Standard Overview
The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law enacted in 1998 and enforced by the Federal Trade Commission (FTC) that protects the online personal information of children under 13. It requires operators of websites and online services directed to children, or operators with actual knowledge that they are collecting personal information from children under 13, to obtain verifiable parental consent before collecting, using, or disclosing a child's personal information. The COPPA Rule first took effect in April 2000, underwent a major revision in 2013, and the latest rule update was published in January 2025.
The 2025 COPPA amendments strengthen the protection of children's privacy. The main changes include: expanding the definition of "personal information" to cover biometric identifiers and precise geolocation data; restricting the use of push notifications; strengthening data retention and deletion requirements; and introducing stricter limits on third-party data sharing. Operators must publish a clear and comprehensive privacy policy, provide direct notice to parents, obtain verifiable parental consent (methods include signed forms, credit card verification, video calls, and others), allow parents to review and delete information, and maintain reasonable data security procedures. The FTC may impose civil penalties of up to $53,088 per violation on non-compliant businesses. Major recent enforcement cases include a $275 million penalty against Epic Games (Fortnite) and penalties of more than $30 million against Amazon (Alexa/Ring).
Under-13 Protection
Imposes requirements on operators of websites and online services directed to children under 13 or that knowingly collect personal information from children under 13.
Verifiable Parental Consent
Requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
FTC Enforcement
The FTC actively enforces COPPA with civil penalties up to $53,088 per violation. The record penalty was $275 million against Epic Games in 2022.
Core COPPA Requirements
- Post a clear, comprehensive online privacy policy
- Provide direct notice to parents before collecting data
- Obtain verifiable parental consent before collection
- Allow parents to review and delete child data
- Limit data collection to what is reasonably necessary
- Maintain reasonable data security procedures
- Comply with data retention and deletion requirements
- Participate in safe harbor programs for self-regulation
Who Needs to Comply?
Operators of commercial websites and online services (including apps, games, and connected devices) directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13.
Key Requirements
Privacy Policy
Operators must post a clear, comprehensive privacy policy describing information practices for children's personal information, including types of data collected, how it is used, and disclosure practices.
Verifiable Parental Consent
Must obtain verifiable parental consent before collecting, using, or disclosing personal information from children. Methods include signed consent forms, credit card verification, video conferencing, and government ID checks.
Data Minimization
Operators may not condition a child's participation in activities on the collection of more personal information than is reasonably necessary for that activity.
Data Security Program
Establish and maintain a written information security program with reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
Parental Access Rights
Parents must be able to review personal information collected from their child, have it deleted, and refuse further collection or use.
Penalties & Enforcement
Civil penalties up to $53,088 per violation. The FTC secured a record $275 million COPPA penalty against Epic Games (Fortnite) in December 2022. Penalties consider the severity of violations, number of children affected, and company size.