Carnegie Mellon University

Children's Online Privacy and Protection Act

Virtual programs with participants under the age of 13 must comply with the Children’s Online Privacy and Protection Act (COPPA).

  • Responsible parties must obtain and use a program-specific COPPA-compliant release form from the Office of General Counsel.
  • Programs must provide details about 1) what (if any) personally identifiable information (PII) is being collected by the program about the participants and 2) where the PII is being collected (e.g. a website, survey, etc.). Each of these is considered personal information under COPPA:
    • First and last name;
    • A home or other physical address, including street name and city or town;
    • Online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier;
    • A screen name or username where it functions as online contact information;
    • A telephone number;
    • A Social Security number;
    • A persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier;
    • A photo, video, or audio file containing a child’s image or voice;
    • Geolocation information sufficient to identify a street name and city or town; or
    • Other information about the child or parent that is collected from the child and is combined with one of these identifiers.
  • Programs must include links to and information about COPPA in any programming content where the program is collecting personally identifiable information about the minor participants.
  • Programs must provide any other information required under COPPA to the Office of General Counsel, as needed.