1. Define the type of user information gathered
2. Evaluate the methods and purpose of information collection
3. Ensure the parental notification about the collection, use and disclosure of information
4. Provide a parental consent procedure for the collection of information from children
5. Approval: Parental Consent Procedure
6. Ensure child's access to personal data
7. Enable parents to delete child's information on request
8. Update privacy policy to reflect current practices
9. Ensure the accuracy of the privacy policy
10. Approval: Privacy Policy
11. Create a mechanism for parents to review collected information
12. Train staff in COPPA compliance procedures
13. Implement data security measures
14. Check for third-party data sharing practices
15. Restrict information sharing with third parties unless necessary
16. Approval: Third Party Information Sharing
17. Monitor for changes in the law regarding COPPA compliance
18. Periodic review of compliance procedures
19. Approval: Overall COPPA Compliance
20. Document all steps and procedures for compliance evidence
Define the type of user information gathered
Identify and classify the different types of user information that the organization collects. This includes personal information such as names, ages, addresses, and contact details, as well as demographic information and online activities. Note that COPPA's definition of personal information is broader than the obvious fields: persistent identifiers such as cookie IDs, device identifiers and IP addresses, precise geolocation, and photos, video or audio that contain a child's image or voice all count, so inventory what your analytics, advertising and crash-reporting components collect as well as what your forms ask for. Understanding the types of information helps in formulating appropriate COPPA compliance measures.
Evaluate the methods and purpose of information collection
Analyze the methods and purposes for which user information is collected. This includes examining the website or app features, registration process, surveys, contests, social media integration, and communication channels used. As part of this step, determine whether the service (or a portion of it) is directed to children under 13, or whether the organization has actual knowledge that it collects information from children, since that determination decides whether COPPA applies at all. Evaluating the methods and purposes ensures compliance with COPPA requirements regarding informed consent and appropriate user disclosures.
Ensure the parental notification about the collection, use and disclosure of information
Implement mechanisms to provide parents with clear and concise notice of the organization's collection, use, and disclosure of user information. This includes explaining the purpose of data collection, the types of information collected, and any disclosure to third parties. COPPA requires two kinds of notice: a direct notice sent to the parent before the child's information is collected, and an online notice (the privacy policy) linked from the service. Email, or another channel that reaches the parent directly, satisfies the direct-notice requirement; a website pop-up or announcement reaches the user of the service rather than the parent and can serve only as the online notice. Notification channels:
1. Email
2. Website pop-up
3. Announcement
Provide a parental consent procedure for the collection of information from children
Establish a clear and easy-to-follow parental consent procedure that complies with COPPA regulations. The procedure must obtain verifiable parental consent using a method reasonably calculated, in light of available technology, to ensure that the person giving consent is the child's parent. Methods the FTC recognizes include a signed consent form returned by mail, fax or electronic scan; a credit card or other online payment that produces a notification of each transaction; a toll-free number or video conference staffed by trained personnel; and verification of a government-issued ID that is deleted after the check. Where the child's information is used only internally and not disclosed, the lighter "email plus" method (email consent followed by a confirming email, letter or phone call) is permitted. A plain checkbox or an unverified email reply is not verifiable consent. Include detailed instructions for parents on how to provide consent for the collection of their child's information, and record which method was used for each consent.
Approval: Parental Consent Procedure
Will be submitted for approval:
- Provide a parental consent procedure for the collection of information from children
Ensure child's access to personal data
Implement a process that allows the personal data collected about a child to be accessed and reviewed. This may be a secure online account or profile where the collected information can be viewed. Note that COPPA (16 CFR 312.6) grants the review right to the parent, so the account or profile must expose the collected data only after the requester has been verified as the parent with the same rigor used in the consent step; otherwise the access mechanism itself becomes a disclosure path for anyone claiming to be the child or the parent. Also include instructions on how to request changes or updates to the personal data.
Enable parents to delete child's information on request
Develop a procedure that enables parents to request the deletion of their child's information. This procedure should be user-friendly and should include clear instructions on how to initiate the deletion process, and it should verify the requester as the parent before acting. Ensure that the child's information is deleted from production systems on request, that the deletion propagates to backups on their normal rotation and to any service providers that hold the data, and that only a minimal record of the request and its fulfilment is retained. COPPA also lets a parent refuse to permit further use or collection of the child's information at any time, so the same channel should handle withdrawal of consent.
