COPPA

  1. I. Overview

Helping kids explore technology safely is one of Microsoft’s top goals. We firmly believe that children are an important part of our user ecosystem, whether they’re playing Minecraft, chatting with their grandparents on Skype, or watching Peppa Pig on a Surface Book. We also believe it is important that parents and guardians have suitable safeguards available. That’s why Microsoft has a longstanding commitment to the Children’s Online Privacy Protection Act and similar regulations across the globe.

II. COPPA:  Children’s Online Privacy Protection Act (15 U.S.C. § 6501)

Background: The Children’s Online Privacy Protection Act (COPPA) was passed by Congress in 1998 and took effect in April 2000. It was revised by the FTC, effective July 1, 2013.

Purpose: COPPA was passed to protect the privacy of children under the age of 13 and is intended to give parents control over what information websites can collect from their children.

§ 312.1 Scope of Regulations: This section prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.

How does COPPA work?: COPPA requires a parent or guardian receive notice and give consent before a child can access a website or online service that requires the child to provide personal information.  Before the child can access the site, download the app, etc., the parent should get a plain language notice about what information the site will collect, how it will use the information, and how the parent can provide their consent – some sites may ask the parent to send back a permission slip, call a toll-free number, etc.  If the parent gives their consent to collect personal information, the operator has a legal obligation to keep it secure.

III. Who does COPPA apply to?  

(1) Websites or online services[1] directed to children under 13 that collect personal information from them;

(2) Websites or online services directed to a general audience, where the operator has “actual knowledge”[2] that it is collecting personal information from a child under 13; or

(3) An operator runs a third-party service like an ad network or plug-in, and the operator is collecting information from users of a site or service directed to children under 13.

COPPA applies only to commercial websites and online services; not to nonprofit entities that are otherwise exempt from coverage under Section 5 of the FTC Act.  Foreign-based websites and online services that are directed to children in the U.S. or that knowingly collect personal information from children in the U.S. must also comply with COPPA.

IV. COPPA’s Requirements

COPPA requires that covered websites and online services post privacy policies, provide parents with direct notice of their information practice, and get verifiable consent from a parent or guardian before collecting personal information from children.  Microsoft meets all of these requirements.


[1] Online Service: Broadly covers any service available over the Internet, or that connects to the Internet or a wide-area network (includes mobile apps, social networks, network-connecting gaming, etc.).

[2] Actual Knowledge: An operator has actual knowledge of an user’s age if the site/service asks for and receives information from the user that allows it to determine the user’s age.