Jocelyn Mackie
Former civil litigation attorney. Content legal strategist at TermsFeed.
On this page
- 1. About COPPA Privacy Law
- 2. How to Create a COPPA-Compliant Privacy Policy
- 2.1. Where to Place the COPPA Privacy Policy
- 2.2. Clauses for a COPPA-Compliant Privacy Policy
- 2.2.1. Children's Privacy
- 2.2.2. Notice of COPPA obligations
- 2.2.3. Parental consent
- 2.2.4. Third party disclosure
- 2.2.5. Child-generated content
- 2.2.6. Parent enforcement rights
- 2.2.7. Contact information
- 3. Download Sample COPPA Privacy Policy Template
- 3.1. Sample COPPA Privacy Policy Template (HTML Text Download)
- 3.2. Sample COPPA Privacy Policy Template (PDF Download)
- 3.3. Sample COPPA Privacy Policy Template (Word DOCX Download)
- 3.4. Sample COPPA Privacy Policy Template (Google Docs)
- 3.5. More Privacy Policy Templates
If you create websites, apps or games for children under 13 years of age, you face additional requirements for your Privacy Policy agreement and your business policies on user data than you would if you had an adult-tailored product.
The Children's Online Privacy Protection Act (COPPA) sets the rules and standards for websites and apps that provide services to children in the U.S.
This article addresses the requirements of the COPPA act and how to create a Privacy Policy that complies with these requirements. We've also put together a Sample COPPA Privacy Policy Template that you can use to help write your own.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
About COPPA Privacy Law
The "COPPA" acronym refers to both the "Children's Online Privacy Protection Act" and "Children's Online Privacy Protection Rule." Both set forth the requirements for businesses that provide services, games, and websites specifically for children under 13 years old.
The U.S. Congress passed the COPPA Act in 1998. It's enforced by the Federal Trade Commission (FTC).
COPPA contains a list of requirements regarding the management of children's personal information once a business collects it. Other provisions of this act restrict the access that minors can have to the website or app materials, often requiring a parental birthdate verification process before access is granted.
This verification process exists primarily as a means for parents to enforce their children's' privacy interests online.
If you have actual knowledge that your website or app collects data from children under 13, you're required to comply with COPPA.
The same is true if your general audience includes children under 13, even if you use a parental verification process rather than collect information directly from children.
To play it safe, assume COPPA is relevant if you believe any user who finds your website or app is likely to be under the age of thirteen.
Once you determine that you fall under COPPA, you are bound by additional privacy requirements.
In addition to any other laws you must follow, you must also:
- Post a clear and conspicuous Privacy Policy describing your privacy practices, including those used with children,
- Develop a notice process for parents,
- Give parents the choice of consenting to the collection of children's information,
- Never disclose children's information to third parties unless it's necessary for your business to work. Make this clear to parents,
- Develop a process that allows parents to review or change a child's information or request that you delete it,
- Allow parents to prevent further use and collection of a child's information,
- Take reasonable steps to assure the security of children's information, and
- Retain information on children for only as long as necessary.
Many of these requirements are not much different than other privacy requirements and standards.
The main differences are:
- The additional parental consent and notice procedures, and
- The additional clauses that are required to be included in your Privacy Policy
How to Create a COPPA-Compliant Privacy Policy
COPPA provisions can be in your current Privacy Policy - as long as you clearly label these provisions in the legal agreement. If you feel safer doing so, you can also draft a separate "COPPA-Compliant Privacy Policy."
Where to Place the COPPA Privacy Policy
Users should find your "COPPA-Compliant Privacy Policy" the same way as they find your other agreements: Easily.
Disney Jr. created a separate COPPA Privacy Policy and it's linked at the bottom of its web pages:
Nick Jr. includes COPPA provisions in its general Privacy Policy agreement. To access the agreement and read the provisions, users can visit the link at the bottom of the page:
PBS Kids offers a more involved approach to finding the Privacy Policy and the related COPPA provisions.
Rather than maintain the Privacy Policy page on the children's page, it keeps the agreement on a page reserved for parents. Accessing the page requires first hitting the link for parents at the top of the page:
Then, once the user is in the parents' page, there are links that point to the Privacy Policy of PBS Kids:
The Privacy Policy links should be easy to find through your mobile apps as they are through your website. With Disney Jr., the Privacy Policy is linked from its Apple App Store profile page:
That link from the profile page takes users to Disney Jr.'s mobile website:
From this "Privacy Center" of the Walt Disney Company, users can find another link to children's privacy provisions:
Clauses for a COPPA-Compliant Privacy Policy
Children's Privacy
You need to be clear that children's privacy is being addressed in your COPPA-compliant Privacy Policy.
One way to do this is through a "Table of Contents" section.
Hasbro takes this approach with its Privacy Policy. Notice the clear plain language that makes the "Children's Privacy" provisions easily found by parents in the policy:
Nick Jr. only includes a quick reference in its "Table of Contents", likely because its Privacy Policy mentions both adults and children throughout the agreement.
However, it contains a direct link to what is likely the most important part of COPPA requirements -- parent's access to data.
Notice of COPPA obligations
The primary goal of COPPA is to empower parents with knowledge about how their children's information is collected and used.
Consent from parents is required in most cases and one way to assure that consent is given is to provide a notice. This is frequently done at the beginning of a Privacy Policy agreement.
Nick Jr. acknowledges that it collects information from children under age 13. It also indicates adherence to COPPA:
PBS Kids does not mention COPPA explicitly, however there is an acknowledgment regarding the collection and use of children's information:
Another step you may find necessary is to indicate which websites and apps fall under COPPA.
