30 August 2019
In this guide you'll learn more about COPPA, the online privacy law aimed at protecting kids, and how it applies to your website or mobile app.
The Children's Online Privacy Protection Act of 1998 or simply, COPPA, was enacted in 1998 to protect the privacy of children under the age of 13. It's a US federal law and it first became effective on April 21st, 2000.
This law is applicable to US businesses, but it can apply to any foreign businesses if they collect personal information from children under 13 who are residing in the US.
COPPA is applicable if your website or mobile app is:
The term "Personal information" ("PI") is broadly defined, but it means every kind of data that you can use to identify an individual, and in the case of COPPA, any kind of data that can identify a child under 13. Here are a few examples:
Personal data can also mean any kind of information that when combined can identify an individual, e.g. anonymous identifiers.
Collecting personal information, even from kids under 13, can be done in many ways. Regardless of how you collect this kind of data, here is what the COPPA Compliance guidelines state about what "collecting" means:
Note the optional keyword in this section: COPPA applies to you if you know you're collecting personal information from kids under 13, even if the information you are requesting is optional, not mandatory.
The general recommendation is not to collect personal information unless it is required for a legitimate business purpose.
COPPA doesn't apply unless you collect personal information from kids under 13. If any of the following cases apply to you, you must become compliant with COPPA:
The FTC defines "website or online service" in its Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business document:
Schools don't fall under COPPA, but third parties do.
When it comes to interactions with schools, COPPA takes on a unique function.
According to the FTC, schools do not fall under COPPA because this act does not apply to information collected by nonprofits serving educational purposes or to information collected by state governments.
COPPA applies to commercial entities. A school is considered to be part of the local government and is not functioning for commercial purposes.
However, many third-party commercial businesses, websites and mobile apps may provide services to schools and the students, and COPPA would extend to these third parties.
In cases such as these, the school can act as an intermediary between the third party and the parent, allowing the third party to obtain consent from the school district or the school rather than needing to obtain it directly from the parent.
If your website or mobile app is used by students at the direction or implementation of a school, and for non-commercial, educational purposes only, your burden for meeting the requirements of COPPA is lessened.
You don't have to obtain direct verifiable parental consent before data is collected so long as 3 conditions are met:
The website or mobile app service must be provided solely for the educational benefit of the students and/or the school, and not for commercial purposes.
For example, an online homework help service, or web-based testing modules would be acceptable, but a website or mobile app that tries to sell school supplies to students would not be.
Other COPPA requirements mentioned in point 2 above include the following:
The first statement under the introduction references parental verifiable consent on the website by stating that, "We will NOT knowingly collect, use or distribute personal information from children under the age of 13 without prior verifiable consent from a parent or guardian."
In this case, Edutopia.com doesn't collect any data from children under the age of 13 and therefore doesn't seek verifiable parental consent.
Including language like this is a great option if your website or mobile app has no reason to collect data from users, or specifically from users who are determined to be under 13.
Here's the company's simple and definitive clause:
Some websites or mobile apps take it a step further and actually require direct parental consent before a child can use the service, regardless of whether the school has obtained parental consent.
You need to comply with COPPA regardless of what type of online business you operate. The FTC made a video available on YouTube, called Protecting Children's Privacy Under COPPA, that briefly discusses children's privacy:
It also discloses a list of requirements in its COPPA FAQ document:
These requirements are as follows:
The link to this legal agreement must be placed on all your webpages and it's recommended to make it more prominently visible than other links.
Do not try to hide your link to the agreement or make the link less visible or hard to find.
You need to include what type of information you collect from kids: name, address, email, hobbies etc. and how, such as directly from the kids (via forms) or passively (via cookies).
Next, you need to describe how you are going to use that information. You may use it for marketing purposes or notifying kids about some certain competitions that match their hobbies or interests or letting them know about winners of a contest and awards, etc.
Then you need to state if personal data from kids are being disclosed to any third parties. You need to list all third parties that your website or mobile app is using and how they use that information, like ad networks.
Here's an example from Funbrain. The clause includes multiple contact methods for parents to reach out to request information or actions to be taken with their childrens' data:
COPPA requires that a company gives "direct notice" to parents before it starts to collect information from kids under 13.
This means that you should not gather information from children until parents give their approval for the collection and use of it.
In some circumstances, COPPA allows a very narrow personal information category to be collected without giving direct notice to parents, but the data collected under these exceptions can not be disclosed to third parties.
COPPA's Six-Step Compliance Plan explains these circumstances:
COPPA requires that verifiable parental consent is obtained from a website or mobile app before you can collect any personal information about a child and that notice of data collection practices is provided.
It defines certain methods of how you can get a verifiable consent from parents:
Verifiable parental consent is typically somewhat complicated to obtain.
A parent may have to submit a government-issued ID and have the data run against a database for verification, or sign a consent form returned to the consent seeker by standard postal mail. Verifying the identity of the parent, as well as verifying that the person is actually the parent of the child can be a process in itself.
Below is an example of a pop-up window that when used on a website is a great way to try to screen out children under the age of 13 and know that consent is needed.
