Fact Sheet 21:
Children’s Online Privacy:
A Resource Guide for Parents

Send to PrinterSend to Printer
Copyright © 1998-2016
Privacy Rights Clearinghouse
Posted June 1998
Revised December 2014
  1. Introduction
  2. Summary of Privacy Tips
  3. Online Marketing to Children
  4. Spam to Minors
  5. Online Privacy Resources
  6. Special Resources for Teens
  7. Directory of Organizations

 Notes:  No endorsements are implied for commercial products named in this guide.

1. Introduction

This guide discusses marketing to youth and other online privacy issues affecting children. If you are interested in safety topics, read the companion guide, Fact Sheet 21a, Children’s Online Safety.

Most children are skilled navigators of the Internet. They are very comfortable using computers and other web-enabled devices.  While the Internet offers children tremendous opportunities to explore new ideas, certain aspects of online activity can be harmful to children.

Websites and mobile apps collect significant amounts of personal information from children. By asking children to register with the site, join a kids’ club, enter a contest, or fill out a questionnaire, these sites can compile names, addresses, favorite activities and commercial products. This information then is used to create customer lists, which may be sold to brokers who, in turn, sell them to other businesses. 

Parents, teachers and other guardians cannot always be on hand to prevent children and youth from visiting web sites with harmful or objectionable content. Nor can they always be available to discuss with children what they are encountering in the online world.

The words “harmful” and “objectionable” can be interpreted in many ways. In this guide, we use these terms to also describe advertising messages and images that are highly manipulative of children. A companion guide, Fact Sheet 21a, Children’s Safety on the Internet provides resources for parents to maximize the benefits of cyberspace for children and minimize the dangers. 

2. Summary of Privacy Tips

No easy solutions exist to ensure your child has harm-free online experiences. Likewise, there are no truly effective technology-based solutions. That’s because, in the final analysis, there is no substitute for parental involvement. The best way to ensure that your children have positive online experiences is to spend time with them and ask them to show you their activities.

Here are the top tips for protecting children’s privacy online. For additional tips, read the remainder of this guide and get acquainted with the many other materials listed.

1. Read the privacy policy statements on the web sites and mobile apps visited by your children. Teach older children to do the same. Look for policies that explain what information is collected, if any, what is done with it, and how you can choose whether or not the child’s information can be collected.

2. Decide if you are going to give consent. If your child is under age 13, you must decide if you are going to give permission for web sites and mobile apps to collect personal information from them, a requirement of federal law (see Section 3). Be sure to carefully read the privacy policy and terms of service before making this decision.

3. Look for the web seal. Look for a privacy "seal of approval” on the first page, such as that of TRUSTe, www.truste.org. To display the logo, participants must agree to post their privacy policies and submit to audits of their privacy practices. Web seal programs also provide dispute resolution services. TRUSTe displays a seal especially for children under age 13.

4. Establish a contract with your youngster. Encourage your children, especially teens, to take responsibility for their online behavior by establishing a contract with them. The web guide for parents, GetNetWise, provides sample contract language, www.getnetwise.org/tools/toolscontracts.php.

5. Be aware of the risks of internet connected smart toys.  Security researchers have uncovered vulnerabilities in internet connected toys. For example, researchers have been able to gain control of dolls that respond to children’s questions and alter the doll’s responses.  Conversations recorded by toys may be accessible to hackers.  In addition, connected toys may present a risk to data security as hackers see connected toys as the weak link in a family’s home network.

6. Set family rules for online computer use. Among those suggested by the National Center for Missing and Exploited Children (www.ncmec.org and www.netsmartz411.org) are the following:

  • Tell your children never to give out identifying information such as family information, home address, school name, or phone number in chat room discussions and when visiting web sites. They shouldn't even reveal such data in private e-mail unless they know whom they are dealing with. They must also not send out personal or family photos without your permission. It’s best for children to use “screen names” that are different from their own in chat rooms.
  • Explain to children that passwords must never be given to anyone, even someone claiming to be from the online service.
  • Warn your children not to respond to messages that are threatening, suggestive, demeaning, or otherwise make you or the child uncomfortable. Tell them to report such messages to you.
  • Set reasonable usage rules, including time limits, for your child's use of the computer. Watch for excessive use of online services late at night. That could be a tip-off there is a problem.
  • Try to make online use a family activity. Keep the computer in a family room rather than the child's bedroom.
  • Get to know your children's online "friends," much as you try to get to know their other friends. Never permit a child to arrange a face-to-face meeting with another computer user without you attending at least the first meeting.
  • Explain that people online may not be who they seem to be. Someone claiming to be a 12-year old girl might actually a 40-year old man.
  • Also explain that not everything they read online may be true. Any offer that's "too good to be true" probably is.
  • Learn about the online services your child uses, including social networking sites such as Facebook. Find out about ways to steer kids to child-friendly sites. If you are a novice to online use, ask your child to show you what they do online and how to log on to online services.

