First, COPPA and the FTC’s implementing regulations prohibit covered operators from collecting or using “personal information” from children under the age of thirteen without first obtaining parental consent. Such consent must be “verifiable” and must occur before the information is collected. Second, covered operators must provide parents with direct notice of their privacy policies, describing their data collection and sharing policies. Covered operators must further post a “prominent and clearly labeled link” to an online notice of their privacy policies at the home page of their website and at each area of the website in which they collect personal information from children. Lastly, covered operators that have collected information from children must establish and maintain “reasonable procedures” to protect the “confidentiality, security, and integrity” of the information, including ensuring that the information is provided only to third parties that will similarly protect the information. They must also comply with certain data retention and deletion requirements. Under COPPA’s safe harbor provisions, covered operators will be deemed to have satisfied these requirements if they follow self-regulatory guidelines the FTC has approved.
COPPA provides that violations of the FTC’s implementing regulations will be treated as “a violation of a rule defining an unfair or deceptive act or practice” under the FTC Act. Under the FTC Act, as discussed in more detail below, the FTC has the authority to enforce violations of such rules by seeking penalties or equitable relief. COPPA also authorizes state attorneys general to enforce violations affecting residents of their states. COPPA does not contain any criminal penalties or any provision expressly providing a private right of action.