Former civil litigation attorney. Content legal strategist at TermsFeed.
On this page
- 1. About COPPA Privacy Law
- 2.2.1. Children's Privacy
- 2.2.2. Notice of COPPA obligations
- 2.2.3. Parental consent
- 2.2.4. Third party disclosure
- 2.2.5. Child-generated content
- 2.2.6. Parent enforcement rights
- 2.2.7. Contact information
The Children's Online Privacy Protection Act (COPPA) sets the rules and standards for websites and apps that provide services to children in the U.S.
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
About COPPA Privacy Law
The "COPPA" acronym refers to both the "Children's Online Privacy Protection Act" and "Children's Online Privacy Protection Rule." Both set forth the requirements for businesses that provide services, games, and websites specifically for children under 13 years old.
The U.S. Congress passed the COPPA Act in 1998. It's enforced by the Federal Trade Commission (FTC).
COPPA contains a list of requirements regarding the management of children's personal information once a business collects it. Other provisions of this act restrict the access that minors can have to the website or app materials, often requiring a parental birthdate verification process before access is granted.
This verification process exists primarily as a means for parents to enforce their children's' privacy interests online.
If you have actual knowledge that your website or app collects data from children under 13, you're required to comply with COPPA.
The same is true if your general audience includes children under 13, even if you use a parental verification process rather than collect information directly from children.
To play it safe, assume COPPA is relevant if you believe any user who finds your website or app is likely to be under the age of thirteen.
Once you determine that you fall under COPPA, you are bound by additional privacy requirements.
In addition to any other laws you must follow, you must also:
- Develop a notice process for parents,
- Give parents the choice of consenting to the collection of children's information,
- Never disclose children's information to third parties unless it's necessary for your business to work. Make this clear to parents,
- Develop a process that allows parents to review or change a child's information or request that you delete it,
- Allow parents to prevent further use and collection of a child's information,
- Take reasonable steps to assure the security of children's information, and
- Retain information on children for only as long as necessary.
Many of these requirements are not much different than other privacy requirements and standards.
The main differences are:
- The additional parental consent and notice procedures, and
That link from the profile page takes users to Disney Jr.'s mobile website:
From this "Privacy Center" of the Walt Disney Company, users can find another link to children's privacy provisions:
One way to do this is through a "Table of Contents" section.
However, it contains a direct link to what is likely the most important part of COPPA requirements -- parent's access to data.
Notice of COPPA obligations
The primary goal of COPPA is to empower parents with knowledge about how their children's information is collected and used.
Nick Jr. acknowledges that it collects information from children under age 13. It also indicates adherence to COPPA:
PBS Kids does not mention COPPA explicitly, however there is an acknowledgment regarding the collection and use of children's information:
Another step you may find necessary is to indicate which websites and apps fall under COPPA.
Nick Jr. offers a list of its websites that fall under COPPA requirements:
Hasbro indicates that parents can request a copy of this list by emailing Hasbro:
The purpose is to make it clear that you realize your users include children under 13 and that you collect their data.
You may also take the additional step to inform parents which of your websites, apps and games fall under COPPA.
Verifying parental consent is often the most difficult part for businesses that must comply with COPPA.
Sprout provides online games for children. Children have access to its games but the website does not collect information from them.
Sprout's games do not require a sign-in from children. Sign-in is a function of Sprout's website only for parents to use and set up an account with a username and password. This provides the needed parental consent:
Personal information regarding children, such as birthdates and locations, are only provided by parents, which also indicates consent:
Disney Jr. is also thorough when it comes to parental consent and verification.
It requests a parent's email address when children set up accounts. In some cases, credit card numbers are required. If a child's information is collected by the website, the parent receives a notification:
Third party disclosure
COPPA prohibits businesses from disclosing children's information to third parties unless it's required for the business to operate its websites or apps.
This is similar to the Hasbro example. Just as parents must be informed that data is collected, the same kind of notice must also be provided to parents if you disclose data to third parties.
Disney Jr. is slightly more involved, likely because it's a well-known provider of children's entertainment and it's located in California, which has strict privacy laws.
Hasbro is the least detailed. Its Privacy Policies incorporates its general third party disclosure provision while being clear it affects children's data as well:
User-generated content can create a challenge for many websites and apps when it comes to handling personal information in the content.
User-generated content becomes more complicated when your app or website caters to children.
It also indicates different levels of consent by parents and in some cases provides an email notification when a child's personal data is necessary. Teachers can also stand in for parents on these projects if they are linked to a school-based activity:
If you allow "child-generated content," create a process that allows for parental involvement in the content generation, or at least notice when a child generates content.
Parent enforcement rights
Parents can request information or deny future access to collected information and your business must provide a process for this. Failure to do so puts you in conflict with COPPA.
Disney Jr. maintains an extensive process for parental involvement. Parents can access their children's data to change it or contact Disney's Guest Services to request deletion of data:
Hasbro also makes it clear to parents that they have access to collected children's data. Review, collection, and deletion is all possible by contacting Hasbro Consumer Care:
PBS Kids describes the right of parents to access and change data:
You may wish to consider providing a separate email address for addressing children's privacy issues. Since the legal impacts of COPPA are often serious, you don't want these requests buried in a general email box.
PBS Kids takes this approach:
- Collecting and Using Personal Information
- Usage Data
- Use of Personal Information
- Transfer of Personal Information
- Disclosure of Personal Information
- Security of Personal Information
- Detailed Information on the Processing of Your Personal Data
- Information Collected from Children Under the Age of 13
- Parental Access
- Links to Other Websites
- Contact Information
More specific Privacy Templates are available on our blog.