Skip to main content

Data Privacy: Top 10 Tips for to Make Sure Your Business Complies with COPPA


Data Privacy Day (January 28th) is an international effort to empower individuals to take ownership of their online presence and inspire businesses to respect privacy. To celebrate, we’re sharing tips companies and small business can use to help ensure that a website or online service complies with COPPA.

1.    Draft Your Own Privacy Policy

You would be surprised how many companies cut and paste other privacy policies or templates. Unfortunately, privacy is not a one-size-fits-all type of situation. You need to draft a policy for your site or service that accurately reflects your specific privacy practices or you render the document useless. Make sure you include everything that applicable laws require. But be straight and to the point. The FTC frowns upon including unrelated or confusing information, which serves only to misdirect readers’ attention from what is important.

2.    Shout it From the Rooftop

Make sure that all your third-party service providers are aware that your product is child-targeted. Under COPPA, you are strictly liable for any information that they collect from your so make sure that they are treating the collection of user information appropriately.

3.   Respect Your Teachers

If you are providing your website or service to schools, ensure that the school receives the same notice for consent that you would provide to a parent before collecting information from children. For example, under COPPA, you must inform parents of all personal information your service collects or can be publicly disclosed by children.

4.    Less is More

When it comes to information collection, the less you collect, the better. Collect only what personal information you truly require to participate in the service you offer. Every piece of personal information you collect should have a specified business purpose. And you should list that purpose in your privacy policy.

5.    Call Me Maybe

Be sure that you list your full contact information for your company in
your privacy policy. Include your business address, phone number and an email address for an inbox that is regularly monitored. When it comes to children’s privacy, your organization needs to be readily available.

6.    Easy Way Out

Provide parents and guardians with an easily accessible method to delete a child’s personal information or opt out of future collection.

7.   No Means No

Before collecting or allowing children to disclose personal information, you must get verifiable parental consent. Do not collect any personal information from children other than a parent’s email address before you obtain parental consent.

8.    Captive Audience

Determine who your audience is: you may intend to operate a service directed to teens, but if you attract a substantial number of children, you may be required to comply with COPPA. See Section G of the COPPA FAQs.

9.    Location, Location, Location

If you collect or allow third parties to collect geolocation data you may need parental consent first. If the address collected is sufficient to identify a street name and city or town, you need parental consent.

10.  Join a Safe Harbor! 

If you’re concerned that your website or online service does not comply with COPPA, have no fear! You can join a certified Safe Harbor program to help you get into compliance with COPPA. CARU was the first FTC-approved Safe Harbor and we’re here to assist you.

If you have any questions about COPPA compliance or joining CARU’s Safe Harbor program, please email CARU at info@caru.bbb.org.

Looking to learn more about how to comply with the Children's Online Privacy Protection Act (COPPA), the General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA)?  Don't miss CARU's West Coast Kids Advertising and Online Privacy Conference March 6, 2019 in Los Angeles.

About the Children's Advertising Review Unit

The Children's Advertising Review Unit (CARU) was founded in 1974 to promote responsible children's advertising as part of a strategic alliance with the major advertising trade associations and the Council of Better Business Bureaus. CARU is the children's arm of the advertising industry's self-regulation system and evaluates child-directed advertising and promotional material in all media to advance truthfulness, accuracy and consistency with its Self-Regulatory Program for Children's Advertising and relevant laws. In addition, CARU is an FTC-approved COPPA Safe Harbor, which helps companies comply with the Children’s Online Privacy Protection Act (COPPA).

For more information on CARU, email info 'at' caru (dot) bbb (dot) org
For more information about Data Privacy Day, visit Stay Safe Online.


Have your own little one? Be sure to check out our article about Tips for Parents to Keep Kids Information Safe Online.

Popular posts from this blog

20 Years Young: The History and Maturing of COPPA in a Privacy-Conscious Age

1998: A Concern for Children’s Privacy Was BornFrom the moment home computers had the capacity to connect to the Internet, children had the ability to use these technologies to access online websites and services. In the 1990s, concerns about children’s privacy and safety online arose amid fears of marketing practices around selling children’s personal information and exposing children’s information to predators.

The Children’s Advertising Review Unit (CARU), founded in 1974, has always been on the forefront of safeguarding children’s privacy. CARU is the self-regulatory arm of the children’s advertising industry, tasked with promoting truth in children’s advertising by reviewing and evaluating child-directed ads in all media to ensure they are truthful, accurate and appropriate. CARU also monitors online privacy practices as they affect children.
Before there was any legislation on the matter, CARU monitored a burgeoning Internet and observed how children’s privacy and safety were be…

Safety Tips for Parents Buying Smart and Connected Toys This Holiday Season

Teddy bears once filled with stuffing are now hard-wired with smart technology. Internet-connected toys can be fun but they can also put your family at risk if proper care is not taken when buying and using these devices.

Now, more than ever before, The Children’s Advertising Review Unit (CARU) encounters toys that may collect personal information (e.g. name, email address) from children. Unfortunately, this may be done without parents knowing it’s happening. Much like many offline experiences where parent’s permission is required before collecting or using your child’s information, the online world is the same: parental permission is required! These connected toys aren’t inherently bad; in fact, they can be highly educational and fun as long as parents are well-informed and choose wisely. But if you choose the wrong toy, there can be consequences (check out our issues we had with a recent smart toy here) Santa checks his list twice and responsible parents should too-- you may be surpr…

Key Takeaways from the 2019 CARU Conference

The CARU Conference was held this year in Marina del Rey, California (just 15 minutes from LAX Airport) at the Ritz-Carlton hotel. We kicked the day off with a movie screening of Screenagers, the award-winning film that explores family life and the struggles over social media, video games and academics. The movie shares challenges of parenting in a digital world and solutions for how to help kids safely navigate the issues. Later in the day, the film’s star and director, Delaney Ruston shared her own messy, personal experiences. While it’s true that too much screen time can have adverse effects on brain development, it’s also true that prosocial games and media can encourage kids’ good behavior as well. Dr. Ruston hopes that her film will spark a movement—that this film will get families talking about how they can aspire to lead more balanced lives. She thinks industry is up to the task and challenged them to create more cool and prosocial content. Our first keynote speaker was the Cho…