The Children's Online Privacy Protection Act (COPPA) is a U.S. federal privacy law that requires websites that target kids to protect their personal information.
This article explains what COPPA is, who it applies to, what it requires, and how to write and display a COPPA-compliant Privacy Policy.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What is the Children's Online Privacy Protection Act (COPPA)?
- 2. Who Does the Children's Online Privacy Protection Act (COPPA) Apply to?
- 3. Who is Exempt from the Children's Online Privacy Protection Act (COPPA)?
- 4. What Does the Children's Online Privacy Protection Act (COPPA) Require?
  - 4.1. Maintain a Privacy Policy
  - 4.2. Get Parental Consent
  - 4.3. Respond to Parental Requests
  - 4.4. Don't Collect More Personal Information Than Necessary
  - 4.5. Keep Children's Personal Information Secure
- 5. How Do You Write a COPPA-Compliant Privacy Policy?
  - 5.1. The Types of Personal Information You Collect
  - 5.2. What You Do With the Personal Information You Collect
  - 5.3. Who You Share Personal Information With
  - 5.4. How You Handle Children's Personal Information
  - 5.5. How You Keep Personal Information Secure
  - 5.6. How Users Can Make Requests or Withdraw Consent
  - 5.7. Your Contact Information
- 6. How Do You Display a COPPA-Compliant Privacy Policy?
  - 6.1. Website Footer
  - 6.2. Account Creation/Log-in Page
  - 6.3. Email Sign-Up Area
- 7. Summary
- 8. Download Sample COPPA Privacy Policy Template
  - 8.1. Sample COPPA Privacy Policy Template (HTML Text Download)
  - 8.2. Sample COPPA Privacy Policy Template (PDF Download)
  - 8.3. Sample COPPA Privacy Policy Template (Word DOCX Download)
  - 8.4. Sample COPPA Privacy Policy Template (Google Docs)
  - 8.5. More Privacy Policy Templates
What is the Children's Online Privacy Protection Act (COPPA)?
COPPA is an online privacy law that requires operators of commercial websites and online services that target children under the age of 13 to take steps to protect their personal information.
Personal information is any information that can be used to identify an individual and can include:
- Names
- Addresses
- Email addresses
- Usernames or other identifiers that could be used to contact an individual
- Phone numbers
- Social Security numbers
- Any information that is collected about a child or the child's parents that is used in combination with any of the above information
Section 6501 (8) of the Children's Online Privacy Protection Act (COPPA) explains what counts as personal information under the law, including names, emails, and phone numbers.
Who Does the Children's Online Privacy Protection Act (COPPA) Apply to?
COPPA applies to anyone who runs a commercial website or online service that targets children or collects personal information from children.
Who is Exempt from the Children's Online Privacy Protection Act (COPPA)?
COPPA does not apply to:
- Certain nonprofit entities
- Commercial websites or online services that don't collect personal information from children
Commercial websites or online services that don't collect personal information from children but do use information location tools to share links to a commercial website or online service that is directed at children are also exempt from COPPA.
What Does the Children's Online Privacy Protection Act (COPPA) Require?
COPPA requires operators to maintain a Privacy Policy (a legal agreement that explains how a business handles personal information) on their websites.
In addition to having a Privacy Policy, operators must also:
- Get consent from parents before collecting, using, or sharing children's personal information
- Respond to parental requests concerning their children's personal information
- Limit collection of children's personal information to that which is necessary
- Keep the personal information they collect and use secure
Section 6502 (1) of COPPA explains the law's requirements, including maintaining a Privacy Policy, responding to parental requests, and keeping personal information safe.
Let's take a deeper look at each of COPPA's requirements.
Maintain a Privacy Policy
To comply with the Children's Online Privacy Protection Act (COPPA), a Privacy Policy must contain the following information:
- What information the operator collects from children
- How the operator uses information collected from children
- The operator's disclosure practices for the information it collects from children
- How a parent can request to access or have their children's personal information deleted
- How a parent can withdraw their consent for future collection of their children's personal information
Section 312.4 (d) of the Children's Online Privacy Protection Rule (a rule that implements COPPA) explains the clauses a compliant Privacy Policy must contain, including operators' contact information, a description of the types of personal information operators collect from children, and how they use the data they collect.
The menu of Pokémon's Supplemental Kids' Privacy Notice includes clauses about the types of information it collects from children and how it uses and shares that information.
Get Parental Consent
Operators must get "verifiable parental consent" before collecting, using, or disclosing children's personal information. That means that you must use a method for obtaining consent that can prove that the person providing consent is actually the child's parent.
Some of the approved methods you can use to get parental consent include:
- Consent forms that can be signed and returned via email, fax, or electronic scanning
- Credit, debit, or other online payment systems that notify the account holder when a payment is made
- Toll-free phone number
- Video conference with trained staff
- Checking a parent's government-issued ID
Operators that don't disclose children's personal information can also use email to get parental consent, as long as they inform parents that they have the right to withdraw their consent at any time.
Section 312.5 (b) of the Children's Online Privacy Protection Rule lists acceptable methods that operators can use to obtain parental consent, including consent forms, toll-free phone numbers, and email.
