COPPA Compliance Guide: Children's Privacy

Everything you need to know about the Children's Online Privacy Protection Act and how to comply when collecting data from children under 13.

16 min read Updated April 2026

What Is COPPA?

The Children's Online Privacy Protection Act (COPPA) is a federal law enacted in 1998 that imposes requirements on websites and online services directed to children under 13 years old, as well as on websites and online services that have actual knowledge they are collecting personal information from children under 13.

COPPA is administered by the Federal Trade Commission (FTC) and represents the strongest children's privacy protection law in the United States. It requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children.

COPPA Key Facts

  • Enacted: 1998 (updated in 2013)
  • Administered by: Federal Trade Commission (FTC)
  • Applies to: Children under 13
  • Consent Model: Verifiable parental consent required
  • Maximum Penalty: $50,120 per violation (2026)

Why COPPA Matters

Children are particularly vulnerable to privacy risks because they may not understand the implications of sharing personal information. COPPA was designed to:

  • Put parents in control over what information is collected from their children
  • Create a safer online environment for children
  • Hold websites accountable for protecting children's data
  • Require transparency about data collection practices

Who Does COPPA Apply To?

COPPA applies to two categories of organizations:

1. Operators Directed to Children

Websites and online services that are directed to children under 13 must comply regardless of whether they actually collect information from children. Factors used to determine if a site is "directed to children" include:

  • Subject matter and content
  • Use of child-oriented activities, language, or design
  • Music, animations, or other features appealing to children
  • Advertising directed to children
  • Age of models used in visuals
  • Presence of child celebrities or characters
  • Customer reviews suggesting child audience

2. Operators With Actual Knowledge

Websites and online services that know they are collecting personal information from children under 13 must also comply, even if not directed to children. This includes:

  • General audience sites that have reason to know users are under 13
  • Services that collect data through plugins or ad networks that reveal child users
  • Platforms where children's profiles are visible to adult users

Critical Point

You can violate COPPA even if your site is not specifically for children. If you have actual knowledge that a user is under 13, COPPA requirements apply. This is particularly relevant for social platforms and messaging apps.

COPPA Requirements for Websites

Under COPPA, operators must meet several specific requirements:

Privacy Notice Requirements

Your privacy notice must be clear and understandable, and must include:

  • Contact Information: Name, address, and contact email for the operator
  • Data Collection List: Types of personal information collected from children
  • Purpose: How the information will be used
  • Disclosure: Whether information is disclosed to third parties
  • Parental Access: Parents can review and delete their child's information
  • Consent Options: Methods for obtaining parental consent

Data Collection Limitations

COPPA restricts what you can collect from children:

  • Collection must be limited to what's necessary for the specific activity
  • Must provide direct notice to parents about collection practices
  • Must obtain verifiable parental consent before collection
  • Cannot require a child to provide more information than reasonable
  • Must delete children's data when no longer needed

Third-Party Disclosure

If you share children's data with third parties, you must:

  • Identify all third parties in your privacy notice
  • Ensure third parties are also COPPA-compliant
  • Include provisions in contracts requiring compliance
  • Only share data for the purposes stated in the notice

Direct Data Collection from Children

When collecting personal information directly from children, you must follow specific procedures:

Required Disclosures

Before collecting any information, you must post a clear and prominent link to your privacy policy that includes:

  • Name and contact information of all operators
  • Types of information collected from children
  • How the information will be used
  • Whether information is disclosed to third parties
  • Parent's rights to review and delete
  • Procedures for obtaining parental consent

Direct Notice to Parents

You must also provide direct notice to parents (not just in the privacy policy) that includes:

  • Name of website/service
  • Types of information collected
  • How information will be used
  • Parent's options for consent/refusal
  • Link to privacy policy

Best Practice

Always provide a separate, plain-language notice specifically for parents when collecting any data from their children. Don't hide this information in your general privacy policy.

Parent's Rights

COPPA grants parents specific rights:

  • Review: Parents can review what information has been collected
  • Delete: Parents can request deletion of their child's information
  • Refuse: Parents can refuse further collection or use
  • Revoke: Parents can revoke previously given consent

Third-Party Services and COPPA

Many websites use third-party services that may collect data from children. You remain responsible for ensuring compliance.

Common Third-Party Risks

  • Analytics tools: Google Analytics, Mixpanel, etc.
  • Advertising networks: AdSense, programmatic ads
  • Social media plugins: Facebook Like, Twitter buttons
  • Embedded content: YouTube videos, social posts
  • SDKs and APIs: Mobile app integrations

Your Responsibilities

You must ensure that third parties processing children's data:

  • Are listed in your privacy policy
  • Comply with COPPA requirements
  • Only collect data for disclosed purposes
  • Do not use data for non-disclosed purposes
  • Have appropriate security measures

Warning

If you use ad networks or analytics on a site that may attract children, you could be liable for their data collection practices. Always vet third-party services and ensure they are COPPA-compliant.

COPPA Penalties and Enforcement

The FTC takes COPPA enforcement seriously, with significant penalties for violations.

Civil Penalties

  • Current maximum: $50,120 per violation (2026, adjusted annually for inflation)
  • Calculation: Each instance of unauthorized collection counts as a separate violation
  • Enforcement: FTC can also seek consumer redress and injunctive relief

Notable Enforcement Cases

Company Year Penalty
Epic Games (Fortnite) 2022 $520 million (includes COPPA violations)
YouTube 2019 $170 million
Musical.ly (TikTok) 2019 $5.7 million
Google/AdSense 2019 $170 million
Little Twins Star 2023 $200,000

State Attorney General Enforcement

In addition to FTC enforcement, state attorneys general can also enforce COPPA and seek penalties. Many states have used this authority to pursue cases against companies violating children's privacy.

COPPA Compliance Checklist

Use this checklist to ensure your site or service is COPPA-compliant:

Step 1: Determine If COPPA Applies

  • Is your site directed to children under 13?
  • Does your service have actual knowledge of collecting from children under 13?
  • Do you have child users regardless of intended audience?

Step 2: Update Privacy Policy

  • Create a stand-alone children's privacy notice
  • List all data collected from children
  • Explain how data will be used
  • Disclose all third parties receiving children's data
  • Include parent consent procedures
  • Explain parent's rights to review/delete

Step 3: Implement Consent Mechanism

  • Select appropriate consent method for your data collection
  • Test the consent process works correctly
  • Document all consent obtained
  • Create process for parents to revoke consent

Step 4: Data Handling Procedures

  • Limit data collection to what's necessary
  • Create secure storage for children's data
  • Establish data retention and deletion procedures
  • Implement process for parent access/deletion requests

Step 5: Third-Party Management

  • Audit all third parties that may collect children's data
  • Ensure third parties are COPPA-compliant
  • Update contracts to include required provisions
  • Monitor for new third-party integrations

Step 6: Ongoing Compliance

  • Regularly review and update privacy notices
  • Train staff on COPPA requirements
  • Document compliance efforts
  • Monitor regulatory updates

Analyze Your Privacy Policy

Use PolicyLens to check if your privacy policy properly addresses COPPA requirements and children's privacy protections.

Analyze Your Policy Free