Web Content

Does Your Website Content Violate Child Privacy Laws?

In the United States, it’s nearly Summer. And, you know what that means: Vacation Bible School!

If your small church is like many others, you’ll likely want to share memories of the experience by capturing photos and video during the event, and publishing them to your website.

But, are you violating child privacy laws by publishing that content on your site?

That was the subject of a question posted on the Church Law & Tax website:

We recently posted our VBS SoccerCamp video (showing kids and parents) to YouTube and linked to it via our monthly newsletter (which goes out electronically). Are we in violation of COPPA laws? Should we have asked permission from each participant before posting the video? Also, our Sunday school teachers and nursery workers like to take photos of the kids and post them on church bulletin boards and create collages for the children with their pictures. Is this okay?

In response, the article cited the Children’s Online Privacy Protection Act of 1998 (“COPPA”).

Since you need a paid subscription to read the full article (and, I’m not a paid subscriber), I don’t know where the response ended.

And, unless the church planned to collect information on it’s website from children under 13, I was left wondering how or even if, COPPA applied.

Nonetheless, as a responsible Web worker, it seemed prudent to at least consider how—or even if—posting content like photos and video of children on our church websites somehow infringes on child privacy.

What is COPPA and who is covered by the rule?

Issued and enforced by the Federal Trade Commission, the primary goal of the Act is to place parents in control over what information is collected from their young children online.

COPPA was designed to protect children under age 13.

The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.  — Source: A Guide For Business and Parents and Small Entity Compliance Guide, FTC

[lightbox title=”Protecting Children’s Privacy Under COPPA” type=”iframe” href=”” width=”480″ height=”270″]Watch this short video[/lightbox] that outlines five key changes to COPPA that took effect on July 1, 2013.

In my efforts to determine the affect of the Rule on my own church’s website content, I reviewed a compliance guide published by the Federal Trade Commission entitled, A Guide For Business and Parents, and Small Entity Compliance Guide.

The guide is actually a list of frequently asked questions about COPPA. I’ve added excerpts below that I found particularly helpful.

Disclaimer: I am not a lawyer and do not play one on T.V. Therefore, this article is not meant to be construed as legal advice.

I strongly encourage you to become familiar with COPPA by reading the FTC’s Compliance Guide yourself, and  directing questions either to the FTC or to your church’s legal counsel.


Questions about COPPA

What is Personal Information?

The amended Rule defines personal information to include:

  • First and last name;
  • A home or other physical address including street name and name of a city or town;
  • Online contact information;
  • A screen or user name that functions as online contact information;
  • A telephone number;
  • A social security number;
  • A persistent identifier that can be used to recognize a user over time and across different websites or online services;
  • A photograph, video, or audio file, where such file contains a child’s image or voice;
  • Geolocation information sufficient to identify street name and name of a city or town; or
  • Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

Does COPPA apply to information about children collected online from parents or other adults?

No.  COPPA only applies to personal information collected online from children, including personal information about themselves, their parents, friends, or other persons.  However, the Commission’s 1999 Statement of Basis and Purpose notes that the Commission expects that operators will keep confidential any information obtained from parents in the course of obtaining parental consent or providing for parental access pursuant to COPPA.  See 64 Fed. Reg. 59888, 59902 n.213.

Are websites and online services operated by nonprofit organizations subject to the Rule?

COPPA expressly states that the law applies to commercial websites and online services and not to nonprofit entities that otherwise would be exempt from coverage under Section 5 of the FTC Act.  In general, because many types of nonprofit entities are not subject to Section 5 of the FTC Act, these entities are not subject to the Rule.  However, nonprofit entities that operate for the profit of their commercial members may be subject to the Rule.  See FTC v. California Dental Association, 526 U.S. 756 (1999).  Although nonprofit entities generally are not subject to COPPA, the FTC encourages such entities to post privacy policies online and to provide COPPA’s protections to their child visitors.


So, if a church isn’t collecting personal information on its website from children under 13, and given the nonprofit exemption, does this mean that a church should ignore COPPA?

Richard Chopa, aka “the COPPA Attorney”, says, “No.”

Is there a non-profit exemption when it comes to COPPA? Yes, but a technical review of the non-profit is required to determine if a “for the profit of members” characteristic exists that will trigger a duty to comply. Even if none exists, business management teams must take into consideration the potential backlash from foregoing voluntary compliance.

While being a nonprofit may mean that our church is technically exempt from COPPA compliance, as believers, we are bound by love and ethics to safeguard child privacy and ensure the welfare of the children who visit our websites.

What can I do to protect child privacy on our website?

Helping your website visitors understand how your church collects, shares, and uses personal information is the responsibility of every website owner. So, posting online privacy policies is an important step.

The FTC offers guidance on what COPPA language should be included in your privacy policy under the amended Rule:

What information must I include in my online privacy policy?

Section 312.4(d) of the amended Rule identifies the information that must be disclosed in your online privacy policy.

