A Beginner's Guide to Reading Privacy Policies

Apr 15, 2021, 09:00 AM by Cameryn Gonnella, Compliance Manager, Children’s Advertising Review Unit

Let’s be honest: reading a privacy policy can be downright frustrating. A New York Times analysis of 150 privacy policies found that most of the policies analyzed took more than 10 minutes each to read and required a reading ability above college-level.  

Why are privacy policies so long and complicated? Privacy policies act as a contract between a company and its users. If a company handles information in a way that is inconsistent with what its privacy policy states, it could be liable under Section 5 of the FTC Act, which prohibits deceptive or unfair practices.  

But when it comes to websites directed to children, privacy policies should not be long and complicated. A federal law called the Children’s Online Privacy Protection Act (COPPA) requires companies to be clear about how they handle information collected from children. Not only is a clear and prominent privacy policy (or notice) required by COPPA, but the whole point of the law is to put parents and guardians in control of what information is collected from their children online.  

BBB National Programs’ Children’s Advertising Review Unit (CARU) reviews child-directed online environments to ensure that children’s data is collected and handled responsibly. As a parent, follow these steps to take a proactive role in your child’s data privacy, using privacy policies as your guide to better understand an online service’s data collection practices. 


Step 1: Know What to Look For 

COPPA applies to all commercial online services directed to children, including services ranging from websites to mobile apps, to internet-connected “smart toys.” The privacy policies of the services your child interacts with may look very different depending on what they are for. Regardless of what the service is, COPPA requires that all privacy policies include the following standard information: 

  • What types of information are collected from children and what that information is used for
  • Whether a child can make their personal information publicly available on the service
  • Whether the service shares the child’s information with third parties and what those third parties use the information for
  • That a parent has the right to review or have deleted, or stop further collection of, the child’s information
  • The names and contact information of each operator that collects or handles children’s personal information on the service 


Step 2: Know Where to Look 

Start at the beginning. Most privacy policies have a short introductory paragraph that identifies the company that operates the service and explains what the service is or does. If a company has multiple services, for example an app developer with multiple apps, this section should tell you which service (or app) the policy applies to. Additionally, privacy policies typically have a table of contents to help you find the specific information you need.  

To find the standard information required by COPPA, start by looking for any sections of the privacy policy that address children. The children’s section should say whether the online service is intended for use by children — or acknowledge that children under 13 may use it — and if so, what its practices are for handling children’s personal information. Sometimes, online services will have an entirely separate privacy policy for children’s information.  

We know that children have a way of using websites or apps that are not intended for them to use – it is just a fact of life. If you read a privacy policy and find that the service is not intended for children, carefully read the sections of the policy that cover what information is collected, why it is collected, and if it is shared with third parties, then with whom. Knowing that information will help you make a more informed decision about whether you want to let your child continue using a service. 

Another form of privacy policy, called a short-form privacy policy, is used to highlight only the key information about a service. It might be shorter, but it should still contain the information you are looking for. The policy should clearly list the what, the why, and the who(m) of an online service’s information practices, which can help you quickly understand exactly what a company does with any information it may collect.  


Step 3: Ask Questions 

The privacy policy alone may not answer all the questions you have about an online service. You can check for the service’s contact information at the end of the privacy policy, or in any sections labeled “Control” or “Choices.” Child-directed services should provide an email or phone number in addition to a mailing address because COPPA requires it.  

As a parent or guardian, COPPA gives you the power to contact online services directly to manage your child’s personal information. So, if you have a question, do not hesitate to reach out to them directly. If you have trouble finding a service’s contact information or have other questions about something you see in a privacy policy, you can also email CARU at infocaru@bbbnp.org.  
