COPPA Privacy Policy Template
If you run a website or online service aimed at U.S. minors under 13 years of age, then you need to comply with the Children's Online Privacy Protection Act (COPPA). The Act is designed to protect children's personal data when they use the internet or play mobile apps and games.
In other words, having a Privacy Policy isn't enough. You need to include extra clauses explaining how you protect children's data and how it's processed.
But who needs to comply with COPPA, and what are the Privacy Policy requirements? Before we go over these questions, let's be clear on how COPPA works and why it matters.
- 1. COPPA Explained
- 2. Why COPPA Matters
- 3. Who Needs to Comply With COPPA
- 4. COPPA Compliance
- 5. How to Write a COPPA-Compliant Privacy Policy
- 5.1. Writing a Privacy Policy
- 5.2. How to Create a Privacy Policy for Your Website
- 5.3. Children's Clause
- 5.4. The Information You Collect
- 5.5. Cookies and Third Parties
- 5.6. Contact Details
- 5.7. Parental Rights
- 6. Where to Display Your COPPA Privacy Policy
- 7. Getting Consent to Your COPPA Privacy Policy
- 8. Updating Your Privacy Policy
- 9. Protecting Personal Information
- 10. Penalties for Non-Compliance
- 11. Conclusion
COPPA Explained
Technically, COPPA refers to two privacy laws:
- Children's Online Privacy Protection Act
- Children's Online Privacy Protection Rule
The general rule, though, is pretty simple: If you collect personal data from US children, you need parental consent first. By "collecting" data, we're referring to activities like:
- Using tracking cookies
- Showing someone's personal data to the public, e.g., on a public profile page
- Asking users to submit information to create an account or profile, or make a purchase
You also need to take extra precautions to keep the data safe and secure.
But what actually is "personal data"? It's basically any data you can use to identify a specific child. It's defined in Section 6501(8) of the Act as:
"The term "personal information" means individually identifiable information about an individual collected online, including-
(A) a first and last name;
(B) a home or other physical address including street name and name of a city or town;
(C) an e-mail address;
(D) a telephone number;
(E) a Social Security number;
(F) any other identifier that the Commission determines permits the physical or online contacting of a specific individual; or
(G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph."
It applies if you're handling personal data belonging to a U.S. child, wherever you're based. You may also need to comply with stricter rules depending on your location, but we're only concerned with COPPA in this article.
What services are included in the rules? There's no comprehensive list, but here are some examples:
- Apps
- Websites
- "Smart" toys connected to the internet
- Gaming platforms
The service needs to be commercial. In other words, if you're a charity, you're not bound by COPPA. But if your service is commercial in nature at all, even if it's free to use, it's covered in section 6501(10).
Why COPPA Matters
We know that complying with COPPA means you need to:
- Get parental permission before collecting data from minors (under-13s)
- Take steps to protect this data
But why do we need the Act? There are a few reasons:
- Parents have a right to control access to their child's personal information
- They also want to know what services their child uses, and they want to know you take privacy seriously
- It's important to help children stay safe and protected online
COPPA goes some way to keeping minors safe while allowing them access to the digital world.
Who Needs to Comply With COPPA
You only need to comply with COPPA if you handle personal data belonging to under-13s, or you know children use your website, even if they're not your target audience.
This is confirmed by the Federal Trade Commission:
But what is "actual" knowledge? Well, if a 12-year-old lies about their age and accesses your website without your knowledge, you're not bound by COPPA. However, if you later find out that minors are using your platform, you need to change your Privacy Policy and comply with the Act.
How do you confirm if your website or service is directed at children, though? It all depends on factors like:
- Tone, speech patterns and language used
- Type of music, slogans, and logos
- The site content and how easy it is to use
- Age of the models you use to market your products
- Use of animated or cartoon characters around the website
Let's take a look at two examples.
The first is Sesame Street. The website is colorful and you can see various cartoon characters. The graphics are fun, and the game avatars are obviously aimed at children:
On the other hand, here's Parker Pen. It's stylish and sophisticated, but based on the colors, the product, and the language, it's not likely to appeal to children:
What happens if someone lies about their age? Don't worry. You don't need to ask someone to confirm their age to use your service. And if you do ask people to enter their age before accessing your website, you're allowed to rely on the information they provide.
The FTC confirms this:
In other words, you're allowed to assume any age information you're provided is accurate until you're told otherwise.
If you don't collect any personal information at all, and you're sure COPPA doesn't apply, you should put up a brief notice confirming this. Here's an example from Starfall:
COPPA Compliance
To comply, you should do four things:
- Write a COPPA-compliant Privacy Policy and post it somewhere obvious
- Post a Direct Notice telling parents about your data policies
- Get parental consent before capturing a child's personal information
- Tell parents if your Privacy Policy changes in a significant way
How to Write a COPPA-Compliant Privacy Policy
First, you need to update your Privacy Policy (or write one).
The Privacy Policy must do two things:
- Tell parents how you protect a child's data
- Explain what rights parents have over this information
You must also publish the Privacy Policy somewhere obvious on your website, but we'll cover this later.
Writing a Privacy Policy
To comply with privacy laws around the world, every Privacy Policy must include certain clauses. Basically, you should:
- Explain what information you collect, how you get it, and why you need it
- Confirm whether you use cookies, or share data with third parties
- Tell people where they can contact you for more information
- Explain that users can opt out of data collection at any time
A COPPA Privacy Policy needs these clauses as well as:
- An explanation of how you handle a child's personal data
- Details of what rights parents have over this data
It's also vital you use language throughout your Privacy Policy that's easy enough for children to understand.