3.  Online Marketing to Children

What are the privacy implications of children visiting commercial web sites?

Children are a highly marketed segment of the consumer population.  Advertisers and marketers can use the Internet to target children and gather personal information from them for marketing purposes.

When children visit commercial web sites, they might be tempted to fill out surveys, exchange personal information for gifts, register for club memberships, sign up to receive games, and give up personal information in chat rooms. After learning a child's name and favorite fictional hero, a company might send the child an e-mail message pretending to be from that “person.”  Younger children are not likely to realize the difference between fiction and reality.

Web sites and mobile apps can also be designed to invisibly gather information about children's interests.  Many opportunities exist for gathering data from children and sending them targeted messages.

What is the Children's Online Privacy Protection Act (COPPA)?

In 1998 Congress passed the Children's Online Privacy Protection Act (COPPA), which took effect in 2000. (15 U.S.C. 6501) www.ftc.gov/ogc/coppa1.htm. COPPA directed the Federal Trade Commission (FTC) to issue and enforce regulations concerning children’s online privacy. The FTC issued the Children’s Online Privacy Protection Rule, effective April 21, 2000. On December 12, 2012, the  FTC issued an amended COPPA Rule effective on July 1, 2013. 

The amended rule significantly broadened and strengthened COPPA to better reflect evolving technology and changes in the way children use and access the internet, including increased usage of smartphones and mobile devices.   

COPPA applies to operators of commercial websites and online services that are (1) directed to children under the age of 13 that collect childrens' personal information or (2) geared toward general audiences when they have “actual knowledge” they are collecting personal information from children under 13.  COPPA also applies to operators when they have “actual knowledge” they are collecting personal information from users of another site or online service directed to kids under 13.  That means that in certain circumstances, COPPA may apply to advertising networks, plug-ins, and other third parties.

It's important to note that COPPA does not require operators to investigate the age of their visitors. An operator of a general audience site or service that does choose to ask its users for their generally may rely upon that information, even if the child enters an inaccurate age.

COPPA's definition of "personal information" is broad. It includes a child's name, home or email address, telephone number, social security number, geolocation data, photos, videos, or audio of a child, any unique device identifier, or an IP address.

Websites and online services covered by COPPA must post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children. A site or app that is subject to COPPA requirements must:

  • Post a clearly written privacy policy with links to the notice provided on the home page and at each area where the site or online service collects personal information from children. COPPA dues not require that a privacy policy for a mobile app be posted in an app store at the point of download, however, the FTC encourages doing so as a best practice.
  • Describe the kinds of information collected from children, for example, name, address, e-mail address, hobbies, and age. This requirement applies to all information, not just “personal information.”
  • Explain how the information is collected – whether directly from the child and/or behind the scenes through ”cookies.”
  • Explain how the web site operator uses the personal information, such as marketing to the child or notifying contest participants, and whether it is disclosed to third parties.
  • Provide parents with contact information – address, phone number, and e-mail address – for all operators collecting or maintaining children’s personal information.
  • Obtain parental consent before collecting, using, or disclosing personal information about a child.
  • Provide parents with the ability to review, correct, and delete information about their children collected by such services.
  • Maintain reasonable procedures “to protect the confidentiality, security, and integrity of personal information collected from children.”

COPPA is a very complicated law.  It cannot be easily summarized. The FTC has issued an updated guide to complying with COPPA in April 2014.   You can also read more about the 2013 COPPA changes at http://business.ftc.gov/blog/2012/12/ftcs-revised-coppa-rule-five-need-know-changes-your-business.

Also useful is the FTC's guide Children's Online Privacy Protection Rule: Not Just for Kids' Sites at http://business.ftc.gov/documents/alt046-childrens-online-privacy-protection-rule-not-just-kids-sites.  Finally, read Guide to Compliance with the Amended Children’s Online Privacy Protection Act (COPPA) Rule in the National Law Review (June 28, 2013) at http://www.natlawreview.com/article/guide-to-compliance-amended-children-s-online-privacy-protection-act-coppa-rule.


What can I do if I suspect that a web site is violating COPPA?

If you think a web site or online service is not complying with COPPA, file a complaint with the Federal Trade Commission:

If the web site or online service is a member of a seal programs such as TRUSTe, you can also complain to those organizations. Their contact information is at the end of this guide.

The FTC will accept emailed questions about COPPA at CoppaHotLine@ftc.gov

Is software available that will prevent my children from transmitting their personal information to web sites?

Yes, although it is not entirely effective. The primary purpose of “parental-control” software, also known as filtering software, is to block objectionable content such as pornography. Several software programs can also be used to block the outgoing transmission of children's personally identifying information, such as names, addresses, and telephone numbers. These programs can also block the use of online chat systems and Instant Messaging (IM).

