent a direct notice in plain language describing the PI to be gathered, its purpose, whether it will be disclosed, and the parent's rights.
  3. Select a Verifiable Consent Method – Choose a method from 16 CFR 312.5(b)(2) (signed form, credit/debit card transaction, toll-free call, video conference, government-ID check, or an FTC-approved method such as knowledge-based authentication). The FTC applies a sliding scale: "email plus" is acceptable only when the PI stays internal; disclosure to third parties or public posting requires one of the more reliable methods.
  4. Collect and Store Consent Evidence – Record the parent's consent (timestamp, method used, the parent's IP address or contact details, and the exact notice and consent text shown) in a secure, tamper-evident log, and keep the record for at least as long as the child's PI is retained.
  5. Proceed with Data Collection – Only after consent is on record may the operator collect, use, or disclose the child's PI, and only within the scope described in the notice. (Narrow exceptions in the Rule allow, for example, collecting a parent's contact information in order to seek consent, or a one-time response to a child's request after which the information is deleted.)
  6. Maintain Ongoing Rights Management – Give parents a way to review the PI collected, have it deleted, and refuse further collection or use at any time; act on such requests promptly (the Rule sets no fixed number of days), and delete the child's PI once consent is withdrawn.
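Steps 3 to 6 describe controls that have to be enforced in code: a consent decision that respects the sliding scale, a consent record that cannot be quietly edited, and a revocation that actually leads to deletion. The following is an added example of how a practitioner might implement that core; it is not code from the page, the FTC, or any vendor. The method names, event shapes, the 'internal'/'disclose' purpose vocabulary, the HMAC key, and the sample records are assumptions made for illustration; the set of consent methods mirrors the list in 16 CFR 312.5(b)(2).

```python
# Consent gate plus tamper-evident consent ledger for steps 3-6 of the flow above.
# Added example, not code from the page, the FTC or any vendor. Method names, event shapes,
# the 'internal'/'disclose' purpose vocabulary, the HMAC key and the sample records are
# assumptions made for illustration; the method set mirrors 16 CFR 312.5(b)(2).
import hashlib
import hmac
import json
from typing import Optional

# "email_plus" (email consent plus a delayed confirming step) counts only when the
# operator keeps the child's PI internal and never discloses it (the FTC's sliding scale).
DISCLOSURE_GRADE = {"signed_form", "payment_card", "toll_free_call",
                    "video_conference", "government_id", "knowledge_based_auth"}
INTERNAL_ONLY = {"email_plus"}
CHAIN_SEED = "0" * 64  # "previous MAC" for the first ledger entry


class ConsentLedger:
    """Step 4: append-only consent log. Each entry carries HMAC-SHA256 over
    (previous MAC || canonical JSON of the event) under a server-held key, so an
    edited, deleted or reordered record makes verify() fail."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries = []  # list of {"prev": str, "event": dict, "mac": str}

    def _mac(self, prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> str:
        prev = self._entries[-1]["mac"] if self._entries else CHAIN_SEED
        mac = self._mac(prev, event)
        self._entries.append({"prev": prev, "event": event, "mac": mac})
        return mac

    def verify(self) -> bool:
        prev = CHAIN_SEED
        for entry in self._entries:
            expected = self._mac(prev, entry["event"])
            if entry["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def current_method(self, child_id: str) -> Optional[str]:
        """Consent method now on record for the child, or None if never given or revoked."""
        method = None
        for entry in self._entries:
            ev = entry["event"]
            if ev["child_id"] != child_id:
                continue
            if ev["type"] == "consent":
                method = ev["method"]
            elif ev["type"] == "revoke":
                method = None
        return method

    def pending_deletions(self) -> set:
        """Step 6 backlog: children whose consent was revoked with no later 'deleted' event."""
        pending = set()
        for entry in self._entries:
            ev = entry["event"]
            if ev["type"] == "revoke":
                pending.add(ev["child_id"])
            elif ev["type"] == "deleted":
                pending.discard(ev["child_id"])
        return pending


def may_process(ledger: ConsentLedger, child_id: str, purpose: str) -> bool:
    """Step 5 gate, called before any collection, use or disclosure of a child's PI.
    purpose is 'internal' (operator's own use) or 'disclose' (sharing with third parties)."""
    method = ledger.current_method(child_id)
    if method is None:
        return False
    if purpose == "disclose":
        return method in DISCLOSURE_GRADE
    return method in DISCLOSURE_GRADE or method in INTERNAL_ONLY


def demo() -> dict:
    """Runs the flow over constructed records and returns every decision for inspection."""
    ledger = ConsentLedger(key=b"server-side-secret-kept-out-of-the-db")  # assumed key
    ts = "2024-05-01T12:00:00Z"  # constructed timestamp; IPs are RFC 5737 test addresses
    ledger.append({"type": "consent", "child_id": "c1", "method": "email_plus", "ts": ts,
                   "parent_ip": "203.0.113.7", "notice_version": "v3"})
    ledger.append({"type": "consent", "child_id": "c2", "method": "payment_card", "ts": ts,
                   "parent_ip": "198.51.100.9", "notice_version": "v3"})
    out = {
        "c1_internal": may_process(ledger, "c1", "internal"),  # True
        "c1_disclose": may_process(ledger, "c1", "disclose"),  # False: email-plus is internal-only
        "c2_disclose": may_process(ledger, "c2", "disclose"),  # True
        "c3_internal": may_process(ledger, "c3", "internal"),  # False: nothing on record
    }
    ledger.append({"type": "revoke", "child_id": "c2", "ts": ts, "parent_ip": "198.51.100.9"})
    out["c2_after_revoke"] = may_process(ledger, "c2", "internal")  # False
    out["deletion_backlog"] = sorted(ledger.pending_deletions())    # ["c2"]
    out["chain_ok"] = ledger.verify()                               # True
    ledger._entries[2]["event"]["type"] = "consent"  # insider quietly edits the revocation away
    out["chain_ok_after_edit"] = ledger.verify()                    # False
    return out
```

Two design points matter here. The gate takes the purpose as an argument because the same consent record authorizes internal use but not disclosure when the method was "email plus"; a gate that only checks "consent exists" would pass data to an ad partner the parent never approved. The ledger chains an HMAC rather than a plain hash so that an attacker who can rewrite the database cannot simply recompute the chain; the key has to live outside the data store (an HSM or a secrets manager) for that to hold, and the ledger still needs encryption at rest and access controls, since integrity is not confidentiality.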

Common Mistakes

  • Mistake: Assuming "opt-out" satisfies COPPA, e.g. a "no tracking" checkbox.
    Correction: COPPA is opt-in. Affirmative, verifiable parental consent must be obtained before any PI is collected from a child.
  • Mistake: Relying on a single confirmation link sent to the parent's email.
    Correction: A bare email confirmation is not a listed method. "Email plus" (email consent followed by a delayed confirming email, letter, or call) is allowed only when the PI stays internal; if the PI will be disclosed or made public, use a signed form, payment-card transaction, toll-free call, video conference, or government-ID check.
  • Mistake: Applying COPPA only to "children's sites."
    Correction: COPPA also applies whenever you have actual knowledge that you are collecting PI from a child, including on a general-audience site (e.g., a gaming platform that admits 12-year-olds), and to third parties such as ad networks that know they collect PI through a child-directed service.
  • Mistake: Storing consent records in an unencrypted spreadsheet.
    Correction: Consent records contain parents' and children's PI and are your evidence of compliance; protect them with encryption at rest, access controls, and an integrity mechanism so they cannot be silently altered.
  • Mistake: Failing to delete data after a parent revokes consent.
    Correction: Implement a deletion workflow that removes the child's PI from every system that holds it without unreasonable delay once consent is withdrawn, and records that the deletion was carried out.

CIPP Exam Insights

  1. Scope vs. Targeting – The exam often asks whether COPPA applies to a site that does not market to children but learns it has collected a 12-year-old's email. Remember: actual knowledge + collection = coverage. An operator that merely lacks an age screen and has no knowledge of a user's age is not covered unless the service is child-directed.
  2. Verifiable Consent Methods – Expect a question listing several consent options; pick the one the Rule explicitly lists (signed form, payment-card transaction, toll-free call, video conference, government-ID check), and watch for "email plus," which counts only when the PI is used internally.
  3. Child-Directed vs. Mixed vs. General Audience – Child-directed services must treat all users as children; "mixed-audience" services (child-directed, but also appealing to older users) may age-screen and apply COPPA only to the under-13s; general-audience services are covered only through actual knowledge.
  4. Interaction with State Laws – COPPA expressly preempts inconsistent state law (15 U.S.C. § 6502(d)), but states may add obligations that do not conflict. California, for example, requires opt-in consent before selling the personal information of consumers under 16 (parental consent under 13) under the CCPA, and gives minors under 18 a right to remove content they posted. Expect a question on whether a given state rule conflicts with COPPA or supplements it.

Quick Check Questions

  1. Scenario: A free-to-play app for kids under 13 asks for a child's name and email to create an account. The app displays a privacy notice and sends a confirmation link to the parent's email.
    Answer: Not sufficient as described. A single confirmation link is not a listed method, and the account must not be created until consent is on record. Because the PI is used internally (account creation), the operator could rely on "email plus" by adding a delayed confirming email, letter, or call; if the child's email were disclosed to third parties, a more reliable method (signed form, card transaction, toll-free call, video conference, or ID check) would be required.

  2. Scenario: A news website includes a comment section that allows users to post without logging in. A 12-year-old posts a comment that includes their hometown. The site has no age gate.
    Answer: COPPA is not triggered on these facts. The site is general-audience, and with no age screen and no other indication of the poster's age it lacks actual knowledge. A town name on its own is also not PI under the Rule, which covers a physical address including street name and city, or geolocation precise enough to identify both. If the comment itself revealed the poster's age, or the site otherwise learned it, the operator would gain actual knowledge and would then have to obtain verifiable parental consent or delete the information.

  3. Scenario: A toy manufacturer's website offers a "create your avatar" game for children. The site uses a credit-card transaction to verify parental consent before any data is captured.
    Answer: Compliant, provided the transaction generates a notification to the account holder, as the Rule requires for this method. A credit-card transaction with notification is a listed verifiable consent method, and it is obtained before collection.


Last-Minute Cram Sheet (10 One-Liners)

  1. 16 CFR § 312.5(a)(1) – Verifiable parental consent is required before any collection, use, or disclosure of PI from children under 13.
  2. Verifiable Methods (§ 312.5(b)(2)) – Signed form (mail, fax, or scan), credit/debit card or online-payment transaction with notification, toll-free call, video conference, government-ID check, plus FTC-approved additions such as knowledge-based authentication; "email plus" only for internal use.
  3. Penalty – Civil penalties per violation, adjusted annually for inflation ($43,280 was the 2020 figure; check the current FTC schedule).
  4. Notice Timing – Online privacy policy posted, and direct notice sent to the parent, before any PI collection.
  5. Retention Rule – Keep child PI only as long as reasonably necessary for the stated purpose, then delete securely.
  6. Security Standard – "Reasonable" safeguards for confidentiality, security, and integrity: encryption, limited access, regular testing, and release only to service providers that can maintain the same protections.
  7. FTC Safe Harbor – Voluntary, FTC-approved self-regulatory programs; membership does not remove the underlying obligations.
  8. Scope Trigger – Operating a child-directed service, or having actual knowledge that you collect PI from a child, = COPPA applies.
  9. Parent Rights – Review the child's PI, have it deleted, and refuse further collection or use at any time; the operator must respond promptly (the Rule sets no fixed number of days).
  10. Exam Trap – "A single email confirmation = verifiable consent" is false; a bare email link is not a listed method, and "email plus" works only when the PI stays internal.

Ready to ace the exam? Memorize the consent methods and the sliding scale, keep the "child-directed, or actual knowledge + collection = coverage" rule front and center, and practice spotting the difference between a simple privacy notice and a full COPPA-compliant consent flow. Good luck!