COPPA §312.4 and §312.5 require that the direct notice to parents describe what personal information will be collected and how it will be used — vague notices like 'I agree to the Terms of Service' do not satisfy this requirement. The consent must be informed: a parent who clicks 'approve' without knowing that the app collects usage events linked to their child's account, or that the display name is visible to other users, has not meaningfully consented to those specific practices. Disclosures that don't match actual collection also violate GDPR Article 13 for EU children, compounding exposure. The FTC has cited inadequate disclosure in consent notices as an independent ground for enforcement.
Low because the consent mechanism may still exist, but inadequate disclosure degrades the legal quality of that consent and creates a separate §312.4 notice obligation violation.
Rewrite the parental consent notice to enumerate each category of data collected, how it is used, whether it is shared, and what is visible to other users. Use plain language — not legal boilerplate.
Subject: [App Name] — Please review and approve your child's account
WHAT WE COLLECT FROM CHILDREN
- A display name (chosen by the child — not their real name)
- The child's email address (account communication only)
- Usage data within the app (not linked to real-world identity, not shared with advertisers)
HOW WE USE THIS INFORMATION
- To operate the account and provide the service
- We do NOT use children's data for behavioral advertising
- We do NOT share children's personal information with third parties for their own use
WHAT IS VISIBLE TO OTHERS
- The child's display name is visible to other users
- No other information is publicly visible
YOUR RIGHTS AS A PARENT
You may review, correct, or delete your child's data at any time
by contacting privacy@example.com.
Update the notice whenever you add a new data collection point to child sessions — stale consent disclosure is a §312.4 violation in its own right.
ID: coppa-compliance.parental-consent.consent-scope-limited
Severity: low
What to look for: Review the content of the parental consent notice — the email, form, or page where the parent is asked to consent. Does it clearly enumerate: what categories of personal information will be collected from the child, how that information will be used within the application, whether any information will be shared with third parties (and if so, which parties and for what purpose), and whether the child's information will be made publicly visible to other users? Check whether the consent notice is written in plain language that a non-technical parent can understand, or whether it buries the details in legal boilerplate. Verify that the consent scope matches what the application actually collects — consent to collect "display name" does not authorize collecting the child's school or home address.
Pass criteria: The parental consent notice clearly states: (1) what personal information is collected from children, (2) how it is used, (3) whether it is shared with third parties, and (4) whether any information is made publicly visible. The language is plain and accessible. The described scope matches what the application actually collects.
Fail criteria: The consent notice is a vague "I agree to the Terms of Service and Privacy Policy" without specific disclosure about what children's data is collected. The notice mentions collecting "some information" without specifying what. The scope in the consent notice does not match actual collection (e.g., consents to name only, but the app also collects usage data).
Skip (N/A) when: The application hard-blocks all users under 13 and no parental consent workflow exists.
Detail on fail: Example: "Parent consent email reads only: 'Your child has requested an account. Click here to approve.' No disclosure of what data is collected, how it is used, or whether it is shared." or "Consent notice describes collecting display name but the application also tracks usage events linked to the child's account — undisclosed in the consent request.".
Remediation: Write a specific, plain-language consent notice:
Subject: [App Name] — Please review and approve your child's account request
[Child's email address] has asked to create an account on [App Name].
Before approving, please review what we collect and how we use it:
WHAT WE COLLECT FROM CHILDREN
- A display name (chosen by the child — not their real name)
- The child's email address (used only to send account-related messages)
- Usage data within the app (pages visited, features used) — this is not linked to
a real-world identity and is not shared with advertisers
HOW WE USE THIS INFORMATION
- To operate the account and provide the service
- To improve the product (using aggregated, anonymized analytics)
- We do NOT use children's data for behavioral advertising
- We do NOT share children's personal information with third parties for their own use
WHAT IS VISIBLE TO OTHERS
- The child's display name is visible to other users
- No other information is visible publicly
YOUR RIGHTS AS A PARENT
You may review, correct, or delete your child's data at any time
by contacting privacy@example.com.
Keep the consent notice updated whenever you change what data is collected from child accounts.