FTC COPPA FAQs - Do I have to disclose in my privacy policy and direct notices to parents the collection of “cookies,” “GUIDs,” “IP addresses,” or other passive information collection technologies on or through my site?

Compliance > COPPA
Q:  Do I have to disclose in my privacy policy and direct notices to parents the collection of  “cookies,” “GUIDs,” “IP addresses,” or other passive information collection technologies on or through my site?
 
A:  The amended Rule defines “personal information” to include identifiers, such as a customer number held in a cookie, an IP address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different websites or online services, even where such identifier is not paired with other items of personal information.  Therefore, you will need to disclose in your privacy policy (see FAQ C.2), and in your direct notice to parents (see FAQ C.11), your collection, use or disclosure of such persistent identifiers unless (1) you collect no other “personal information,” and (2) such persistent identifiers are collected on or through your site or service solely for the purpose of providing “support for the internal operations” of your site or service.  For more detailed information about activities considered support for internal operations, see FAQs I.5-8, below. 
   
 
 ADDITIONAL INFORMATION:
This information was obtained from the FTC’s webpage on “Complying with COPPA:  Frequently Asked Questions.”   https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions
 

Add Feedback