COPPA-Compliant Privacy Policy

If you create websites, apps or games for children under 13 years of age, you face additional requirements for your Privacy Policy agreement and your business policies on user data than you would if you had an adult-tailored product.

The Children's Online Privacy Protection Act (COPPA) sets the rules and standards for websites and apps that provide services to children in the U.S.

This article addresses the requirements of COPPA and how to create a Privacy Policy that complies with these requirements.


About COPPA

The "COPPA" acronym refers to both the "Children's Online Privacy Protection Act" and "Children's Online Privacy Protection Rule." Both set forth the requirements for businesses that provide services, games, and websites specifically for children under 13 years old.

The U.S. Congress passed the COPPA Act in 1998. It's enforced by the Federal Trade Commission (FTC).

COPPA contains a list of requirements regarding the management of children's personal information once a business collects it. Other provisions of this act restrict the access that minors can have to the website or app materials, often requiring a parental birthdate verification process before access is granted.

This verification process exists primarily as a means for parents to enforce their children's privacy interests online.

If you have actual knowledge that your website or app collects data from children under 13, you're required to comply with COPPA.

The same is true if your general audience includes children under 13, even if you use a parental verification process rather than collect information directly from children.

To play it safe, assume COPPA is relevant if you believe any user who finds your website or app is likely to be under the age of thirteen.

Once you determine that you fall under COPPA, you are bound by additional privacy requirements.

In addition to any other laws you must follow, you must also:

  • Post a clear and conspicuous Privacy Policy describing your privacy practices, including those used with children,
  • Develop a notice process for parents,
  • Give parents the choice of consenting to the collection of children's information,
  • Never disclose children's information to third parties unless it's necessary for your business to work. Make this clear to parents,
  • Develop a process that allows parents to review or change a child's information or request that you delete it,
  • Allow parents to prevent further use and collection of a child's information,
  • Take reasonable steps to assure the security of children's information, and
  • Retain information on children for only as long as necessary.

Many of these requirements are not much different than other privacy requirements and standards.

The main differences are:

  • The additional parental consent and notice procedures, and
  • The additional clauses that are required to be included in your Privacy Policy

COPPA & Privacy Policy

COPPA provisions can be in your current Privacy Policy - as long as you clearly label these provisions in the legal agreement. If you feel safer doing so, you can also draft a separate "COPPA-Compliant Privacy Policy."

Placement

Users should find your "COPPA-Compliant Privacy Policy" the same way as they find your other agreements: easily.

Disney Jr. created a separate COPPA Privacy Policy and it's linked at the bottom of its web pages:

Children Online Privacy Policy link in footer of Disney Jr website

Nick Jr. includes COPPA provisions in its general Privacy Policy agreement. To access the agreement and read the provisions, users can visit the link at the bottom of the page:

Nickelodeon: Privacy link in webpage footer

PBS Kids offers a more involved approach to finding the Privacy Policy and the related COPPA provisions.

Rather than maintain the Privacy Policy page on the children's page, it keeps the agreement on a page reserved for parents. Accessing the page requires first hitting the link for parents at the top of the page:

PBS Kids: Button to access Parents page

Then, once the user is in the parents' page, there are links that point to the Privacy Policy of PBS Kids:

PBS Kids: Parents Page: Privacy Policy links in footer

The Privacy Policy links should be as easy to find through your mobile apps as they are through your website. With Disney Jr., the Privacy Policy is linked from its Apple App Store profile page:

Disney Jr App on App Store profile page: Link to Privacy Policy

That link from the profile page takes users to Disney Jr.'s mobile website:

Screenshot of Walt Disney Privacy Center Mobile Website

From this "Privacy Center" of the Walt Disney Company, users can find another link to children's privacy provisions:

Walt Disney Privacy Center Mobile Website: Children Privacy item

Clauses

Children's Privacy

You need to be clear that children's privacy is being addressed in your COPPA-compliant Privacy Policy.

One way to do this is through a "Table of Contents" section.

Hasbro takes this approach with its Privacy Policy. Notice the clear plain language that makes the "Children's Privacy" provisions easily found by parents in the policy:

Hasbro COPPA Privacy Policy Table of Contents: Children

Nick Jr. only includes a quick reference in its "Table of Contents", likely because its Privacy Policy mentions both adults and children throughout the agreement.

However, it contains a direct link to what is likely the most important part of COPPA requirements: parents' access to data.

Nick Jr. COPPA Privacy Policy: Parental Access in Table of Contents

Notice of COPPA obligations

The primary goal of COPPA is to empower parents with knowledge about how their children's information is collected and used.

Consent from parents is required in most cases and one way to assure that consent is given is to provide a notice. This is frequently done at the beginning of a Privacy Policy agreement.

