If you’re an app or website owner whose service is knowingly collecting, using, or disclosing personal information from children under 13, then there are some special regulations that you are legally required to follow under the vast majority of legislations. “Personal information” within this context refers to the child’s name, location, any contact information, identification information (eg. social security number), device identifiers, IP address, photo, video or audio containing the child’s image or voice.
While this guide will separate US and EU law for your convenience, it should be noted that both cases the regulatory bodies have made it clear that the requirements of these laws will apply as long as you have or target users located in the region that these regulations are from. This means that it doesn’t matter if your business or servers are located in the region or not, the laws will still apply to you.
Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13, or which have actual knowledge that they are collecting personal information from children under 13 must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information and must keep secure the information they collect from children.
“Verifiable” here means using a method of attaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (eg. control questions). Even after consenting, parents must also have the option to disallow disclosure to third parties if so desired, unless such disclosures are part of the service (for example, social networking).
A central requirement of this Act is having a COPPA-compliant privacy policy in place. You can read more about compliance in the sections below and learn more about COPPA here.
Under EU GDPR regulations, consent is one of the Lawful Reasons for processing the data of children. If using this basis for processing the data of children under 13, you must get verifiable consent from a parent or guardian unless the service you offer is a preventative or counseling service. You must make reasonable efforts (using available technology) to verify that the person giving consent actually holds parental responsibility for the child.
If using another lawful reason as the basis for processing a child’s data, you must consider factors such as the child’s competence to understand and agree to the processing, and the interests and fundamental rights of the child. Furthermore, if you target children over the age of 13, you must write clear and age-appropriate privacy notices for them so that they understand what they’re consenting to.
The right to erasure is particularly relevant in cases where a person gave consent to processing when they were a child. When processing the data of children, the law requires that you take appropriate measures to ensure that their data is safeguarded.
Learn more about considerations regarding children under EU law on our guide to minors and the GDPR and on ICO’s website.
Here’s 1 Thing you Have to Know.
Describe the types of personal information processed online from children, the purpose and the way it’s handled.
List all operators processing personal information. Name each third party operator involved in the processing including social plugins, widgets, and ad networks.
Describe parental rights in relation to their child’s data and the procedures to follow to exercise these rights.
Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children.
Provide parents access to their child’s personal information to review and/or have the information deleted.
Give parents the opportunity to withdraw consent and prevent further processing of a child’s personal information.
Maintain the confidentiality, security, and integrity of data collected from children. This includes taking reasonable steps to ensure that such data is only released to third-parties capable of maintaining its confidentiality and security.
Ensure that you keep personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected. When no longer necessary, be sure to delete the information using secure measures to protect against its unauthorized access or use.
Do not make a child’s ability to access an online activity dependent on the child providing more information than what is reasonably necessary for the activity.
In terms of compliance with child data protection laws, one of the first logical steps is making sure that your privacy policy meets its legal obligations. With this in mind, we’ve built a solution that implements the strictest regulations from the major legislations into one inclusive yet easy-to-read policy.
While you’re separately required to implement methods to collect, record and verify parental consent, our privacy policy solution makes it easy for you to meet your disclosure obligations by allowing you to comprehensively disclose and define necessary details in a legally compliant way; we’ve also specifically included an additional, comprehensive COPPA clause to further simplify the process.
The process is straightforward and intuitive, simply click to add your services > fill out your web/app owner and contact details > embed.
Congratulations! Your policy has been created. Simply check that all the details are correct, then:
Our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal and third-party requirements. Our privacy policies also come with the option to include a cookie policy which is necessary to include if your website or app is using cookies.
You can read more about our policy generator and features here and read about our full range of solutions here.