"Email Plus" method
If you only collect information from kids for internal usage, you can use a less complicated method to get parent consent called the "email plus" method. This method works like this:
Under the "email plus" method you need to let parents know that they can revoke their consent for the collecting and use of their kid's personal information.
However, note that this method can only be used when limited information is collected for purposes of internal marketing. "Limited information" normally refers to a child's first name or child's and parent's e-mail address etc.
If your business must comply with COPPA and the "Email Plus" method isn't an option for you, here is a checklist of common scenarios where you may be allowed to collect certain personal information without needing to first obtain parental consent.
This checklist can also help you tell what information you are allowed to collect and how you are allowed to use it.
Remember: You cannot collect anything more than what is listed, and you can only use the information in an exact way and for the exact purpose described.
Exception 1: To get parental consent
If you're trying to reach out to a parent to get their consent to collect their child's personal information, you are only allowed to collect the child's and parent's name and online contact information and nothing else.
This information can only be used to try to get the parent's consent.
If you don't hear back from the parent within a reasonable time, you must fully delete your records of the contact information.
Exception 2: To inform a parent that a child uses a site/app but no personal information is collected
You may only get the parent's online contact information and can only use it to communicate that one bit of information to the parent.
Make sure you include the following information in your message to the parent to stay compliant with COPPA:
Exception 3: For a one-time request made by a child
If a child is able to contact you for something such as entering a contest or asking a question, you are only allowed to collect the online contact information for the child (such as an email address.)
Remember: You cannot use this online contact information for anything other than responding to that one-time request, and you must delete the online contact information after the request has been addressed.
Exception 4: For multiple requests by a child
If a child wants to communicate with you multiple times, such as by signing up for your monthly newsletter, you can collect both the child's and parent's online contact information, but nothing more.
You have to contact the parent and let them know the following:
Exception 5: To protect the safety of a child
If there's a situation where a child's safety may be at risk, such as an abduction in your area of a child who was known to frequently visit a certain website, you may collect a child's name, the parent's name, and both of their online contact information.
You have to contact the parent and let them know the following:
Exception 6: To protect the security, integrity, and liability of your service or respond to legal proceedings
You are allowed to collect the name and online contact information of a child who uses your site if you are legally required to, or must do so for judicial, security, or liability issues. Remember, you are not allowed to collect any other piece of information from the child for this exception aside from the name and contact information.
You are very limited in how you can use this information. You cannot use the information to contact the person, to create a profile, or for advertising purposes.
Exception 7: To help with your internal operations
A cookie number, IP address, or another persistent identifier can be collected from visitors to a site, even children under 13, when the information is used for things such as authentication of users to a site, personalizing content, legal or regulatory compliance, etc.
This information is impersonal to the child and is solely related to there being a visitor to the site or service, regardless of age.
Absolutely no other information may be collected for these purposes aside from the persistent identifier. You cannot use this information to directly contact the child in any way.
Exception 8: If you know someone misrepresented age on registration, claiming to be over 13 when not
This exception only applies if the following three requirements are met:
If this happens, you can keep the persistent identifier collected, but cannot collect other personal information without consent from a parent.
There are no separate rules of how to comply with COPPA for websites than those that apply to a mobile app. All operators that are collecting data from kids under 13 must follow the same rules as mentioned above and to adapt the privacy functionalities to the medium they operate in.
However, there are slight differences in how to comply depending on which platform you're on.
Websites must comply with COPPA just as any mobile app is required to do so. That applies even if your website is an online game for kids.
"In compliance with COPPA (Children's Online Privacy Protection Act) and all European legislation currently in force, only the parents and legal guardians are permitted to give personally identifiable information concerning of child 12 and under: To comply with these laws, we have created the UpToTen User Account.
Through the UpToTen User Account, the child's parent or legal guardian can send all the information concerning their child(ren) that is necessary for the subscription process. The information we ask for allows us to deliver a personalized and fulfilling experience for club members.
Through the UpToTen User Account, the child's parent or legal guardian has immediate access to and complete control over the personally identifiable information UpToTen holds concerning them. The parent / guardian can modify or delete that information at any time through the UpToTen User Account."
UpToTen's agreement continues with specific sections that are guiding the parents to learn what personal information is collected, how and so on:
Mattel's Privacy Statement details all the important information a parent needs to know about the data collected:
Avokiddo includes a cute heart icon with a note that the apps the company offers are compliant with both COPPA and the GDPR, which helps let parents know right away that the company cares about privacy:
To recap, if you have a website that collects data from kids under 13:
There are some other requirements here from Apple when it comes to kid's apps:
The new rules impose a new "Parental Gating" technique that can get iPhone or iPad apps rejected by Apple's team if they don't implement this.
The guidelines are mentioning that special parental precautions must be implemented before you link outside of your app or if the child will be clicking on any links that may lead to in-app purchases.
These cases are:
iOS developers are implementing various techniques to make sure that kids aren't clicking on links that aren't meant to be addressed to them, e.g. buying in-app purchases. Some of these methods are:
Here's an example from Apple itself:
Moms With Apps is showcasing various screenshots of iOS apps that are implementing these techniques to prevent kids from entering special sections of an app:
To summarize what you need to do in order to be compliant with COPPA: