Privacy laws across the world protect the information of consumers online. Websites and apps whose audience includes or is targeted to children under the age of 13 face additional requirements for their Privacy Policies and websites.
What is COPPA?
The Children's Online Privacy Protection Act, or COPPA, is a US federal law designed to protect the private information of children online. The Federal Trade Commission, or FTC, is an organization that enforces COPPA's requirements and offers helpful tips for how to comply with COPPA.
The law applies to the online collection of the personal information of children under the age of 13 by websites and apps. Its primary purpose is to give parents control over the collection and use of their children's information online.
COPPA applies to all websites and apps that collect the information of children and whose sole audience is children under the age of 13.
For a company with a general audience, COPPA is only applicable if the company has "actual knowledge" that it collects private information from children. COPPA doesn't require companies to investigate if their users are actually children or if a child lies about their age. However, a general audience company will fall under COPPA if it later learns that it is collecting a child's information.
COPPA is only applicable to commercial companies. Non-profits are not covered by COPPA.
To specifically comply with COPPA, companies must:
- Provide a direct notice to parents to gain their consent to collect their child's information
- Give parents a choice to control the collection and restrict the sale of their child's personal data to third parties
- Allow parents to access and request deletion of their child's information
- Give parents the ability to stop the collection
- Protect the child's information using reasonable steps
- Retain the child's information only for as long as necessary, and delete it using reasonable measures once it is no longer needed
- Not condition the child's access to parts of the website on the child providing additional information
As mentioned above, there are multiple rules companies must follow to comply with COPPA, the first being a company must:
Here's how Hasbro does this:
You can provide a broad description of the information collected, as Disney does, or construct a more detailed one.
In this section, you should state how the information is collected, how and why it is used, and whether it is disclosed or sold.
Sanrio provides an example of how to provide a detailed report of how a child's information is collected and for what reasons, including newsletters and polls:
Another example is how LeapFrog does it.
Nintendo offers parents a completely separate page entitled "Parental Control" which includes all of the information parents need to know about how Nintendo collects their child's data:
Email is one of the most common ways of doing this, as Disney states here:
Here's how Sanrio does this:
Security of Information
LeapFrog offers a short but essential section regarding how it protects the information of all its users, including children:
You don't have to be too specific about what technology or safeguards you use, but you do need to let it be known that you do take steps to protect data you collect.
Persistent Identifiers and Third Parties
While cookies and IP addresses, which the FTC calls "persistent identifiers," must be disclosed under some privacy laws, COPPA allows companies not to disclose them only if:
- Your company collects no other personal information, and
- The identifiers are collected and stored only for the "support for the internal operations" of your company
Companies that don't fall under the exception need to disclose them.
Mattel's Children Privacy Statement is an example of how to disclose the use of third parties and how it can affect children:
Here's another example of how to present this information, from Nickelodeon:
Child-Generated Content
Many websites or apps rely upon content created by their users, including children, to function. The same protections you would employ for adults apply to children, but this can be trickier. If you do use child-generated content, you need to disclose this and obtain consent.
Mattel tackles this by addressing all user content and specific rules for child-generated content, such as requiring a parent's email address:
Contact Information
All Privacy Policies should include a section where consumers and users can find your company's contact information if they have questions or concerns. This is even more important if you collect information from children, since parents will likely have heightened concerns.
Crayola has a contact information section that includes not only an address, but an email address and phone number as well:
Updates or Changes to the Policy
Here's how Disney does this:
Here's an example of this type of clause, from Crayola:
Notice and Consent
COPPA requires that notice be given to parents before their child's data is collected and that verifiable parental consent be obtained.
Now let's talk about consent. While there aren't specific requirements on what counts as verifiable consent, the FTC offers guidance on the topic, as well as some examples of what would be adequate consent.
Some of the acceptable methods for obtaining verifiable parental consent include:
- Signing a paper consent form that can be sent back to the company via mail, fax or electronic scan
- Using a payment system that provides the account holder with notification of separate transactions
- Calling a toll-free number that is staffed by trained personnel
- Connecting to trained personnel via video conference technology
- Providing a copy of official ID to be checked against a database
- Answering a series of challenge questions that would be difficult for anyone other than the parent to answer
- Verifying a picture of photo ID, then comparing the photo to a secondary photo collected using facial recognition technology
You can see how some of these methods can become quite elaborate and technically advanced.
Take a look at how Funbrain does it:
Remember, you can't collect a child's information without the parent's consent. While there are many different methods for doing this, you should find the one that will satisfy the law, while also being reasonable for your business. If you don't have the means to have a toll-free number manned by a trained employee 24 hours a day, one of the less intense methods will be better for you.
Here's how Bitmoji does it:
Here's how Mattel does this:
You can also have a separate link to the children's section on your homepage.
For example, Nintendo includes a separate link to its parental control area in its footer:
Summary
Your policy should have common clauses found in other policies, such as security procedures and information about third party data transfers, but COPPA adds that you must have clauses that:
- State what information is collected from children
- Explain how parents can control the collection of their child's information
- Explain how notice is given to parents and how parents can give consent
If you don't include these sections, you could potentially be in violation of COPPA.