When it comes to the collection of personal information from children under 13, the Children’s Online Privacy Protection Act puts parents in control.  The Federal Trade Commission, the nation’s consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online.  For example, if your company is covered by COPPA, you need to have certain information in your privacy policy and get parental consent before collecting some types of information from kids under 13. 

Violations can result in law enforcement actions, including civil penalties, so compliance counts.

Here’s a step-by-step plan for determining if your company is covered by COPPA — and what to do to comply with the Rule.

Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.

COPPA doesn’t apply to everyone operating a website or other online service.  Put simply, COPPA applies to operators of websites and online services that collect personal information from kids under 13. Here’s a more specific way of determining if COPPA applies to you.  You must comply with COPPA if:

Your website or online service is directed to children under 13 and you collect personal information from them.

OR

Your website or online service is directed to children under 13 and you let others collect personal information from them.

OR

Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.

OR

Your company runs an ad network or plug-in, for example, and you have actual knowledge that you collect personal information directly from users of a website or service directed to children under 13.

To determine if you’re covered by COPPA, look at how the Rule defines some key terms.

“Website or online service”

In addition to websites, online services covered by the Rule include:

  • mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads)
  • internet-enabled gaming platforms
  • plug-ins
  • advertising networks
  • internet-enabled location-based services
  • voice-over internet protocol services
  • connected toys or other Internet of Things devices.

“Directed to children under 13”

The FTC looks at a variety of factors to see if a site or service is directed to children under 13, including the subject matter of the site or service, visual and audio content, the use of animated characters or other child-oriented activities and incentives, the age of models, the presence of child celebrities or celebrities who appeal to kids, ads on the site or service that are directed to children, and evidence about the age of the actual or intended audience, including marketing or promotional materials or plans, representations to consumers or to third parties, reviews by users or third parties, and the age of users on similar websites or services. If your site or service is “directed to children under 13” based on those factors but doesn’t target children as its primary audience — a “mixed audience” site or service — you may choose to apply COPPA protections only to users under age 13. If that’s what you decide to do, you must not collect personal information from any users without first collecting age information or using another means that is reasonably calculated to determine whether a visitor is a child. For users who say they are under age 13, unless an exception applies, don’t collect any personal information until you have obtained verifiable parental consent.

“Personal information”

Each of these is considered personal information under COPPA:

  • first and last name;
  • home or other physical address, including street name and city or town;
  • online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, video chat identifier, or a mobile telephone number (a Rule exception allows you to collect a mobile number without first obtaining parental consent, if you use it only to send text messages to a parent to seek parental consent);
  • screen name or user name where it functions as online contact information;
  • telephone number;
  • a government-issued identifier, such as a Social Security, State identification card, birth certificate, or passport number;
  • a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier;
  • a photo, video, or audio file containing a child’s image or voice;
  • geolocation information sufficient to identify a street name and city or town;
  • a biometric identifier that can be used for the automated or semi-automated recognition of an individual; or
  • other information about the child or parent that is collected from the child and is combined with one of these identifiers.

“Collect”

Under COPPA, you’re collecting information if you:

  • request, prompt, or encourage the submission of information, even if it’s optional;
  • let information be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records; or
  • passively track a child online.

If another company collects personal information through your child-directed site or service — through an ad network or plug-in, for example — you’re responsible for complying with COPPA.  If you have actual knowledge that you’re collecting personal information directly from users of a child-directed site or service, you’re responsible for complying with COPPA, too.

Step 2: Post a Privacy Policy that Complies with COPPA.

Assuming you’re covered by COPPA, the next step is to post a privacy policy.  It must clearly and comprehensively describe how personal information collected online from kids under 13 is handled.  The notice must describe not only your practices, but also the practices of any others collecting personal information on your site or service — for example, plug-ins or ad networks.

Include a link to your privacy policy on your homepage and anywhere you collect personal information from children.  If you operate a site or service directed to a general audience, but have a separate section for kids, post a link to your privacy policy on the homepage of the kids’ part of your site or service.

Make those links clear and prominent. Consider using a larger font or a different color type on a contrasting background. A fine print link at the bottom of the page or a link that isn’t distinguishable from other links on your site won’t do the trick.

To comply with COPPA, your privacy policy should be clear and easy to read. Don’t add any unrelated or confusing information. Here’s what your policy must include:

  • A list of all operators collecting personal information. Name each third party operator, such as an advertising network or social network plug-in, that collects or maintains children’s personal information through your site or service. For each, include a name and contact information (address, telephone number, and email address). If more than one is collecting information, it’s okay to give contact information for only one as long as that company will respond to all inquiries from parents about your site or service’s practices. Even so, you still have to list all third parties in your privacy policy.
  • A description of the personal information collected and how it’s used. Your policy must describe:
    • the types of personal information collected from children (for example, name, address, email address, etc., and information combined with those identifiers such as hobbies);
    • how the personal information will be used (for example, for marketing to the child, notifying contest winners, or allowing the child to make information publicly available); and
    • whether you disclose personal information collected from kids to third parties and if so, the identities and specific categories of third parties (for example, ad networks) and the purposes for the disclosures. Know that in certain circumstances service providers are not considered “third parties.”
  • Your data retention policy. Your privacy policy must set forth the purposes for which you collect children’s personal information, the business need to retain it, and a timeframe for deletion. You cannot retain personal information collected from a child indefinitely.
  • A description of parental rights. Your privacy policy must tell parents that the parent can review or delete the child’s personal information and refuse to permit further collection or use of that information, and state the procedures for doing so.

