Overview of the Standard
The Children's Online Privacy Protection Act (COPPA) is a United States federal law enacted in October 1998 and enforced by the Federal Trade Commission (FTC) through the COPPA Rule, which first took effect in April 2000. COPPA imposes specific requirements on operators of commercial websites and online services directed to children under 13, and on operators with actual knowledge that they are collecting personal information from children under 13.
COPPA requires operators to post a clear privacy policy, obtain verifiable parental consent before collecting data, give parents the right to review and control their child's data, and maintain reasonable data security measures. The FTC actively enforces COPPA and imposes substantial civil penalties, including a record $275 million penalty against Epic Games in 2022. Major amendments finalized in January 2025 strengthen protections around targeted advertising, data retention, and third-party disclosures, with full compliance required by April 2026.
Under-13 Protection
Imposes requirements on operators of websites and online services directed to children under 13 or that knowingly collect personal information from children under 13.
Verifiable Parental Consent
Requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
FTC Enforcement
The FTC actively enforces COPPA with civil penalties up to $53,088 per violation. The record penalty was $275 million against Epic Games in 2022.
Core COPPA Requirements
- Post a clear, comprehensive online privacy policy
- Provide direct notice to parents before collecting data
- Obtain verifiable parental consent before collection
- Allow parents to review and delete child data
- Limit data collection to what is reasonably necessary
- Maintain reasonable data security procedures
- Meet data retention and deletion requirements
- Participate in safe harbor programs for self-regulation
Who Needs to Comply?
Operators of commercial websites and online services (including apps, games, and connected devices) directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13.
Key Requirements
Privacy Policy
Operators must post a clear, comprehensive privacy policy describing information practices for children's personal information, including types of data collected, how it is used, and disclosure practices.
Verifiable Parental Consent
Must obtain verifiable parental consent before collecting, using, or disclosing personal information from children. Methods include signed consent forms, credit card verification, video conferencing, and government ID checks.
Data Minimization
Operators may not condition a child's participation in activities on the collection of more personal information than is reasonably necessary for that activity.
Data Security Program
Establish and maintain a written information security program with reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
Parental Access Rights
Parents must be able to review personal information collected from their child, have it deleted, and refuse further collection or use.
Penalties & Enforcement
Civil penalties up to $53,088 per violation. The FTC secured a record $275 million COPPA penalty against Epic Games (Fortnite) in December 2022. Penalties consider the severity of violations, number of children affected, and company size.