Nick Jr. offers a list of its websites that fall under COPPA requirements:
Hasbro indicates that parents can request a copy of this list by emailing Hasbro:
The purpose is to make it clear that you realize your users include children under 13 and that you collect their data.
You may also take the additional step to inform parents which of your websites, apps and games fall under COPPA.
Parental consent
Verifying parental consent is often the most difficult part for businesses that must comply with COPPA.
Sprout provides online games for children. Children have access to its games but the website does not collect information from them.
Sprout make that clear in their Privacy Policy agreement:
Sprout's games do not require a sign-in from children. Sign-in is a function of Sprout's website only for parents to use and set up an account with a username and password. This provides the needed parental consent:
Personal information regarding children, such as birthdates and locations, are only provided by parents, which also indicates consent:
Disney Jr. is also thorough when it comes to parental consent and verification.
It requests a parent's email address when children set up accounts. In some cases, credit card numbers are required. If a child's information is collected by the website, the parent receives a notification:
Hasbro also uses the notice approach. Its Privacy Policy explains this:
Third party disclosure
COPPA prohibits businesses from disclosing children's information to third parties unless it's required for the business to operate its websites or apps.
This is similar to the Hasbro example. Just as parents must be informed that data is collected, the same kind of notice must also be provided to parents if you disclose data to third parties.
PBS Kids offers disclosure provisions that could fit into any Privacy Policy. However, notice how it addresses children directly:
Disney Jr. is slightly more involved, likely because it's a well-known provider of children's entertainment and it's located in California, which has strict privacy laws.
Disney's Privacy Policy mentions "high level verification" (which requires a parent's email address) and discusses this disclosure in detail:
Hasbro is the least detailed. Its Privacy Policies incorporates its general third party disclosure provision while being clear it affects children's data as well:
Child-generated content
User-generated content can create a challenge for many websites and apps when it comes to handling personal information in the content.
User-generated content becomes more complicated when your app or website caters to children.
Disney's approach in its Privacy Policy is to request only the necessary information and delete any excess data in user-generated content.
It also indicates different levels of consent by parents and in some cases provides an email notification when a child's personal data is necessary. Teachers can also stand in for parents on these projects if they are linked to a school-based activity:
If you allow "child-generated content," create a process that allows for parental involvement in the content generation, or at least notice when a child generates content.
Parent enforcement rights
Parents can request information or deny future access to collected information and your business must provide a process for this. Failure to do so puts you in conflict with COPPA.
Disney Jr. maintains an extensive process for parental involvement. Parents can access their children's data to change it or contact Disney's Guest Services to request deletion of data:
Hasbro also makes it clear to parents that they have access to collected children's data. Review, collection, and deletion is all possible by contacting Hasbro Consumer Care:
PBS Kids describes the right of parents to access and change data:
Contact information
If you don't have your business contact information anywhere in your Privacy Policy, add the information at the end of the policy. This placement is typical with most Privacy Policies.
You may wish to consider providing a separate email address for addressing children's privacy issues. Since the legal impacts of COPPA are often serious, you don't want these requests buried in a general email box.
PBS Kids takes this approach:
You can adjust your current Privacy Policy to address COPPA requirements with a few adjustments.
Download Sample COPPA Privacy Policy Template
Generate a Privacy Policy in just a few minutes
Our Sample COPPA Privacy Policy is available for download, for free. The template includes these sections:
- Definitions
- Collecting and Using Personal Information
- Usage Data
- Use of Personal Information
- Transfer of Personal Information
- Disclosure of Personal Information
- Security of Personal Information
- Detailed Information on the Processing of Your Personal Data
-
Children's Privacy
- Information Collected from Children Under the Age of 13
- Parental Access
- Links to Other Websites
- Changes to Privacy Policy
- Contact Information
Sample COPPA Privacy Policy Template (HTML Text Download)
You can download the Sample COPPA Privacy Policy Template as HTML code below. Copy it from the box field below (right-click > Select All and then Copy-paste) and then paste it on your website pages.
Sample COPPA Privacy Policy Template (PDF Download)
Download the Sample COPPA Privacy Policy Template as a PDF file
Sample COPPA Privacy Policy Template (Word DOCX Download)
Download the Sample COPPA Privacy Policy Template as a Word DOCX file
Sample COPPA Privacy Policy Template (Google Docs)
Download the Sample COPPA Privacy Policy Template as a Google Docs document
More Privacy Policy Templates
More specific Privacy Templates are available on our blog.
Sample Privacy Policy Template | A Privacy Policy Template for all sorts of websites, apps and businesses. |
Sample Mobile App Privacy Policy Template | A Privacy Policy Template for mobile apps on Apple App Store or Google Play Store. |
Sample GDPR Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with GDPR. |
Sample CCPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with CCPA. |
Sample California Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA). |
Sample Virginia VCDPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with Virginia's VCDPA. |
Sample PIPEDA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with Canada's PIPEDA. |
Sample Ecommerce Privacy Policy Template | A Privacy Policy Template for ecommerce businesses. |
Small Business Privacy Policy Template | A Privacy Policy Template for small businesses. |
Privacy Policy for Google Analytics (Sample) | A Privacy Policy Template for businesses that use Google Analytics. |
Sample CalOPPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's CalOPPA. |
Sample SaaS Privacy Policy Template | A Privacy Policy Template for SaaS businesses. |
Sample COPPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's COPPA. |
Sample CPRA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's CPRA. |
Blog Privacy Policy Sample | A Privacy Policy Template for blogs. |
Sample Email Marketing Privacy Policy Template | A Privacy Policy Template for businesses that use email marketing. |