Notify Parents Directly Before Collecting Personal Information From Children
COPPA requires that you give parents “direct notice” of your information practices before collecting information from their kids. In addition, if you make a material change to the practices parents previously agreed to, you have to send an updated direct notice.
The notice should be clear and easy to read. Don’t include any unrelated or confusing information. The notice must tell parents:
- that you collected their online contact information for the purpose of getting their consent;
- that you want to collect personal information from their child;
- that their consent is required for the collection, use, and disclosure of the information;
- the specific personal information you want to collect and how it might be disclosed to others;
- a link to your online privacy policy;
- how the parent can give their consent; and
- that if the parent doesn’t consent within a reasonable time, you’ll delete the parent’s online contact information from your records.
In certain circumstances, it’s okay under COPPA to collect a narrow class of personal information without getting parental consent. But you may still have to give parents direct notice of your activities.
Obtain Parents’ Verifiable Consent Before Collecting Personal Information From Children
Before collecting, using or disclosing personal information from a child, you must get their parent’s verifiable consent. How do you get that? COPPA leaves it up to you, but it’s important to choose a method reasonably designed in light of available technology to ensure that the person giving the consent is the child’s parent. If you have actual knowledge that you’re collecting personal information from a site or service that is directed to children, you may get consent directly or through the child-directed site or service.
Acceptable methods include having the parent:
- sign a consent form and send it back to you via fax, mail, or electronic scan;
- use a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder;
- call a toll-free number staffed by trained personnel;
- connect to trained personnel via a video conference;
- provide a copy of a form of government-issued ID that you check against a database, as long as you delete the identification from your records when you finish the verification process;
- answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer; or
- submit a picture of a driver’s license or other photo ID, which you verify and then compare to a second photo submitted by the parent, using facial recognition technology.
If you will use a child’s personal information only for internal purposes and won’t disclose it, you may use a method known as “email plus.” Under that method, send an email to the parent and have them respond with their consent. Then you must send a confirmation to the parent via email, letter, or phone call. If you use email plus, you must let the parent know they can revoke their consent anytime.
You must give parents the option of allowing the collection and use of their child’s personal information without agreeing to the disclosure of that information to third parties. If you make changes to the collection, use, or disclosure practices the parent already agreed to, you must send the parent a new notice and get their consent.
Honor Parents’ Ongoing Rights Regarding Personal Information Collected From Children
Even if parents have agreed that you may collect information from their kids, parents have ongoing rights — and you have continuing obligations. If a parent asks, you must:
- give them a way to review the personal information collected from their child;
- give them a way to revoke their consent and refuse the further use or collection of personal information from their child; and
- delete their child’s personal information.
Any time you’re communicating with a parent about personal information already collected from their child, take reasonable steps to ensure you’re dealing with the child’s parent. At the same time, make sure the method you use to give parents access to information collected from their kids isn’t unduly burdensome on the parent. Under COPPA, it may be okay to terminate a service to a child if the parent revokes consent, but only if the information at issue is reasonably necessary for the child’s participation in that activity.