While the original Rule required operators to provide extensive categories of information in their online privacy notices, the amended Rule now takes a shorter, more streamlined approach to cover the information collection and use practices most critical to parents.  Under the amended Rule, the online notice must state the following three categories of information:

  • The name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service (or, after listing all such operators, provide the contact information for one that will handle all inquiries from parents);
  • A description of what information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and
  • That the parent can review or have deleted the child’s personal information and refuse to permit its further collection or use, and state the procedures for doing so. See 16 C.F.R. § 312.4(d) (“notice on the Web site or online service”).

By streamlining the Rule’s online notice requirements, the Commission hopes to encourage operators to provide clear, concise descriptions of their information practices, which may have the added benefit of being easier to read on smaller screens (e.g., those on smartphones or other Internet-enabled mobile devices).

Examples of COPPA language in church website privacy policies

Finding churches who have either posted COPPA-only privacy policies or included COPPA-related language into their website’s global privacy policy was easy.

Check out Berean Baptist Church, The City Church, and First Baptist Church of New Richmond.

No Privacy Policy? No problem.

You could spend a few hundred dollars hiring an attorney to draft privacy and terms of service policies for your church’s website. But, I can save you that.

If your small church website is running on WordPress, get ready to do your happy dance!

I’ve tested three plugins that promise to make easy work of creating Privacy Policy and Term of Service pages for your website.

The one I fell in love with is not only absolutely FREE, but one-half of the development team is a lawyer-turned-plugin developer.

I’m using the Legull plugin for WordPress to create these important pages for my church’s website.

This plugin is super-easy to use. Just answer a few questions about your website and, in minutes, you’ll have  comprehensive website policies that explain to your visitors what information you collect, how you use it, and who has access to it.

The policies are fully editable, so you’ll have no problem adding in your unique language for COPPA compliance.

(And, it should be unique. Please, don’t simply copy and paste another church’s policy language. At best, the language may not be accurate, appropriate, or adequate to cover your website’s activities. At worst, you’ll be infringing on copyright, plagiarizing content—basically, stealing.)

Erin McClarty offers this best practice for creating your privacy policy,

Make sure the policy is tailored to your specific organization. All the policies and procedures addressed should be actual policies and procedures your non-profit has implemented and used.

Do I need to get permission to post photos of children on our website?

Good question. COPPA and child privacy aside, I tend to agree with the perspective of United Methodist Communications concerning children and photographs,

[Taking] this issue of protecting users’ and members’ privacy further, we turn to the hot topic of the times: children and photographs. Do you need permission to post pictures of children, or anyone else, on your website? Well, that depends. Legally, any picture that you take in public that contains recognizable images of people, regardless of age, can be displayed on your website without obtaining permission. Ethically, and especially as people of faith, it is strongly recommended that you go the extra mile and gain at least verbal, if not written, permission from parents when using a recognizable image of their child up through age 17. Oftentimes, churches simply include a check box on standard permission forms where parents can say yes or no to allowing images or recordings of their children to be displayed on the website or used in print pieces, etc.

So, what’s the bottom line?

If you want to publish those amazing VBS memories—or any other photos or video of your people, and especially children—on your church’s website, here’s a recipe for success:

  • Prepare a privacy policy for your church’s website (if you’re using WordPress, the Legull plugin is a handy utensil)
  • Add a dash of COPPA language
  • Fold in a plan to get verbal or written permission to display images or recordings of your people online
  • Mix well with prayer

What about you?

Have you published a privacy policy on your church website?

Do you ask permission to display images or video of your folks online?

What steps has your church taken to safeguard child privacy online?

5 replies on “Does Your Website Content Violate Child Privacy Laws?”

I installed the plug-in for my church but had a couple of immediate problems:
When it asks for the owner do I just repeat the name of the church?
When it asks for the type of entity it says either individual, partnership, corporation, limited liability company, or sole proprietor. A church is none of that right?

Thanks for stopping by, Chris!

Yes, where the plugin asks for Owner, type in the name of your church. As for the type of entity, you will need to find that out from your church. In the U.S., although churches aren’t required to form as “business” entities, many do.

In an article written for Enrichment Journal, John Joseph offered this advice for people who are unsure of their church’s status:

If you are not sure of the status of your church, there is a way to find out.

It is important to determine if your church is incorporated since the courts may hold individual members in unincorporated churches personally responsible for liabilities of the church. This puts the responsibility on church leadership to verify incorporation. Contact your secretary of state and obtain the phone number of the Division of Corporations to verify your church’s current status as a corporation. Usually you can get this information over the phone.

If the church is incorporated, order a Certificate of Status for the church and a certified copy of your Charter or Articles of Incorporation. These documents verify the current status of the church. It is important to maintain these documents as permanent records. If your church is current, that is good news.

The Division of Corporations may inform you that at one time the church filed the articles, but is no longer in good standing with the state. This can happen for two reasons: Your church status may have lapsed because it failed to pay the annual fee or file the annual report. If this is the case, an attorney can assist with the process to get reinstated. A small reinstatement fee may be required.

You can read the full article here.

With a quick search at my state’s website, I discovered that my church is incorporated. Try Googling [name of state] state business search (e.g. “washington state business search”) to find the website your state provides for conducting business searches.

Leave a Reply