Security Requirements and Exceptions

Implement Reasonable Procedures to Protect the Security of Children’s Personal Information

COPPA requires you to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Minimize what you collect in the first place. Take reasonable steps to release personal information only to service providers and third parties capable of maintaining its confidentiality, security, and integrity. Get assurances they’ll live up to those responsibilities. Hold on to personal information only as long as is reasonably necessary for the purpose for which it was collected. Securely dispose of it once you no longer have a legitimate reason for retaining it.

Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

In general, you must get a parent’s verifiable consent before collecting personal information from their child. But there are some limited exceptions to that requirement that allow you to collect information without parental consent. Keep in mind that the kind of information you may collect under each exception is narrow. You can’t collect anything more. Also, if you collect information under one of these exceptions, you can’t use it or disclose it for any other purpose.

Reason you may collect information without parental consent: To get verifiable parental consent
Kind of information you may collect: child’s and parent’s name and online contact information
Other limits on how you may use the information: You must delete their contact information if you don’t get consent within a reasonable time.
If you collect information under this exception, what you must tell parents in your direct notice: You must:

  • tell parents you collected their online contact information so you can obtain their consent;
  • tell them their consent is required for the collection, use or disclosure of personal information collected from the child, and that you won’t collect, use or disclose any personal information from the child without the parent’s consent;
  • describe the additional items of personal information you intend to collect from the child and other ways for the child to disclose personal information if the parent provides consent;
  • hyperlink to your privacy policy;
  • describe the ways parents can provide verifiable consent for the collection, use or disclosure of personal information collected from the child; and
  • tell parents that if they don’t provide consent within a reasonable time, you will delete their online contact information from your records.

Reason you may collect information without parental consent: To give voluntary notice to a parent about their child’s participation on a site or service that doesn’t collect personal information
Kind of information you may collect: parent’s online contact information
If you collect information under this exception, what you must tell parents in your direct notice: You must:

  • tell parents you collected their online contact information to let them know about their child’s activities on a site or service that doesn’t collect personal information;
  • tell them their online contact information won’t be used for any other purpose;
  • tell them they may refuse their child’s participation and require that you delete their contact information; and
  • hyperlink to your privacy policy.

Reason you may collect information without parental consent: To respond directly to a child’s specific one-time request (for example, if the child wants to enter a contest)
Kind of information you may collect: child’s online contact information
Other limits on how you may use the information: You can’t use the information to contact the child again and you must delete it after you respond to the request.
If you collect information under this exception, what you must tell parents in your direct notice: No direct notice is required.

Reason you may collect information without parental consent: To respond directly more than once to a child’s specific request (for example, if the child wants to receive a newsletter)
Kind of information you may collect: child’s and parent’s online contact information
Other limits on how you may use the information: You can’t combine this information with any other information collected from the child.
If you collect information under this exception, what you must tell parents in your direct notice: You must:

  • tell parents you collected their online contact information to let them know their child has asked for multiple online communications;
  • tell parents you collected their child’s online contact information to provide the multiple communications they asked for;
  • tell parents the online contact information won’t be used for any other purpose and won’t be disclosed or combined with other information;
  • tell parents that if they don’t opt out, you may use the child’s online contact information for that purpose; and
  • hyperlink to your privacy policy.

Reason you may collect information without parental consent: To protect a child’s safety
Kind of information you may collect: child’s and parent’s name and online contact information
If you collect information under this exception, what you must tell parents in your direct notice: You must:

  • tell parents you collected the names and contact information to protect a child’s safety;
  • tell parents the information won’t be used or disclosed for any other purpose;
  • tell parents they may refuse to permit the use of the contact information and require you to delete it; and
  • hyperlink to your privacy policy.

Reason you may collect information without parental consent: To protect the security or integrity of your site or service, to take precautions against liability, to respond to judicial process, or — as permitted by law — to provide information to law enforcement
Kind of information you may collect: child’s name and online contact information
If you collect information under this exception, what you must tell parents in your direct notice: No direct notice is required.

Reason you may collect information without parental consent: To provide support for internal operations of your site or service. This includes:

  • maintaining or analyzing the functioning of the site,
  • performing network communications,
  • authenticating users of the site or personalizing content,
  • serving contextual ads or frequency capping,
  • protecting the security or integrity of the user or the site,
  • legal or regulatory compliance, or
  • fulfilling a child’s request under the one-time contact or multiple contact exceptions.

Kind of information you may collect: persistent identifier
Other limits on how you may use the information: You can’t use the information to contact a specific person, including through behavioral advertising, to amass a profile on a specific person, or for any other purpose. You can’t use this exception if you collect personal information other than a persistent identifier.
If you collect information under this exception, what you must tell parents in your direct notice: No direct notice is required.

Reason you may collect information without parental consent: If you have actual knowledge that a person’s information was collected through a child-directed site, but their previous registration indicates the person is 13 or over

This exception applies only if:

  • you collect only a persistent identifier and no other personal information;
  • the person affirmatively interacts with your site or service to trigger the collection; and
  • you have already conducted an age-screen of the person indicating he or she is 13 or over.

Kind of information you may collect: persistent identifier
Other limits on how you may use the information: You can’t use this exception if you collect information other than a persistent identifier.
If you collect information under this exception, what you must tell parents in your direct notice: No direct notice is required.