
Children’s Online Privacy Protection Act

Children’s Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. § 6501, et seq., addresses the collection, use, and disclosure of personal information about children collected from children through websites or other online services. The regulation that implements COPPA (16 CFR Part 312) was issued in November 1999 by the Federal Trade Commission (FTC) and became effective in April 2000. It was further revised and updated in January 2013 (with a minor technical change in December 2013). NCUA is granted enforcement authority under the Act for federal credit unions. Highlights of the act include:

  • Details what a website operator must include in a privacy policy
  • When and how to seek verifiable consent from a parent or guardian
  • What responsibilities an operator has to protect children's privacy and safety online including restrictions on the marketing to those under 13
  • Children under 13 can legally give out personal information with their parents' permission

You can find the full text of COPPA here.

You can find the full text of the FTC regulation that implements COPPA here.


Associated Risks

Compliance risk can occur when the credit union fails to implement the necessary controls to comply with COPPA.

Transaction risk can occur when the credit union does not have adequate internal controls in place and as a result suffers a loss.

Reputation risk can occur when the credit union incurs damaging publicity as a result of failure to comply with COPPA.

Strategic risk can occur when the credit union incurs fines as a result of failure to comply with COPPA.

Examination Objectives

  • To assess the quality of the credit union’s compliance management policies and procedures for implementing COPPA, specifically for ensuring that its notice about policies and practices is consistent with what it actually does.
  • To determine the degree of reliance that can be placed on the credit union’s internal controls and procedures for monitoring compliance with COPPA.
  • To determine the credit union’s compliance with COPPA, specifically, in meeting the following requirements:
    • Privacy Notice–Providing, on the website or online service, a clear, complete, and understandable written notice of its information-collection practices with regard to children that describes how the credit union collects, uses, and discloses the information;
    • Parental Consent–Obtaining, through reasonable efforts and with limited exceptions, verifiable parental consent prior to the collection, use, or disclosure of personal information from children;
    • Right of Parental Review–Providing a parent, upon request, with the means of reviewing the personal information collected from his or her child and the means with which to refuse its further use or maintenance, complying with any direction or request of a parent concerning his or her child’s personal information;
    • Prohibition of Child Conditioning–Limiting collection of personal information for a child’s online participation in a game, prize offer, or other activity to personal information that is reasonably necessary for the activity; and
    • Confidentiality–Establishing and maintaining reasonable procedures to protect the confidentiality, security, and integrity of the personal information collected from children.
  • To initiate effective corrective actions when violations of law are identified or when policies or internal controls are deficient.

Examination Procedures

Initial Procedures

  1. From direct observation of the credit union’s website or online service and through discussions with appropriate management officials, ascertain whether the operator is subject to COPPA by determining if it operates a website or online service that:
    1. Is directed at children and collects, uses, or discloses personal information from children; or
    2. Knowingly collects or maintains personal information from children.

Note: Stop here if the operator does not currently operate a website that is directed to children or does not knowingly collect personal information about children. In these cases the operator is not subject to COPPA, and no further examination for COPPA is necessary.

  2. Determine if the operator is participating in an FTC-approved self-regulatory program (§ 312.11).
    1. If it is, obtain a copy of the program and supporting documentation, such as reviews or audits that demonstrate the credit union’s compliance with the program. If the self-regulatory authority (SRA) determined that the operator was in compliance with COPPA at the most recent review or audit or has not yet made a determination, no further examination for COPPA is necessary. If, on the other hand, the SRA determined that the operator was not in compliance with COPPA and the operator has not taken appropriate corrective action, continue with the remaining procedures.
    2. If the operator is not participating in an FTC-approved self-regulatory program, continue with the remaining procedures.
  3. Determine, through a review of available information, whether the credit union’s internal controls are adequate to ensure compliance with COPPA. Consider the following:
    1. Organization chart, to determine who is responsible for the credit union’s compliance with COPPA;
    2. Process flowcharts, to determine how the credit union’s COPPA compliance is planned for, evaluated, and achieved;
    3. Policies and procedures that relate to COPPA compliance;
    4. Methods of collecting or maintaining personal information from the website or online service;
    5. List of data elements collected from any children and a description of how the data are used and protected;
    6. List of data elements collected from any children that are disclosed to third parties, and any contracts or agreements with those third parties governing the use of that personal information;
    7. Complaints regarding the treatment of data collected from a child; and
    8. Internal checklists, worksheets, and other review documents.
  4. Review applicable audit and compliance review material, including workpapers, checklists, and reports, to determine whether:
    1. The procedures address the COPPA provisions applicable to the operator;
    2. Effective corrective action occurred in response to previously identified deficiencies;
    3. The audits and reviews performed were reasonable and accurate;
    4. Deficiencies, their causes, and the effective corrective actions are consistently reported to management or members of the board of directors; and
    5. The frequency of the compliance review is satisfactory.
  5. Review, as available, a sample of complaints that allege the inappropriate collection, sharing, or use of data from a child to determine whether there are any areas of concern.
  6. Based on the results of the foregoing, determine the depth of the examination review, focusing on the areas of particular risk. The procedures to be employed depend on the adequacy of the credit union’s compliance management system and the level of risk identified.

