Implement Reasonable Procedures to Protect the Security of Children’s Personal Information
COPPA requires you to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Minimize what you collect in the first place. Take reasonable steps to release personal information only to service providers and third parties capable of maintaining its confidentiality, security, and integrity. Get assurances they’ll live up to those responsibilities. Hold on to personal information only as long as is reasonably necessary for the purpose for which it was collected. Securely dispose of it once you no longer have a legitimate reason for retaining it.
Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement
In general, you must get a parent’s verifiable consent before collecting personal information from their child. But there are some limited exceptions to that requirement that allow you to collect information without parental consent. Keep in mind that the kind of information you may collect under each exception is narrow. You can’t collect anything more. Also, if you collect information under one of these exceptions, you can’t use it or disclose it for any other purpose.
REASON YOU MAY COLLECT INFORMATION WITHOUT PARENTAL CONSENT | THE KIND OF INFORMATION YOU MAY COLLECT | OTHER LIMITS ON HOW YOU MAY USE THE INFORMATION | IF YOU COLLECT INFORMATION UNDER THIS EXCEPTION, WHAT YOU MUST TELL PARENTS IN YOUR DIRECT NOTICE |
---|---|---|---|
To get verifiable parental consent | child’s and parent’s name and online contact information | You must delete their contact information if you don’t get consent within a reasonable time. | You must: |
To give voluntary notice to a parent about their child’s participation on a site or service that doesn’t collect personal information | parent’s online contact information | You must: | |
To respond directly to a child’s specific one-time request (for example, if the child wants to enter a contest) | child’s online contact information | You can’t use the information to contact the child again and you must delete it after you respond to the request. | No direct notice is required. |
To respond directly more than once to a child’s specific request (for example, if the child wants to receive a newsletter) | child’s and parent’s online contact information | You can’t combine this information with any other information collected from the child. | You must: |
To protect a child’s safety | child’s and parent’s name and online contact information | You must: | |
To protect the security or integrity of your site or service, to take precautions against liability, to respond to judicial process, or — as permitted by law — to provide information to law enforcement | child’s name and online contact information | No direct notice is required. | |
To provide support for internal operations of your site or service. This includes: | persistent identifier | You can’t use the information to contact a specific person, including through behavioral advertising, to amass a profile on a specific person, or for any other purpose. You can’t use this exception if you collect personal information other than a persistent identifier. | No direct notice is required. |
If you have actual knowledge that a person’s information was collected through a child-directed site, but their previous registration indicates the person is 13 or over. This exception applies only if: | persistent identifier | You can’t use this exception if you collect information other than a persistent identifier. | No direct notice is required. |