Disclaimer: The information below is not legal advice, and we don’t accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding GDPR compliance, please forward this page to your legal team.
The Children’s Online Privacy Protection Act (COPPA) is an important law in the United States to protect the digital privacy of children under the age of 13.
In short, the law says that it’s not okay for website operators to profile and track children under 13 without their parents’ consent.
Many companies have been fined for violations, and the law must be taken seriously. In September 2019, Google (and its subsidiary YouTube) received a $170 million fine for violating COPPA. YouTube was illegally collecting personal data from children without first informing parents and obtaining their consent. According to the complaint, YouTube used cookies to track children online and subject them to targeted ads persistently. This is why privacy laws are so important - and why you should care: not (only) to avoid hefty fines, but to act like a decent human being. And decent people don’t exploit the privacy of children to earn a few bucks.
Do I need to comply with COPPA?
The FTC states that COPPA applies to websites that collect personal information from kids under 13. If any of the following apply to you, then so does COPPA:
- Your website is aimed at children under 13, and you collect personal information from them
- Your website is aimed at children under 13, and you let others collect personal information from them
- Your website is aimed at a general audience, but you have knowledge that you collect personal information from children under 13
- You run an advertising network or plug-in, and you have knowledge that you’re collecting personal information from website visitors under 13
You can read more about the specifics, but it’s pretty easy to establish whether COPPA applies to you.
Is Fathom Analytics COPPA compliant?
If your website falls under a category that makes COPPA apply to you, you must ensure that your analytics software is COPPA compliant. Technically, we do process personal information of children without their parents’ consent. In our case, the personal information we process is the IP Address. Some would argue that this isn’t personal information, since we cannot identify anybody with it, but it’s still considered personal information under COPPA. The FTC specifies this under section C, number 5: The Rule defines “personal information” to include persistent identifiers, such as a customer number held in a cookie, an IP Address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different websites or online services.
COPPA states that you may process a persistent identifier (e.g. IP Address) without any sort of parental consent for the “purposes of maintaining or analyzing the functioning of the site”, and that no direct notice is required. There are 2 limits on how you may use this information:
- You can’t use the information to contact a specific person, including through behavioural advertising, to amass a profile on a specific person, or for any other purpose
- You can’t use this exception if you collect personal information other than a persistent identifier
You should read our Data Journey to see how we ensure that the IP Address is never stored alongside any other personal information. In fact, the IP Address is only ever kept inside our access log for security reasons (automatically deleted after 24 hours) and contains no personal information alongside it. And for our stats collection, we intentionally don’t keep IP Addresses, User Agents, etc. We prefer to use a privacy-first hashing method we invented (detailed on the Data Journey page).
So the answer is, yes, we build our software to be COPPA compliant, and we take the privacy of all your website visitors very seriously. All individuals should be protected on the internet, especially children, and we wouldn’t dream of profiling them or selling their browsing habits. Fathom’s business model is to charge for software, not to exploit your personal data.