The Children’s Online Privacy Protection Act of 1998 (COPPA) is managed by the U.S. Federal Trade Commission (FTC) and has been in effect since April 2000.
COPPA is designed to protect the privacy of children in the U.S. aged 13 or under by giving parents control over their children’s online activities.
It sets out rules for how commercial organizations can collect, retain and/or share personal information when children in the U.S. access a website or online service (including apps and internet-enabled devices).
TrustArc’s expertise in COPPA compliance and data privacy
TrustArc was one of the first organizations to become a COPPA Safe Harbor organization for the FTC in 2001.
As a leader in online privacy compliance, TrustArc has always strived to set a bar for certification above the bare minimum required. This philosophy helps smooth regulatory compliance for organizations by ensuring that our services and best-practice recommendations are up-to-date and rigorous.
Our recommendations for COPPA compliance include an extra step between two key requirements set out by the FTC. Based on our experience, a detailed privacy assessment is the best way to help organizations get ahead by streamlining their privacy operations.
Adding a Step to the FTC’s COPPA Compliance Plan
We recommend you read our COPPA FAQ, which explains why COPPA was enacted and will help you determine if your organization needs to comply with COPPA.
To help organizations protect children, the FTC outlines a six-step COPPA compliance plan on its website, covering the key requirements.
- Step 1: Determine if your company is a website or online service that collects personal information from children aged 13 and under.
- Step 2: Post a privacy policy that complies with COPPA.
- Step 3: Notify parents directly before collecting personal information from their children.
- Step 4: Get parents’ verifiable consent before collecting personal information from their children.
- Step 5: Honor parents’ ongoing rights with respect to personal information collected from their children.
- Step 6: Implement reasonable procedures to protect the security of children’s personal information.
Each requirement is essential to help protect kids and give parents control of their children’s online activities.
An extra COPPA compliance step: privacy assessment
Businesses should take an extra step (between the FTC’s first and second steps) to ensure COPPA compliance:
- Conduct a comprehensive privacy assessment to review and update your organization’s privacy practices.
This assessment will give you a clear view of all the activities across your website or online service during which children’s’ personal information could potentially be collected, analyzed and/or shared.
Identifying all the tools, processes, policy documents and third-party partnerships you have in place for managing the collection of personal information will help you decide which areas you will need to improve to comply with COPPA.
How TrustArc Assessment Manager Helps Address COPPA Compliance
TrustArc Assessment Manager is a customizable tool that automates the end-to-end assessment of your organization’s privacy practices and risks.
It will streamline your privacy assessment, while accounting for all relevant privacy regulations – including COPPA – to help your organization:
- Identify gaps in privacy practices, including policies and procedures for the collection, analysis and sharing of personal information
- Record risks for your privacy team, including identifying security risks and risks associated with the types of personal information you collect (or intend to collect). Because some data tools capture more data than is needed or useful, your assessment should also consider which kinds of personal information are necessary for the activities on your site or online service
- Manage compliance-related tasks, including ensuring privacy policies and notices are compliant with current privacy regulations and providing adequate mechanisms for people to understand and exercise their privacy rights. This includes giving or withdrawing consent to the collection and use of their personal information.
Note about COPPA compliance: organizations must get verifiable consent from parents before collecting information from or about their children, and parents have rights to review and delete their children’s personal information. (Also see the section below: Is your privacy policy COPPA compliant?) - Maintain comprehensive audit trails, including records of the personal information collected, why it is collected, how it is used, where it is shared, who has access to it, all locations where it is stored and the security mechanisms for those locations, when records are updated and how long they are stored, and any records related to requests from people to review and/or delete their personal information
- Produce compliance reports to meet regulatory requirements.
Is Your Privacy Policy COPPA Compliant?
COPPA lists three key categories of information in Section 312.4(d) that must be disclosed in a privacy policy:
A clear description of what personal information is collected.
Operators need to explain what kinds of personal information they collect (see our COPPA FAQ for details), why they collect it, how the information is used and/or shared, how the information is secured, how they manage disclosure practices (including privacy mechanisms), and whether children are able to make some or all of their personal information publicly available.
A clear description of parent rights to control their children’s personal information.
Operators must explain these rights and how they can be exercised by parents, including notices to obtain verifiable parent consent, and descriptions of the procedures and mechanisms for parents to review and/or delete their children’s personal information, or prevent further collection or use of this information.
Contact information of all operators involved.
Operators must list all operators involved in collecting and/or managing personal information through the website or online service. They need to either provide contact details for all operators, or provide the name, address, telephone number and email address of an operator who will handle inquiries from parents.
Requirements for displaying a privacy policy
Your privacy policy must be clear, comprehensive and easily accessible, which means it may need to be displayed in multiple places.
- Display a clear and prominent link labeled ‘Privacy Policy’ (or similar) on the home page, landing page or screen of the website or online service.
- Display a clear and prominently labeled link in every area of the site or service where personal information is collected from children.
- Each link to the privacy policy must be displayed next to any requests for information.
- If you operate an app, your privacy policy must be displayed on the home page of the app.
- If your website or online service is aimed at a general audience and has a separate area for children (for example: kids’ activities), then the home page, landing page or screen of the children’s area must also include a prominently labeled link to your notice of information practices for the collection of children’s personal information.
Along with your privacy policy, your organization must also provide direct notice to parents about their rights and the requirement for your organization to obtain their verifiable parental consent before collecting personal information online from their children.
TRUSTe Children’s Privacy Assessment and Certification Program
The FTC oversees a safe harbor program that allows organizations to create self-regulatory guidelines for safely managing children’s personal information and submit these guidelines for approval.
TrustArc operates the TRUSTe Children’s Privacy Assessment and Certification, which allows businesses to demonstrate the child-friendly nature of their website or app, while supporting compliance with COPPA.
The program certifies COPPA compliance and meets the requirements of the TRUSTe Children’s Privacy Certification standards, which include ongoing monitoring and privacy dispute resolution.
TRUSTe certifications are conducted in three phases:
Assessment – TrustArc conducts a comprehensive privacy review, tracker scanning and findings report
Remediation and certification – TrustArc manages privacy practice changes to meet compliance, validation of privacy statements, and provision of the TRUSTe Children’s Privacy Certification Seal, along with a letter of attestation
Ongoing monitoring and guidance – TrustArc provides compliance monitoring services, including a searchable audit trail, ongoing best-practice guidance and access to our third-party dispute resolution service.