Update privacy policy to reflect current practices
Review and update the organization's privacy policy to accurately reflect the current practices and procedures implemented for COPPA compliance. Ensure that the privacy policy clearly outlines the types of information collected, the purposes for collection, the method of consent, and the rights of parents and children in relation to their personal data.
Ensure the accuracy of the privacy policy
Regularly review and verify the accuracy of the organization's privacy policy. This includes conducting internal audits and assessments to ensure that the privacy policy aligns with the actual information collection and disclosure practices. Update the privacy policy as necessary to address any discrepancies or changes in data handling procedures.
Approval: Privacy Policy
Will be submitted for approval:
- Update privacy policy to reflect current practices
- Ensure the accuracy of the privacy policy
Create a mechanism for parents to review collected information
Establish a process that allows parents to review the information collected about their child. This may include providing access to an online portal, sending periodic summaries of the collected data, or offering support through customer service channels. Ensure that parents can easily request further details or clarifications. Review channels:
1. Online portal access
2. Periodic summaries
3. Customer support
Train staff in COPPA compliance procedures
Educate all relevant staff members on the procedures and guidelines for COPPA compliance. Conduct training sessions and provide informational resources, such as handbooks or online courses, to ensure that staff members understand their roles and responsibilities in protecting children's privacy. Monitor staff compliance regularly. Training topics:
1. Understanding COPPA regulations
2. Identifying children's information
3. Proper data handling practices
4. Obtaining parental consent
5. Recognizing and reporting privacy breaches
Implement data security measures
Put in place reasonable procedures to protect the confidentiality, security, and integrity of the collected information against unauthorized access, use, disclosure, alteration, or destruction. This may include encryption of data in transit and at rest, access controls that restrict child data to the staff and systems that need it, network controls such as firewalls, regular data backups, and secure storage systems. COPPA also requires data minimization: retain a child's personal information only as long as reasonably necessary for the purpose for which it was collected, then delete it using measures that protect against unauthorized access during disposal. Where service providers handle the data, obtain assurances that they apply equivalent protections. Security measures:
1. Encryption protocols
2. Restricted access controls
3. Firewall protection
4. Regular data backups
5. Secure storage systems
Check for third-party data sharing practices
Conduct an assessment of any third-party entities with which user information is shared or disclosed, or that collect information directly through the service. This includes advertising networks, analytics providers, social media platforms, and other service providers. COPPA holds the operator of a child-directed service responsible for personal information collected on it by third-party plug-ins, SDKs and ad networks, so inventory the third-party code embedded in the site or app, not only the data the organization sends out itself. Verify that these third parties have adequate COPPA compliance measures in place and do not use the information for unauthorized purposes. Third parties receiving data:
1. Advertising networks
2. Analytics providers
3. Social media platforms
4. Service providers
5. None
Restrict information sharing with third parties unless necessary
Minimize the sharing of user information with third-party entities unless necessary for the operation or improvement of the organization's services. Evaluate the necessity and legality of sharing information with each third party, ensuring compliance with COPPA regulations. Any disclosure to third parties must be described in the direct notice to the parent, and the parent must be able to consent to the collection and internal use of the child's information without also consenting to its disclosure to third parties (service providers that only support the operator's internal operations are not third parties for this purpose). Do not condition a child's participation in an activity on disclosing more personal information than is reasonably necessary for that activity.
Approval: Third Party Information Sharing
Will be submitted for approval:
- Check for third-party data sharing practices
- Restrict information sharing with third parties unless necessary
Monitor for changes in the law regarding COPPA compliance
Stay updated on any changes or amendments to the COPPA Rule and ensure ongoing compliance. Assign a responsible person or team to monitor regulatory updates and assess the impact on the organization's practices. Regularly review the FTC's COPPA Rule page and its COPPA FAQ, consult legal resources, or subscribe to relevant industry newsletters.
Periodic review of compliance procedures
Conduct periodic reviews of the organization's COPPA compliance procedures to ensure ongoing effectiveness. This includes evaluating the implementation of the various tasks outlined in this checklist, assessing staff adherence to procedures, and identifying any areas for improvement or corrective action.
Approval: Overall COPPA Compliance
Will be submitted for approval:
- Periodic review of compliance procedures
Document all steps and procedures for compliance evidence
Maintain comprehensive documentation of all steps and procedures implemented to ensure COPPA compliance. This documentation serves as evidence of compliance efforts in the event of an audit or investigation. Keep records of staff training, consent records (including the verification method used for each consent), parental access and deletion requests and their fulfilment, privacy policy versions and their dates, third-party agreements, and any other relevant documentation.