Last updated on 20 May 2022 by Jocelyn Mackie (Former civil litigation attorney. Content legal strategist at TermsFeed)
The Children's Online Privacy Protection Act (COPPA) sets the rules and standards for websites and apps that provide services to children in the U.S.
The "COPPA" acronym refers to both the "Children's Online Privacy Protection Act" and "Children's Online Privacy Protection Rule." Both set forth the requirements for businesses that provide services, games, and websites specifically for children under 13 years old.
The U.S. Congress passed the COPPA Act in 1998. It's enforced by the Federal Trade Commission (FTC).
COPPA contains a list of requirements regarding the management of children's personal information once a business collects it. Other provisions of this act restrict the access that minors can have to the website or app materials, often requiring a parental birthdate verification process before access is granted.
This verification process exists primarily as a means for parents to enforce their children's privacy interests online.
If you have actual knowledge that your website or app collects data from children under 13, you're required to comply with COPPA.
The same is true if your general audience includes children under 13, even if you use a parental verification process rather than collect information directly from children.
To play it safe, assume COPPA is relevant if you believe any user who finds your website or app is likely to be under the age of thirteen.
Once you determine that you fall under COPPA, you are bound by additional privacy requirements.
In addition to any other laws you must follow, you must also:
Many of these requirements are not much different from other privacy requirements and standards.
The main differences are:
That link from the profile page takes users to Disney Jr.'s mobile website:
From this "Privacy Center" of the Walt Disney Company, users can find another link to children's privacy provisions:
One way to do this is through a "Table of Contents" section.
However, it contains a direct link to what is likely the most important part of COPPA requirements -- parents' access to data.
The primary goal of COPPA is to empower parents with knowledge about how their children's information is collected and used.
Nick Jr. acknowledges that it collects information from children under age 13. It also indicates adherence to COPPA:
PBS Kids does not mention COPPA explicitly; however, there is an acknowledgment regarding the collection and use of children's information:
Another step you may find necessary is to indicate which websites and apps fall under COPPA.
Nick Jr. offers a list of its websites that fall under COPPA requirements:
Hasbro indicates that parents can request a copy of this list by emailing Hasbro:
The purpose is to make it clear that you realize your users include children under 13 and that you collect their data.
You may also take the additional step to inform parents which of your websites, apps and games fall under COPPA.
Verifying parental consent is often the most difficult part for businesses that must comply with COPPA.
Sprout provides online games for children. Children have access to its games but the website does not collect information from them.
Sprout's games do not require a sign-in from children. Sign-in is a function of Sprout's website only for parents to use and set up an account with a username and password. This provides the needed parental consent:
Personal information regarding children, such as birthdates and locations, is only provided by parents, which also indicates consent:
Disney Jr. is also thorough when it comes to parental consent and verification.
It requests a parent's email address when children set up accounts. In some cases, credit card numbers are required. If a child's information is collected by the website, the parent receives a notification:
COPPA prohibits businesses from disclosing children's information to third parties unless it's required for the business to operate its websites or apps.
This is similar to the Hasbro example. Just as parents must be informed that data is collected, the same kind of notice must also be provided to parents if you disclose data to third parties.
Disney Jr. is slightly more involved, likely because it's a well-known provider of children's entertainment and it's located in California, which has strict privacy laws.
Hasbro is the least detailed. Its Privacy Policy incorporates its general third-party disclosure provision while being clear that it affects children's data as well:
User-generated content can create a challenge for many websites and apps when it comes to handling personal information in the content.
User-generated content becomes more complicated when your app or website caters to children.
It also indicates different levels of consent by parents and in some cases provides an email notification when a child's personal data is necessary. Teachers can also stand in for parents on these projects if they are linked to a school-based activity:
If you allow "child-generated content," create a process that allows for parental involvement in the content generation, or at least notice when a child generates content.
Parents can request information or deny future access to collected information and your business must provide a process for this. Failure to do so puts you in conflict with COPPA.
Disney Jr. maintains an extensive process for parental involvement. Parents can access their children's data to change it or contact Disney's Guest Services to request deletion of data:
Hasbro also makes it clear to parents that they have access to collected children's data. Review, collection, and deletion are all possible by contacting Hasbro Consumer Care:
PBS Kids describes the right of parents to access and change data:
You may wish to consider providing a separate email address for addressing children's privacy issues. Since the legal impacts of COPPA are often serious, you don't want these requests buried in a general email box.
PBS Kids takes this approach:
More specific Privacy Templates are available on our blog.