In this guide you'll learn more about COPPA, the online privacy law for kids, and how it applies to your website or mobile app (running on Windows, iPhone or Android) under the new rules of COPPA 2013.
The Children's Online Privacy Protection Act of 1998, or simply COPPA, was enacted in 1998 to protect the privacy of children under the age of 13. It's a US federal law that first became effective on April 21st, 2000, with amended rules taking effect on July 1st, 2013.
This law is applicable to US businesses, but it can apply to any foreign businesses if they collect personal information from children under 13 residing in the US.
COPPA applies to your website or mobile app (regardless of whether it's available in the iOS Store, Google Marketplace, Windows Store, etc.) if it is:
Operating under US jurisdiction
Running on servers that are hosted in the US
Operated by businesses with headquarters located in the US territory
1.1. What is Personal Information
COPPA doesn't define personal information any differently from the way it is usually defined, for example for a general-audience website.
The term "personal information" ("PI") is broadly defined: it covers every kind of data that can be used to identify an individual and, in the case of COPPA, any kind of data that can identify a child under 13:
First and last name
Physical address, like street name or city
Instant message usernames, e.g. Yahoo! ID or Skype
Keep in mind that, for mobile apps, personal information also includes geolocation information. Personal data can also mean any kind of information that, when combined, can identify an individual, e.g. anonymous identifiers.
1.2. What Counts as Collecting Personal Information
Collecting personal information, even from kids under 13, can be done in many ways. Regardless of how you collect this kind of data, here is what the COPPA compliance guidelines state about what "collecting" means:
Requesting, prompting, or encouraging the submission of information, even if it's optional
Letting information be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records
Passively tracking a child online
Note the word "optional" in this section: COPPA applies to you if you know you're collecting personal information from kids under 13, even if the information you are requesting is optional rather than mandatory.
The general recommendation is not to collect personal information unless it is required for a legitimate business purpose.
2. Check if COPPA applies to you
COPPA doesn't apply to all websites or mobile apps unless you collect personal information from kids under 13. If any of the following cases apply to you, you must become compliant with COPPA:
Your website's or mobile app's content is aiming at kids under 13 and you collect personal information from them
Your website or mobile app is aimed at kids under 13, but you let other parties collect personal information from them
Your website's or mobile app's target is a general audience, but you have actual knowledge that kids under 13 are using your service and that you are collecting personal information from them
The FTC defines "website or online service" in its "Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business" as including:
Mobile apps that send or receive information online
Internet-enabled gaming platforms
Internet-enabled location-based services
Voice-over internet protocol services
While COPPA applies to "kids under 13", it's recommended for any online business to have a look at all compliance guidelines to see if any applies to their website or mobile app.
Schools don't fall under COPPA, but third parties do
When it comes to interactions with schools, COPPA takes on a unique function.
According to the FTC, schools do not fall under COPPA because this act does not apply to information collected by nonprofits serving educational purposes or to information collected by state governments.
COPPA applies to commercial entities. A school is considered to be part of the local government and is not functioning for commercial purposes.
However, many third-party commercial businesses, websites and mobile apps may provide services to schools and the students, and COPPA would extend to these third parties.
In cases such as these, the school can act as an intermediary between the third party and the parent, allowing the third party to obtain consent from the school district or the school rather than needing to obtain it directly from the parent.
Requirements for third party websites or mobile apps
If your website or mobile app is used by students at the direction of a school, and for non-commercial, educational purposes only, your burden for meeting the requirements of COPPA is lessened: you don't have to obtain direct verifiable parental consent before data is collected, so long as three conditions are met:
The school must have previously obtained permission from parents to act on their behalf in such matters
The website or mobile app operator must comply with all other COPPA requirements
The website or mobile app service must be provided solely for the educational benefit of the students and/or the school, and not for commercial purposes.
For example, an online homework help service, or web-based testing modules would be acceptable, but a website or mobile app that tries to sell school supplies to students would not be.
Other COPPA requirements mentioned in point 2 above include the following:
The website or mobile app operator must give all of the required notices to the school
The website or mobile app operator must make options and information available to the parents of the students with regard to how the collected data will be used, disclosed, and retained
The first statement under the introduction references parental verifiable consent on the website by stating that, "We will NOT knowingly collect, use or distribute personal information from children under the age of 13 without prior verifiable consent from a parent or guardian."
In this case, Edutopia.com doesn't collect any data from children under the age of 13 and therefore doesn't seek verifiable parental consent.
Including language like this is a great option if your website or mobile app has no reason to collect data from users, or specifically from users who are determined to be under 13.
Here's their simple and definitive language below:
Some websites or mobile apps take it a step further and actually require direct parental consent before a child can use the service, regardless of whether the school has obtained parental consent.
An example of this (unnecessary but thorough) implementation can be seen with Edmodo.com, an educational website that works to bring parents, students and teachers together in a collaborative environment.
3. How to comply with COPPA
You need to comply with COPPA regardless of what type of online business you operate. The FTC has made available a video on YouTube, called Protecting Children's Privacy Under COPPA, that briefly discusses children's privacy:
The link to this legal agreement must be placed on all your webpages, and it's recommended to make it prominent.
Do not try to hide your link to the agreement or make the link less visible or hard to reach.
3.1. List of all operators
You must list all operators that are collecting personal information for you.
For each operator, you need to include the name and the contact information (physical address, telephone number, and email address). You may include only one operator's contact details if that operator is going to answer all privacy inquiries, but you still need to list all operators.
3.2. Personal Information collection and use
You need to include what type of information you collect from kids: name, address, email, hobbies etc. and how, such as directly from the kids (via forms) or passively (via cookies).
Next, you need to describe how you are going to use that information. You may use it for marketing purposes, for notifying kids about certain competitions that match their hobbies or interests, for letting them know about the winners of a contest and the awards, etc.
Then you need to state if personal data from kids are being disclosed to any third parties. You need to list all third parties that your website or mobile app is using and how they use that information, like ad networks.
3.3. Parent rights section
That kids under 13 are not required to disclose more information than is necessary to participate in a certain activity
That they can review the information already submitted about their kids, and how to contact you to delete it or to refuse any further collection and use of their kids' information
That they (the parents) can agree to the collection and use of their kids' information but refuse its disclosure to third parties that your business might be using
The instructions on how to do the above
3.4. Direct notice
COPPA requires companies to give a "direct notice" to parents before they start to collect information from kids under 13.
This means that you should not gather information from children until parents give their approval for the collection and use of it.
In some circumstances, COPPA allows a very narrow category of personal information to be collected without giving direct notice to parents, but the data collected under these exceptions cannot be disclosed to third parties.
COPPA's Six-Step Compliance Plan explains these circumstances:
To get verifiable parental consent
To give voluntary notice to a parent about their child's participation on a site or service that doesn't collect personal information
To respond directly to a child's specific one-time request (for example, if the child wants to enter a contest)
To protect the security or integrity of your website or mobile app
To provide support for internal operations
To protect a child's safety
3.5. Parental consent
COPPA requires that a website or mobile app obtain verifiable parental consent before it collects any personal information about a child, and that it provides notice of its data collection practices.
COPPA defines certain methods by which you can get verifiable consent from parents:
Sign a form and send it back to the company's address via fax, mail or electronic scan
Call a toll-free number operated by the company
Connect with trained personnel via video conference
Provide the company with a copy of a government-issued ID that the company can check against a database (but the ID copy must be deleted from the company's records after the verification process is done)
Verifiable parental consent is typically somewhat complicated to obtain.
A parent may have to submit a government-issued ID and have the data run against a database for verification, or sign a consent form returned to the consent seeker by standard postal mail. Verifying the identity of the parent, as well as verifying that the person is actually the parent of the child can be a process in itself.
Below is an example of a pop-up window that when used on a website is a great way to try to screen out children under the age of 13 and know that consent is needed.
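The page refers to a screenshot of such a pop-up. As an added example that is not code from the page or from any site it names, here is the logic behind a neutral age screen in JavaScript: it asks for a full date of birth rather than "are you 13 or older?", computes age correctly across month, day and leap-day boundaries, and remembers an under-13 answer for the session so the visitor cannot go back and enter an older date (a practice the FTC's COPPA FAQ recommends). Function names and the shape of the session object are assumptions.

```javascript
// Added example (not from the page): the logic behind a neutral age screen.
// Function names and the session object shape are assumptions.

// Age in whole years on `today`, both given as 'YYYY-MM-DD'. Parsed by hand to avoid the
// time-zone shifts Date.parse can introduce for date-only strings.
function ageOn(dob, today) {
  const [y, m, d] = dob.split('-').map(Number);
  const [ty, tm, td] = today.split('-').map(Number);
  let age = ty - y;
  if (tm < m || (tm === m && td < d)) age -= 1;   // birthday not yet reached this year
  return age;
}

// Ask for the full date of birth, not "are you 13 or older?": a neutral question does not
// hint at the answer that unlocks the site.
function screenAge(dob, today) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(dob)) return { decision: 'INVALID_INPUT' };
  const age = ageOn(dob, today);
  if (age < 0 || age > 120) return { decision: 'INVALID_INPUT' };
  if (age < 13) {
    // Under 13: no personal information until verifiable parental consent. What may still be
    // collected: a persistent identifier for internal operations (Exception 7) and the parent's
    // online contact information in order to seek consent (Exception 1).
    return {
      decision: 'PARENTAL_CONSENT_REQUIRED',
      age,
      mayCollect: ['persistent_identifier', 'parent_online_contact'],
    };
  }
  return { decision: 'PROCEED', age };
}

// The FTC's COPPA FAQ advises preventing a visitor who answered "under 13" from going back
// and entering an older date. A session flag (in practice a session cookie) makes the first
// answer stick for the rest of the visit.
function gatedScreen(session, dob, today) {
  if (session.ageGate === 'PARENTAL_CONSENT_REQUIRED') {
    return { decision: 'PARENTAL_CONSENT_REQUIRED', locked: true };
  }
  const result = screenAge(dob, today);
  if (result.decision !== 'INVALID_INPUT') session.ageGate = result.decision;
  return result;
}
```

In a browser, `session` would be backed by a session cookie and `today` by the server's date, so the client can't spoof either; the decision object tells the rest of the application which collection paths are open.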
"Email Plus" method
If you only use kids' information for internal usage, you can use a less complicated method to get the parent consent, called the "email plus" method. This method works like this:
The company sends out an email to the parent
The parent must respond to that email with their consent
The company confirms the consent by sending a confirmation (which can be done via email, letter or a phone call).
Under the "email plus" method you need to let parents know that they can revoke their consent over collecting and use of kids' personal information.
However, note that this method can only be used when limited information is collected for purposes of internal marketing. "Limited information" normally refers to a child's first name or child's and parent's e-mail address etc.
Below is an example of the Email Plus method of obtaining verifiable parental consent, as used by Famigo. Famigo provides apps, games, videos and books that appeal to and are designed for children, in a safe environment for mobile app usage.
3.6. Exceptions for parental consent
If your business must comply with COPPA and the "Email Plus" method (as explained by the FTC) isn't an option for you, here is a checklist of common reasons or scenarios that may allow you to collect certain personal information without first obtaining parental consent.
This checklist can also help you tell what information you are allowed to collect and how you are allowed to use it.
Remember: you cannot collect anything more than what is listed, and you can only use the information in an exact way and for the exact purpose described.
Exception 1: To get parental consent
If you're trying to reach out to a parent to get their consent to collect their child's personal information, you are only allowed to collect the child's and parent's name and online contact information and nothing else.
This information can only be used to try to get the parent's consent.
If you don't hear back from the parent within a reasonable time, you must fully delete your records of the contact information.
The text is clear:
The only "personal information" that Avokiddo collects is from parents and that takes place when 1. an adult contacts Avokiddo via direct e-mail, or 2. when an adult subscribes to our newsletter.
Avokiddo is also notifying parents that their apps are compliant with COPPA:
Exception 2: To let a parent know that his/her child is using your site and/or mobile app, but that no personal information is being collected.
You may only get the parent's online contact information and can only use it to communicate that one bit of information to the parent.
Make sure you include the following information in your message to the parent to stay compliant with COPPA:
You got their online contact information so you could let him/her know about their child's participation on your site/mobile app.
Your site/mobile app doesn't collect personal information.
Their email address that you now have won't be used for any other purpose.
Let the parent know that he/she can email you back to refuse permission for their child to use your site/mobile app and to request that the contact information be deleted.
Exception 3: For a one-time request made by a child
If a child is able to contact you, for something such as entering a contest or asking a question, you are only allowed to collect the online contact information for the child (such as an email address.)
Remember: you cannot use this online contact information for anything other than responding to that one-time request, and you must delete the online contact information after the request has been addressed.
Exception 4: For multiple requests by a child
If a child wants to communicate with you multiple times, such as by signing up for your monthly newsletter, you can collect both the child's and parent's online contact information, but nothing more.
You have to contact the parent and let them know the following:
You collected their online contact information so you could let them know that their child has asked you for multiple online communications.
You collected the child's online contact information to use for these communications.
The child's online contact information won't be used for any other purpose and won't be given to anyone else.
That, as the parent, they have the ability to not allow the child to receive the communication.
Even if your mobile game isn't collecting any kind of personal information, inform parents that you're not collecting data from children.
Exception 5: To protect a child's safety
If there's a situation where a child's safety may be at risk, such as an abduction in your area of a child who was known to frequently visit a certain website, you may collect the child's name, the parent's name, and both of their online contact information.
You have to contact the parent and let them know the following:
You collected this information in order to protect the safety of a child.
The information won't be used in any other way or disclosed for any other purpose.
Give the parent the right to not allow you to use the contact information and request that you delete it.
Exception 6: To protect the security, integrity, and liability of your site or service, or to respond to legal or judicial proceedings.
You are allowed to collect the name and online contact information of a child who uses your site if you are legally required to, or must do so for judicial, security, or liability issues. Remember, you are not allowed to collect any other piece of information from the child for this exception aside from the name and contact information.
You are very limited in how you can use this information. You cannot use the information to contact the person, to create a profile, or for advertising purposes.
Exception 7: To help with internal operations of your website or online service.
A cookie number, IP address, or another persistent identifier can be collected from visitors to a site, even children under 13, when the information is used for things such as authentication of users to a site, personalizing content, legal or regulatory compliance, etc.
This information is impersonal to the child and is solely related to there being a visitor to the site or service, regardless of age.
Absolutely no other information may be collected for these purposes aside from the persistent identifier. You cannot use this information to directly contact the child in any way.
Exception 8: If you know someone misrepresented age on a registration, claiming to be over 13 when they are not.
This exception only applies if the following three requirements are met:
Only a persistent identifier was collected from the child. No personal information, such as name or email address was collected.
The child was actually using your site or service, which was why the persistent identifier was collected.
In a previously-conducted age-screening of the child, he/she indicated being 13 or older.
If this happens, you can keep the persistent identifier collected, but cannot collect other personal information without consent from a parent.
4. Practices on how to comply with COPPA
4.1. For websites
Websites must comply with COPPA just as any mobile app is required to do so. That applies even if your website is an online game for kids.
There are no separate rules on how to comply with COPPA for websites; the rules that apply to a mobile app apply to a website as well. All operators collecting data from kids under 13 must follow the same rules mentioned above and adapt the privacy functionality to the medium they operate in, e.g. website, mobile app, plug-in etc.
In compliance with COPPA (Children's Online Privacy Protection Act) and all European legislation currently in force, only the parents and legal guardians are permitted to give personally identifiable information concerning a child 12 and under. To comply with these laws, we have created the UpToTen User Account.
Through the UpToTen User Account, the child's parent or legal guardian can send all the information concerning their child(ren) that is necessary for the subscription process. The information we ask for allows us to deliver a personalized and fulfilling experience for club members.
Through the UpToTen User Account, the child's parent or legal guardian has immediate access to and complete control over the personally identifiable information UpToTen holds concerning them. The parent / guardian can modify or delete that information at any time through the UpToTen User Account.
UpToTen's agreement continues with specific sections that are guiding the parents to learn what personal information is collected, how and so on:
What sort of information is collected by this site?
Concerning children (who therefore have the legal status of minor)
Concerning people who have reached the age of majority
To recap, if you have a website that collects data from kids under 13:
Provide direct notice to parents about your collection and use of kids' under 13 personal information
Get a parent verifiable consent before you start collecting the information
Include a parents' right section where parents can find instruction on their rights over their kids' collected data, how they can contact you to delete or refuse your collection and use of data
4.1.1. Google Tag Child-Directed Treatment
If you have a website that's indexed by Google or a section of a website that is covered by the Children's Online Privacy Protection Act, you are required to notify Google of those specific websites or sections.
4.2. For Android apps
Google Play states in its Terms of Service that Google Play isn't available to kids under 13, and that kids between 13 and 18 must get their parents' approval to use any app in the store.
Log into the Developer Console of Google Play
4.2.1. Android SDK Tag Child-Directed Treatment
Similar to websites' Child-Directed Tag with Google Webmaster Tools, if you're developing a mobile app on Android, read about Android's SDK Child-directed setting.
When you request child-directed treatment, Google disables interest-based advertising (IBA) and remarketing ads for those requests. This Android SDK setting can be used for:
all versions of the Google Play services SDK, via AdRequest.Builder.tagForChildDirectedTreatment(boolean)
recent (Android: 4.1.0+; iOS: 4.0.2+) SDK versions, via "Extras"
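Section 4.1.1 says a child-directed website or section of a website must be flagged to Google, and section 4.2.1 shows the Android SDK call for the same treatment. As an added example (not code from the page or from Google's documentation), here is the web-side counterpart in JavaScript: decide from the URL path whether a page belongs to a child-directed section of a mixed-audience site, then tag the Google Publisher Tag (GPT) ad requests with `googletag.pubads().setTagForChildDirectedTreatment(1)`, which is the GPT API for this purpose. The section list, the function names and the stand-in `googletag` object used to run it offline are assumptions.

```javascript
// Added example (not from the page): tag GPT ad requests as child-directed only on the
// child-directed sections of a site. setTagForChildDirectedTreatment(1) is the Google Publisher
// Tag API; the section list, function names and fake googletag are assumptions.

const CHILD_DIRECTED_SECTIONS = ['/kids', '/games'];   // assumed site layout

function isChildDirectedPath(pathname) {
  // Match the section root and everything below it, but not e.g. /kidsmenu.
  return CHILD_DIRECTED_SECTIONS.some(
    (section) => pathname === section || pathname.startsWith(section + '/')
  );
}

function configureChildDirectedAds(googletag, pathname) {
  const childDirected = isChildDirectedPath(pathname);
  // GPT queues the callback until the library has loaded; 1 = child-directed, 0 = not.
  googletag.cmd.push(() => {
    googletag.pubads().setTagForChildDirectedTreatment(childDirected ? 1 : 0);
  });
  return childDirected;
}

// Minimal stand-in for the real googletag object so the example runs without the GPT script.
// It records the values passed to setTagForChildDirectedTreatment.
function fakeGoogletag() {
  const calls = [];
  return {
    calls,
    cmd: { push: (fn) => fn() },
    pubads: () => ({ setTagForChildDirectedTreatment: (value) => calls.push(value) }),
  };
}
```

On a live page you would call `configureChildDirectedAds(window.googletag, window.location.pathname)` before any ad slot is defined, so the flag is set on every request the page makes. Keeping the section list in one place means the ad configuration and the privacy policy's description of which sections are child-directed can be checked against each other.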
4.3. For iOS apps
Apple changed its App Store Review Guidelines in August 2013 to clarify the rules for apps aimed at children under 13, following the 2013 updates to COPPA.
Previously, iOS developers simply weren't allowed to collect information such as name, telephone number or address from children under 13. The new sections, 17.3 and 17.4, state that app developers must comply with applicable children's privacy statutes:
17.3 Apps may ask for date of birth (or use other age-gating mechanisms) only for the purpose of complying with applicable children's privacy statutes but must include some useful functionality or entertainment value regardless of the user's age
17.4 Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, persistent identifiers, the ability to chat, or other personal data) from a minor must comply with applicable children's privacy statutes.
The new guidelines for mobile developers updating their apps to iOS 7 whose users include children under the age of 13 are:
The apps can not include behavioral advertising (that also applies to using any ad network that in return is using behavioral advertising techniques),
Any app must ask for parental permission before allowing children to "link out of the app or engage in commerce."
The new rules impose a "Parental Gating" technique; iPhone or iPad apps that don't implement it can be rejected by Apple's review team.
The guidelines say that special parental precautions must be in place before the app links outside of itself, or before a child can tap any link that may lead to in-app purchases.
These cases are:
Link to In App Purchases or Store
More Apps or Share Link
Link to Social Networks (Facebook, Twitter, etc)
Link to any service outside the app
4.3.1. iOS 7 Kids Section Compliance
iOS developers are implementing various techniques to make sure that kids aren't tapping links that aren't meant for them, e.g. buying in-app purchases. Some of these methods are:
asking math questions, e.g. what is 20-5?
a press-and-hold technique to enter the parents' section, either timed (e.g. hold for 3 seconds) or a simple press-and-hold
Moms With Apps showcases various screenshots of iOS apps that implement these techniques to prevent kids from entering special sections of an app.
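The two gate techniques above are UI patterns, but the logic behind them is what decides whether the gate actually keeps a child out. As an added example (not code from the page, from Apple or from Moms With Apps), here is that logic in JavaScript: an arithmetic challenge of the "what is 20-5?" kind with a limited number of attempts and a fresh question after each miss, and a press-and-hold check that opens only when the pointer was held for the full 3 seconds. Function names, the attempt limit and the operand ranges are assumptions.

```javascript
// Added example (not from the page): parental-gate logic behind a math question and a
// press-and-hold. Function names, attempt limit and operand ranges are assumptions.

const HOLD_MS = 3000;   // "hold for 3 seconds", as in the text

// Two-digit minus one-digit, e.g. "What is 20 - 5?". Nothing here is secret, so Math.random
// is acceptable; rng is injectable for testing.
function makeMathChallenge(rng = Math.random) {
  const a = 10 + Math.floor(rng() * 90);   // 10..99
  const b = 1 + Math.floor(rng() * 9);     // 1..9
  return { prompt: `What is ${a} - ${b}?`, answer: a - b };
}

function checkMathAnswer(challenge, input) {
  const n = Number(String(input).trim());
  return Number.isInteger(n) && n === challenge.answer;
}

// Press-and-hold: the gate opens only if the pointer stayed down for at least holdMs.
// The caller passes the pointerdown and pointerup timestamps (e.g. event.timeStamp).
function checkHold(pressedAt, releasedAt, holdMs = HOLD_MS) {
  if (typeof pressedAt !== 'number' || typeof releasedAt !== 'number') return false;
  return releasedAt - pressedAt >= holdMs;
}

// A gate object for the math variant: a new question after every miss, and a lock after
// too many misses so repeated guessing doesn't eventually succeed.
function createParentalGate({ maxAttempts = 3, rng = Math.random } = {}) {
  let challenge = makeMathChallenge(rng);
  let attempts = 0;
  let locked = false;
  return {
    prompt: () => challenge.prompt,
    answer(input) {
      if (locked) return 'LOCKED';
      if (checkMathAnswer(challenge, input)) return 'OPEN';
      attempts += 1;
      challenge = makeMathChallenge(rng);
      if (attempts >= maxAttempts) locked = true;
      return locked ? 'LOCKED' : 'RETRY';
    },
  };
}
```

The gate is only as good as what sits behind it: the purchase or external link should be triggered from the `'OPEN'` result, never from the button that merely displays the challenge, and a locked gate should stay locked until the app is relaunched or a parent re-authenticates.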
4.4. For Windows apps
Log into your Windows Phone Dev Center account
This is a summary of what you need to do in order to be compliant with COPPA and its 2013 changes:
Follow COPPA's compliance guidelines on how to design your website or mobile app to get parents' consent when needed
You need to check what personal data third parties are receiving from you
Implement "parental gate" techniques in your iOS, Android or Windows apps to prevent kids from accessing special sections of your app, e.g. in-app purchases