Pokémon's Supplemental Kids' Privacy Notice explains how it gets verifiable consent from parents via email when children register for its services.
Respond to Parental Requests
Operators must respond to parental requests concerning their children's personal information.
Upon request, operators must provide parents with the following:
- A description of the types of personal information collected from their children
- The option to withdraw consent for future collection or use of their children's personal information
- A way for parents to review personal information collected from their children
Section 312.6 of the Children's Online Privacy Protection Rule explains that parents have the right to access, review, and request deletion of their children's personal information.
Pokémon's Supplemental Kids' Privacy Notice lets parents know that they can log into their account or contact customer service to make requests concerning their children's personal information.
Don't Collect More Personal Information Than Necessary
You should only collect as much personal information from children as is necessary to fulfill your purposes. It is a violation of COPPA to use games, prizes, or other activities to try to get more personal information from children than is necessary for participation.
Section 312.7 of the Children's Online Privacy Protection Rule explains that operators cannot require children to provide more personal information than necessary to participate in activities.
The Walt Disney Company's Children's Privacy Policy explains that it only collects the information required for participation in its contests and sweepstakes.
Keep Children's Personal Information Secure
Operators need to maintain security measures to keep the personal information they collect from children safe, including ensuring that any third parties they share data with keep the information secure.
Section 312.8 of the Children's Online Privacy Protection Rule states that operators must keep children's personal information confidential and secure, and only share children's personal information with third parties that agree to keep the data safe.
The Walt Disney Company's Privacy Policy explains the steps it takes to keep children's personal information safe, including using an age verification system for certain features on its websites and apps, limiting the collection of children's personal information, and getting consent from parents when collecting personal information from children.
How Do You Write a COPPA-Compliant Privacy Policy?
One of the most effective ways to comply with the Children's Online Privacy Protection Act (COPPA) is to maintain a clearly written, regularly updated Privacy Policy on your website.
A COPPA-compliant Privacy Policy should include the following clauses:
- What personal information you collect
- How you use the personal information you collect
- What third parties you share personal information with
- How you collect, use, and disclose children's personal information
- How you keep the personal data you collect secure
- How users can make requests regarding their (and their children's) personal information (including how to withdraw consent)
- Your contact information
Let's examine each of the clauses a COPPA-compliant Privacy Policy should contain.
The Types of Personal Information You Collect
This clause describes the types of personal information you collect, such as contact information, mailing addresses, or payment information.
Many businesses that cater to both adults and children include separate clauses in their Privacy Policies describing the types of data they collect from adult users and the personal information they collect from children.
Sesame Street's Privacy Policy contains a section that explains the types of personal information it collects, including personal information provided directly by users, such as contact and payment information.
The Privacy Policy goes on to list the types of personal information it requests from children, including names and email addresses.
What You Do With the Personal Information You Collect
Your Privacy Policy should explain your reasons for collecting personal information. Common reasons include communications, order fulfillment, and marketing purposes. You should always limit your collection of personal information to only what is needed to serve your purposes.
The Walt Disney Company's Privacy Policy lists how it uses the personal information it collects, including to provide products and services, and for communication, marketing, and customization purposes.
Who You Share Personal Information With
This clause can be used to list the categories of personal information you share with third parties and the types of third parties you share it with, such as service providers and affiliates.
Mattel's Privacy Statement describes the third parties it shares personal information with, including affiliates and service providers.
How You Handle Children's Personal Information
Maintain a clause in your Privacy Policy that specifically addresses how you treat children's personal information.
This clause can explain the types of data you collect, how you use it, whether you share children's personal information with any third parties, and how parents can exercise their and their children's privacy rights.
Paw Patrol's Privacy Policy explains the types of data it collects from children under the age of 13 and how it uses children's information. It lets users know that it may share children's information with third parties.
Cocomelon's Privacy Policy explains how parents can exercise their or their children's privacy rights, and includes an email and postal address where parents can send their requests.
How You Keep Personal Information Secure
You should explain the steps you take to keep the personal information you use safe.
The security measures you use should be proportionate to the amount and types of personal information you use. For instance, more sensitive information such as financial or health data may require stronger security procedures.
Common security measures include physical, technological, and administrative procedures and practices.
ABC National's Privacy Policy explains that it uses encryption to keep personal financial information secure.
How Users Can Make Requests or Withdraw Consent
This clause should explain how users can make requests concerning their (or their children's) personal information, including how to withdraw consent.
Khan Academy Kids' Privacy Policy tells users how they can update or delete their personal information, and explains instances in which it may be unable to delete information.
Its Privacy Policy also contains a section specifically about children's privacy. It explains how parents can change their children's names on its app and includes an email address where parents can send deletion requests.
Your Contact Information
Your Privacy Policy should include the following contact information:
- All operators' names
- Email address
- Telephone number
- Mailing address
Chuckle and Roar's Privacy Policy contains a mailing address, phone number, and email address that consumers can contact to find out more information about how the company uses their personal information.
How Do You Display a COPPA-Compliant Privacy Policy?
