COPPA Compliance
Disclaimer: The information below is not legal advice, and we don't accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding COPPA compliance, please forward this page to your legal team.
What is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a United States federal law administered by the Federal Trade Commission (FTC). It exists to protect the digital privacy of children under the age of 13 by requiring website operators to obtain verifiable parental consent before collecting personal information from them.
COPPA is not a law to take lightly. In 2019, Google and YouTube were fined $170 million for illegally collecting personal data from children without parental consent, using cookies to track children across the internet and serve them targeted advertising. In 2022, Epic Games (Fortnite) was fined $275 million. The fines keep growing. More importantly: children deserve protection, and the companies that exploit their data for profit are doing something genuinely harmful.
Does COPPA apply to you?
The FTC's guidance establishes that COPPA applies to your website if any of the following are true:
- Your website is directed at children under 13, and you collect personal information from them.
- Your website is directed at children under 13, and you allow third parties to collect personal information from them.
- Your website is directed at a general audience but you have actual knowledge that you are collecting personal information from children under 13.
- You operate an advertising network or plug-in and have knowledge that you are collecting personal information from users under 13.
If your website falls into any of these categories, you must ensure your analytics provider is COPPA compliant. That includes Clerion AI.
Is Clerion COPPA compliant?
We believe so. Here is our full analysis.
IP addresses are personal information under COPPA
Under the FTC's COPPA Rule, "personal information" includes persistent identifiers, defined to include IP addresses, customer numbers held in cookies, processor or device serial numbers, and unique device identifiers that can be used to recognise a user over time and across websites. The FTC is explicit that an IP address qualifies.
When a visitor to your website triggers a Clerion tracking event, we receive their IP address as part of the HTTP request. We therefore process personal information of visitors (including, potentially, children), and we take that responsibility seriously.
The "support for internal operations" exception
COPPA provides an exception that permits processing a persistent identifier without parental consent where it is used solely for "support for internal operations", which includes maintaining or analysing the functioning of the website, performing network communications, and authenticating users or security tasks. Two strict conditions apply:
- The information must not be used to contact a specific person, for behavioural advertising, to build a profile on a specific person, or for any other purpose.
- This exception is not available if any other personal information is collected alongside the persistent identifier.
Clerion's use of IP addresses falls within this exception. Here is why:
We never use IP addresses to contact, advertise to, or profile individuals. Clerion AI does not run advertising networks. It does not serve behavioural ads. It does not build individual user profiles. It does not link visitor activity across unrelated websites. The IP address is used solely to derive an approximate country for aggregate geographic reporting, and then it is discarded.
We do not collect other personal information alongside the IP. We do not collect names, email addresses, precise location data, phone numbers, or any other personal information enumerated under the COPPA Rule. The only data elements we process are the IP address (immediately discarded after hashing and geo lookup), a User-Agent string (processed server-side, never stored in raw form beyond the request), and anonymous behavioural events (page views, scroll depth, performance timings).
What actually happens to the IP address
The raw IP address exists in memory on our EU server for a matter of milliseconds, long enough to:
- Resolve a country code via IPLocate's EU-only geo API.
- Produce an HMAC-SHA256 pseudonymous hash using a server-side secret.
After these two operations, the raw IP address is discarded. It is never written to our database, never logged to disk, and never transmitted to any third party in raw form. The only thing stored is the one-way cryptographic hash and the country code.
This is a stronger position than many analytics providers. The raw IP address is not even in an access log on our servers. We do not retain HTTP access logs that would contain raw visitor IPs. The IP address is gone before any persistence occurs.
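The two operations described above, written out as an added example; this is not Clerion's own code. The function names, the record fields, the key value and the stub geo lookup (standing in for the geo API call) are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed key for this example only. A real deployment would load the
# server-side secret from a secrets manager, never from source code.
SERVER_SECRET = b"constructed-example-key-not-for-production"


def canonical_ip(raw: str) -> str:
    """Normalise textual variants so one address always yields one hash."""
    addr = ipaddress.ip_address(raw.strip())  # raises ValueError on junk input
    # Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to the plain IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.compressed


def pseudonymise_ip(raw: str, key: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over the canonical address, hex encoded."""
    msg = canonical_ip(raw).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_event(raw_ip: str, page: str, geo_lookup, key: bytes = SERVER_SECRET) -> dict:
    """Build the only record that is persisted: hash, country, event data.

    The raw address is used for the two derivations and is not copied
    into the returned record.
    """
    return {
        "ip_hash": pseudonymise_ip(raw_ip, key),
        "country": geo_lookup(canonical_ip(raw_ip)),
        "page": page,
    }


def stub_geo(ip: str) -> str:
    """Hypothetical stand-in for the geo API; the mapping is constructed."""
    return {"203.0.113.7": "DE"}.get(ip, "ZZ")


if __name__ == "__main__":
    # 203.0.113.7 is a documentation-range address used as constructed input.
    print(json.dumps(build_event("203.0.113.7", "/home", stub_geo), indent=2))
```

Because the IPv4 address space is small, anyone holding the key can recompute the hash for every address, so the server-side secret needs the same protection the raw IP addresses would have needed.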
No cookies, no fingerprinting, no persistent tracking without consent
Clerion's tracking script sets no cookies. It does not fingerprint devices. Without explicit consent from the visitor, it creates no persistent identifier in localStorage or any other storage mechanism. Each visit is treated as independent.
For websites directed at children, the practical consequence is that Clerion operates in a mode that creates no persistent record of any child's visit, which is exactly what COPPA's consent requirements are designed to achieve for operators who cannot or do not obtain verifiable parental consent.
Our data handling in the context of COPPA
| Data element | How we handle it | COPPA relevance |
|---|---|---|
| Raw IP address | Discarded after geo lookup and hashing | Personal information under COPPA, not retained |
| IP hash (HMAC-SHA256) | Stored; irreversible without server key | No feasible path to identify an individual |
| Country code | Stored for aggregate geo reporting | Not personal information |
| User-Agent string | Processed server-side; not stored in raw form | Not personal information when handled this way |
| Session ID (sessionStorage) | Cleared on tab close; same-tab only | Ephemeral, not a persistent identifier across visits |
| Persistent visitor ID (localStorage) | Only with explicit consent; never by default | Not created without consent |
| Behavioural events (page views, etc.) | Aggregate only; not linked to identified individual | Not personal information |
For operators of websites directed at children
If your website is directed at children under 13, or you have reason to believe children are using it, you should:
- Review whether you need a COPPA-compliant consent mechanism. If you are relying on the "support for internal operations" exception for Clerion's use of IP addresses, ensure you are not using any other feature (such as the persistent visitor ID) that would take you outside the exception's boundaries.
- Disable the persistent visitor ID. The localStorage-based visitor ID is consent-gated by default, but if your site targets children you should confirm it is disabled entirely, not merely behind a standard consent prompt that a child could click through.
- Consult your legal team. COPPA has specific requirements around the content of privacy notices directed at children and the format of parental consent. These are operational requirements that go beyond what an analytics provider can address. They are your responsibility as the site operator.
Conclusion
We built Clerion because analytics should not require exploiting the people whose data powers it. That principle is especially important when those people are children. We do not profile visitors. We do not build persistent cross-site identities. We do not run advertising networks. We do not sell data.
The IP address is personal information under COPPA, and we treat it that way: it touches our systems briefly, is pseudonymised immediately, and is gone before anything is written to permanent storage. That is the right way to handle it, not just for children, but for every visitor to every website using Clerion.