How to Create a Privacy Policy for Your Website
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country.
- Answer the questions from our wizard relating to what type of information you collect from your users.
- Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
Let's look at real clauses from COPPA-compliant Privacy Policies.
Children's Clause
You don't need a separate Children's Privacy Policy, but you should highlight child-specific clauses in your Policy. That way, parents can easily jump to the sections they're most concerned about.
National Geographic Kids has a section titled "Children":
The company also makes a few child-specific statements explaining how it handles data from a child. Namely, it only collects such data for very specific purposes, and consent is obtained before the data is collected:
Sesame Street also has a clear section dedicated to kids. Helpfully, COPPA is referred to specifically, and the fundamental ways in which data from minors is protected are set out:
The Information You Collect
Specify the type of data you collect and why it's necessary. You can keep the clause a little broad so you can collect as much data as possible, but keep this in mind: You shouldn't ever collect more data than necessary for a set purpose.
Sesame Street uses the phrase "examples of personal information." By keeping the clause general, the company isn't limited to these specific parameters. However, the language is clear enough for parents and kids to understand what data will probably be collected, and why:
There's no need for a long, complex clause. It should be easy to understand by children themselves.
You should also clearly set out how you use the data, like National Geographic Kids does here:
Cookies and Third Parties
Be transparent about who you share data with, and whether you use cookies. This is especially important when you're handling data belonging to under-13s. It's vital you only share it responsibly.
Here's a short but excellent clause from Sesame Street for this purpose:
Again, using broad language like "such as" means the company isn't restricted to the specific analytics uses it lists. It's all about striking a balance between giving enough information and not being so specific that you restrict your legitimate interests.
Contact Details
Make it easy for people to contact you about your Privacy Policy. All you need to include are a few methods of contact (one should be free, if possible), like PBS Kids does here:
Parental Rights
Parents have rights over what happens to their child's data online. Namely, they can tell you to stop collecting data or delete what you already have.
To comply with COPPA, National Geographic Kids highlights this right in its Privacy Policy:
There's also a right for parents to:
- Review what data you hold
- Amend the data
- Request a copy
Again, National Geographic Kids sets out these rights in a clear, concise way, highlighting how parents can exercise them:
Now that you know what important clauses and information to include in your COPPA Privacy Policy, let's look at the best places to display your Privacy Policy.
Where to Display Your COPPA Privacy Policy
It's not as simple as just posting a link to your Privacy Policy in a footer. For COPPA compliance, it needs to be really obvious.
Funbrain posts an obvious link on the homepage that's separate from the other links:
And Pixar actually separates its Children's Privacy Policy from its general Privacy Policy:
In both cases, they're really obvious and distinguishable from other links.
Getting Consent to Your COPPA Privacy Policy
Although you've posted a Privacy Policy, you still need verifiable consent to data collection. But how do you verify consent? There are a few steps to follow:
- Use checkboxes to confirm someone has read your Privacy Policy and agrees to your data collection practices
- Ask kids to provide a parent's email address. That way, you can assume it's the parent consenting rather than the child.
Checkboxes allow someone to take a positive, affirmative step to agree to your Privacy Policy. You should place these boxes at key places on your website where you collect personal data, such as when someone sets up an account.
Here's an example from Hamleys:
National Geographic Kids requests that those under 16 years of age provide a parent's email address before they can open an account. While National Geographic can't prove the email address belongs to a parent, it's taking reasonable steps to get verifiable consent:
All you can do is take reasonable steps. If you don't want to ask for an email address, you can also:
- Ask for a contact number to call the parent
- Confirm a parent's credit or debit card before it's used for payment
Updating Your Privacy Policy
When you materially change your Privacy Policy, parents should be notified by email or by a notice on your website.
By material, we mean changing the clauses around the data you collect and where it's shared. But if you're unsure whether it's a material change or not, send parents an email or notice telling them about the change anyway.
PBS confirms this is what it does in its Privacy Policy:
Protecting Personal Information
There's one final thing you should do to comply with COPPA, and that's take reasonable steps to protect the personal data in your care. But what's classed as reasonable?
There's no "right" answer to this, but here are some suggestions:
- Limit who can access the data
- Ensure you encrypt data, where possible
- Keep antivirus and antimalware tools up to date
Remember, what's reasonable for a large company isn't proportionate for an independent website, so the FTC considers this on a case-by-case basis.
Penalties for Non-Compliance
Complying with COPPA isn't optional. If you don't follow the Act:
- Parents can submit a complaint to the FTC
- You may be fined up to $42,530 for each infraction
COPPA non-compliance damages your reputation and costs money. So it's always best to comply even if you're not 100% sure the Act applies.
Conclusion
Do you run a website or online service aimed at children under 13 years of age? Then you'll need a COPPA-compliant Privacy Policy.
Your Privacy Policy must contain clauses explaining:
- Why you collect data, and who you share it with
- What methods you use to collect and store information
- The rights parents have over their child's data
- Any special steps you're taking to protect sensitive information
Aside from this, you must also do the following:
- Tell parents you're collecting their child's personal data
- Get verifiable permission to collect data beforehand
- Post your Privacy Policy somewhere obvious on your website
- Alert parents if you're changing your Privacy Policy in a way that affects data collection or usage