In my last post, I discussed how to determine if your website or mobile app collects personal information from children under the age of 13, which would make it subject to the Children’s Online Privacy Protection Act (COPPA). In today’s post, I’ll discuss posting a privacy policy that complies with COPPA. Such a policy has to clearly describe how personal information collected from children under age 13 is handled. Not only must this privacy policy describe how you handle the information, it has to describe the information handling practices of others that collect personal information through your site or app (such as plug-in services or advertising networks).
In a previous post, I discussed general principles for privacy policies. For example, you should provide a prominent link to your privacy policy on your website, ideally using a larger font or different color. Companies subject to COPPA need to go further, by posting a link to the privacy policy wherever they collect personal information from children under the age of 13. For example, if your website is designed for a general audience, but you have a separate section for kids, there should be a link to the privacy policy on the homepage, as well as on the main page for the kids’ section.
To comply with COPPA, your privacy policy must include three things:
- A list of all operators collecting personal information;
- A description of the personal information collected and how it is used; and
- A description of parental rights.
List of Operators
You will need to provide a list of all operators, including third parties, that collect personal information from kids. The list must include the name and contact information for each operator. If you have several operators collecting information, you can provide contact information for only one, as long as that operator agrees to respond to all inquiries from parents about your site or service’s practices. You will still have to list the names of all the other operators, however.
Description of Personal Information Collected
The policy must also describe:
- The types of personal information collected from children (such as name, address, e-mail address, hobbies, etc.)
- How the information is collected (for example, is it collected actively by filling out a form, or passively, through cookies?)
- How the information will be used (marketing to the child, notifying winners of contests, allowing the child to make information publicly available through a forum or chat room, etc.)
- Whether any personal information is disclosed to third parties, and if so, what kinds of third parties and how they use the information.
Description of Parental Rights
Finally, the policy must describe the rights parents have with respect to your collection of personal information:
- That you won’t require a child to disclose any more information than is reasonably necessary to participate in an activity
- That parents can review their child’s personal information, and direct you to delete it, and refuse to allow any further collection or use of personal information from their child
- That parents can agree to the collection and use of their child’s personal information, but still refuse to allow disclosure to third parties unless that is a part of the service (for example, social networks)
- The procedures parents need to follow to exercise these rights.
As the various requirements for a privacy policy show, you must put a great deal of thought into how your website or service operates, in order to make the proper disclosures. In addition, there is a substantial amount of programming involved, so that parents can properly exercise their rights to delete personal information or limit its collection and use.
In the next installment, I will discuss the issues of parental notification and consent.
Follow me on Twitter @PaulHSpitz