Verification Procedures

  1. Review the notice describing the credit union’s information practices with regard to children to determine whether it is clearly and prominently placed on the website and contains all information required by the regulation. (§ 312.4)
  2. Obtain a sample of data collected from children, including data shared with third parties, if applicable, and determine whether:
    1. The operator has established and maintained reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from a child; (§§ 312.3 and 312.8)
    2. Data are collected, used, and shared in accordance with the credit union’s website notice; (§§ 312.3 and 312.4)
    3. Parental permission was obtained prior to the use, collection, or sharing of personal information, including consent to any material change in such practices; and (§ 312.5(a))
    4. Data are collected, used, and shared in accordance with parental consent. (§§ 312.5 and 312.6)
  3. Through testing or management’s demonstration of the website or online service and a review of a sample of parental consent forms or other documentation, determine whether the operator has a reasonable method for verifying that the person providing the consent is the child’s parent. (§ 312.5(b)(2))
  4. Review a sample of parental requests for personal information provided by their children, and verify that the operator:
    1. Provided, upon request, a description of the specific types of personal information collected; (§ 312.6(a)(1))
    2. Complied with a parent’s instructions concerning the collection, use, maintenance, or disclosure of his or her child’s personal information; (§ 312.6(a)(2))
    3. Allowed a parent to review any personal information collected from the child; and (§ 312.6(a)(3))
    4. Verified that the person requesting personal information is a parent of the child. (§ 312.6(a)(3))
  5. Through testing or management’s demonstration of the website or online service, verify that the operator does not condition a child’s participation in a game, offering of a prize, or another activity on the child’s disclosure of more personal information than is reasonably necessary to participate in the activity. (§ 312.7)

Children’s Online Privacy Protection Act (COPPA) Checklist

General Requirements

| Item | Description | YES | NO | N/A |
| --- | --- | --- | --- | --- |
| 1 | Does the credit union’s website or online service include a notice of what information is collected from children, how it uses the information, and its disclosure practices for the information? (§ 312.3(a)) | | | |
| 2 | Does the credit union’s website or online service obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children? (§ 312.3(b)) | | | |
| 3 | Does the credit union’s website or online service provide a reasonable means for a parent to review personal information collected from a child and refuse to allow its further use? (§ 312.3(c)) | | | |
| 4 | Does the credit union’s website or online service not require a child to participate in a game, offer a prize, or other activity in return for disclosing more personal information than is reasonably necessary to participate in the activity? (§ 312.3(d)) | | | |
| 5 | Did the credit union establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children? (§ 312.3(e)) | | | |