In certain circumstances you can collect a narrow class of personal information, such as audio files containing a child’s voice, without getting parental consent. In those circumstances you may still have to give parents notice in your privacy policy.

Step 3: Notify Parents Directly About Your Information Practices Before Collecting Personal Information from Their Kids.

COPPA requires that you give parents “direct notice” of your information practices before collecting information from their kids. In addition, if you make a material change to the practices parents previously agreed to, you have to send an updated direct notice.

The notice should be clear and easy to read. Don’t include any unrelated or confusing information. The notice must tell parents:

  • that you collected their online contact information for the purpose of getting their consent;
  • that you want to collect personal information from their child;
  • that their consent is required for the collection, use, and disclosure of the information;
  • the specific personal information you want to collect, how you intend to use the information, and how (and for what purposes) it might be disclosed to others;
  • a link to your online privacy policy;
  • how the parent can give their consent; and
  • that if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records.

If you disclose kids’ personal information to third parties, you need to identify those parties — or the specific categories of third parties — and the purposes for the disclosure. You also need to give the parent the option to give consent to other practices without consenting to disclosure of the child’s information, unless that disclosure is integral to your site or service.

In certain circumstances you can collect a narrow class of personal information without getting parental consent — see Step 4. But you may still have to give parents direct notice of your practices. 

Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.

Before collecting, using or disclosing personal information from a child, you must get their parent’s verifiable consent. How do you get that?  COPPA leaves it up to you, but it’s important to choose a method reasonably designed in light of available technology to ensure that the person giving the consent is the child’s parent. If you have actual knowledge that you’re collecting personal information directly from a site or service that is directed to children, you may get consent directly or through the child-directed site or service.

Acceptable methods include having the parent:

  • sign a consent form and send it back to you via fax, mail, or electronic scan;
  • use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder;
  • call a toll-free number staffed by trained personnel;
  • connect to trained personnel via a video conference;
  • provide a copy of a form of government-issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process;
  • answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer; or
  • submit a photo of a driver’s license or other photo ID that you verify is authentic. You then compare that photo to a second photo submitted by the parent that you use facial recognition technology to confirm matches the first photo. You must delete the photos from your records after confirming the match.

If you will use a child’s personal information only for internal purposes and won’t disclose it, you may send an email or text message to the parent and have them respond with their consent. Then you must send a confirmation to the parent via that same method — or confirm through a letter or phone call. You must also let the parent know they can revoke their consent any time. 

You must give parents the option of allowing the collection and use of their child’s personal information without agreeing to disclosing that information to third parties. You also need to obtain separate verifiable parental consent for third-party disclosures, unless that disclosure is integral to your site or service. If you make changes to the collection, use, or disclosure practices the parent already agreed to, you must send the parent a new notice and get their consent.

Section 312.5 of the COPPA Rule sets out narrow exceptions to the general rule that you must get parental consent before collecting personal information from kids. For example, you can collect online contact information to respond to a specific request from a child, such as to answer a question posed by the child. Even if you fall within an exception to the consent requirement, you still may have notice requirements.

Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.

Even if parents have agreed that you may collect information from their kids, parents have ongoing rights — and you have continuing obligations.

If a parent asks, you must:

  • give them a way to review the personal information collected from their child;
  • give them a way to revoke their consent and refuse the further use or collection of personal information from their child; and
  • delete their child’s personal information.

Any time you’re communicating with a parent about personal information already collected from their child, take reasonable steps to ensure you’re dealing with the child’s parent. At the same time, make sure the method you use to give parents access to information collected from their kids isn’t unduly burdensome on the parent. It may be okay to terminate a service to a child if the parent revokes consent, but only if the information at issue is reasonably necessary for the child’s participation in that activity.

Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information and Implement Retention and Deletion Procedures.

COPPA requires you to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. You need to have a written information security program and implement safeguards that are appropriate to the sensitivity of the personal information, your size and complexity, and the nature and scope of your activities. Take reasonable steps to release personal information only to service providers and third parties capable of maintaining the confidentiality, security, and integrity of the information. Get written assurances they’ll live up to those responsibilities.

You also need to establish and maintain a written data retention and deletion policy for personal information collected from children. Minimize what you collect in the first place. Hold on to personal information only as long as is reasonably necessary for the specific purpose for which it was collected and not indefinitely. Securely dispose of it once you no longer have a legitimate reason for retaining it. Include your data retention policy in your privacy policy.

Looking for more about the Children’s Online Privacy Protection Rule? Visit the Children’s Privacy page of the FTC’s Business Center. For additional advice, read Complying with COPPA: Frequently Asked Questions. Email us at COPPAhotline@ftc.gov if you have other questions.

Your opportunity to comment

The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency’s responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman