COPPA Privacy Policy Template

by Jennifer L. Legal writer.
COPPA Privacy Policy Template

If you run a website or online service aimed at U.S. minors under 13 years of age, then you need to comply with the Children's Online Privacy Protection Act (COPPA). The Act is designed to protect children's personal data when they use the internet or play mobile apps and games.

In other words, having a Privacy Policy isn't enough. You need to include extra clauses explaining how you protect children's data and how it's processed.

But who needs to comply with COPPA, and what are the Privacy Policy requirements? Before we go over these questions, let's be clear on how COPPA works and why it matters.


COPPA Explained

Technically, COPPA refers to two privacy laws:

  • Children's Online Privacy Protection Act
  • Children's Online Privacy Protection Rule

The general rule, though, is pretty simple: If you collect personal data from US children, you need parental consent first. By "collecting" data, we're referring to activities like:

  • Using tracking cookies
  • Showing someone's personal data to the public e.g. on a public profile page
  • Asking users to submit information to create an account or profile, or make a purchase

You also need to take extra precautions to keep the data safe and secure.

But what actually is "personal data"? It's basically any data you can use to identify a specific child. It's defined in Section 6501(8) of the Act as:

"The term "personal information" means individually identifiable information about an individual collected online, including-
(A) a first and last name;
(B) a home or other physical address including street name and name of a city or town;
(C) an e-mail address;
(D) a telephone number;
(E) a Social Security number;
(F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or
(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph."

It applies if you're handling personal data belonging to a U.S. child, wherever you're based. You may also need to comply with stricter rules depending on your location, but we're only concerned with COPPA in this article.

What services are included in the rules? There's no comprehensive list, but here are some examples:

  • Apps
  • Websites
  • "Smart" toys connected to the internet
  • Gaming platforms

The service needs to be commercial. In other words, if you're a charity, you're not bound by COPPA. But if your service is commercial in nature at all, even if it's free to use, it's covered in section 6501(10).

Why COPPA Matters

We know that complying with COPPA means you need to:

  • Get parental permission before collecting minor data (under-13s)
  • Take steps to protect this data

But why do we need the Act? There are a few reasons:

  • Parents have a right to control access to their child's personal information
  • They also want to know what services their child uses, and they want to know you take privacy seriously
  • It's important to help children stay safe and protected online

COPPA goes some way to keeping minors safe while allowing them access to the digital world.

Who Needs to Comply With COPPA

Who Needs to Comply With COPPA

You only need to comply with COPPA if you handle personal data belonging to under-13s, or you know children use your website, even if they're not your target audience.

This is confirmed by the Federal Trade Commission:

FTC: COPPA FAQ: Who is covered by Coppa excerpt

But what is "actual" knowledge? Well, if a 12-year-old lies about their age and accesses your website without your knowledge, you're not bound by COPPA. However, if you later find out that minors are using your platform, you need to change your Privacy Policy and comply with the Act.

How do you confirm if your website or service is directed at children, though? It all depends on factors like:

  • Tone, speech patterns and language used
  • Type of music, slogans, and logos
  • The site content and how easy it is to use
  • Age of the models you use to market your products
  • Use of animated or cartoon characters around the website

Let's take a look at two examples.

The first is Sesame Street. The website is colorful and you can see various cartoon characters. The graphics are fun, and the game avatars are obviously aimed at children:

Screenshot of Sesame Street website homepage

On the other hand, here's Parker Pen. It's stylish and sophisticated, but based on the colors, the product, and the language, it's not likely to appeal to children:

Parker Pen product description

What happens if someone lies about their age? Don't worry. You don't need to ask someone to confirm their age to use your service. And if you do ask people to enter their age before accessing your website, you're allowed to rely on the information they provide.

The FTC confirms this:

FTC: COPPA FAQ: Will COPPA prevent children from lying about their age excerpt

In other words, you're allowed to assume any age information you're provided is accurate until you're told otherwise.

If you don't collect any personal information at all, and you're sure COPPA doesn't apply, you should put up a brief notice confirming this. Here's an example from Starfall:

Starfall: Agree to cookies and Privacy Policy notice

COPPA Compliance

To comply, you should do four things:

  • Write a COPPA-compliant Privacy Policy and post it somewhere obvious
  • Post a Direct Notice telling parents about your data policies
  • Get parental consent before capturing a child's personal information
  • Tell parents if your Privacy Policy changes in a significant way

How to Write a COPPA-Compliant Privacy Policy

How to Write a COPPA-Compliant Privacy Policy

First, you need to update your Privacy Policy (or write one).

The Privacy Policy must do two things:

  • Tell parents how you protect a child's data
  • Explain what rights parents have over this information

You must also publish the Privacy Policy somewhere obvious on your website, but we'll cover this later.

Writing a Privacy Policy

To comply with privacy laws around the world, every Privacy Policy must include certain clauses. Basically, you should:

  • Explain what information you collect, how you get it, and why you need it
  • Confirm whether you use cookies, or share data with third parties
  • Tell people where they can contact you for more information
  • Explain that users can opt out of data collection at any time

A COPPA Privacy Policy needs these clauses as well as:

  • An explanation of how you handle a child's personal data
  • Details of what rights parents have over this data

It's also vital you use language throughout your Privacy Policy that's easy enough for children to understand.

Let's look at real clauses from COPPA-compliant Privacy Policies.

Children's Clause

You don't need a separate Children's Privacy Policy, but you should highlight child-specific clauses in your Policy. That way, parents can easily jump to the sections they're most concerned about.

National Geographic Kids has a section titled "Children":

National Geographic Kids Privacy Policy: Table of Contents - Children section highlighted

The company also makes a few child-specific statements explaining how it handles data from a child. Namely, it only collects it for very specific purposes, and consent is obtained before the data is collected:

National Geographic Kids Privacy Policy: Children clause

Sesame Street also has a clear section dedicated to kids. Helpfully, COPPA is referred to specifically, and the fundamental ways in which data from minors is protected is set out:

Sesame Street Privacy Policy: Children clause

The Information You Collect

Specify the type of data you collect and why it's necessary. You can keep the clause a little broad so you can collect as much data as possible, but keep this in mind: You shouldn't ever collect more data than necessary for a set purpose.

Sesame Street uses the phrase "examples of personal information." By keeping the clause general, the company isn't limited to these specific parameters. However, the language is clear enough for parents and kids to understand what data will probably be collected, and why:

Sesame Street Privacy Policy: Information We Request on our Children's Platforms clause

There's no need for a long, complex clause. It should be easy to understand by children themselves.

You should also clearly set out how you use the data, like National Geographic Kids does here:

National Geographic Kids Privacy Policy: How we use your information clause

Cookies and Third Parties

Be transparent about who you share data with, and whether you use cookies. This is especially important when you're handling data belonging to under-13's. It's vital you only share it responsibly.

Here's a short but excellent clause from Sesame Street for this purpose:

Sesame Street Privacy Policy: Service Providers clause

Again, using broad language like "such as" means there will not be restrictions to using data for analytics purposes. It's all about striking a balance between giving enough information without being so specific that you're restricting your legitimate interests.

Contact Details

Make it easy for people to contact you about your Privacy Policy. All you need to include are a few methods of contact (one should be free, if possible), like PBS Kids does here:

PBS Kids Privacy Policy: Contact clause

Parental Rights

Parents have rights over what happens to their child's data online. Namely, they can tell you to stop collecting data or delete what you already have.

To comply with COPPA, National Geographic Kids highlights this right in its Privacy Policy:

National Geographic Kids Privacy Policy: Your Right to Withdraw Consent clause

There's also a right for parents to:

  • Review what data you hold
  • Amend the data
  • Request a copy

Again, National Geographic Kids sets out these rights in a clear, concise way, highlighting how parents can exercise them:

National Geographic Kids Privacy Policy: Your Other Rights and Choices clause

Now that you know what important clauses and information to include in your COPPA Privacy, let's look at the best places to display your Privacy Policy.

Where to Display Your COPPA Privacy Policy

Where to Display Your COPPA Privacy Policy

It's not as simple as just posting a link to your Privacy Policy in a footer. For COPPA compliance, it needs to be really obvious.

Funbrain posts an obvious link on the homepage that's separate from the other links:

Funbrain website footer with Privacy Policy highlighted

And Pixar actually separates it's Children's Privacy Policy from its general Privacy Policy:

Pixar website footer with Children's Privacy Policy link highlighted

In both cases, they're really obvious and distinguishable from other links.

Getting Consent to Your COPPA Privacy Policy

Although you've posted a Privacy Policy, you still need verifiable consent to data collection. But how do you verify consent? There are a few steps to follow:

  • Use checkboxes to confirm someone has read your Privacy Policy and agrees to your data collection practices
  • Ask kids to provide a parent's email address. That way, you can assume it's the parent consenting rather than the child.

Checkboxes allow someone to take a positive, affirmative step to agree to your Privacy Policy. You should place these boxes at key places on your website where you collect personal data, such as when someone sets up an account.

Here's an example from Hamleys:

Hamleys Create Account checkbox to agree to Terms and Conditions and Privacy Policy

National Geographic Kids requests that those under 16 years of age provide a parent's email address before they can open an account. While National Geographic can't prove the email address belongs to a parent, they're taking reasonable steps to get verifiable consent:

National Geographic Kids Create Account form with parent email address highlighted

All you can do is take reasonable steps. If you don't want to ask for an email address, you can also:

  • Ask for a contact number to call the parent
  • Confirm a parent's credit or debit card before it's used for payment

Updating Your Privacy Policy

When you materially change your Privacy Policy, parents should be notified by email or by a notice on your website.

By material, we mean changing the clauses around the data you collect and where it's shared. But if you're unsure whether it's a material change or not, send parents an email or notice telling them about the change anyway.

PBS confirms this is what it does in its Privacy Policy:

PBS Kids Privacy Policy: Changes to the Privacy Policy clause

Protecting Personal Information

There's one final thing you should do to comply with COPPA, and that's take reasonable steps to protect the personal data in your care. But what's classed as reasonable?

There's no "right" answer to this, but here are some suggestions:

  • Limit who can access the data
  • Ensure you encrypt data, where possible
  • Keep antivirus and antimalware tools up-to-date

Remember, what's reasonable for a large company isn't proportionate for an independent website, so the FTC considers this on a case-by-case basis.

Penalties for Non-Compliance

Complying with COPPA isn't optional. If you don't follow the Act:

  • Parents can submit a complaint to the FTC
  • You may be fined up to $42,530 for each infraction

COPPA non-compliance damages your reputation and costs money. So it's always best to comply even if you're not 100% sure the Act applies.

Conclusion

Do you run a website or online service aimed at children under 13 years of age? Then you'll need a COPPA-compliant Privacy Policy.

Your Privacy Policy must contain clauses explaining:

  • Why you collect data, and who you share it with
  • What methods you use to collect and store information
  • The rights parents have over their child's data
  • Any special steps you're taking to protect sensitive information

Aside from this, you must also do the following:

  • Tell parents you're collecting their child's personal data
  • Get verifiable permission to collect data beforehand
  • Post your Privacy Policy somewhere obvious on your website
  • Alert parents if you're changing your Privacy Policy in a way that affects data collection or usage
Last updated on 30 October 2020

Article categories

Jennifer L.

Legal writer.