The Children's Online Privacy Protection Act (COPPA) requires operators to maintain conspicuous and clearly labeled links to their Privacy Policies in the following areas:
- Website home page or landing page, and
- Any location where children's personal information is collected
Some places you can display links to your Privacy Policy include within your website footer, on your account creation or log-in page, or in your email sign-up area.
Website Footer
Putting a link to your Privacy Policy within your website footer helps ensure that users can access it no matter what page of your website they are on.
Hulu includes a link to its Privacy Policy within its website footer, along with links to information about ads, US users' privacy rights, TV parental guidelines, its subscriber agreement, a site map, and a link that users can click on to opt out of the sale or sharing of their personal information.
Account Creation/Log-in Page
You should put a link to your Privacy Policy on your account creation and log-in pages so that users can read your Privacy Policy before signing up for or logging into an account.
TIME for Kids' login page includes links to its Terms of Use agreement and Privacy Policy.
Email Sign-Up Area
Some websites provide access to newsletters or freebies in exchange for an email address. You should put a link to your Privacy Policy within your email sign-up form so that users can easily access it before submitting their email addresses.
Crayola uses an age gate so that users under age 13 can't sign up for its freebies, and includes links to its Terms of Use agreement and Privacy Policy within the sign-up form.
ABCmouse puts a link to its Privacy Policy under its email submission button.
Summary
The Children's Online Privacy Protection Act (COPPA) is an online privacy law that protects children's personal information. It applies to the operators of commercial websites and online services that target children or collect children's personal information.
COPPA doesn't apply to certain nonprofits or commercial websites that aren't targeted at children but use information location tools to refer or share links to commercial websites that are directed at children.
COPPA and the associated Children's Online Privacy Protection Rule require operators to:
- Maintain a Privacy Policy
- Get parental consent before collecting, using, or disclosing children's personal information
- Respond to parental requests concerning their children's personal information
- Limit collection of children's personal information to that which is strictly necessary
- Keep children's personal information secure
One of the most effective ways to comply with COPPA is to maintain a Privacy Policy on your website.
A COPPA-compliant Privacy Policy should contain the following clauses:
- The types of personal information you collect
- Your reasons for collecting personal information
- Third parties you share personal information with
- What you do with children's personal information
- How you keep personal information secure
- How users can make requests regarding their and their children's personal information
- Your contact information
You should clearly label and conspicuously display links to your Privacy Policy on your website's home page and/or landing page and anywhere you collect personal information from children.
Common places to put Privacy Policy links include:
- Website footer
- Account creation and sign-in pages
- Email sign-up area
Download Sample COPPA Privacy Policy Template
Our Sample COPPA Privacy Policy is available for download, for free. The template includes these sections:
- Definitions
- Collecting and Using Personal Information
- Usage Data
- Use of Personal Information
- Transfer of Personal Information
- Disclosure of Personal Information
- Security of Personal Information
- Detailed Information on the Processing of Your Personal Data
- Children's Privacy
- Information Collected from Children Under the Age of 13
- Parental Access
- Links to Other Websites
- Changes to Privacy Policy
- Contact Information
Sample COPPA Privacy Policy Template (HTML Text Download)
You can download the Sample COPPA Privacy Policy Template as HTML code below. Copy it from the box field below (right-click > Select All and then Copy-paste) and then paste it on your website pages.
Sample COPPA Privacy Policy Template (PDF Download)
Download the Sample COPPA Privacy Policy Template as a PDF file
Sample COPPA Privacy Policy Template (Word DOCX Download)
Download the Sample COPPA Privacy Policy Template as a Word DOCX file
Sample COPPA Privacy Policy Template (Google Docs)
Download the Sample COPPA Privacy Policy Template as a Google Docs document
More Privacy Policy Templates
More specific Privacy Templates are available on our blog.
| Template | Description |
| --- | --- |
| Sample Privacy Policy Template | A Privacy Policy Template for all sorts of websites, apps and businesses. |
| Sample Mobile App Privacy Policy Template | A Privacy Policy Template for mobile apps on Apple App Store or Google Play Store. |
| Sample GDPR Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with GDPR. |
| Sample CCPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with CCPA. |
| Sample California Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA). |
| Sample Virginia VCDPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with Virginia's VCDPA. |
| Sample PIPEDA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with Canada's PIPEDA. |
| Sample Ecommerce Privacy Policy Template | A Privacy Policy Template for ecommerce businesses. |
| Small Business Privacy Policy Template | A Privacy Policy Template for small businesses. |
| Privacy Policy for Google Analytics (Sample) | A Privacy Policy Template for businesses that use Google Analytics. |
| Sample CalOPPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's CalOPPA. |
| Sample SaaS Privacy Policy Template | A Privacy Policy Template for SaaS businesses. |
| Sample COPPA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with COPPA. |
| Sample CPRA Privacy Policy Template | A Privacy Policy Template for businesses that need to comply with California's CPRA. |
| Blog Privacy Policy Sample | A Privacy Policy Template for blogs. |
| Sample Email Marketing Privacy Policy Template | A Privacy Policy Template for businesses that use email marketing. |