In the late 1990s, the internet was still figuring itself out. Websites collected data freely, often with little regard for who was on the other end. Then came stories about children being targeted—marketers collecting data from kids, predators lurking in chat rooms, and children unwittingly sharing personal information that put them at risk.
The Children's Online Privacy Protection Act (COPPA) was Congress's response. Passed in 1998 and effective since 2000, it remains one of the most significant privacy laws specifically targeting the protection of minors. And with children spending more time online than ever, understanding COPPA has never been more important.
What COPPA Requires
COPPA applies to operators of websites or online services directed at children under 13, or that knowingly collect personal information from children under 13. If that describes your business, you face specific obligations:
Post a Privacy Policy
Your privacy policy must explain what information you collect from children, how you use it, and your disclosure practices. This isn't just standard privacy policy stuff—COPPA requires specific information about data collection from kids, including direct contact information for a parent to ask questions.
Provide Notice and Obtain Consent
Before collecting personal information from a child, you must notify parents and obtain verifiable parental consent. The notice must clearly and completely disclose what information you collect and how it will be used.
"Verifiable" is the key word here. A simple checkbox saying "I am over 13" doesn't cut it. The FTC requires methods that provide a higher level of assurance that the person giving consent is actually the parent.
Maintain Confidentiality and Security
Reasonable measures must be in place to protect the confidentiality, security, and integrity of personal information collected from children. This means appropriate data security, access controls, and data retention limits.
Delete Data Upon Request
Parents can review, have deleted, and refuse further collection of their child's personal information. You must honor these requests promptly.
Who Must Comply?
This is where things get tricky. COPPA applies to:
Websites or Services Directed to Children
If your site is designed to appeal to children under 13, you're covered. The FTC looks at several factors: subject matter, visual content, use of animated characters, child-oriented activities and incentives, music, and presence of child celebrities or characters who appeal to children.
This doesn't mean every cartoon on your site makes you subject to COPPA. The totality of circumstances matters. But if your primary audience is clearly kids, you need to comply.
General Audience Sites with Actual Knowledge
Even if your site isn't directed at children, COPPA applies if you have actual knowledge that you're collecting information from children under 13. "Actual knowledge" has been interpreted fairly narrowly—it means you specifically know a particular user is a child, not just that some children might be using your site.
However, the FTC has made clear that you can't deliberately ignore evidence that children are using your service. If your analytics show significant traffic from elementary-school-age users, or your customer service receives communications from obvious children, willful ignorance isn't a defense.
Third-Party Services on Child-Directed Sites
If you provide plug-ins, advertising, or other services on websites directed at children, COPPA can apply to you too—even if your own service isn't child-directed. This extension has caught many advertising networks and analytics providers off guard.
What Counts as Personal Information?
COPPA defines personal information broadly:
- Full name
- Home or physical address
- Email address
- Telephone number
- Social Security number
- Persistent identifiers (like cookies) when used to recognize a user over time and across sites
- Photographs, video, or audio files containing a child's image or voice
- Geolocation information sufficient to identify a street name and city
- Any combination of information that permits physical or online contact
That item about persistent identifiers is significant. It means that even if you're not collecting names or emails, using advertising cookies or device fingerprinting on a child-directed site can trigger COPPA requirements.
Verifiable Parental Consent Methods
The FTC has approved various methods for obtaining verifiable parental consent:
Signed Consent Forms
Parents sign a physical form and return it by mail, fax, or email scan. Old school, but verifiable. Obviously not ideal for user experience.
Credit Card or Other Payment Method
Using a credit card in connection with a monetary transaction (even a small authorization) provides reasonable verification that an adult is involved.
Calling a Toll-Free Number
Parents call and speak with trained personnel who verify they're a parent and obtain consent.
Video Conference
Connecting with parents via video chat to verify their identity and obtain consent.
Checking Government ID
Verifying the parent's government-issued identification against a database, then deleting the identification from your records promptly.
Knowledge-Based Authentication
Using questions based on financial history or other data that a child wouldn't typically know to verify parental identity.
Email Plus (Limited Use)
"Email plus" combines an email consent with an additional step—like a delayed email sent to the same address requesting confirmation, or a phone number or mailing address for follow-up. This is only acceptable for internal uses of data, not for public disclosure or communications with third parties.
The Safe Harbor Program
The FTC has approved industry self-regulatory programs that provide "safe harbor" from FTC enforcement—if you comply with the program's guidelines, the FTC will not pursue independent enforcement for COPPA violations.
Several organizations offer COPPA safe harbor programs, including CARU (Children's Advertising Review Unit), ESRB Privacy Certified, iKeepSafe, and kidSAFE Seal Program. Joining one of these provides an additional layer of protection and demonstrates commitment to children's privacy.
Penalties for Violation
COPPA violations can result in civil penalties of up to $50,120 per violation as of 2023 (this amount is adjusted for inflation). When you're talking about thousands or millions of user records, these per-violation penalties add up quickly.
The FTC has pursued major enforcement actions against companies of all sizes:
TikTok (then Musical.ly) paid $5.7 million in 2019 for COPPA violations—the largest COPPA penalty at that time.
YouTube paid $170 million in 2019 in a settlement with the FTC and New York Attorney General for collecting children's data without parental consent.
Epic Games (maker of Fortnite) agreed to pay $275 million in 2022 for COPPA violations.
Smaller companies have faced significant penalties too. The FTC has made clear that COPPA enforcement is a priority regardless of company size.
Practical Compliance Steps
Determine If COPPA Applies
Honestly assess whether your website or service is directed at children or likely to attract children. Look at your content, design, and marketing. Review your analytics for age signals. If there's any ambiguity, err on the side of compliance.
Minimize Data Collection
If possible, design your service to work without collecting personal information from children. Many kids' games and websites operate with minimal or no data collection specifically to avoid COPPA complexity.
Implement Age Screening
If your service isn't meant for children, consider age screening to filter out underage users. This isn't foolproof—kids can lie about their age—but it helps establish that you're not knowingly collecting children's data.
Age gates should be designed not to encourage false answers. Asking "Are you over 13? Yes/No" is fine. Showing a birth year selector and requiring 2012 or earlier is also fine. Telling users "You must be 13 to use this site" right before asking their age is problematic—it tells them what answer to give.
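The neutral age-gate described above, as an added example that is not part of the original article: a date-of-birth prompt whose wording never reveals the cutoff, an age check that handles birthdays not yet reached, and a session flag so that a user who was screened out cannot simply press back and enter a different date (a widely used practice that the article does not mention, included here as an assumption). The `COPPA_AGE` constant, the function names, and the in-memory `session` object standing in for a session cookie are all this example's own.

```javascript
// Neutral age gate (added example; assumptions: a DOB entered as
// year/month/day, a fixed "today" passed in for deterministic testing,
// and a plain object standing in for a session cookie).

const COPPA_AGE = 13; // kept server-side only; never shown in the prompt

// Completed years between dob and today, accounting for whether this
// year's birthday has already happened.
function ageOnDate(dob, today) {
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const monthDiff = today.getUTCMonth() - dob.getUTCMonth();
  if (monthDiff < 0 || (monthDiff === 0 && today.getUTCDate() < dob.getUTCDate())) {
    age -= 1;
  }
  return age;
}

// The prompt every visitor sees: identical wording and the same full
// range of years for everyone, with no hint about which answer "works".
function neutralGatePrompt(today) {
  const thisYear = today.getUTCFullYear();
  const yearOptions = [];
  for (let y = thisYear; y >= thisYear - 120; y -= 1) yearOptions.push(y);
  return { label: "Please enter your date of birth", yearOptions };
}

// Evaluate a submission. Returns { allowed, reason }. The reason is for
// server logs; the user-facing message on a block should stay neutral
// (e.g. "Sorry, you can't sign up right now") rather than say "under 13".
function evaluateAgeGate(input, today, session) {
  // Someone already screened out in this session gets the same answer
  // again, whatever date they type the second time.
  if (session.gateResult === "blocked") {
    return { allowed: false, reason: "already_screened" };
  }

  const { year, month, day } = input;
  if (![year, month, day].every(Number.isInteger)) {
    return { allowed: false, reason: "invalid" };
  }

  // Round-trip through Date to reject impossible dates such as Feb 30.
  const dob = new Date(Date.UTC(year, month - 1, day));
  const roundTrips =
    dob.getUTCFullYear() === year &&
    dob.getUTCMonth() === month - 1 &&
    dob.getUTCDate() === day;
  if (!roundTrips || dob > today) {
    return { allowed: false, reason: "invalid" };
  }

  if (ageOnDate(dob, today) < COPPA_AGE) {
    session.gateResult = "blocked";
    return { allowed: false, reason: "under_age" };
  }

  session.gateResult = "passed";
  return { allowed: true, reason: "ok" };
}

// Stand-alone demonstration with a constructed date and session.
const demoToday = new Date(Date.UTC(2025, 5, 15)); // 15 June 2025 (constructed)
const demoSession = {};
console.log(neutralGatePrompt(demoToday).label);
console.log(evaluateAgeGate({ year: 2012, month: 6, day: 15 }, demoToday, demoSession));

module.exports = { COPPA_AGE, ageOnDate, neutralGatePrompt, evaluateAgeGate };
```

The point of routing every outcome through `session` is that the gate is only as good as its memory: a block that disappears on reload just teaches the user to try again with an earlier year. Keep the cutoff out of the prompt and out of the rejection message, and keep the year list the same for every visitor, so the form itself never tells anyone what answer to give.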
Create COPPA-Compliant Privacy Policy
If COPPA applies, your privacy policy must include specific disclosures about children's information: what you collect, how you use it, your disclosure practices, and parental rights.
Build Parental Consent Mechanisms
Implement a verifiable consent process before collecting children's data. The method you choose depends on your audience and the sensitivity of the data, but make sure it actually verifies parental identity.
Establish Data Handling Procedures
Have processes for handling parental requests to review or delete data. Train staff on COPPA requirements. Set appropriate data retention limits—don't keep children's data longer than necessary.
Review Third-Party Relationships
If you use third-party services (analytics, advertising, social features), ensure they're aware of and compliant with COPPA. Some services have child-directed versions; others may need to be disabled entirely on parts of your site directed at children.
Looking Forward
COPPA has been remarkably durable—the core requirements haven't changed dramatically since 2000, though the FTC has updated the implementing regulations to address new technologies.
However, there's growing pressure to update the law more fundamentally. Proposals include raising the protected age to 16 or 17, strengthening requirements, and addressing new concerns about targeted advertising to teens and algorithmic manipulation.
Meanwhile, children are online earlier and more extensively than ever. If your business touches kids' data in any way, staying ahead of COPPA requirements isn't just legal compliance—it's the right thing to do.