Establishing; obtaining; and managing verifiable parental consent (VPC) before collecting; using; or disclosing child PII.

• Consent Method Validation - VPC.1

  Validate that the VPC method used is reasonably calculated to ensure the person consenting is the parent; consistent with FTC-approved methods.

• Identity Verification - VPC.2

  Verify the identity of the person providing consent before granting access to PII or fulfilling a request.

• Consent Recordkeeping - VPC.3

  Maintain and securely store records of all VPC obtained; including the method used and date.

• Consent Revocation Process - VPC.4

  Provide parents with a clear; verifiable mechanism to revoke consent and prevent further collection.

Controls limiting the volume; type; and circumstances of PII collection.

• Data Minimization - DCC.1

  Limit the collection of PII to only that which is reasonably necessary to participate in a given activity.

• Purpose Specification - DCC.2

  Collect PII only for the specific purposes disclosed in the direct notice and privacy policy.

• Age Screening - DCC.3

  Implement effective age-screening mechanisms to identify users under the age of 13.

• Prohibited Data Monitoring - DCC.4

  Prohibit the use of persistent identifiers (e.g.; cookies; IP addresses) for behavioral tracking without VPC.

Providing clear; accurate; and accessible information to parents and the public.

• Privacy Policy Requirements - NPD.1

  Ensure the public privacy policy is clear; comprehensive; and prominently located.

• Direct Notice to Parents - NPD.2

  Deliver direct notice to the parent before collecting; using; or disclosing the child's PII.

• Policy Update Notifications - NPD.3

  Provide a new notice and obtain fresh VPC upon any material change to data practices.

• Transparency Mechanisms - NPD.4

  Provide a clear and accessible means for parents to contact the operator with inquiries or concerns.

Restricting how PII is processed and shared with third parties.

• Data Use Limitation - DUS.1

  Ensure PII is used only for the purpose for which VPC was obtained or an exception applies.

• Third-Party Vendor Compliance Checks - DUS.2

  Contractually require service providers to comply with COPPA and maintain reasonable security.

• Prohibited Advertising - DUS.3

  Prohibit the use of PII to retarget; behaviorally advertise; or build profiles on children.

• Content Moderation Controls - DUS.4

  Ensure PII collected for user-generated content (UGC) is handled securely and responsibly.

Maintaining reasonable security to protect PII from loss; alteration; or unauthorized access.

• Access Control - DSP.1

  Implement and enforce least-privilege access controls for systems storing child PII.

• Encryption - DSP.2

  Use encryption to protect child PII both in transit and at rest.

• Secure Storage - DSP.3

  Ensure PII is stored securely with appropriate physical and environmental safeguards.

• Incident Response - DSP.4

  Establish and execute a comprehensive incident response plan for PII security breaches.

Managing the lifecycle of PII; including retention; deletion; and parental requests.

• Retention Schedule Definition - DRD.1

  Define and enforce a formal schedule for the retention and destruction of child PII.

• Automatic Deletion Processes - DRD.2

  Implement automated or scheduled processes for the secure; timely deletion of PII.

• Parent Deletion Requests - DRD.3

  Comply with verifiable parental requests to delete their child's PII.

• Verification Logs - DRD.4

  Maintain logs documenting the secure deletion and destruction of PII.

Facilitating the parent's right to review and control their child's PII.

• Parent Access Portal - PAR.1

  Provide a secure and verified mechanism for parents to review the PII collected from their child.

• Data Correction Requests - PAR.2

  Establish a process to address parental requests to correct errors in the child's PII.

• Identity Verification for Access - PAR.3

  Verify the identity of the parent before granting PII access or fulfilling rights requests.

• Transparency Mechanisms - PAR.4

  Provide parents with confirmation and status updates on all rights requests.

Regularly assessing the effectiveness of COPPA compliance efforts.

• Internal COPPA Audits - MAC.1

  Conduct periodic internal audits or self-assessments of COPPA compliance.

• Vendor & Third-Party Audits - MAC.2

  Conduct regular audits of third-party vendors handling child PII.

• Continuous Monitoring - MAC.3

  Implement ongoing technical and process monitoring for COPPA control effectiveness.

• Training and Awareness - MAC.4

  Provide mandatory and regular COPPA training for all relevant employees.

Applying Privacy by Design principles to new and existing features.

• Child-safe Default Settings - PFD.1

  Ensure all product settings default to the most privacy-protective option.

• Feature Risk Assessment - PFD.2

  Conduct a COPPA-focused Privacy Impact Assessment (PIA) for all new features or products.

• UI/UX for Children - PFD.3

  Ensure the user interface/experience (UI/UX) does not manipulate or deceive children into providing PII.

• Workflow Controls - PFD.4

  Implement technical hard stops to prevent PII collection before VPC confirmation.