Privacy laws across the world protect the information of consumers online. Websites and apps whose audience includes or is targeted to children under the age of 13 face additional requirements for their Privacy Policies and websites.
The US-based law, COPPA, dictates the Privacy Policy requirements companies who fall into this category must follow.
Below is an article summarizing COPPA and its rules that companies need to be aware of in order to have a COPPA-compliant Privacy Policy.
- 1. What is COPPA?
- 2. What to Include in a COPPA Privacy Policy
- 2.1. Information Collected
- 2.2. Parental Controls
- 2.3. Security of Information
- 2.4. Persistent Identifiers and Third Parties
- 2.5. Child-Generated Content
- 2.6. Contact Information
- 2.7. Updates or Changes to the Policy
- 3. Notice and Consent
- 4. Where to Post Your COPPA Privacy Policy
- 5. Summary
What is COPPA?
The Children's Online Privacy Protection Act, or COPPA, is a US federal law designed to protect the private information of children online. The Federal Trade Commission, or FTC, is an organization that enforces COPPA's requirements and offers helpful tips for how to comply with COPPA.
The law applies to the online collection of the personal information of children under the age of 13 by websites and apps. It's primary purpose is to give parents control over the collection and use of their children's information online.
COPPA applies to all websites and apps that collect the information of children and whose sole audience is children under the age of 13.
For a company with a general audience, COPPA is only applicable if the company has "actual knowledge" that it collects private information from children. COPPA doesn't require companies to investigate if their users are actually children or if a child lies about their age. However, a general audience company will fall under COPPA if they later learn that they are collecting a child's information.
COPPA is only applicable to commercial companies. Non-profits are not covered by COPPA.
To specifically comply with COPPA, companies must:
- Have a clear and comprehensive online Privacy Policy
- Provide a direct notice to parents to gain their consent to collect their child's information
- Give parents a choice to control the collection and restrict the sale of their child's personal data to third parties
- Allow parents to access and request deletion of their child's information
- Give parents the ability to stop the collection
- Protect the child's information using reasonable steps
- Retain the child's information for only as long as necessary and must delete when that ends by using reasonable measures
- Not condition the child's access to parts of the website by requesting additional information
What to Include in a COPPA Privacy Policy
As mentioned above, there are multiple rules companies must follow to comply with COPPA, the first being a company must:
"Post a clear and comprehensive online Privacy Policy describing their information practices for personal information collected online from children"
A COPPA Privacy Policy looks similar to other policies required by privacy laws, such as the GDPR. However, COPPA adds additional sections specifically targeted to the collection of the information of children and parental controls over that collection.
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue with building your Privacy Policy while answering on questions from our wizard:
-
Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.
That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
A note to consider when drafting your Privacy Policy: Including a simple notice to parents at the beginning of your policy or children's section that summarizes and states your compliance with COPPA can be a good option.
Here's how Hasbro does this:
The below examples of clauses that your COPPA Privacy Policy should have are not exclusive. You can include additional sections depending on your site's services.
Information Collected
Your Privacy Policy must include a section detailing the information that is collected from children by your website or app.
You can provide a broad description of the information collected, as Disney does, or construct a more detailed one.
In this section, you should state how the information is collected, how and why it is used, and whether it is disclosed or sold.
Sanrio provides an example of how to provide a detailed report of how a child's information is collected and for what reasons, including newsletters and polls:
Another example is how LeapFrog does it.
Parental Controls
The main purpose of COPPA is to give parents even more control of the collection and use of their children's information online. Your Privacy Policy needs to include the steps it takes to obtain a parent's consent and how they can delete or restrict the collection of their child's information.
Nintendo offers parents a completely separate page entitled "Parental Control" which includes all of the information parents need to know about how Nintendo collects their child's data:
In your actual COPPA Privacy Policy, you need to have a statement or section regarding how you obtain a parent's consent to gather a child's information.
Email is one of the most common ways of doing this, as Disney states here:
Part of COPPA is that parents are allowed to access their child's info and request the deletion of the information. Make sure you note this in your Privacy Policy in a clear and understandable way.
Here's how Sanrio does this:
Security of Information
COPPA is designed to protect a child's information. It's a good option to include a section in your Privacy Policy that states what your data security precautions are.
LeapFrog offers a short but essential section regarding how it protects the information of all its users, including children:
You don't have to be too specific about what technology or safeguards you use, but you do need to let it be known that you do take steps to protect data you collect.
Persistent Identifiers and Third Parties
While cookies and IP addresses, or as the FTC calls "persistent identifiers," are required to be disclosed by some privacy laws, COPPA allows companies to not disclose them only if:
- Your company collects no other personal information, and
- The identifiers are collected and stored only for the "support for the internal operations" of your company
Companies that don't fall under the exception need to disclose.
