Child and Student Privacy

COPPA applies to:



• commercial websites that are directed to children under the age 13 or directed to a general audience if the website has actual knowledge that it’s collecting personal information on children.
• third party services that collect information from a website that collects information from children who use that website

The types of businesses that are subject to COPPA’s provisions include:

• social media platforms, including YouTube, Facebook, and Instagram
• app developers who create apps directed to children
• mobile apps that connect to the internet and collect personal information on children
• ad networks
• websites that allow children to play games online

Among other things, COPPA requires covered businesses to:



• Post a privacy policy online that clearly describes their practices for collecting personal information from children
• Expressly notify parents of those privacy practices
• Get verifiable consent from parents before collecting covered information from children
• Keep collected data confidential and secure and refrain from sharing data with third parties who are not capable of keeping it confidential and secure
• Delete data when the purpose for collecting it has been fulfilled
• Give parents access to their children’s information and the ability to delete it

COPPA’s definition of “personal information” is broad and includes the following information to the extent it relates to children under age 13:

• Names and physical addresses
• Email addresses and online contact information, including screen names and user names
• “Persistent identifiers” (data that is tied to and identifies a particular child and that’s used to track that child over time and across other websites; this includes customer numbers stored in cookies, IP addresses and the serial numbers of devices used to access the internet)
• Telephone numbers
• Social Security Numbers
• Photos, videos or audio files that contain a child’s image or voice
• Location data that could be used to determine a child’s address
• Any data collected from a child that relates to the child or the child’s parents and can be used to identify the child by combining it with other data

The Federal Trade Commission brings enforcement actions against businesses that violate COPPA and can assess civil penalties of up to $41,484 per violation. COPPA also authorizes state attorney generals to file enforcement actions against violators, although Massachusetts does not have a history of doing so.

While COPPA does not authorize private lawsuits, any business that collects children’s data in violation of its provisions should also be committing an unfair or deceptive act or practice that violates our consumer protection law. Parents or students whose COPPA rights have been violated should be entitled to file a private lawsuit for damages, including reimbursement for legal fees and costs. Chapter 93A also gives courts the power to order double or triple damages for intentional violations.



If you believe that your rights or your children’s rights under COPPA or FERPA have been violated, please contact me. We can go over the facts to see whether you have grounds for filing a lawsuit. The initial consultation is free. There’s no out-of-pocket cost for contacting me.