COPPA §312.4 and §312.4(b) require operators whose websites or services are directed to children to post a clear and prominent link to a notice describing their information practices for children. A single sentence like 'We comply with COPPA' does not satisfy this requirement — the notice must specifically describe what is collected from children, how it is used, how parents can exercise their rights, and how consent was obtained. A generic adult privacy policy with no children's section is the most common COPPA documentation gap found in AI-built apps and is independently cited in FTC complaints alongside substantive violations.
Severity is low because the documentation gap is a notice violation under §312.4 rather than an active data collection violation, but it eliminates any good-faith defense and is independently actionable by the FTC.
Add a dedicated 'Children's Privacy (COPPA Notice)' section to your privacy policy at src/app/privacy/page.tsx or the equivalent. The section must cover all five required disclosures.
## Children's Privacy (COPPA Notice)
### Information we collect from children
With verifiable parental consent, we collect: display name, email address,
date of birth. We do not collect: real name, home address, phone number,
school name, geolocation, or any information not listed above.
### How we use children's information
Only to provide and operate the service and to communicate with the parent.
We do not use children's information for advertising.
### Parental rights
Parents may review, correct, or request deletion of their child's data by
contacting privacy@example.com with subject 'Parental Data Request.'
We respond within 5 business days after verifying parent identity.
### Consent mechanism
We use the email-plus method approved by the FTC: a direct notice to the
parent's email address, requiring the parent to click a confirmation link
before we create the child's account.
Link this section from the footer on every page and ensure it is accessible without authentication.
ID: coppa-compliance.operator-obligations.children-privacy-policy
Severity: low
What to look for: Count all relevant instances and enumerate each. Find the privacy policy and look for a dedicated section or subsection about children's privacy. COPPA requires the privacy policy to clearly describe: what personal information is collected from children under 13, how the information is used, whether and how it is disclosed to third parties, and how parents can review or delete their child's data. A generic adult-oriented privacy policy with a single sentence like "we comply with COPPA" is not sufficient. The children's section must be specific to the actual data practices for child accounts. Check whether the policy is linked from every page (typically in the footer). Verify it is accessible without authentication.
Pass criteria: The privacy policy contains a dedicated section on children's privacy that specifically describes: (1) what information is collected from children, (2) how it is used, (3) how parents can review/delete the data, (4) the consent mechanism used, and (5) a contact method for parental inquiries. The policy is accessible without login and linked from all pages.
Fail criteria: The privacy policy has no children's section; or it contains only a sentence acknowledging COPPA with no substantive content; or the children's section exists but does not describe the actual data practices for child accounts.
Skip (N/A) when: The application hard-blocks all users under 13 and no child accounts are possible (verified by passing the underage-blocking check). Even then, consider whether the policy should document the age gate.
Detail on fail: Example: "Privacy policy has no section specific to children. A single sentence reads: 'We do not knowingly collect data from children under 13.' The site has no age gate and could easily attract users under 13." or "Children's section in privacy policy reads only 'We comply with COPPA.' No description of data practices, parental rights, or contact information for parental inquiries."
Remediation: Add a substantive children's privacy section to your privacy policy:
## Children's Privacy (COPPA Notice)
### Who this section applies to
This section applies to users of [App Name] who are under 13 years of age
("children") and their parents or legal guardians.
### Information we collect from children
With verifiable parental consent, we collect the following from children:
- Display name (chosen by the child — not their real name)
- Email address (used only for account-related communication)
- Date of birth (to verify age; stored securely)
We do not collect from children: real name, home address, phone number,
school name, geolocation, or any information not listed above.
### How we use children's information
We use children's information only to:
- Provide and operate the [App Name] service
- Communicate with the parent or guardian about the account
We do not use children's information for advertising or share it with
third parties for their own use.
### Parental rights
As a parent or guardian, you have the right to:
- Review the personal information collected from your child
- Request correction of inaccurate information
- Revoke consent and request deletion of your child's account and data
- Refuse further collection or use of your child's information
To exercise any of these rights, contact us at privacy@example.com
with the subject line "Parental Data Request." We will respond within
5 business days and verify your identity before releasing any information.
### How we obtain and verify parental consent
We use [describe method, e.g., "the email-plus method approved by the FTC:
we send a direct notice to the parent's email address and require the parent
to click a confirmation link before creating the child's account."]