In Mattel's Children Privacy Statement is an example of how to disclose the use of third-parties and how it can affect children:
Here's another example of how to present this information, from Nickelodeon:
Child-Generated Content
Many websites or apps rely upon content created by its users, including children, to function. The same protections you would employ for adults, applies to children, but can be trickier. If you do use child-generated content, you need to disclose this, and obtain consent.
Mattel tackles this by addressing all user content and specific rules for child-generated content, such as requiring a parent's email address:
Contact Information
All Privacy Policies should include a section where consumers and users can find your company's contact information if they have questions or concerns. This is even more important if you collect information from children, since parents will likely have heightened concerns.
Crayola has a contact information section that includes not only an address, but email address and phone number as well:
Updates or Changes to the Policy
If and when you make updates or changes to your Privacy Policy, you need to disclose when you do so. This can be done with a "Last Modified" or "Last Updated" statement at the beginning or end of your policy.
Here's how Disney does this:
You can also include a section in your Privacy Policy that puts users on notice that your policy will change and how you will notify them of this.
Here's an example of this type of clause, from Crayola:
Now that you have the basics down for what your COPPA Privacy Policy should include, let's explore how to get consent, and where to display your Privacy Policy.
Notice and Consent
COPPA requires that notice is given to parents before their child's data is collected and that verifiable parental consent be obtained.
When it comes to giving notice, you should always provide a link to your Privacy Policy at a point-of-sale or sign-up page to notify parents at the time when personal information may be exchanged. This allows parents to be put on notice that personal data will be collected and used and also allows them to find out further details if they wish.
See how Sesame Street links to its Privacy Policy on its account sign-up page:
You should also always include a link to your Privacy Policy in your website footer. This is a common best practice, and parents will know to look here for information about your privacy practices.
Now let's talk about consent. While there aren't specific requirements on what counts as verifiable consent, the FTC offers guidance on the topic, as well as some examples of what would be adequate consent.
Some of the acceptable methods for obtaining verifiable parental consent include:
- Signing a paper consent form that can be sent back to the company via mail, fax or electronic scan
- Using a payment system that provides the account holder with notification of separate transactions
- Calling a toll-free number that is staffed by trained personnel
- Connecting to trained personnel via video conference technology
- Providing a copy of official ID to be checked against a database
- Answering a series of challenge questions that would be difficult for anyone other than the parent to answer
- Verifying a picture of photo ID, then comparing the photo to a secondary photo collected using facial recognition technology
You can see how some of these methods can become quite elaborate and technically advanced.
You can obtain consent in many different ways, but make sure to state how consent will be requested in your Privacy Policy.
Take a look at how Funbrain does it:
Remember, you can't collect a child's information without the parent's consent. While there are many different methods for doing this, you should find the one that will satisfy the law, while also being reasonable for your business. If you don't have the means to have a toll-free number manned by a trained employee 24 hours a day, one of the less intense methods will be better for you.
Make sure your Privacy Policy is accessible at any time, though. This is a requirement of many privacy laws beyond COPPA.
Where to Post Your COPPA Privacy Policy
COPPA requires you to post your Privacy Policy in a "clear and prominent" way.
The FTC offers that to comply with COPPA, a link to your Privacy Policy should be posted on the homepage or landing page of your website and at each place you collect personal information from children.
A common place to link your Privacy Policy on your website is in the footer, like Funbrain does here:
If you have a separate area of your website for children, you must post a link to the Privacy Policy in that area, too.
Apps can be a little bit more difficult, but the requirements are still the same. The Privacy Policy must be accessible within your app. A common place to do this is within a menu.
Here's how Bitmoji does it:
In its app store listing, YouTube Kids includes a link to its Privacy Policy and an email address parents can use to contact the company with questions before purchasing the app:
Websites that have adults and children in their audience may combine their general Privacy Policy with their COPPA Privacy Policy, but there needs to be a link in the table of contents that goes directly to the children's section.
Here's how Mattel does this:
You can also have a separate link to the children's section on your homepage.
For example Nintendo includes a separate link to its parental control area in its footer:
Summary
If your website or mobile app has children under the age of 13 as your sole audience or part of your wider audience, you must follow the requirements COPPA has for your Privacy Policy.
Your policy should have common clauses found in other policies, such as security procedures and information about third party data transfers, but COPPA adds that you must have clauses that:
- State what information is collected from children
- How parents can control the collection of their child's information
- How notice is given to parents and how parents can give consent
If you don't include these sections, you could potentially be in violation of COPPA.