Children’s Online Privacy Protection Act (“COPPA”) Notice

Effective Date: September 5, 2025

Carnegie Mellon University (“CMU,” “we,” “us,” or “our”) is committed to privacy and data protection. The Children’s Online Privacy Protection Act of 1998 and its rules (collectively, “COPPA”) require us to inform parents and legal guardians (as used in this policy, “parents” or “you”) about our practices for collecting, using, and disclosing personal data from children under the age of 13 (“children” or “child”). This notice (“COPPA Notice”) provides additional details regarding the practices described in the Children’s Privacy section of our Privacy Notice.

This COPPA Notice only applies to the data collection practices of CMU websites and services directed to children under the age of 13 (“Services”) and supplements the Privacy Notice. Capitalized terms not defined in this COPPA Notice are otherwise defined in the Privacy Notice.

  1. CONTACT INFORMATION

If you have any questions or concerns about this COPPA Notice, the personal information we have collected about your child, or if you would like to exercise any of the rights discussed herein, please contact us at:

Email: [email protected]
Phone: 412-268-3291
Mail: Carnegie Mellon University, Attention: Child Protection Operations / Office of Human Resources, 5004 Forbes Avenue, Pittsburgh, PA 15213

  1. Parental Consent

We do not knowingly collect personal information from children under 13 unless and until we have obtained verifiable parental consent or unless an exception to COPPA’s parental consent requirement applies.

If a parent chooses not to provide consent, or withdraws consent later, the child’s access to certain features or areas of the Services may be restricted or disabled.

We take special precautions to protect the privacy of children using our Services. If you have a question about whether a particular Service is directed to children, please contact us by sending an email at [email protected] or calling us at 412-268-3291.

  1. Information We Collect from Children

When a child uses or attempts to use the Services, we may collect or receive a limited amount of personal information, either directly from the child, or the parent.

We endeavor to collect only as much information as is reasonably necessary for the child to participate in an activity. The types of information we may collect include:

  • First and Last Name (optional)
  • Parent or Guardian Email Address
  • Mailing Address, Email Address, and Phone Number
  • Date of Birth
  • Unique User ID

In connection with your child’s use of the Services and to help us improve our Services, we may also ask for certain information that is not personally identifiable, such as:

  • School Name
  • School Address
  • School City/District
  • School Grade

We store a child’s username and password on our system when the child registers for the Services. We may also store the IP address from which the child accesses the Services in connection with the child’s use of the Services.

We use cookies, and other similar technology, to collect information when children use our Service such as the amount of time children spend on learning activities available through the Services, the actions performed by children such as logging in and out, and the pages children visit.

  1. How we use the information

We use the information collected from children for internal purposes only, as permitted by COPPA, such as:

  • Account Creation & Management: Creating an account or user profile, verifying the child’s age, and obtaining parental consent.
  • Service Functionality: Enabling use of the Services and personalized settings. This may include communicating with the child multiple times through email or other forms of communication such as video conferencing technology.
  • Analytics & Improvements: Understanding how players interact with the Services to improve features, optimize performance, and enhance user experience.
  • User Support: Processing and responding to inquiries or requests for technical assistance.
  • Legal Compliance & Safety: Detecting security incidents, preventing fraud, and complying with legal obligations, including COPPA.

Note that CMU staff and volunteers are able to access and view the time children spend on learning activities. This information may also be used for analytical and security purposes by CMU.

We may use the non-personally identifiable data we collect to improve the Services and to deliver a better and more personalized experience.

  1. HOW WE SHARE OR DISCLOSE INFORMATION

We do not share, sell, rent, or transfer children’s personal data other than as described in this section.

Some Services allow children to make information, including personal data, available for other children participating in the same Services, CMU staff, and volunteers to view online. In certain limited circumstances, the Services may include features that allow children to publicly post their information, including personal data. In these circumstances, CMU requires parental consent prior to posting the child’s information publicly. We do not control the types of information your child can make available or publicly post. We encourage parents to educate their children about safety online and to carefully monitor their children's use of social features to ensure they do not disclose their personal information through them.

We may disclose aggregated data about many of our users, and data that does not identify any individual or device. In addition, we may disclose children’s personal data: 

  • to third parties we use to provide or support our Services, such as Zoom (for video conferencing) and Canvas (for eLearning);
  • in connection with third parties that collect data on our behalf in connection with the Services, such as Qualtrics, Survey Monkey, Prolific, and Google Forms;
  • if we are required to do so by law or legal process, such as to comply with any court order or subpoena or to respond to any government or regulatory request;  
  • if we believe disclosure is necessary or appropriate to protect the rights, property, or safety our company, our customers or others, including to protect the safety of a child, protect the safety and security of the Services; or enable us to take precautions against liability; or
  • to law enforcement agencies or for an investigation related to public safety.

In addition, if the CMU is involved in a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the CMU’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding or event, we may transfer the personal data we have collected or maintain to the buyer or other successor.

  1. PARENTS’ RIGHTS

Access, Review, Update, and Deletion of Information

Parents have the right to access, review, delete, update, and prevent further collection of their child’s personal information at any time. To do so, please contact us at the email or phone number listed in Section 1. We may require you to verify your identity to ensure the security of the child’s account.

Withdrawal of Consent

Parents may withdraw consent at any time by contacting us. Upon withdrawal, we will promptly delete the child’s personal information from our records, unless retention is required by law. Revoking consent may limit the child’s access to certain features within the Services.

  1. DATA SECURITY AND RETENTION

Security Measures

We employ reasonable security measures (technical, administrative, and physical) designed to protect children’s personal information from unauthorized access, disclosure, alteration, and destruction.

Data Retention

CMU retains personal data in a form which permits identification of a child for as long as necessary to provide the Services in which the child is participating, or for other business purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. We are required by law to keep some types of information for certain periods of time (e.g., statute of limitations). When personal information is no longer needed, we take reasonable steps to securely delete or de-identify it.

  1. INTERNATIONAL DATA TRANSFERS (IF APPLICABLE)

If you are located outside of the country where our servers or our service providers are located, please note that we may transfer personal information across international borders. We take steps to ensure that such transfers comply with applicable data protection laws and that appropriate safeguards are in place. For more information on our data transfer controls please review the Privacy Notice.