COPPA: Children’s Online Privacy Protection Act

30 October 2018

In this guide you'll learn more about COPPA, the online privacy law for kids, and how it applies to your website or mobile app (running on Windows, iPhone or Android) under the new rules of COPPA 2013.


1. About COPPA

The Children's Online Privacy Protection Act of 1998, or simply COPPA, was enacted in 1998 to protect the privacy of children under the age of 13. It's a US federal law that first became effective on April 21st, 2000, with amended rules becoming effective on July 1st, 2013.

This law applies to US businesses, but it can also apply to foreign businesses if they collect personal information from children under 13 residing in the US.

COPPA is applicable if your website or mobile app (regardless of whether it's available in the iOS Store, Google Marketplace, Windows Store, etc.) is:

  • Operating under US jurisdiction
  • Running on servers that are hosted in the US
  • Operated by a business with headquarters located in US territory

1.1. What is Personal Information

COPPA doesn't define personal information any differently from the way the term is usually defined elsewhere, for example for a website aimed at the general audience.

The term "Personal information" ("PI") is broadly defined, but it means every kind of data that you can use to identify an individual and, in the case of COPPA, any kind of data that can identify a child under 13:

  • First and last name
  • Email address
  • Telephone number
  • Physical address, like street name or city
  • Instant message usernames, e.g. Yahoo! ID or Skype
  • Geolocation information

Keep in mind that, for mobile apps, personal information also includes geolocation information.
Personal data can also mean any information that, when combined with other data, can identify an individual, e.g. anonymous identifiers.

1.2. What is Personal Information Collected

Collecting personal information, including from kids under 13, can be done in many ways. Regardless of how you collect this kind of data, here is what the COPPA compliance guidelines state about what "collecting" means:

  • Requesting, prompting, or encouraging the submission of information, even if it's optional
  • Letting information be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records
  • Passively tracking a child online

Note the word "optional" in the list above: COPPA applies to you if you know you're collecting personal information from kids under 13, even if the information you are requesting is optional rather than mandatory.

The general recommendation is not to collect personal information unless it is required for a legitimate business purpose.

2. Check if COPPA applies to you

COPPA doesn't apply to every website or mobile app; it applies when you collect personal information from kids under 13. If any of the following cases apply to you, you must become compliant with COPPA:

  • Your website's or mobile app's content is aimed at kids under 13 and you collect personal information from them
  • Your website or mobile app is aimed at kids under 13, but you let other parties collect personal information from them
  • Your website's or mobile app's target is a general audience, but you have knowledge that kids under 13 are using your service and that you are collecting personal information from them

The FTC defines "website or online service" in their "Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business":

  • Mobile apps that send or receive information online
  • Internet-enabled gaming platforms
  • Plug-ins
  • Advertising networks
  • Internet-enabled location-based services
  • Voice-over internet protocol services

While COPPA applies to "kids under 13", any online business should review all the compliance guidelines to see whether any of them apply to its website or mobile app.

Schools don't fall under COPPA, but third parties do

When it comes to interactions with schools, COPPA takes on a unique function.

According to the FTC, schools do not fall under COPPA because this act does not apply to information collected by nonprofits serving educational purposes or to information collected by state governments.

COPPA applies to commercial entities. A school is considered to be part of the local government and is not functioning for commercial purposes.

However, many third-party commercial businesses, websites and mobile apps may provide services to schools and the students, and COPPA would extend to these third parties.

In cases such as these, the school can act as an intermediary between the third party and the parent, allowing the third party to obtain consent from the school district or the school rather than needing to obtain it directly from the parent.

Requirements for third party websites or mobile apps

If your website or mobile app is used by students at the direction of a school, and for non-commercial, educational purposes only, your burden for meeting the requirements of COPPA is lessened: you don't have to obtain verifiable parental consent directly from the parent before data is collected, so long as three conditions are met:

  1. The school must have previously obtained permission from parents to act on their behalf in such matters
  2. The website or mobile app operator must comply with all other COPPA requirements
  3. The website or mobile app service must be provided solely for the educational benefit of the students and/or the school, and not for commercial purposes.

    For example, an online homework help service, or web-based testing modules would be acceptable, but a website or mobile app that tries to sell school supplies to students would not be.

Other COPPA requirements mentioned in point 2 above include the following:

  1. The website or mobile app operator must give all of the required notices to the school
  2. The website or mobile app operator must make options and information available to the parents of the students with regard to how the collected data will be used, disclosed, and retained

Below is an example from Family Education Network's (FEN) Privacy Policy that references COPPA clearly and tells readers what policies are in place to keep children who use the service safe and secure.

This Privacy Policy is in place for all of FEN's subsidiary websites, including the child-oriented FunBrain.com which is marketed toward very young children.

FEN COPPA Section in Privacy Policy

The first statement under the introduction references parental verifiable consent on the website by stating that, "We will NOT knowingly collect, use or distribute personal information from children under the age of 13 without prior verifiable consent from a parent or guardian."

This is the backbone of COPPA and should be included and followed in every Privacy Policy for any website or mobile app that is either used by or directed towards children under the age of 13.

Edutopia.com makes it easy to find the relevant section of their Privacy Policy by providing a linked table of contents and a separate section for how children under 13 are handled by the website:

Edutopia Quick Reference Chapters

In this case, Edutopia.com doesn't collect any data from children under the age of 13 and therefore doesn't seek verifiable parental consent.

Including language like this is a great option if your website or mobile app has no reason to collect data from users, or specifically from users who are determined to be under 13.

Here's their simple and definitive language below:

Edutopia Children Under 13 Section

Some websites or mobile apps take it a step further and actually require direct parental consent before a child can use the service, regardless of whether the school has obtained parental consent.

An example of this (unnecessary but thorough) implementation can be seen with Edmodo.com, an educational website that works to bring parents, students and teachers together in a collaborative environment.

Edmodo Parental Consent in Privacy Policy

You can see from their Privacy Policy page that students under the age of 18, not just 13, are required to obtain parental consent before using the website service.

3. How to comply with COPPA

You need to comply with COPPA regardless of what type of online business you operate. The FTC has made a video available on YouTube, called Protecting Children's Privacy Under COPPA, that briefly discusses children's privacy:

[youtube=https://www.youtube.com/watch?v=cODKB9fApXk]

The first step in complying with this law is to have a Privacy Policy agreement.

Your Privacy Policy needs to clearly mention how you collect and store personal information from kids under 13. This includes you, as a website operator, but also third parties you may use to run your business that might get this data from you (such as ad networks).

The link to this legal agreement must be placed on all your webpages, and it's recommended to make it prominent.

Do not try to hide your link to the agreement or make the link less visible or hard to reach.

If your website or mobile app is both for the general audience and for kids, you can split your Privacy Policy into two sections: one section may address the general audience and the second one, the kids.

The Privacy Policy must be clear, easy to read and you are required to include the following in it:

3.1. List of all operators

You must list all operators that are collecting personal information for you.

For each operator, you need to include the name and the contact information (physical address, telephone number, and email address). You may include only one operator's contact details if that operator is going to answer all inquiries on privacy questions, but you'll still need to list all operators.

3.2. Personal Information collection and use

You need to include what type of information you collect from kids: name, address, email, hobbies etc. and how, such as directly from the kids (via forms) or passively (via cookies).

Next, you need to describe how you are going to use that information. You may use it for marketing purposes, for notifying kids about competitions that match their hobbies or interests, for letting them know about the winners of a contest and awards, etc.

Then you need to state whether personal data from kids is being disclosed to any third parties. You need to list all third parties that your website or mobile app is using, like ad networks, and how they use that information.

3.3. Parent rights section

Your Privacy Policy must include a "Parent rights" section to comply with COPPA. This section informs parents that:

  • You don't disclose information about kids under 13 beyond what is necessary to participate in a certain activity
  • They can review the information already submitted about their kids, and how to contact you to delete it or to refuse any future collection and use of their kids' information
  • They (the parents) can agree to the collection and use of their kids' information while refusing its disclosure to third parties that your business might be using
  • The instructions on how to do the above

3.4. Direct notice

COPPA requires companies to give a "direct notice" to parents before they start to collect information from kids under 13.

This means that you should not gather information from children until parents give their approval for the collection and use of it.

In some circumstances, COPPA allows a very narrow category of personal information to be collected without giving direct notice to parents, but the data collected under these exceptions cannot be disclosed to third parties.

COPPA's Six-Step Compliance Plan explains these circumstances:

  • To get verifiable parental consent
  • To give voluntary notice to a parent about their child's participation on a site or service that doesn't collect personal information
  • To respond directly to a child's specific one-time request (for example, if the child wants to enter a contest)
  • To protect the security or integrity of your website or mobile app
  • To provide support for internal operations
  • To protect a child's safety

COPPA requires that a website or mobile app obtain verifiable parental consent before collecting any personal information about a child, and that notice of its data collection practices be provided.

COPPA defines certain methods by which you can get verifiable parental consent:

  • The parent signs a consent form and sends it back to the company's address via fax, mail or electronic scan
  • The parent calls a toll-free number operated by the company
  • The parent connects with trained personnel via video conference
  • The parent provides the company with a copy of a government-issued ID that the company checks against a database (the identification pictures must be deleted from the company's records after the verification process is done)

Verifiable parental consent is typically somewhat complicated to obtain.

A parent may have to submit a government-issued ID and have the data run against a database for verification, or sign a consent form returned to the consent seeker by standard postal mail. Verifying the identity of the parent, as well as verifying that the person is actually the parent of the child can be a process in itself.

Below is an example of a pop-up window that, when used on a website, is a good way to screen for children under the age of 13 and to know when consent is needed.

Age Verification for COPPA Method

"Email Plus" method

If you only use kids' information for internal usage, you can use a less complicated method to get the parent consent, called the "email plus" method. This method works like this:

  • The company sends out an email to the parent
  • The parent must respond to that email with their consent
  • The company confirms the consent by sending a confirmation (which can be done via email, letter or a phone call).

Under the "email plus" method you need to let parents know that they can revoke their consent to the collection and use of their kids' personal information.

However, note that this method can only be used when limited information is collected for purposes of internal marketing. "Limited information" normally refers to a child's first name or child's and parent's e-mail address etc.

Below is an example of the Email Plus method of obtaining verifiable parental consent as used by Famigo. Famigo provides apps, games, videos and books that appeal to and are designed for children, in a safe environment for mobile app usage.

Famigo Email Plus Method

If your business must comply with COPPA and the "Email Plus" method (as explained by the FTC) isn't an option for you, here is a checklist of common reasons or scenarios that may allow you to collect certain personal information without first obtaining parental consent.

This checklist can also help you tell what information you are allowed to collect and how you are allowed to use it.

Remember: you cannot collect anything more than what is listed, and you can only use the information in an exact way and for the exact purpose described.

Exception 1: To get parental consent

If you're trying to reach out to a parent to get their consent to collect their child's personal information, you are only allowed to collect the child's and parent's name and online contact information and nothing else.

This information can only be used to try to get the parent's consent.

If you don't hear back from the parent within a reasonable time, you must fully delete your records of the contact information.
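The "email plus" flow described above (notice email, parent's reply, confirmation by a second channel, revocation) and the deletion deadline of Exception 1 can be implemented as a small consent state machine. The following is an added example written for this article, not code from the FTC, Famigo or any other vendor named on this page; the field names, the State names and the 30-day "reasonable time" are assumptions made for illustration, and the walk-through in run_demo uses constructed sample data:

```python
"""Consent lifecycle for the "email plus" method and Exception 1.
Added example; field names, state names and the 30-day TTL are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

# Assumed "reasonable time": an unanswered consent request is purged after 30 days.
CONSENT_REQUEST_TTL = timedelta(days=30)
# Exception 1: only the child's and parent's name and online contact info may be
# collected while seeking consent.  (Field names are assumptions.)
CONSENT_REQUEST_FIELDS = {"child_name", "parent_name", "parent_email"}
# "Limited information" for which email plus is acceptable, internal use only.
EMAIL_PLUS_FIELDS = {"child_first_name", "child_email", "parent_email"}
SAMPLE_NOW = datetime(2018, 10, 30)  # constructed timestamp for the demo


class State(Enum):
    REQUESTED = "requested"  # direct notice sent, waiting for the parent's reply
    CONSENTED = "consented"  # parent replied with consent
    CONFIRMED = "confirmed"  # the "plus": consent confirmed via email, letter or phone
    PURGED = "purged"        # contact data deleted (declined, revoked or timed out)


class ConsentError(Exception):
    pass


@dataclass
class ConsentRecord:
    child_name: str
    parent_name: str
    parent_email: str
    requested_at: datetime
    state: State = State.REQUESTED
    history: list = field(default_factory=list)  # (timestamp, event) audit trail


def request_consent(submitted: dict, now: datetime) -> ConsentRecord:
    """Step 1: send the notice.  Reject any field beyond Exception 1's allowlist
    instead of silently storing it."""
    extra = set(submitted) - CONSENT_REQUEST_FIELDS
    if extra:
        raise ConsentError(f"fields not permitted before consent: {sorted(extra)}")
    rec = ConsentRecord(submitted["child_name"], submitted["parent_name"],
                        submitted["parent_email"], requested_at=now)
    rec.history.append((now, "direct notice emailed to parent"))
    return rec


def purge(rec: ConsentRecord, now: datetime, reason: str) -> None:
    """Delete the contact data; only the audit trail remains."""
    rec.child_name = rec.parent_name = rec.parent_email = ""
    rec.state = State.PURGED
    rec.history.append((now, f"purged: {reason}"))


def record_parent_reply(rec: ConsentRecord, consented: bool, now: datetime) -> None:
    """Step 2: the parent answers the notice email."""
    if rec.state is not State.REQUESTED:
        raise ConsentError(f"unexpected reply in state {rec.state.value}")
    if consented:
        rec.state = State.CONSENTED
        rec.history.append((now, "parent replied: consent given"))
    else:
        purge(rec, now, "parent declined")


def send_confirmation(rec: ConsentRecord, channel: str, now: datetime) -> None:
    """Step 3, the 'plus': confirm the consent through a second contact."""
    if rec.state is not State.CONSENTED:
        raise ConsentError("nothing to confirm")
    if channel not in {"email", "letter", "phone"}:
        raise ConsentError(f"unsupported confirmation channel: {channel}")
    rec.state = State.CONFIRMED
    rec.history.append((now, f"consent confirmed via {channel}"))


def revoke(rec: ConsentRecord, now: datetime) -> None:
    """Parents may revoke consent at any time; revocation purges the record."""
    if rec.state is not State.PURGED:
        purge(rec, now, "parent revoked consent")


def expire_unanswered(records, now: datetime) -> list:
    """Exception 1: no reply within a reasonable time means the contact data
    must be fully deleted.  Returns the records that were purged."""
    purged = []
    for rec in records:
        if rec.state is State.REQUESTED and now - rec.requested_at > CONSENT_REQUEST_TTL:
            purge(rec, now, "no parental reply within reasonable time")
            purged.append(rec)
    return purged


def email_plus_allowed(requested_fields, internal_use_only: bool) -> bool:
    """Email plus is acceptable only for limited information used internally."""
    return internal_use_only and set(requested_fields) <= EMAIL_PLUS_FIELDS


def run_demo() -> dict:
    """Constructed walk-through: one consent completed, one request timed out."""
    t0 = SAMPLE_NOW
    ok = request_consent({"child_name": "Sam", "parent_name": "Alex Doe",
                          "parent_email": "alex@example.com"}, t0)
    record_parent_reply(ok, True, t0 + timedelta(days=1))
    send_confirmation(ok, "email", t0 + timedelta(days=1))
    after_confirm = ok.state.value
    stale = request_consent({"child_name": "Kim", "parent_name": "Pat Roe",
                             "parent_email": "pat@example.com"}, t0)
    timed_out = expire_unanswered([ok, stale], t0 + timedelta(days=31))
    revoke(ok, t0 + timedelta(days=40))
    return {"ok_state_after_confirm": after_confirm, "timed_out": len(timed_out),
            "stale_state": stale.state.value, "stale_email": stale.parent_email,
            "ok_state_after_revoke": ok.state.value}


if __name__ == "__main__":
    print(run_demo())
```

The allowlist check in request_consent is the part worth copying: it refuses extra fields at the boundary rather than storing them and hoping a later cleanup job removes them, which is how "you cannot collect anything more than what is listed" is actually enforced.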

Avokiddo states in its Privacy Policy that it does not collect any kind of personal information from children under 13, but only from parents:

Screenshot from Avokiddo Privacy Policy

The text is clear:

The only "personal information" that Avokiddo collects is from parents and that takes place when 1. an adult contacts Avokiddo via direct e-mail, or 2. when an adult subscribes to our newsletter.


Avokiddo also notifies parents that its apps are compliant with COPPA:

Avokiddo is COPPA compliant

Exception 2: To let a parent know that his/her child is using your site and/or mobile app, but that no personal information is being collected.

You may only get the parent's online contact information and can only use it to communicate that one bit of information to the parent.

Make sure you include the following information in your message to the parent to stay compliant with COPPA:

  • You got their online contact information so you could let him/her know about their child's participation on your site/mobile app.
  • Your site/mobile app doesn't collect personal information.
  • Their email address that you now have won't be used for any other purpose.
  • Include a link to your Privacy Policy.
  • Let the parent know that he/she can email you back and refuse that you allow their child to use your site/mobile app and request to have the contact information deleted.

Jump App, a game studio developing mobile games for kids, places a visible link to its Privacy Policy on its website, next to the most important menu: the navigation menu.

Jump App Link to Privacy Policy Position

Exception 3: For a one-time request made by a child

If a child is able to contact you, for something such as entering a contest or asking a question, you are only allowed to collect the online contact information for the child (such as an email address).

Remember: you cannot use this online contact information for anything other than responding to that one-time request, and you must delete the online contact information after the request has been addressed.

Exception 4: For multiple requests by a child

If a child wants to communicate with you multiple times, such as by signing up for your monthly newsletter, you can collect both the child's and parent's online contact information, but nothing more.

You have to contact the parent and let them know the following:

  • You collected their online contact information so you could let them know that their child has asked you for multiple online communications.
  • You collected the child's online contact information to use for these communications.
  • The child's online contact information won't be used for any other purpose and won't be given to anyone else.
  • That, as the parent, they have the ability to not allow the child to receive the communication.
  • Include a link to your Privacy Policy.

Even if your mobile game isn't collecting any kind of personal information, inform parents that you're not collecting data from children.

This is what Electric Eggplant states in their Privacy Policy:

Eggplant Privacy Policy Icons

Exception 5: To protect the safety of a child

If there's a situation where a child's safety may be at risk, such as an abduction in your area of a child who was known to frequently visit a certain website, you may collect a child's name, the parent's name, and both of their online contact information.

You have to contact the parent and let them know the following:

  • You collected this information in order to protect the safety of a child.
  • The information won't be used in any other way or disclosed for any other purpose.
  • Include a link to your Privacy Policy.
  • Give the parent the right to not allow you to use the contact information and request that you delete it.

Exception 6: To protect the security, integrity, and liability of your site or service, or to respond to legal or judicial proceedings.

You are allowed to collect the name and online contact information of a child who uses your site if you are legally required to, or must do so for judicial, security, or liability issues. Remember, you are not allowed to collect any other piece of information from the child for this exception aside from the name and contact information.

You are very limited in how you can use this information. You cannot use the information to contact the person, to create a profile, or for advertising purposes.

Exception 7: To help with internal operations of your website or online service.

A cookie number, IP address, or another persistent identifier can be collected from visitors to a site, even children under 13, when the information is used for things such as authentication of users to a site, personalizing content, legal or regulatory compliance, etc.

This information is impersonal to the child and is solely related to there being a visitor to the site or service, regardless of age.

Absolutely no other information may be collected for these purposes aside from the persistent identifier. You cannot use this information to directly contact the child in any way.

Exception 8: If you know someone misrepresented age on a registration, claiming to be over 13 when they are not.

This exception only applies if the following three requirements are met:

  1. Only a persistent identifier was collected from the child. No personal information, such as name or email address was collected.
  2. The child was actually using your site or service, which was why the persistent identifier was collected.
  3. In a previously-conducted age-screening of the child, he/she indicated being 13 or older.

If this happens, you can keep the persistent identifier collected, but cannot collect other personal information without consent from a parent.
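The age screen mentioned earlier and the per-exception allowlists of Exceptions 1 to 8 can be turned into a data-minimization step that runs before anything is stored. The following is an added example written for this article, not code from any source the page cites; the exception and field names are assumptions, the allowed-field sets paraphrase the exceptions above, the "retain nothing" default when Exception 8's conditions fail is an assumed conservative choice, and the sample dates are constructed:

```python
"""Age screen plus per-exception data minimization.  Added example; exception
and field names are assumptions that paraphrase Exceptions 1-8 above."""
from datetime import date

UNDER_AGE = 13  # COPPA's age threshold

# Which fields each exception permits.  Names are assumptions; the sets follow
# the text of the exceptions above.
ALLOWED_FIELDS = {
    "consent_request":       {"child_name", "parent_name", "child_contact", "parent_contact"},
    "participation_notice":  {"parent_contact"},
    "one_time_request":      {"child_contact"},
    "multiple_requests":     {"child_contact", "parent_contact"},
    "child_safety":          {"child_name", "parent_name", "child_contact", "parent_contact"},
    "security_or_legal":     {"child_name", "child_contact"},
    "internal_operations":   {"persistent_id"},
    "age_misrepresentation": {"persistent_id"},
}

# Constructed sample dates for the demo and tests.
SAMPLE_TODAY = date(2018, 10, 30)
SAMPLE_DOB_CHILD = date(2006, 10, 31)  # turns 12 tomorrow: still under 13
SAMPLE_DOB_TEEN = date(2005, 10, 30)   # exactly 13 today


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today (birthday not yet reached counts one less)."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def needs_parental_consent(dob: date, today: date) -> bool:
    """Result of the age screen: under 13 means verifiable parental consent is
    required before personal information is collected."""
    return age_on(dob, today) < UNDER_AGE


def minimize(record: dict, exception: str):
    """Keep only the fields the named exception permits.  Returns (kept, dropped)
    so the dropped keys can be logged for audit without storing their values."""
    if exception not in ALLOWED_FIELDS:
        raise ValueError(f"unknown exception: {exception}")
    allowed = ALLOWED_FIELDS[exception]
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(k for k in record if k not in allowed)
    return kept, dropped


def retain_after_misrepresentation(record: dict, collected_for_site_use: bool,
                                   screened_as_13_plus: bool) -> dict:
    """Exception 8: the persistent identifier may be kept only when all three
    conditions hold.  Otherwise nothing is retained (assumed conservative default)."""
    only_persistent_id = set(record) <= {"persistent_id"}
    if only_persistent_id and collected_for_site_use and screened_as_13_plus:
        return dict(record)
    return {}


if __name__ == "__main__":
    print(needs_parental_consent(SAMPLE_DOB_CHILD, SAMPLE_TODAY))
    print(minimize({"child_contact": "kid@example.com", "hobby": "chess"}, "one_time_request"))
```

Note that minimize returns the dropped keys rather than the dropped values: the audit log should prove that excess data was refused, not become another copy of it.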

4. Practices on how to comply with COPPA

4.1. For websites

Websites must comply with COPPA just as any mobile app is required to do so. That applies even if your website is an online game for kids.

There are no separate rules for complying with COPPA on websites beyond those that apply to mobile apps. All operators collecting data from kids under 13 must follow the same rules mentioned above and adapt the privacy features to the medium they operate in, e.g. website, mobile app, plug-in etc.

UpToTen's Privacy Policy positions the "Parent Consent" section directly at the top of its page:

UpToTen Privacy Policy

In compliance with COPPA (Children's Online Privacy Protection Act) and all European legislation currently in force, only the parents and legal guardians are permitted to give personally identifiable information concerning a child 12 and under: To comply with these laws, we have created the UpToTen User Account.

Through the UpToTen User Account, the child's parent or legal guardian can send all the information concerning their child(ren) that is necessary for the subscription process. The information we ask for allows us to deliver a personalized and fulfilling experience for club members.

Through the UpToTen User Account, the child's parent or legal guardian has immediate access to and complete control over the personally identifiable information UpToTen holds concerning them. The parent / guardian can modify or delete that information at any time through the UpToTen User Account.

UpToTen's agreement continues with specific sections that guide parents on what personal information is collected, how, and so on:

  • What sort of information is collected by this site?
  • Concerning children (who therefore have the legal status of minor)
  • Concerning people who have reached the age of majority
  • Security
  • General Conditions that apply to our Privacy Policy

The Privacy Policy of Mattel Inc. details all the important information a parent needs to know about the data collected:

Mattel Privacy Policy

To recap, if you have a website that collects data from kids under 13:

  • Have an extensive Privacy Policy that explains what is being collected, why it is being collected and with whom it is shared.
  • Provide direct notice to parents about your collection and use of the personal information of kids under 13
  • Get verifiable parental consent before you start collecting the information
  • Optionally, you can use the "email plus" method of getting consent if you collect minimal information from kids and for internal use only. You must disclose this in your Privacy Policy
  • Include a parents' rights section where parents can find instructions on their rights over their kids' collected data and how they can contact you to delete it or refuse your collection and use of the data

4.1.1. Google Tag Child-Directed Treatment

Tag Child-Directed Treatment

If you have a website that's indexed by Google or a section of a website that is covered by the Children's Online Privacy Protection Act, you are required to notify Google of those specific websites or sections.

Website owners can use Google Webmaster Tools to tag websites for Child-Directed Treatment: http://www.google.com/webmasters/tools/coppa

You'll need a Google account for this.

4.1.2. Block access for kids under 13

If you plan not to direct your website towards children under 13, you can include a "Children's Privacy" disclosure in your Privacy Policy.

4.2. For Android apps

COPPA for Android mobile apps

Google Play states in its Terms of Service that Google Play isn't available to kids under 13, while kids between 13 and 18 must get their parents' approval to use any app in the store.

As of this article, Google's Terms of Service don't require Android app developers to include a Privacy Policy with their mobile apps, but a Privacy Policy is required by law if you are collecting personal data, regardless of the user's age.

Google Play Developer Privacy Policy

Their Developer Privacy Policy page states:

As an Android developer, you may submit a Privacy Policy for each of your apps. When users browse your app in Google Play, they will be able to review the Privacy Policy before downloading your app.

As an Android developer, you can update your app to include a Privacy Policy by following these instructions:

  • Log into the Developer Console of Google Play
  • Go to All Applications and then select the application whose Privacy Policy you'd like to add or edit
  • Go to the section marked as Privacy Policy and enter the URL where you have the Privacy Policy hosted online
  • Click Save

4.2.1. Android SDK Tag Child-Directed Treatment

Similar to websites' Child-Directed Tag with Google Webmaster Tools, if you're developing a mobile app on Android, read about Android's SDK Child-directed setting.

When you tag requests for child-directed treatment, Google can, at your request, disable interest-based advertising (IBA) and remarketing ads. This Android SDK setting can be used for:

  • all versions of the Google Play services SDK, via AdRequest.Builder.tagForChildDirectedTreatment(boolean)
  • recent (Android: 4.1.0+; iOS: 4.0.2+) SDK versions, via "Extras"

4.3. For iOS apps

COPPA for iOS mobile apps

Apple changed its App Store Review Guidelines, in Aug 2013, to clarify the guidelines regarding apps for children under 13 after the recent updates to COPPA 2013.

Initially, iOS developers weren't allowed to collect information from children under 13, such as name, telephone or address. The new sections, 17.3 and 17.4, state that app developers must comply with applicable children's privacy statutes:

17.3 Apps may ask for date of birth (or use other age-gating mechanisms) only for the purpose of complying with applicable children's privacy statutes but must include some useful functionality or entertainment value regardless of the user's age

17.4 Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, persistent identifiers, the ability to chat, or other personal data) from a minor must comply with applicable children's privacy statutes.

The new guidelines for mobile developers updating their apps to iOS 7 whose users include children under 13 are:

  • The apps submitted to the App Store must include a Privacy Policy
  • The apps cannot include behavioral advertising (that also applies to using any ad network that in turn uses behavioral advertising techniques)
  • Any app must ask for parental permission before allowing children to "link out of the app or engage in commerce."

The new rules require a "Parental Gating" technique; iPhone or iPad apps that don't implement it can be rejected by Apple's review team.

The guidelines state that special parental precautions must be implemented before you link outside of your app or if the child will be clicking on any links that may lead to in-app purchases.

These cases are:

  • Link to In App Purchases or Store
  • More Apps or Share Link
  • Link to Social Networks (Facebook, Twitter, etc)
  • Link to any service outside the app

Apple's new rules for iOS 7 specify that all mobile apps for children under 13 must have a Privacy Policy and they need to be made specifically for children falling inside one of three age brackets:

  • Under 5
  • Ages 6-8
  • Ages 9-11

4.3.1. iOS 7 Kids Section Compliance

iOS developers implement various techniques to make sure that kids aren't clicking on links that aren't meant for them, e.g. in-app purchases. Some of these methods are:

  • asking math questions, e.g. what is 20-5?
  • a press & hold technique to enter the parents' section, either timed (e.g. hold for 3 seconds) or untimed (just press & hold)

Moms With Apps showcases various screenshots of iOS apps that implement these techniques to prevent kids from entering special sections of an app.

Moms With Apps Screenshot

4.4. For Windows apps

Microsoft's Windows Store currently does not require a Privacy Policy for Windows mobile apps published in the Windows Store, but keep in mind that a Privacy Policy is required by law if you collect personal details, and COPPA still applies to your Windows mobile app regardless of whether Microsoft requests it.

In the App Developer Agreement, Microsoft only informs mobile developers that they are responsible for informing their users of the mobile app's Privacy Policy.

You can add a Privacy Policy to your Windows app by following these steps:

  • Log into your Windows Phone Dev Center account
  • Add the link to your Privacy Policy in the Privacy URL field

5. Summary

This is a summary of what you need to do in order to be compliant with COPPA and its 2013 changes:

  • You must have a Privacy Policy on your website or mobile app, accessible at any time
  • Follow COPPA's compliance guidelines on how to design your website or mobile app to get parents' consent when needed
  • Check what personal data third parties are receiving from you
  • Implement "parental gate" techniques for your iOS, Android or Windows apps to prevent kids from accessing special sections of your app, e.g. in-app purchases

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.