Controls & Evidence
COPPA readiness evaluates your controls across multiple domains. For each domain, reviewers look for evidence that controls are designed properly and operating effectively. Below are the core control domains with minimum requirements and example evidence artifacts.
What reviewers look for: Reviewers don't just check that policies exist. They verify that controls are operating as described, that evidence is produced on schedule, and that gaps are tracked and remediated. The evidence examples below show what "operating effectiveness" looks like in practice.
Mechanisms and procedures ensuring verifiable parental consent before collecting, using, or disclosing personal information from children under 13.
Requirements
- Obtain verifiable parental consent before collecting PI from children under 13 (16 CFR § 312.5)
- Implement acceptable consent methods: credit card transaction, signed consent form, free-call/video-call verification, knowledge-based Q&A, government ID check (§ 312.5(b))
- Obtain new consent before any material change in PI collection, use, or disclosure practices (§ 312.5(a)(2))
- Allow schools or teachers to provide consent for educational use under the school authorization exception (§ 312.5(c)(4))
Evidence Examples
| Artifact | Owner | Frequency |
| Parental consent flow documentation with screenshots of each consent method offered | Product lead | Annually and on design change |
| Consent transaction log showing method used, timestamp, and parent identifier | Engineering lead | Continuous (system-generated) |
| Consent method validation test results (e.g., credit card micro-charge, video call recordings) | Compliance lead | Quarterly |
| Material change notification records sent to previously consenting parents | Legal | Event-driven |
Online and direct notice obligations ensuring parents are fully informed about PI collection practices before consent is sought.
Requirements
- Post a clear, prominent online notice (privacy policy) containing all disclosures required by 16 CFR § 312.4(b)
- Provide direct notice to parents before collecting PI from their child, describing the information to be collected and how it will be used (§ 312.4(c))
- Place a clear and prominent link to the privacy policy on the home page and at each point where PI is collected from children (§ 312.4(a))
- Include in the online notice: operator identity and contact information, categories of PI collected, purposes of collection, third-party disclosure practices, and a description of parental rights (§ 312.4(b))
Evidence Examples
| Artifact | Owner | Frequency |
| Published privacy policy with COPPA-specific disclosures marked and last-reviewed date | Legal | Annually and on practice change |
| Direct notice template(s) sent to parents prior to PI collection | Product lead | Annually and on design change |
| Site audit report confirming privacy policy links on home page and all PI collection points | QA lead | Quarterly |
Restrictions ensuring operators collect only the minimum personal information reasonably necessary for a child's participation in an activity.
Requirements
- Do not condition a child's participation in an activity on disclosure of more PI than is reasonably necessary for that activity (16 CFR § 312.7)
- Limit PI collection to what is reasonably necessary for the child's participation in the specific game, prize offer, or other activity (§ 312.7)
- Do not engage in behavioral advertising directed at children or use children's PI for behavioral profiling without specific parental consent (§ 312.5)
Evidence Examples
| Artifact | Owner | Frequency |
| Data collection audit mapping each PI field to the specific activity requiring it | Product lead | Quarterly |
| Feature-level PI necessity justification document | Privacy lead | Annually and on feature launch |
| Advertising and analytics configuration review showing behavioral ad exclusions for child users | Engineering lead | Quarterly |
Operator obligations for third parties that collect or receive children's personal information on the operator's behalf.
Requirements
- Maintain operator liability for PI collection by third parties acting on the operator's behalf (16 CFR § 312.8)
- Include contractual restrictions limiting third-party use of children's PI to the purpose for which it was disclosed (§ 312.8)
- Monitor third-party compliance with COPPA requirements through periodic assessments (§ 312.8)
- Review ad networks, analytics providers, and SDKs embedded in child-directed services for COPPA compliance
Evidence Examples
| Artifact | Owner | Frequency |
| Third-party vendor register listing all parties receiving children's PI with contractual COPPA clauses | Legal | Quarterly |
| SDK and ad network audit report for child-directed applications | Engineering lead | Semi-annually |
| Third-party compliance questionnaire responses and assessment results | Compliance lead | Annually |
| Contractual amendments restricting third-party PI use to disclosed purposes | Legal | Event-driven (on contract renewal or new vendor) |
Policies and procedures governing how long children's personal information is retained and ensuring timely, secure deletion.
