What It Is

Children's Online Privacy Protection Act (COPPA) is a U.S. federal regulation enacted in 1998, effective 2000, enforced by the FTC. It targets operators of commercial websites, apps, and services collecting data from children under 13, mandating verifiable parental consent (VPC). Scope includes child-directed content or known child users; approach emphasizes parental control and data minimization.

Key Components

• Core obligations: privacy notices, VPC mechanisms (11+ methods like credit cards), parental access/review/deletion rights, data security.
• Expansive PII (10+ categories: names, geolocation, persistent IDs, audio/video).
• Built on principles of limited collection and safe harbors (e.g., ESRB, iKeepSafe).
• No formal certification; compliance via self-regulation or FTC audits.

Why Organizations Use It

Legal mandate avoids $43,792/violation penalties (e.g., YouTube's $170M fine). Reduces breach risks, builds parental trust, enables global operations targeting U.S. kids. Enhances reputation in edtech, gaming; mitigates enforcement by FTC/state AGs.

Implementation Overview

Assess child-directed status, deploy age gates/VPC, post policies, minimize data. Applies to all sizes/industries collecting kids' data, U.S./global. Key activities: audits, third-party reviews, ongoing monitoring. No certification but safe harbor participation recommended. (178 words)

What It Is

REACH (Regulation (EC) No 1907/2006) is a directly applicable EU regulation governing the Registration, Evaluation, Authorisation and Restriction of Chemicals. Its primary purpose is to ensure a high level of protection for human health and the environment from chemical risks by shifting responsibility to industry for generating and managing safety data. Scope covers substances, mixtures, and certain articles across the supply chain; it uses a risk-based approach with tonnage-triggered obligations.

Key Components

• Four pillars: Registration (>1 tonne/year dossiers), Evaluation (dossier/substance checks), Authorisation (SVHCs on Annex XIV), Restriction (Annex XVII bans/limits).
• 17 technical annexes define data requirements, SDS rules, lists.
• Built on industry-led data generation, ECHA coordination, national enforcement.
• Continuous compliance model, no certification but mandatory registration.

Why Organizations Use It

• Legal obligation for EU manufacturers/importers to avoid market bans, fines.
• Manages supply chain risks, ensures market access.
• Drives substitution, innovation; builds stakeholder trust via transparency.

Implementation Overview

• Phased: gap analysis, inventory, dossiers, monitoring.
• Applies to chemical/product firms EU-wide; complex for globals.
• No certification; ECHA submissions, national audits required. (178 words)