Nick Jr. acknowledges that it collects information from children under age 13. It also indicates adherence to COPPA:

Nick Jr: COPPA Reference in Privacy Policy

PBS Kids does not mention COPPA explicitly; however, there is an acknowledgment regarding the collection and use of children's information:

PBS Kids: No COPPA reference in Privacy Policy

Another step you may find necessary is to indicate which websites and apps fall under COPPA.

Nick Jr. offers a list of its websites that fall under COPPA requirements:

Nick Jr. COPPA Privacy Policy: Websites under COPPA list

Hasbro indicates that parents can request a copy of this list by emailing Hasbro:

Hasbro COPPA Privacy Policy: Email for Websites under COPPA list

The purpose is to make it clear that you realize your users include children under 13 and that you collect their data.

You may also take the additional step to inform parents which of your websites, apps and games fall under COPPA.

Verifying parental consent is often the most difficult part for businesses that must comply with COPPA.

Sprout provides online games for children. Children have access to its games but the website does not collect information from them.

Sprout makes that clear in its Privacy Policy agreement:

Sprout COPPA Privacy Policy: Children Privacy clause

Sprout's games do not require a sign-in from children. Sign-in is a function of Sprout's website only for parents to use and set up an account with a username and password. This provides the needed parental consent:

Sprout COPPA Privacy Policy: Collection and Use of Information clause

Personal information regarding children, such as birthdates and locations, is only provided by parents, which also indicates consent:

Sprout COPPA Privacy Policy: Children Personal Information is provided to parents

Disney Jr. is also thorough when it comes to parental consent and verification.

It requests a parent's email address when children set up accounts. In some cases, credit card numbers are required. If a child's information is collected by the website, the parent receives a notification:

Disney Jr. COPPA Privacy Policy: Registration requires a parent email address

Hasbro also uses the notice approach. Its Privacy Policy explains this:

Hasbro COPPA Privacy Policy: Collection and Use of Children Personal Information

Third party disclosure

COPPA prohibits businesses from disclosing children's information to third parties unless it's required for the business to operate its websites or apps.

This is similar to the Hasbro example. Just as parents must be informed that data is collected, the same kind of notice must also be provided to parents if you disclose data to third parties.

PBS Kids offers disclosure provisions that could fit into any Privacy Policy. However, notice how it addresses children directly:

PBS Kids COPPA Privacy Policy: Disclosure of Information clause

Disney Jr. is slightly more involved, likely because it's a well-known provider of children's entertainment and it's located in California, which has strict privacy laws.

Disney's Privacy Policy mentions "high level verification" (which requires a parent's email address) and discusses this disclosure in detail:

Disney Jr. COPPA Privacy Policy: Information collected from children available to third parties

Hasbro is the least detailed. Its Privacy Policy incorporates its general third party disclosure provision while being clear it affects children's data as well:

Hasbro Privacy Policy: Disclosure of children personal information to third parties

Child-generated content

User-generated content can create a challenge for many websites and apps when it comes to handling personal information in the content.

User-generated content becomes more complicated when your app or website caters to children.

Disney's approach in its Privacy Policy is to request only the necessary information and delete any excess data in user-generated content.

It also indicates different levels of consent by parents and in some cases provides an email notification when a child's personal data is necessary. Teachers can also stand in for parents on these projects if they are linked to a school-based activity:

Disney Jr. COPPA Privacy Policy: Content Generated by a Child

If you allow "child-generated content," create a process that allows for parental involvement in the content generation, or at least notice when a child generates content.

Parent enforcement rights

Parents can request information or deny future access to collected information and your business must provide a process for this. Failure to do so puts you in conflict with COPPA.

Disney Jr. maintains an extensive process for parental involvement. Parents can access their children's data to change it or contact Disney's Guest Services to request deletion of data:

Disney Jr. COPPA Privacy Policy: Parental Choices and Controls

Hasbro also makes it clear to parents that they have access to collected children's data. Review, collection, and deletion are all possible by contacting Hasbro Consumer Care:

Hasbro COPPA Privacy Policy: Parental Access

PBS Kids describes the right of parents to access and change data:

PBS Kids COPPA Privacy Policy: Parental Consent, Access and Deletion

Contact information

If you don't have your business contact information anywhere in your Privacy Policy, add the information at the end of the policy. This placement is typical with most Privacy Policies.

You may wish to consider providing a separate email address for addressing children's privacy issues. Since the legal impacts of COPPA are often serious, you don't want these requests buried in a general email box.

PBS Kids takes this approach:

PBS Kids COPPA Privacy Policy: Still have questions?

You can update your current Privacy Policy to address COPPA requirements with a few adjustments.

Jocelyn M.

Former civil litigation attorney. Content legal strategist.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.