After determining that your company is covered by COPPA, the next step is to post a privacy policy. It must clearly and comprehensively describe how personal information collected online from kids under 13 is handled. The notice must describe not only your practices, but also the practices of any others collecting personal information on your site or service — for example, plug-ins or ad networks.
Include a link to your privacy policy on your homepage and anywhere you collect personal information from children. If you operate a site or service directed to a general audience, but have a separate section for kids, post a link to your privacy policy on the homepage of the kids’ part of your site or service.
Make those links clear and prominent. Consider using a larger font or a different color type on a contrasting background. A fineprint link at the bottom of the page or a link that isn’t distinguishable from other links on your site won’t do the trick.
To comply with COPPA, your privacy policy should be clear and easy to read. Don’t add any unrelated or confusing information. Here’s what your policy must include:
All Parties Collecting Personal Information
Name each third party operator, such as an advertising network or social network plug-in, that collects or maintains children’s personal information through your site or service. For each, include a name and contact information (address, telephone number, and email address). If more than one is collecting information, it’s okay to give contact information for only one as long as that company will respond to all inquiries from parents about your site or service’s practices. Even so, you still have to list all third parties in your privacy policy.
The Information You Collect and How it’s Used
Your policy must describe:
- the types of personal information collected from children (for example, name, address, email address, hobbies, etc.);
- how the personal information is collected — directly from the child or passively, say, through cookies;
- how the personal information will be used (for example, for marketing to the child, notifying contest winners, or allowing the child to make information publicly available through a chat room); and
- whether you disclose personal information collected from kids to third parties. If you do, your privacy policy must list the types of businesses you disclose information to (for example, ad networks) and how they use the information.
Description of Parental Rights
Your privacy policy must tell parents:
- that you won’t require a child to disclose more information than is reasonably necessary to participate in an activity;
- that they can review their child’s personal information, direct you to delete it, and refuse to allow any further collection or use of the child’s information;
- that they can agree to the collection and use of their child’s information, but still not allow disclosure to third parties unless that’s part of the service (for example, social networking); and
- the procedures to follow to exercise their rights.