Direct Notice to Parent and Notice on Website or Online Service

| Item | Description | YES | NO | N/A |
| --- | --- | --- | --- | --- |
| 6 | Does the operator make reasonable efforts to ensure that a parent of the child receives the notice? (§ 312.4(b)) | | | |
| 7 | Does the operator make reasonable efforts, taking into account available technology, to ensure that the parent of a child receives direct notice of the operator’s practices with regard to the collection, use, or disclosure of personal information from the child? (§ 312.4(c)) | | | |
| 7A | Where an operator seeks to obtain a parent’s verifiable consent prior to collection, use, or disclosure of a child’s personal information, does the direct notice: | | | |
| 7Ai | State that the operator has collected the parent’s online contact information from the child, and if such is the case, the name of the child or the parent, in order to obtain the parent’s consent; | | | |
| 7Aii | State that the parent’s consent is required for the collection, use, or disclosure of such information, and that the operator will not collect, use, or disclose any personal information from the child if the parent does not provide such consent; | | | |
| 7Aiii | Set forth the additional items of personal information the operator intends to collect from the child, or the potential opportunities for the disclosure of personal information, should the parent provide consent; | | | |
| 7Aiv | Contain a hyperlink to the operator’s online notice of its information practices (i.e., its privacy policy); | | | |
| 7Av | Provide the means by which the parent can provide verifiable consent to the collection, use, and disclosure of the information; and | | | |
| 7Avi | State that if the parent does not provide consent within a reasonable time from the date the direct notice was sent, the operator will delete the parent’s online contact information from its records? (§ 312.4(c)(1)) | | | |
| 7B | Where an operator voluntarily seeks to provide notice to a parent of a child’s online activities that do not involve the collection, use, or disclosure of personal information, does the direct notice: | | | |
| 7Bi | State that the operator has collected the parent’s online contact information from the child in order to provide notice to, and subsequently update the parent about, a child’s participation in a website or online service that does not otherwise collect, use, or disclose a child’s personal information; | | | |
| 7Bii | State that the parent’s online contact information will not be used or disclosed for any other purpose; | | | |
| 7Biii | State that the parent may refuse to permit the child’s participation in the website or online service and may require the deletion of the parent’s online contact information, and how the parent can do so; and | | | |
| 7Biv | Provide a hyperlink to the operator’s online notice of its information practices? (§ 312.4(c)(2)) | | | |
| 7C | Where an operator intends to communicate with the child multiple times via the child’s online contact information and collects no other information, does the direct notice: | | | |
| 7Ci | State that the operator has collected the child’s online contact information from the child in order to provide multiple online communications to the child; | | | |
| 7Cii | State that the operator has collected the parent’s online contact information from the child in order to notify the parent that the child has registered to receive multiple online communications from the operator; | | | |
| 7Ciii | State that the online contact information collected from the child will not be used for any other purpose, disclosed, or combined with any other information collected from the child; | | | |
| 7Civ | State that the parent may refuse to permit further contact with the child and require the deletion of the parent’s and child’s online contact information, and how the parent can do so; | | | |
| 7Cv | State that if the parent fails to respond to this direct notice, the operator may use the online contact information collected from the child for the purpose stated in the direct notice; and | | | |
| 7Cvi | Provide a hyperlink to the operator’s online notice of its information practices? (§ 312.4(c)(3)) | | | |
| 7D | Where the operator’s purpose for collecting a child’s and a parent’s name and online contact information is to protect a child’s safety and the information is not used or disclosed for any other purpose, does the direct notice: | | | |
| 7Di | State that the operator has collected the name and the online contact information of the child and the parent in order to protect the safety of a child; | | | |
| 7Dii | State that the information will not be used or disclosed for any purpose unrelated to the child’s safety; | | | |
| 7Diii | State that the parent may refuse to permit the use, and require the deletion, of the information collected, and how the parent can do so; | | | |
| 7Div | State that if the parent fails to respond to this direct notice, the operator may use the information for the purpose stated in the direct notice; and | | | |
| 7Dv | Provide a hyperlink to the operator’s online notice of its information practices? (§ 312.4(c)(4)) | | | |
| 8 | Does the notice on the website or online service state: | | | |
| 8A | The name, address, telephone number, and e-mail address of all operators collecting or maintaining personal information from any children through the website or online service, or the same information for one operator who will respond to all inquiries along with the names of all operators; (§ 312.4(d)) | | | |
| 8B | A description of what information the operator collects from a child, including whether the operator enables children to make their personal information publicly available; (§ 312.4(d)) | | | |
| 8C | How the information is or may be used; and (§ 312.4(d)) | | | |
| 8D | That a parent may review and have the child’s personal information deleted, may refuse to permit further collection or use of the child’s information, and is provided with the procedures for doing so? (§ 312.4(d)) | | | |
| 8E | If the information is disclosed to third parties, determine whether: | | | |
| 8Ei | The third parties have agreed to maintain the confidentiality, security, and integrity of the information (§ 312.8); and | | | |
| 8Eii | The parent has the option to consent to the collection and use of the information without consenting to the disclosure of the information to third parties. (§ 312.5(a)) | | | |
| 8F | That the operator is prohibited from conditioning a child’s participation in an activity on the disclosure of more information than is reasonably necessary to participate in such activity. (§ 312.7) | | | |

Parental Consent

| Item | Description | YES | NO | N/A |
| --- | --- | --- | --- | --- |
| 9 | Does the operator obtain the consent of the parent prior to any collection, use, or disclosure of personal information from any children, outside the exceptions listed in section 312.5(c)? (§ 312.5(a)(1)) | | | |
| 10 | If changes to the policy on collecting, using, or disclosing data on children occurred, does the operator request and review updated consent forms or documentation and determine whether parental permission is still in effect? (§ 312.5(a)) | | | |
| 11 | Does the operator have a reasonable method for verifying that the person providing the consent is the child’s parent? (§ 312.5(b)) | | | |

Right of Parent to Review Personal Information Provided by a Child

| Item | Description | YES | NO | N/A |
| --- | --- | --- | --- | --- |
| 12 | Does the operator respond to parental requests to review information provided by their children by providing: | | | |
| 12A | A description of the specific types of personal information collected (§ 312.6(a)(1)) | | | |
| 12B | The opportunity for the parent to refuse to permit the further use or collection of personal information and to direct the operator to delete the child’s personal information (§ 312.6(a)(2)) | | | |
| 12C | Procedures for reviewing any personal information collected from the child (§ 312.6(a)(3)) | | | |
| 12D | Adequate procedures to ensure that those persons requesting information are parents of the child in question (§ 312.6(a)(3)) | | | |

Prohibition against Conditioning a Child’s Participation on Collection of Personal Information

| Item | Description | YES | NO | N/A |
| --- | --- | --- | --- | --- |
| 13 | Does the operator refrain from conditioning a child’s participation in a game, the offering of a prize, or another activity on the child’s disclosure of more personal information than necessary to participate? (§ 312.7) | | | |

Confidentiality, Security, and Integrity of Personal Information Collected from a Child

| Item | Description | YES | NO | N/A |
| --- | --- | --- | --- | --- |
| 14 | Does the operator maintain reasonable policies and procedures for protecting a child’s personal information from loss, misuse, unauthorized access, or disclosure? (§ 312.8) | | | |
