COPPA Compliance Checklist for Websites

Srushti IyerLaw

COPPA compliance checklist for websites
COPPA Compliance Checklist for Websites

COPPA Compliance Checklist for Websites

The Children’s Online Privacy Protection Act of 1998 (COPPA) imposes certain requirements on online service providers that seek to collect personal information of children. This article is in continuation with my previous article that elaborated COPPA’s privacy policy and parental consent requirements. In this article, I will be discussing a step-by-step procedure for online services to demonstrate COPPA compliance. With Indian Personal Data Protection Bill in the pipeline, COPPA compliance can help Indian businesses in ensuring that they are on the right path.

Federal Trade Commission (FTC) has prescribed a list of six steps for complying with COPPA compliance requirements. These steps are:

  1. Check if your website or online service collects information from children below the age of 13 years.
  2. Ensure your company has a clearly visible privacy policy that fulfils COPPA compliance requirements.
  3. Ensure that your company takes parental consent before collecting any information from a child.
  4. Parental consent taken in the third step is verifiable as required by COPPA.
  5. Provide clear communication to parents regarding their rights related to their children’s data and inform the parents that they respect all the decisions made by the parents for their children’s data.
  6. Ensure that you have implemented reasonable security practices for your website to protect children’s information.
Step 1: Check if your website or online service collects information from children below the age of 13 years.

COPPA does not apply to all the websites that exist on the internet. It applies to websites that

  • do not have age-restrictions when users sign up.
  • are offering services tending to children and collecting their personal data.
  • have an ad plugin that collects personal information specifically about children.

Companies can use various age-verification techniques to know the exact age of their users. I have discussed some of these techniques here.

Step 2: Ensure your company has a clearly visible privacy policy that fulfils COPPA requirements.

We have discussed COPPA privacy policy requirements in detail in this article. Apart from these requirements, a privacy policy must contain:

  • information about third-parties with whom the processing of personal data is delegated;
  • types of personal data being collected and the manner of collection; and
  • rights of parents/guardians on their children’s personal data.
Step 3: Ensure that your company takes parental consent before collecting any information from a child.

Before collecting personal data of children, companies must give clear and concise notice to parents for receiving parental consent. This notice must not contain any irrelevant or confusing content. This notice should inform the parents that:

  • their contact information has been collected for the purpose of parental consent;
  • the website seeks to collect their child’s personal information;
  • parental consent is necessary for collecting and disclosing personal information of children;
  • the parental consent notice is linked to the company’s privacy policy; and
  • if parents do not give their consent in a reasonable amount of time, the website will automatically delete their contact information.

This notice should also mention the ways through which parents can provide their consent.

Step 4: Parental consent taken in the third step is verifiable as required by COPPA.

COPPA does not list any exhaustive method to obtain verifiable parental consent. However, some of the acceptable methods are:

  • Parents sign a consent form and send it back to the company through fax, postal service, or email.
  • The service requires a credit/debit card or similar online payment systems that are bound to notify the parents about a transaction.
  • Parents call a toll free number staffed by trained professionals.
  • Websites ask for some kind of hard identification from parents, provided that companies delete this information after the verification process completes.
  • Parents answer knowledge-based challenge questions that would be difficult for kids to answer.
  • Parents submit a driver’s license or any other photo identity card for comparison with another photo using facial recognition technology.
Step 5: Clear communication between the website and parents.

A website shall inform the parents about any updates in its privacy policy. The communication shall also include:

  • methods available with parents to review their child’s personal information collected by the website;
  • methods for revoking the parental consent, or refuse further use or processing of their children’s personal information; and
  • their rights related to personal data of their children, including deletion.
Step 6: Ensure that you have implemented reasonable security practices for your website to protect children’s information.

COPPA expects companies to implement reasonable security practices for their websites. The idea behind COPPA is to give the highest priority to the best interests of children. The same should reflect in security practices adopted by a company. COPPA requires companies to not to retain data for a period longer than actually required. Further, it also restricts the sharing of personal information only with those third-parties who are capable of maintaining confidentiality, integrity, and availability of such information.

Ending notes

Some businesses may perceive COPPA compliance to be difficult and complicated. However, it has immeasurable benefits in the long-term when we talk about the online safety of children. In the last two decades, FTC has passed many landmark rulings that have shaped how companies collect and process personal information of children. I will be discussing some of these rulings in my next article. Meanwhile, I hope that once PDPB becomes an act and comes into effect, the Indian data protection authority will prescribe similar requirements for Indian companies.


Interested in contributing to our blog and knowledge base? Write to us at [email protected] and elaborate on how you can help us in creating a safer cyber space.

Featured Image Credits: Image by Chuck Underwood from Pixabay