The Children’s Online Privacy Protection Act (COPPA) requires online services and websites directed to children under 13 to notify parents about the personal information they collect about children and how it will be used; and to obtain parental consent before collecting and using it. The notice must include a link to their privacy policy with more details and, if parents provide consent, enable them to review the information that the website or service collects about their child and delete it. They have the right to revoke their consent at any time.

How serious is the FTC about compliance with COPPA? In 2023, it settled four cases alleging companies violated the law.

Edmodo operated platforms and apps that let teachers create virtual classrooms that as many as 600,000 students under 13 participated in. Kids had to provide their names and email addresses and sometimes their date of birth, phone number and other identifying information. COPPA allows schools to authorize the collection of kids’ information on behalf of parents under limited circumstances, but the company collecting the information is still required to provide proper notices to the schools. The FTC alleged that Edmodo didn’t provide the notices and that it also illegally used the information to serve up targeted ads. Edmodo suspended its U.S. operations in the midst of the FTC investigation.

The FTC reached a $20 million settlement with Microsoft after alleging the company collected information from young users of its Xbox gaming products before getting parental permission. Microsoft then required kids under 13 to get their parents involved, but the FTC said Microsoft retained the data, sometimes for years, even when parents didn’t consent. COPPA prohibits retaining information on kids under 13 longer than is reasonably necessary to fulfill the purpose it was collected for.

The Department of Justice settled a case on behalf of the FTC alleging Amazon deceived parents and users of its Alexa voice assistant service about its data deletion practices. The FTC said Amazon retained young children’s voice recordings indefinitely unless a parent requested the information be deleted and sometimes failed to delete it from all databases.

The most serious case, including a record $275 million civil penalty, involved Epic Games, the maker of the highly popular online game Fortnite. The FTC says a substantial number of the 400 million users of the game are kids under 13 and that Epic collected their full names, email addresses, usernames, and other personal information without getting parental consent. The FTC also said:

• Young kids and teenagers were often matched up by default in real-time voice chat with strangers in the course of playing the game. Some kids were subjected to threats, bullying and sexual harassment. News stories told of kids being coerced into sharing explicit images or meeting offline for sexual activity.
• Epic pocketed millions of dollars in licensing fees for Fortnite-branded merchandise aimed at kids.
• Epic ignored warnings from its own employees about the lack of parental controls.

In a separate action, Epic agreed to pay another $245 million in refunds for unwanted charges users were tricked into making, a practice the FTC calls a “dark  pattern.”

In addition to the monetary penalties, the settlements require all of the companies to reform their practices to comply with COPPA.