COPPA §312.4 and §312.4(c) require a direct notice to parents before collecting personal information from children — distinct from the privacy policy, this is a direct communication to the specific parent whose child is initiating signup. Sending the consent link to the child's email rather than a separately collected parent email address means the child is effectively approving their own account, which is not parental consent by any definition. The direct notice must also include the operator's full legal name and contact information, a description of data collected, use, third-party disclosure, and parental rights — omitting any of these is an independent §312.4 violation.
Rated info because the violation is a notice-delivery deficiency rather than a data collection failure; even so, an incomplete or misdirected direct notice invalidates the consent it was meant to establish.
Ensure the direct notice email is sent to a separately collected parent email address and includes all FTC-required disclosures. Use this structure as a template in your email service.
Subject: [App Name] — Notice to parents: your child has requested an account

This notice is required by the Children's Online Privacy Protection Act (COPPA).

[Company Legal Name]
[Company address]
privacy@example.com

A child using [child email] has requested an account and provided your email
as their parent or guardian.

WHAT WE COLLECT FROM CHILDREN
[List each data item specifically]

HOW WE USE THIS INFORMATION
[Plain-language description]

THIRD-PARTY DISCLOSURE
We do not share children's personal information with third parties for their own use.

YOUR RIGHTS AS A PARENT
You may review, correct, or request deletion of your child's data at any time
by contacting privacy@example.com.

TO APPROVE: [Consent link — expires in 7 days]
TO DECLINE: Ignore this email. No account will be created.

Full Children's Privacy Policy: [URL]
Store the parent email separately from the child email in your pendingConsentRequest record — never send the consent link to the same address the child provided for their own account.
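One way to enforce this separation in code, as an added example (not the page's or any project's own code): apart from `pendingConsentRequest`, every function and field name is hypothetical, and the section headings are taken from the template above. It refuses a parent address that resolves to the child's mailbox, sets the 7-day expiry, and blocks a notice that lacks a required disclosure or still contains an unfilled `[placeholder]`.

```javascript
// Added example; every name except pendingConsentRequest is hypothetical.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const CONSENT_TTL_MS = 7 * 24 * 60 * 60 * 1000; // consent link expires in 7 days
const REQUIRED_SECTIONS = [
  "WHAT WE COLLECT FROM CHILDREN",
  "HOW WE USE THIS INFORMATION",
  "THIRD-PARTY DISCLOSURE",
  "YOUR RIGHTS AS A PARENT",
];

// Case-insensitive comparison that also treats "+tag" sub-addresses as the
// same mailbox (assumption: a conservative heuristic, not a COPPA requirement).
function canonicalEmail(addr) {
  const [local, domain = ""] = addr.trim().toLowerCase().split("@");
  return `${local.split("+")[0]}@${domain}`;
}

// Builds the pendingConsentRequest record with the two addresses kept apart.
function createPendingConsentRequest(childEmail, parentEmail, now = Date.now()) {
  if (canonicalEmail(childEmail) === canonicalEmail(parentEmail)) {
    throw new Error("parent email must differ from the child's email");
  }
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  return {
    childEmail,
    parentEmail,
    token: Buffer.from(bytes).toString("base64url"), // unguessable link token
    expiresAt: now + CONSENT_TTL_MS,
    status: "pending",
  };
}

// Lists what the rendered notice still lacks; empty means it may be sent.
function missingDisclosures(body, operator) {
  const missing = REQUIRED_SECTIONS.filter((h) => !body.includes(h));
  for (const field of ["legalName", "address", "contactEmail"]) {
    if (!operator[field] || !body.includes(operator[field])) missing.push(`operator.${field}`);
  }
  if (/\[[^\]]+\]/.test(body)) missing.push("unfilled placeholder");
  return missing;
}

// The only place a recipient is chosen: always the parent address.
function prepareDirectNotice(request, body, operator) {
  const missing = missingDisclosures(body, operator);
  if (missing.length) throw new Error(`incomplete direct notice: ${missing.join(", ")}`);
  return { to: request.parentEmail, body };
}
```

A heading check only proves that a section exists, so the rendered text under each heading still needs human review.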
ID: coppa-compliance.operator-obligations.direct-notice-parents
Severity: info
What to look for: Count all relevant instances and enumerate each. COPPA requires operators to provide a direct notice to parents before collecting personal information from children. This is distinct from the privacy policy — it is a direct communication to the specific parent whose child wants to use the service. Look for the email template or notification content that is sent to the parent before consent is obtained. The direct notice must include: the full name and contact information of the operator, a description of what personal information will be collected from the child, how the information will be used, whether the information will be disclosed to third parties, and the parent's rights under COPPA. Check whether the notice is sent before any personal information is collected (not after account creation). Verify that the notice is sent only to a parent-provided email address, not to the child's email address as proxy.
Pass criteria: A direct notice is sent to the parent's email address before any personal information is collected. The notice contains the required disclosures (operator identity, data collected, use, third-party sharing, parental rights). The notice links to or reproduces the children's section of the privacy policy.
Fail criteria: No direct notice is sent to parents before data collection. The notice is sent to the child's email address rather than a parent-provided address. The notice is a generic "someone wants to create an account" email without the required COPPA disclosures.
Skip (N/A) when: The application hard-blocks all users under 13 and no parental consent workflow exists.
Detail on fail: Example: "No direct notice email found in codebase. No email template for parental notification before child account creation." or "Consent email sent to child's email address rather than a separately provided parent email address. The child effectively approves their own account."
Remediation: Ensure the direct notice email contains all FTC-required disclosures. The FTC has published a model direct notice that operators can adapt:
Subject: [App Name] — Notice to parents: your child has requested an account

This is a required notice under the Children's Online Privacy Protection Act (COPPA).

[App Name], operated by [Company Legal Name]
[Company address]
[privacy@example.com]

A child using the email address [child email] has requested to create an account
on [App Name] and has provided your email address as their parent or guardian.

WHAT INFORMATION WE COLLECT FROM CHILDREN
If you approve this account, we will collect the following from your child:
[List specific data items]

HOW WE USE THIS INFORMATION
[Plain-language description of use]

THIRD-PARTY DISCLOSURE
[Whether and to whom the information is disclosed, or "We do not share
your child's personal information with third parties for their own use."]

YOUR RIGHTS AS A PARENT
You may review, correct, or request deletion of your child's personal information
at any time by contacting privacy@example.com.
You may also refuse to allow further collection or use of your child's information.

TO APPROVE THIS ACCOUNT: [Consent link]
TO DECLINE: Simply ignore this email. No account will be created.

For our full Children's Privacy Policy: [URL]