If you create websites, apps or games for children under 13 years of age, you face additional requirements for your Privacy Policy agreement and your business policies on user data than you would if you had an adult-tailored product.
The Children's Online Privacy Protection Act (COPPA) sets the rules and standards for websites and apps that provide services to children in the U.S.
This article addresses the requirements of the COPPA act and how to create a Privacy Policy that complies with these requirements. We've also put together a Sample COPPA Privacy Policy Template that you can use to help write your own.
The "COPPA" acronym refers to both the "Children's Online Privacy Protection Act" and "Children's Online Privacy Protection Rule." Both set forth the requirements for businesses that provide services, games, and websites specifically for children under 13 years old.
The U.S. Congress passed the COPPA Act in 1998. It's enforced by the Federal Trade Commission (FTC).
COPPA contains a list of requirements regarding the management of children's personal information once a business collects it. Other provisions of this act restrict the access that minors can have to the website or app materials, often requiring a parental birthdate verification process before access is granted.
This verification process exists primarily as a means for parents to enforce their children's privacy interests online.
If you have actual knowledge that your website or app collects data from children under 13, you're required to comply with COPPA.
The same is true if your general audience includes children under 13, even if you use a parental verification process rather than collect information directly from children.
To play it safe, assume COPPA is relevant if you believe any user who finds your website or app is likely to be under the age of thirteen.
Once you determine that you fall under COPPA, you are bound by additional privacy requirements.
In addition to any other laws you must follow, you must also:
Many of these requirements are not much different than other privacy requirements and standards.
The main differences are:
COPPA provisions can be in your current Privacy Policy - as long as you clearly label these provisions in the legal agreement. If you feel safer doing so, you can also draft a separate "COPPA-Compliant Privacy Policy."
Users should find your "COPPA-Compliant Privacy Policy" the same way as they find your other agreements: Easily.
Disney Jr. created a separate COPPA Privacy Policy and it's linked at the bottom of its web pages:
Nick Jr. includes COPPA provisions in its general Privacy Policy agreement. To access the agreement and read the provisions, users can visit the link at the bottom of the page:
PBS Kids offers a more involved approach to finding the Privacy Policy and the related COPPA provisions.
Rather than maintain the Privacy Policy page on the children's page, it keeps the agreement on a page reserved for parents. Accessing the page requires first hitting the link for parents at the top of the page:
Then, once the user is in the parents' page, there are links that point to the Privacy Policy of PBS Kids:
The Privacy Policy links should be as easy to find through your mobile apps as they are through your website. With Disney Jr., the Privacy Policy is linked from its Apple App Store profile page:
That link from the profile page takes users to Disney Jr.'s mobile website:
From this "Privacy Center" of the Walt Disney Company, users can find another link to children's privacy provisions:
You need to be clear that children's privacy is being addressed in your COPPA-compliant Privacy Policy.
One way to do this is through a "Table of Contents" section.
Hasbro takes this approach with its Privacy Policy. Notice the clear plain language that makes the "Children's Privacy" provisions easily found by parents in the policy:
Nick Jr. only includes a quick reference in its "Table of Contents", likely because its Privacy Policy mentions both adults and children throughout the agreement.
However, it contains a direct link to what is likely the most important part of COPPA requirements -- parents' access to data.
The primary goal of COPPA is to empower parents with knowledge about how their children's information is collected and used.
Consent from parents is required in most cases and one way to assure that consent is given is to provide a notice. This is frequently done at the beginning of a Privacy Policy agreement.
Nick Jr. acknowledges that it collects information from children under age 13. It also indicates adherence to COPPA:
PBS Kids does not mention COPPA explicitly; however, there is an acknowledgment regarding the collection and use of children's information:
Another step you may find necessary is to indicate which websites and apps fall under COPPA.
Nick Jr. offers a list of its websites that fall under COPPA requirements:
Hasbro indicates that parents can request a copy of this list by emailing Hasbro:
The purpose is to make it clear that you realize your users include children under 13 and that you collect their data.
You may also take the additional step to inform parents which of your websites, apps and games fall under COPPA.
Verifying parental consent is often the most difficult part for businesses that must comply with COPPA.
Sprout provides online games for children. Children have access to its games but the website does not collect information from them.
Sprout makes that clear in its Privacy Policy agreement:
Sprout's games do not require a sign-in from children. Sign-in is a function of Sprout's website only for parents to use and set up an account with a username and password. This provides the needed parental consent:
Personal information regarding children, such as birthdates and locations, is only provided by parents, which also indicates consent:
Disney Jr. is also thorough when it comes to parental consent and verification.
It requests a parent's email address when children set up accounts. In some cases, credit card numbers are required. If a child's information is collected by the website, the parent receives a notification:
Hasbro also uses the notice approach. Its Privacy Policy explains this:
COPPA prohibits businesses from disclosing children's information to third parties unless it's required for the business to operate its websites or apps.
This is similar to the Hasbro example. Just as parents must be informed that data is collected, the same kind of notice must also be provided to parents if you disclose data to third parties.
PBS Kids offers disclosure provisions that could fit into any Privacy Policy. However, notice how it addresses children directly:
Disney Jr. is slightly more involved, likely because it's a well-known provider of children's entertainment and it's located in California, which has strict privacy laws.
Disney's Privacy Policy mentions "high level verification" (which requires a parent's email address) and discusses this disclosure in detail:
Hasbro is the least detailed. Its Privacy Policy incorporates its general third party disclosure provision while being clear it affects children's data as well:
User-generated content can create a challenge for many websites and apps when it comes to handling personal information in the content.
User-generated content becomes more complicated when your app or website caters to children.
Disney's approach in its Privacy Policy is to request only the necessary information and delete any excess data in user-generated content.
It also indicates different levels of consent by parents and in some cases provides an email notification when a child's personal data is necessary. Teachers can also stand in for parents on these projects if they are linked to a school-based activity:
If you allow "child-generated content," create a process that allows for parental involvement in the content generation, or at least notice when a child generates content.
Parents can request information or deny future access to collected information and your business must provide a process for this. Failure to do so puts you in conflict with COPPA.
Disney Jr. maintains an extensive process for parental involvement. Parents can access their children's data to change it or contact Disney's Guest Services to request deletion of data:
Hasbro also makes it clear to parents that they have access to collected children's data. Review, collection, and deletion are all possible by contacting Hasbro Consumer Care:
PBS Kids describes the right of parents to access and change data:
If you don't have your business contact information anywhere in your Privacy Policy, add the information at the end of the policy. This placement is typical with most Privacy Policies.
You may wish to consider providing a separate email address for addressing children's privacy issues. Since the legal impacts of COPPA are often serious, you don't want these requests buried in a general email box.
PBS Kids takes this approach: