The FTC created the following checklist for COPPA Compliance. This checklist was published as a part of the guide FTC, You, Your Privacy Policy and COPPA <www.ftc.gov/bcp/conline/edcams/coppa/index.html>.
- - -
Your website's privacy policy must accurately represent your site's information practices. That is, you must deliver what your privacy policy promises. The policy also should be well-organized, concise and easy to understand. This will help ensure that parents will have all the information they need to make decisions about giving consent.
Use this checklist to help identify the elements that your website's privacy policy needs to be COPPA-compliant. It addresses issues related to the placement, content and style of your privacy policy. The person completing the checklist should be knowledgeable about your website's information practices and have a copy of your site's policy handy for review.
But you also may want to ask someone who isnt familiar with your information practices to read your privacy policy and help you answer the following questions. Should a question in the checklist identify an issue in your privacy policy that needs correction, it will refer you to the appropriate part of Section 1 for guidance.
Location
(1) Is there a link to your privacy policy on the hompage of your website or on the homepage of the children's area of your website?
[] If YES, go to the next question.
[] If NO, place a link to your privacy Policy in the appropriate places.
(2) Are the links to your privacy policy near each other and every place on your website where you collect personal information from children?
[] If YES, go to the next question.
[] If NO, review the areas where your collect personal information from children and put links to your privacy policy near each of these places.
(3) Does the link to your privacy policy stand out so that the website visitor can located it easily?
[] If YES, describe how the link stands out:
[] If NO, change your link by using contracting colors, changing the font or type size or creating a noticeable icon.
(4) Is the link in a different color, a different font, or a larger type size?
[] If YES, go to the next question.
[] If NO, change it so it is prominent and stands out.
(5) Is the link to your privacy policy labeled clearly so a visitor can tell what it is?
[] If YES, record the label of your link:
[] If NO, change the link to your privacy policy so that a casual visitor can tell what it is.
CONTENT
(6) Does your privacy policy include the names of all the website operators who collect or maintain personal information from children through your site?
[] If YES, go to the next question.
[] If NO, revise your privacy policy to include the name of each operator.
(7) Does your privacy policy provide mailing addresses for all the website operators who collect or maintain personal information through your site?
[] If YES, go to the next question?
[] If NO, does the privacy policy provide contact information (mailing address, telephone number and email address) for one operator who, in turn, will respond to inquiries from parents on behalf of the other operators?
[] If YES, go to question 10.
[] If NO, review your privacy policy to include full contact information for each operator who collects or maintains personal information from children through your website, of for one operator who will respond to all inquiries.
(8)Does your privacy policy provide the telephone number for all website operators who collect or maintain personal information through your site?
[] If YES, go to the next question.
[] If No, review your privacy policy to include telephone numbers for all operators.
(9) Does your privacy policy provide the email addresses of all website operators who collect or maintain personal information through your site?
[] If YES, go to the next question.
[] If NO, revise your privacy policy so it includes email addresses.
(10) Does your privacy policy state each type of personal information (full name, email address, mailing address, phone number, etc.) that you collect from children?
[] If YES, go to the next question.
[] If NO, revise your privacy policy so it tells each type of personal information the site collects.
(11) Is your statement of the types of personal information collected descriptive? Is it specific enough to let parents know the kinds of personal information you will be collecting from their children?
[] If YES, go to the next question.
[] If NO, revise the statement to be more descriptive.
12. Does your privacy policy tell parents whether personal information is collected actively - that is, from the child - or passively - for example, through the use of cookies?
[] If YES, go to the next question.
[] If NO, revise the privacy policy to tell parents how your website collects personal information from children.
13. Does your privacy policy tell parents how your website will use the personal information that it collects?
[] If YES, go to the next question.
[] If NO, revise the privacy policy so it gives parents that information.
14. Does your website share or disclose children's personal information with third parties?
[] If YES, go to the next question.
[] If NO, go to question 19.
15. Does your privacy policy state what kinds of businesses the third parties are engaged in?
[] If YES, go to the next question.
[] If NO, revise the privacy policy.
16. Does your privacy policy tell parents the general purposes the third parties will use their children's personal information for?
[] If YES, go to the next question.
[] If NO, revise the privacy policy.
17. Does your privacy policy state whether the third parties that your site shares personal information with have agreed to maintain the confidentiality, security and integrity of the information?
[] If YES, go to the next question.
[] If NO, revise the privacy policy to address whether the third parties have agreed.
18. Does your privacy policy tell parents they can agree to the collection and use of their child's personal information by your site without agreeing to you disclosing the information to third parties?
[] If YES, go to question 20.
[] If NO, revise the privacy policy to tell parents they have the right to consent to your site's collection and use of their child's personal information, while saying no to your disclosure of the information to third parties.
19. Does your privacy policy clearly state that your website does not disclose personal information to third parties?
[] If YES, go to the next question.
[] If NO, revise the language in your privacy policy to explain that the website doesn't share children's personal information with third parties.
20. Does your privacy policy state that your site cannot condition a child's participation in an activity on the child's disclosure of more personal information than is reasonably necessary to participate in the activity?
[] If YES, go to the next question.
[] If NO, add appropriate language to your privacy policy.
21. Does your privacy policy let parents know that they can review the personal information that your website has collected from their child?
[] If YES, go to the next question.
[] If NO, revise the privacy policy to tell parents they have the right to review the information the site has collected from their child.
22. Does your privacy policy tell parents how they can review their child's personal information?
[] If YES, go to the next question.
[] If NO, revise the privacy policy to let parents know how to review their child's personal information.
23. A. Does your privacy policy tell parents they can have their child's personal information deleted from your site?
[] If YES, go to the next question.
[] If NO, revise the language in the privacy policy.
B. Does your privacy policy tell parents how they can have their children's personal information deleted from your site?
[] If YES, go to the next question.
[] If NO, revise the privacy policy.
24. A. Does your privacy policy tell parents that they can stop your website from further collecting or using the additional personal information from your child?
[] If YES, go to the next question.
[] If NO, revise the privacy policy as appropriate.
B. Does your privacy policy tell parents how they can stop the further collection and use of their child's personal information?
[] If YES, go to the next question.
[] If NO, revise the privacy policy.
Style
25. Is your privacy policy clear and understandable? Easy to read? Consider testing it with potential readers.
[] If YES, go to the next question.
[] If NO, rewrite and simplify the privacy policy so the parents of your visitors would be likely to find it easy to read and understand.
26. Does your privacy policy give a complete description of your information practices? Does it explain all the personal information you collect? Does it spell out how you will use the information?
[] If YES, go to the next question.
[] If NO, review the privacy policy and add information to make the description complete.
27. Does your privacy policy include any contradictory, confusing or ambiguous language?
[] If YES, edit the policy.
[] If NO, go to the next question.
28. Does your privacy policy contain any material or content that doesn't relate to your information practices?
[] If YES, edit the policy so it focuses on your information practices.
[] If NO, go to the next question.
29. Is your privacy policy well-organized and easy to follow?
[] YES.
[] NO. It's time to reorganize the information in the policy to make it easier to follow. Consider using a question and answer format.
30. Do your practices reflect the promises you make in your privacy policy?
[] YES. Keep up the good work.
[] NO. Go back to square one.