To learn more about the many filtering products available to parents, conduct a search on the words “parental control software” on a search engine such as Google. Also, visit the GetNetWise site, www.getnetwise.org. PRC Fact Sheet 21a, Children’s Online Safety provides further information on filtering.

What is the Child Online Protection Act (COPA)?

The Child Online Protection Act (COPA), 47 USC §231, was passed by Congress in 1998. COPA, which should not be confused with the Children’s Online Privacy Protection Act (COPPA), aimed to stop Internet access to material vaguely characterized as harmful to minors. In the ten years since its enactment, COPA has faced repeated court challenges as an unconstitutional violation of free speech.

On January 21, 2009, the U.S. Supreme Court struck the death blow to COPA when it declined to hear lower court challenges that ruled COPA unconstitutional. For a discussion of COPA and its tortured history, visit  www.eff.org/deeplinks/2009/01/copa .

4. Spam to Minors

Is there a law that prohibits unwanted spam?

The CAN-SPAM Act, effective in 2004, contains provisions that may help parents concerned by the amount of inappropriate e-mail their children receive. The law is primarily aimed at eliminating deceptive unsolicited commercial e-mail, but also addresses the problem of sexually oriented, unsolicited e-mail. 

The act requires that e-mail messages that contain sexually explicit material be so labeled in the subject line. The FTC requires that the text “Sexually-Explicit” be printed at the beginning of the subject line. In turn, concerned parents can use filtering techniques to block e-mail that contains that required text. 

Further, the sexually oriented e-mail must contain an opening page with a clear and conspicuous option to not receive any more e-mail from the sender and a legitimate physical address of the sender. The opener page, called a “virtual brown wrapper” by some, cannot contain any graphic material, but instead may contain a link to the sexually oriented material.

Violation of these rules can be reported to the FTC or to your state’s Attorney General.  Violations of the act will result in fines under Title 18, imprisonment of no more than five years, or both.

It remains to be seen if the law will be effective in labeling sexually oriented spam and enable individuals to prevent it from appearing in the computer’s in-box. Visit the Spam Laws web site for more information, www.spamlaws.com/state/index.shtml (no endorsements implied).

5. Online Privacy Resources

Numerous agencies and organizations provide brochures and other resources about Internet privacy and safety, both online and in paper form. To order paper copies, see the postal addresses and phone numbers at the end of this guide.

6. Special Resources for Teens

The Children’s Online Privacy Protection Act (COPPA), discussed in Section 3, requires parental consent before web sites can collect data from children. But the law only protects those under age 13. The lives of many teens are closely intertwined with the electronic culture offered by commercial web sites and by Internet services like social networking, Instant Messaging and music sharing.

Teens are both shaping and being shaped by their immersion in the digital culture. Marketing to teens is rampant on the Internet. It is common practice for Internet services aimed at teens to offer free products and services in exchange for personal information. 

For general information about online shopping, see our Fact Sheet 23, www.privacyrights.org/fs/fs23-shopping.htm.

For a frank discussion of "cyber street smarts" for youth, visit the web site of CyberAngels, www.cyberangels.org. Its resources offer no-nonsense tips on a variety of topics that are relevant to teens, including dating services, cyberstalking, e-mail privacy, and the dangers of filesharing. 

NetSmartz411, an online service by the National Center for Missing and Exploited Children, answers parents’ questions involving online activities of children and youth. (www.netsmartz411.org)

7. Directory of Organizations

  • American Civil Liberties Union. 125 Broad Street, 18th Floor, New York, NY 10004. DC office: 1400 20th St., NW, Suite 119, Washington, DC 20036. Phone: (202) 457-0800. Web: www.aclu.org
  • American Library Association. 50 E. Huron St., Chicago, IL 60611. Phone: (312) 944-6780 and (800) 545-2433.  Web: www.ala.org
  • Electronic Frontier Foundation. 454 Shotwell St., San Francisco, CA 94110. Phone: (415) 436-9333. Web: www.eff.org
  • Electronic Privacy Information Center. 1718 Connecticut Ave. NW Suite 200, Washington, DC 20009. Phone: (202) 483-1140. Web: www.epic.org
  • Federal Trade Commission, Consumer Protection Bureau. 600 Pennsylvania Ave. NW, Washington, DC 20580. Phone: (877) 382-4357 or (877) FTC-HELP. Web: www.ftc.gov
  • Internet Education Foundation and GetNetWise, 1634 Eye Street NW, Washington, DC 20009, Web: www.GetNetWise.org

  • National Center for Missing and Exploited Children. 699 Prince St., Alexandria, VA 22314. Phone: (703) 274-3900. Hotline: (800) 843-5678. Web: www.ncmec.org
  • TRUSTe. 685 Market Street, Suite 270, San Francisco, CA 94105. Phone: (415) 520-3400. Web: www.truste.org
Content type: 
Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.