The youth sports club's guide to COPPA compliance
If your club takes registrations online, you're collecting personal information about minors — and that puts you inside the scope of the Children's Online Privacy Protection Act (COPPA). Here's what the rule asks of you, in plain language, plus a checklist you can act on this week. This guide is general information, not legal advice; confirm specifics with counsel.
What COPPA is — and when it applies to you
COPPA is a U.S. federal law, enforced by the Federal Trade Commission, that governs how online services collect and use personal information from children under 13. It was written for websites and apps, but its reach is broad: if you operate an online registration page directed to children, or you knowingly collect personal information from children under 13, COPPA's obligations attach to you.
For a youth sports club the practical trigger is simple. The moment a registration form captures a child's name, birthdate, photo, medical note, or anything else that identifies them, you are handling children's personal information online.
The core obligations, in plain language
- Post a clear privacy policy describing what you collect, why, who you share it with, and how parents can review or delete it.
- Give parents direct notice and obtain verifiable parental consent before collecting personal information from a child.
- Collect only what you actually need (data minimization) — don't ask for a child's data 'just in case'.
- Let parents review their child's information, revoke consent, and request deletion.
- Keep the data only as long as you need it, then delete it securely.
- Protect the data with reasonable security appropriate to its sensitivity.
None of these are exotic. They map cleanly onto how a well-run registration flow should already behave. The friction clubs hit is usually that their tooling — a generic form builder or a spreadsheet — wasn't designed with any of this in mind.
Verifiable parental consent without the headache
'Verifiable' is the word that scares people. In practice, when a parent completes and submits the registration, provides their own contact details, and pays a fee from a payment method tied to them, you have a strong, auditable consent signal. The key is to capture and store that the consenting adult acted — with a timestamp — rather than leaving it implicit.
- Present the privacy policy and any waivers before submission, not buried afterward.
- Record who consented, to what version of the policy/waiver, and when.
- Tie sensitive fields (medical, photo permission) to explicit opt-ins, not pre-checked boxes.
Data minimization is your cheapest risk reduction
Every field you don't collect is a field you can't leak, mishandle, or have to delete later. Before a season, audit your form: does the U10 soccer clinic really need a Social Security number, a home address, and a school name? Usually not. Pare the form down to what the program operationally requires.
Retention: collect, use, then delete
COPPA expects you not to hoard children's data indefinitely. Decide a retention period that matches your real need — often the season plus a tax/records window — and then purge. A platform that can automatically redact or delete registrant PII on a schedule turns this from a recurring chore into a setting.
A practical checklist for this week
- Publish a plain-language privacy policy on your registration site.
- Make sure waivers/consents appear before submission and are recorded with a timestamp.
- Trim your registration form to the fields the program actually needs.
- Flag medical/photo fields as explicit opt-ins and restrict who can view them.
- Set a data-retention period and a deletion plan.
- Confirm sensitive fields are encrypted at rest and access is role-limited.
- Document how a parent can review, revoke, or delete their child's data.
EZ Event Registration is built so most of this is the default rather than a project: consent and waiver capture is timestamped, sensitive fields are encrypted at rest, retention/purge runs on a schedule, and access is role-based. You still own the policy and the judgment calls — the platform just stops fighting you on the mechanics.
Frequently asked questions
- Does COPPA apply if the parent fills out the form, not the child?
  Yes — COPPA governs the online collection of a child's personal information regardless of who types it in. The upside is that a parent completing the registration makes verifiable parental consent straightforward to obtain and record.
- We're a small volunteer-run club. Are we exempt?
  There is no general small-organization exemption from COPPA. The obligations scale with what you collect, so the most effective step for a small club is to minimize the data you gather and use tooling that handles consent, security, and retention for you.
- How long can we keep a child's registration data?
  Only as long as you have a legitimate need — typically the season plus any tax or records-retention window — after which it should be securely deleted. Setting an explicit retention period and automating deletion is the cleanest way to stay compliant.
- Is a checkbox enough for consent?
  A pre-checked box is not. Consent should be an affirmative action by the parent, captured with what they agreed to and when. Pairing the consent with a parent-initiated payment further strengthens the record.