COPPA: Children's Online Privacy Protection Act

In this guide you'll learn more about COPPA, the online privacy law aimed at protecting kids, and how it applies to your website or mobile app.

We'll cover who it applies to and what you'll need to do to comply if you fall into that category, including requirements for your Privacy Policy and obtaining parental consent.


About COPPA

The Children's Online Privacy Protection Act of 1998, or simply COPPA, was enacted to protect the privacy of children under the age of 13. It's a US federal law and it first took effect on April 21, 2000.

This law applies to US businesses, but it can also apply to a foreign business if it collects personal information from children under 13 who reside in the US.

COPPA is applicable if your website or mobile app is:

  • Operating under US jurisdiction
  • Running on servers that are hosted in the US
  • Operated by a business with headquarters located in US territory

What is Personal Information

The term "Personal information" ("PI") is broadly defined: it covers any data that can be used to identify an individual, and in the case of COPPA, any data that can identify a child under 13. Here are a few examples:

  • First and last name
  • Email address
  • Telephone number
  • Physical address, like street name or city
  • Instant message or social media usernames
  • Geolocation information

Personal data can also mean any information that, when combined with other data, can identify an individual, e.g. anonymous identifiers.

What Counts as Collecting Personal Information

Collecting personal information, even from kids under 13, can be done in many ways. Regardless of how you collect this kind of data, here is what the COPPA Compliance guidelines state about what "collecting" means:

  • Requesting, prompting, or encouraging the submission of information, even if it's optional
  • Letting information be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records
  • Passively tracking a child online

Note the word "optional" in this section: COPPA applies to you if you know you're collecting personal information from kids under 13, even if the information you are requesting is optional rather than mandatory.

The general recommendation is not to collect personal information unless it is required for a legitimate business purpose.

Does COPPA Apply to You

COPPA doesn't apply unless you collect personal information from kids under 13. If any of the following cases apply to you, you must become compliant with COPPA:

  • Your website/app content is aimed at kids under 13 and you collect personal information from them
  • Your website/app is aimed at kids under 13, but you let other parties collect personal information from them
  • Your website/app targets a general audience, but you have knowledge that kids under 13 are using your service and that you are collecting personal information from them

The FTC defines "website or online service" in its Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business document:

  • Mobile apps that send or receive information online
  • Internet-enabled gaming platforms
  • Plug-ins
  • Advertising networks
  • Internet-enabled location-based services
  • Voice-over-Internet-Protocol (VoIP) services

Schools don't fall under COPPA, but third parties do.

When it comes to interactions with schools, COPPA takes on a unique function.

According to the FTC, schools do not fall under COPPA because this act does not apply to information collected by nonprofits serving educational purposes or to information collected by state governments.

COPPA applies to commercial entities. A school is considered to be part of the local government and is not functioning for commercial purposes.

However, many third-party commercial businesses, websites and mobile apps may provide services to schools and the students, and COPPA would extend to these third parties.

In cases such as these, the school can act as an intermediary between the third party and the parent, allowing the third party to obtain consent from the school district or the school rather than needing to obtain it directly from the parent.

Requirements for Third Party Websites or Mobile Apps Used By Schools

If your website or mobile app is used by students at the direction or implementation of a school, and for non-commercial, educational purposes only, your burden for meeting the requirements of COPPA is lessened.

You don't have to obtain direct verifiable parental consent before data is collected so long as 3 conditions are met:

  1. The school must have previously obtained permission from parents to act on their behalf in such matters,
  2. The website or mobile app operator must comply with all other COPPA requirements, and
  3. The website or mobile app service must be provided solely for the educational benefit of the students and/or the school, and not for commercial purposes.

For example, an online homework help service, or web-based testing modules would be acceptable, but a website or mobile app that tries to sell school supplies to students would not be.

Other COPPA requirements mentioned in point 2 above include the following:

  1. The website or mobile app operator must give all of the required notices to the school
  2. The website or mobile app operator must make options and information available to the parents of the students with regard to how the collected data will be used, disclosed, and retained

Below is an example from Funbrain's Privacy Policy that very adequately references COPPA and tells readers what policies are in place to keep children who use the service safe and secure. Funbrain is a website marketed toward very young children:

Funbrain Privacy Policy: Excerpt of COPPA clause

The first statement under the introduction references parental verifiable consent on the website by stating that, "We will NOT knowingly collect, use or distribute personal information from children under the age of 13 without prior verifiable consent from a parent or guardian."

This is the backbone of COPPA and should be included in and followed in every Privacy Policy for any website or mobile app that is either used by or directed towards children under the age of 13.

Edutopia makes it easy to find the relevant section of its Privacy Policy by providing a linked table of contents and a separate section for how children under 13 are handled by the website:

Edutopia Quick Reference Chapters

In this case, Edutopia.com doesn't collect any data from children under the age of 13 and therefore doesn't seek verifiable parental consent.

Including language like this is a great option if your website or mobile app has no reason to collect data from users, or specifically from users who are determined to be under 13.

Here's the company's simple and definitive clause:

Edutopia Privacy Policy: Children clause for COPPA

Some websites or mobile apps take it a step further and actually require direct parental consent before a child can use the service, regardless of whether the school has obtained parental consent.

How to Comply with COPPA

You need to comply with COPPA regardless of what type of online business you operate. The FTC made a video available on YouTube, called Protecting Children's Privacy Under COPPA, that briefly discusses children's privacy:

The FTC also lists the requirements in its COPPA FAQ document:

Screenshot of list of requirements for COPPA in FTC FAQ

These requirements are as follows:

  1. Post a clear, comprehensive Privacy Policy that tells how you collect information from children
  2. Provide notice to parents directly and obtain verifiable parental consent before collecting personal information from children (with limited exceptions)
  3. Allow parents to limit the disclosing of information to third parties (unless necessary)
  4. Give parents access to their child's personal information so they can review, edit or delete it
  5. Allow parents to restrict the use or further collection of personal information from their children
  6. Take reasonable steps towards security, confidentiality and maintenance of personal information
  7. Only retain collected information for as long as necessary to complete the purpose for which it was collected

The first step in complying with this law is to have a Privacy Policy agreement.

Your Privacy Policy needs to clearly mention how you collect and store personal information from kids under 13. This includes you, as a website operator, but also third parties you may use to run your business that might get this data from you (such as ad networks).

The link to this legal agreement must be placed on all your webpages and it's recommended to make it more prominently visible than other links.

Note how the Privacy Policy link here is slightly separate from the other links and is in a bolder font that really makes it stand out:

Funbrain website footer with Privacy Policy link

Do not try to hide your link to the agreement or make the link less visible or hard to find.

If your website or mobile app is both for the general audience and for kids, you can split your Privacy Policy into two sections: one section may address the general audience and the second one, the kids, like Mattel has done here:

Mattel Privacy Policy with notice of Children's Privacy Statement

The Privacy Policy must be clear, easy to read and you are required to include the following in it:

Personal Information Collection and Use

You need to include what type of information you collect from kids: name, address, email, hobbies etc. and how, such as directly from the kids (via forms) or passively (via cookies).

Next, you need to describe how you are going to use that information. You may use it for marketing purposes, for notifying kids about certain competitions that match their hobbies or interests, for letting them know about the winners of a contest and awards, etc.

Edmodo does this by adding two separate "personal information" clauses to its Privacy Policy, with one addressing children specifically:

Edmodo Privacy Policy: Children's Personal Information clause for COPPA

Then you need to state whether personal data from kids is being disclosed to any third parties. You need to list all third parties that your website or mobile app uses, such as ad networks, and how they use that information.

Parent Rights Section

Your Privacy Policy must include a parent rights section to comply with COPPA. This section informs parents that:

  • You don't disclose information about kids under 13 beyond what is necessary to participate in a given activity
  • They can review the information already submitted about their kids, and how to contact you to delete it or to refuse any future collection and use of their kids' information
  • They can agree to the collection and use of their kids' information while refusing its disclosure to third parties that your business might be using
  • Instructions on how to do the above

Here's an example from Funbrain. The clause includes multiple contact methods for parents to reach out to request information or actions to be taken with their children's data:

Funbrain Privacy Policy: Excerpt of COPPA parental rights clause

Direct Notice

COPPA requires that a company gives "direct notice" to parents before it starts to collect information from kids under 13.

This means that you should not gather information from children until parents give their approval for the collection and use of it.

In some circumstances, COPPA allows a very narrow category of personal information to be collected without giving direct notice to parents, but the data collected under these exceptions cannot be disclosed to third parties.

COPPA's Six-Step Compliance Plan explains these circumstances:

  • To get verifiable parental consent
  • To give voluntary notice to a parent about their child's participation on a site or service that doesn't collect personal information
  • To respond directly to a child's specific one-time request (for example, if the child wants to enter a contest)
  • To protect the security or integrity of your website or mobile app
  • To provide support for internal operations
  • To protect a child's safety

COPPA requires that a website or mobile app obtains verifiable parental consent before it collects any personal information about a child, and that it provides notice of its data collection practices.

It defines several acceptable methods for obtaining verifiable consent from parents; the parent can:

  • Sign a form and send it back to the company's address via fax, mail or electronic scan
  • Call a toll-free number operated by the company
  • Connect with trained personnel via video conference
  • Provide the company with a copy of a government-issued ID that the company can check against a database (the identification pictures must be deleted from the company's records once the verification process is done)

Verifiable parental consent is typically somewhat complicated to obtain.

A parent may have to submit a government-issued ID and have the data run against a database for verification, or sign a consent form returned to the consent seeker by standard postal mail. Verifying the identity of the parent, as well as verifying that the person is actually the parent of the child can be a process in itself.

Below is an example of a pop-up age-screening window; used on a website, it is a good way to identify visitors under the age of 13 and know when consent is needed.

Age Verification for COPPA Method
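The following is an added example of the age-screening logic behind such a pop-up; it is not code from the original article or from any site shown in it. It assumes the visitor enters a birth date as "YYYY-MM-DD" (the function names `parseIsoDate`, `ageInYears` and `screenAge` are this example's own). The screen returns only a decision, so the birth date itself never has to be stored, and it rejects impossible or future dates rather than silently rolling them over, which is the usual bug in naive age checks.

```javascript
// Age screening for a COPPA consent flow (added example; not from the original
// article or any product shown in it). The visitor submits a birth date as
// "YYYY-MM-DD"; only the under-13 decision is returned, the date is discarded.

const COPPA_AGE_THRESHOLD = 13;

// Parse "YYYY-MM-DD" strictly into {y, m, d}; returns null for anything that does
// not parse or names an impossible calendar date.
function parseIsoDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(s).trim());
  if (!m) return null;
  const y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  const probe = new Date(Date.UTC(y, mo - 1, d));
  // Round-trip check: Date would silently turn 2015-02-30 into 2015-03-02.
  if (probe.getUTCFullYear() !== y || probe.getUTCMonth() !== mo - 1 || probe.getUTCDate() !== d) {
    return null;
  }
  return { y, m: mo, d };
}

// Whole years between the birth date and the reference date. A birthday that falls
// on the reference date counts as reached; a 29 February birthday is treated as
// reached on 1 March in common years.
function ageInYears(dob, ref) {
  let age = ref.y - dob.y;
  const birthdayReached = ref.m > dob.m || (ref.m === dob.m && ref.d >= dob.d);
  if (!birthdayReached) age -= 1;
  return age;
}

// Decide what the consent flow should do next. Returns one of:
//   "invalid"       - input did not parse or lies in the future; ask again, store nothing
//   "needs_consent" - under 13; verifiable parental consent is required first
//   "ok"            - 13 or older; the general-audience flow may continue
function screenAge(dobString, refDateString) {
  const dob = parseIsoDate(dobString);
  const ref = parseIsoDate(refDateString);
  if (!dob || !ref) return "invalid";
  const age = ageInYears(dob, ref);
  if (age < 0) return "invalid";
  return age < COPPA_AGE_THRESHOLD ? "needs_consent" : "ok";
}
```

In a real form the reference date would come from the server clock rather than the client, and the decision (not the birth date) is what gets recorded alongside the consent request.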

"Email Plus" method

If you only collect information from kids for internal usage, you can use a less complicated method to get parent consent called the "email plus" method. This method works like this:

  • The company sends out an email to the parent
  • The parent must respond to that email with their consent
  • The company confirms the consent by sending a confirmation (which can be done via email, letter or a phone call)

Under the "email plus" method you need to let parents know that they can revoke their consent for the collection and use of their kids' personal information.

However, note that this method can only be used when limited information is collected for purposes of internal marketing. "Limited information" normally refers to a child's first name or child's and parent's e-mail address etc.

If your business must comply with COPPA and the "Email Plus" method isn't an option for you, here is a checklist of common scenarios where you may be allowed to collect certain personal information without needing to first obtain parental consent.

This checklist can also help you tell what information you are allowed to collect and how you are allowed to use it.

Remember: You cannot collect anything more than what is listed, and you can only use the information in the exact way and for the exact purpose described.

Exception 1: To get parental consent

If you're trying to reach out to a parent to get their consent to collect their child's personal information, you are only allowed to collect the child's and parent's name and online contact information and nothing else.

This information can only be used to try to get the parent's consent.

If you don't hear back from the parent within a reasonable time, you must fully delete your records of the contact information.

Exception 2: To inform a parent that a child uses a site/app but no personal information is collected

You may only get the parent's online contact information and can only use it to communicate that one bit of information to the parent.

Make sure you include the following information in your message to the parent to stay compliant with COPPA:

  • You got their online contact information so you could let them know about their child's participation on your site/mobile app
  • Your site/mobile app doesn't collect personal information
  • Their email address that you now have won't be used for any other purpose
  • Include a link to your Privacy Policy
  • Let the parent know that he/she can email you back and refuse that you allow their child to use your site/mobile app and request to have the contact information deleted

Exception 3: For a one-time request made by a child

If a child is able to contact you for something such as entering a contest or asking a question, you are only allowed to collect the child's online contact information (such as an email address).

Remember: You cannot use this online contact information for anything other than responding to that one-time request, and you must delete the online contact information after the request has been addressed.

Exception 4: For multiple requests by a child

If a child wants to communicate with you multiple times, such as by signing up for your monthly newsletter, you can collect both the child's and parent's online contact information, but nothing more.

You have to contact the parent and let them know the following:

  • You collected their online contact information so you could let them know that their child has asked you for multiple online communications
  • You collected the child's online contact information to use for these communications
  • The child's online contact information won't be used for any other purpose and won't be given to anyone else
  • That, as the parent, they have the ability to not allow the child to receive the communication
  • Include a link to your Privacy Policy

Exception 5: To protect the safety of a child

If there's a situation where a child's safety may be at risk, such as an abduction in your area of a child who was known to frequently visit a certain website, you may collect a child's name, the parent's name, and both of their online contact information.

You have to contact the parent and let them know the following:

  • You collected this information in order to protect the safety of a child
  • The information won't be used in any other way or disclosed for any other purpose
  • Include a link to your Privacy Policy
  • Give the parent the right to not allow you to use the contact information and request that you delete it

Exception 6: To protect the security, integrity, and liability of your service or respond to legal proceedings

You are allowed to collect the name and online contact information of a child who uses your site if you are legally required to, or must do so for judicial, security, or liability issues. Remember, you are not allowed to collect any other piece of information from the child for this exception aside from the name and contact information.

You are very limited in how you can use this information. You cannot use the information to contact the person, to create a profile, or for advertising purposes.

Exception 7: To help with your internal operations

A cookie number, IP address, or another persistent identifier can be collected from visitors to a site, even children under 13, when the information is used for things such as authentication of users to a site, personalizing content, legal or regulatory compliance, etc.

This information does not identify the child personally; it relates only to there being a visitor to the site or service, regardless of age.

Absolutely no other information may be collected for these purposes aside from the persistent identifier. You cannot use this information to directly contact the child in any way.

Exception 8: If you know someone misrepresented age on registration, claiming to be over 13 when not

This exception only applies if the following three requirements are met:

  1. Only a persistent identifier was collected from the child. No personal information, such as name or email address was collected
  2. The child was actually using your site or service, which was why the persistent identifier was collected
  3. In a previously-conducted age-screening of the child, he/she indicated being 13 or older

If this happens, you can keep the persistent identifier collected, but cannot collect other personal information without consent from a parent.

How to Comply with COPPA on Websites and Mobile Apps

There are no separate rules for complying with COPPA on websites versus mobile apps. All operators collecting data from kids under 13 must follow the same rules described above and adapt their privacy functionality to the medium they operate in.

However, there are slight differences in how to comply depending on which platform you're on.

Websites must comply with COPPA just as any mobile app is required to do so. That applies even if your website is an online game for kids.

UpToTen's Privacy Policy positions its "Parent Consent" section right at the top of the page:

UpToTen Privacy Policy

"In compliance with COPPA (Children's Online Privacy Protection Act) and all European legislation currently in force, only the parents and legal guardians are permitted to give personally identifiable information concerning of child 12 and under: To comply with these laws, we have created the UpToTen User Account.

Through the UpToTen User Account, the child's parent or legal guardian can send all the information concerning their child(ren) that is necessary for the subscription process. The information we ask for allows us to deliver a personalized and fulfilling experience for club members.

Through the UpToTen User Account, the child's parent or legal guardian has immediate access to and complete control over the personally identifiable information UpToTen holds concerning them. The parent / guardian can modify or delete that information at any time through the UpToTen User Account."

UpToTen's agreement continues with sections that guide parents through what personal information is collected, how, and so on:

  • What sort of information is collected by this site?
  • Concerning children (who therefore have the legal status of minor)
  • Concerning people who have reached the age of majority
  • Security
  • General Conditions that apply to our Privacy Policy

Mattel's Privacy Statement details all the important information a parent needs to know about the data collected:

Screenshot of Mattel's Children's Privacy Statement intro

Avokiddo includes a cute heart icon with a note that the apps the company offers are compliant with both COPPA and the GDPR, which helps let parents know right away that the company cares about privacy:

Avokiddo is COPPA compliant

Your Privacy Policy can use fun colors and graphics to get your information across while still maintaining a style that's attractive to children, like Electric Eggplant has done here:

Screenshot of Electric Eggplant's Privacy Policy intro

To recap, if you have a website that collects data from kids under 13:

  • Have an extensive Privacy Policy that explains what is being collected, why it is being collected and by whom
  • Provide direct notice to parents about your collection and use of the personal information of kids under 13
  • Get verifiable parental consent before you start collecting the information
  • Optionally, you can use the "email plus" method of getting consent if you collect minimal information from kids, for internal use only. You must disclose this in your Privacy Policy
  • Include a parents' rights section where parents can find instructions on their rights over their kids' collected data and how they can contact you to delete it or refuse your collection and use of it

For Android Apps

Google Play requires that apps in the Designed for Families program include a Privacy Policy:

Google Play Console Help: Privacy Policy section

Developers "must link to a privacy policy on your app's store listing page and within your app" and the Privacy Policy must be available on an active URL, apply to the app and specifically cover user privacy issues.

For iOS Apps

Apple's App Store Review Guidelines include a clause dedicated to complying with COPPA, the GDPR and other equivalent laws with components that protect children. This clause requires that "apps in the Kids Category or those that collect, transmit, or have the capability to share personal information...from a minor must include a privacy policy":

Apple App Store Review Guidelines: Kids clause for COPPA

Apple has some other requirements when it comes to kids' apps:

  • Apps intended for kids can't include third-party advertising or use third-party analytics
  • These apps can only ask for a birthdate and parental contact information to comply with laws and must include some sort of functionality and entertainment when asking
  • The Parental Gate Requirement must be met by some apps

Apple App Store Review Guidelines: Kids Category clause for COPPA

The rules impose a "Parental Gating" requirement; iPhone or iPad apps that don't implement it can be rejected by Apple's review team.

The guidelines state that special parental precautions must be implemented before you link outside of your app, or if the child will be tapping any links that may lead to in-app purchases.

These cases are:

  • Link to in-app purchases or store
  • More Apps or Share links
  • Link to social networks (Facebook, Twitter, etc)
  • Link to any service outside the app

iOS developers implement various techniques to make sure that kids aren't following links that aren't meant for them, e.g. making in-app purchases. Some of these methods are:

  • Asking math questions, e.g. what is 20-5?
  • A press-and-hold gesture to enter the parents' section, either time-based (e.g. hold for 3 seconds) or a plain press-and-hold
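As an added example of both gating techniques just listed (not code from the original article, from Apple, or from any app shown on this page), here is a small parental gate module. The factory name `createParentalGate` and its option names are this example's own; `random` and `now` are injectable so the gate can be exercised deterministically, and a real app would pass `Math.random` and `Date.now`. The arithmetic question is regenerated on every attempt and wrong answers are rate-limited, so a child cannot simply learn one fixed answer or tap through by guessing.

```javascript
// Parental gate for a kids' app or website (added example; hypothetical names).
// Implements an arithmetic question and a timed press-and-hold, the two techniques
// the article lists. Friction against a child tapping through, not authentication.

function createParentalGate({ random = Math.random, now = Date.now, holdMs = 3000, maxAttempts = 3 } = {}) {
  let current = null;    // { text, answer } for the active arithmetic question
  let failures = 0;      // wrong answers since the last success or reset
  let pressStart = null; // timestamp of the press in progress, or null
  let unlocked = false;

  // Uniform integer in [lo, hi] from the injected random source.
  function randInt(lo, hi) {
    return lo + Math.floor(random() * (hi - lo + 1));
  }

  // Build a fresh question each time the gate is shown. The operands are chosen so
  // subtraction never goes negative (a is always >= b).
  function newChallenge() {
    const ops = ["+", "-", "×"];
    const op = ops[randInt(0, ops.length - 1)];
    const a = randInt(10, 50);
    const b = randInt(2, 9);
    const answer = op === "+" ? a + b : op === "-" ? a - b : a * b;
    current = { text: `What is ${a} ${op} ${b}?`, answer };
    return current.text;
  }

  // Check a typed answer. Accepts digits with surrounding whitespace only. A wrong
  // answer discards the question so the next try must answer a new one; after
  // maxAttempts wrong answers the gate stays locked until reset() is called.
  function checkAnswer(input) {
    if (failures >= maxAttempts) return { ok: false, reason: "locked" };
    if (!current) return { ok: false, reason: "no_challenge" };
    const wellFormed = /^\s*\d+\s*$/.test(String(input));
    if (wellFormed && Number(input) === current.answer) {
      unlocked = true;
      failures = 0;
      current = null;
      return { ok: true };
    }
    failures += 1;
    current = null;
    return { ok: false, reason: failures >= maxAttempts ? "locked" : "wrong" };
  }

  // Press-and-hold gate: the control must be held for at least holdMs.
  function press() { pressStart = now(); }
  function release() {
    if (pressStart === null) return false;
    const held = now() - pressStart;
    pressStart = null;
    if (held >= holdMs) unlocked = true;
    return held >= holdMs;
  }

  function isUnlocked() { return unlocked; }
  function lock() { unlocked = false; }           // e.g. when the parents' section is closed
  function reset() { failures = 0; current = null; } // e.g. after a cool-down period

  return { newChallenge, checkAnswer, press, release, isUnlocked, lock, reset };
}
```

The gate runs entirely on the device, so it only raises the effort needed to reach purchases or external links; it does nothing to satisfy the verifiable parental consent methods described earlier, which are still required before any personal information is collected.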

Here's an example from Apple itself:

Apple Parental Gates example of simple instructions - COPPA

Moms With Apps showcases various screenshots of iOS apps that implement these techniques to prevent kids from entering special sections of an app:

Moms With Apps Screenshot

You can even disclose your Parental Gate in your Privacy Policy, as Avokiddo has done here:

Avokiddo Privacy Policy: Parental Gate clause for COPPA

To summarize what you need to do in order to be compliant with COPPA:

  • You must have a Privacy Policy on your website or mobile app, accessible at any time
  • Follow COPPA's compliance guidelines on how to design your website or mobile app to get parents' consent when needed
  • Implement "parental gate" techniques in your mobile apps to prevent kids from accessing special sections of your app, e.g. in-app purchases

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