Requirements
- Retain children's PI only as long as reasonably necessary to fulfill the purpose for which it was collected (16 CFR § 312.10)
- Establish and follow documented retention schedules for all categories of children's PI
- Honor parental requests to delete their child's PI within a reasonable timeframe (§ 312.6(a)(2))
- Securely dispose of children's PI that is no longer needed using methods that prevent reconstruction (§ 312.10)
Evidence Examples
| Artifact | Owner | Frequency |
| Data retention schedule listing PI categories, retention periods, and deletion triggers | Privacy lead | Annually |
| Parental deletion request log with response timestamps and completion confirmation | Customer support lead | Continuous (system-generated) |
| Secure disposal certification or audit trail for expired children's PI | Engineering lead | Quarterly |
Participation in FTC-approved self-regulatory safe harbor programs that provide an alternative compliance framework under COPPA.
Requirements
- If participating, enroll in an FTC-approved COPPA safe harbor self-regulatory program (16 CFR § 312.11)
- Comply with all guidelines and requirements established by the safe harbor program (§ 312.11(b))
- Submit to the program's audit, monitoring, and disciplinary procedures (§ 312.11(b)(3))
- Ensure the safe harbor program submits annual reports to the FTC on member compliance (§ 312.11(d))
Evidence Examples
| Artifact | Owner | Frequency |
| Safe harbor program enrollment certificate or membership confirmation | Compliance lead | Annually (on renewal) |
| Safe harbor program audit report or compliance assessment results | Compliance lead | Annually |
| Internal checklist mapping safe harbor program guidelines to operational controls | Privacy lead | Annually |
Mechanisms for determining user age and restricting access to child-directed features or triggering COPPA protections.
Requirements
- Implement an age gate mechanism on child-directed services to identify users under 13 (16 CFR § 312.2)
- Apply the 'actual knowledge' standard for general audience sites that are not directed to children but become aware a user is under 13 (§ 312.2)
- Use age-neutral screening that does not encourage or facilitate children entering a false age to circumvent protections
- Deploy persistent age gate cookies or equivalent mechanisms to prevent children from re-entering a different age to bypass the gate
Evidence Examples
| Artifact | Owner | Frequency |
| Age gate implementation documentation with UX flow screenshots | Product lead | Annually and on design change |
| Age-neutral design review confirming no leading language or 'just enter a birthdate over 13' patterns | UX lead | Annually |
| Persistent age gate cookie or session mechanism test results | QA lead | Quarterly |
Framework for schools and teachers to provide consent on behalf of parents for educational technology use under COPPA's school authorization exception.
Requirements
- Allow schools or teachers to consent on behalf of parents when PI collection is solely for educational purposes (16 CFR § 312.5(c)(4))
- Prohibit any commercial use of PI collected under the school consent exception
- Limit retention of school-consented PI to the period reasonably necessary for the educational purpose
- Define and enforce clear scope boundaries for what constitutes 'educational purpose' under the exception
Evidence Examples
| Artifact | Owner | Frequency |
| School consent agreement template with educational-purpose-only restrictions | Legal | Annually |
| Data use audit confirming school-consented PI is not used for commercial purposes | Compliance lead | Semi-annually |
| Retention schedule specific to school-consented PI with deletion confirmations | Engineering lead | Annually (end of school year) |
| Scope boundary documentation defining permitted vs. prohibited uses of school-consented data | Privacy lead | Annually |
Evidence Naming Conventions
Organized, traceable evidence is critical for a smooth review. Adopting a consistent convention makes evidence retrieval faster and reduces friction.
Recommended format:
ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v# Key principles for evidence management:
- Centralized repository with access control and version history
- Consistent naming across all control domains and artifact types
- Defined cadence for each evidence type: event-driven, monthly, quarterly, or annual
- Immutable exports where possible to demonstrate evidence integrity
AI and data companies: Standard controls are the baseline. See the AI-specific advisory modules for additional controls addressing data governance, prompt logging, RAG security, and model vendor risk.