What Is COPPA?
The Children's Online Privacy Protection Act (COPPA) is a federal law enacted in 1998 that imposes requirements on websites and online services directed to children under 13 years old, as well as on websites and online services that have actual knowledge they are collecting personal information from children under 13.
COPPA is administered by the Federal Trade Commission (FTC) and represents the strongest children's privacy protection law in the United States. It requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
COPPA Key Facts
- Enacted: 1998 (updated in 2013)
- Administered by: Federal Trade Commission (FTC)
- Applies to: Children under 13
- Consent Model: Verifiable parental consent required
- Maximum Penalty: $50,120 per violation (2026)
Why COPPA Matters
Children are particularly vulnerable to privacy risks because they may not understand the implications of sharing personal information. COPPA was designed to:
- Put parents in control over what information is collected from their children
- Create a safer online environment for children
- Hold websites accountable for protecting children's data
- Require transparency about data collection practices
Who Does COPPA Apply To?
COPPA applies to two categories of organizations:
1. Operators Directed to Children
Websites and online services that are directed to children under 13 must comply regardless of whether they actually collect information from children. Factors used to determine if a site is "directed to children" include:
- Subject matter and content
- Use of child-oriented activities, language, or design
- Music, animations, or other features appealing to children
- Advertising directed to children
- Age of models used in visuals
- Presence of child celebrities or characters
- Customer reviews suggesting child audience
2. Operators With Actual Knowledge
Websites and online services that know they are collecting personal information from children under 13 must also comply, even if not directed to children. This includes:
- General audience sites that have reason to know users are under 13
- Services that collect data through plugins or ad networks that reveal child users
- Platforms where children's profiles are visible to adult users
Critical Point
You can violate COPPA even if your site is not specifically for children. If you have actual knowledge that a user is under 13, COPPA requirements apply. This is particularly relevant for social platforms and messaging apps.
COPPA Requirements for Websites
Under COPPA, operators must meet several specific requirements:
Privacy Notice Requirements
Your privacy notice must be clear and understandable, and must include:
- Contact Information: Name, address, and contact email for the operator
- Data Collection List: Types of personal information collected from children
- Purpose: How the information will be used
- Disclosure: Whether information is disclosed to third parties
- Parental Access: Parents can review and delete their child's information
- Consent Options: Methods for obtaining parental consent
Data Collection Limitations
COPPA restricts what you can collect from children:
- Collection must be limited to what's necessary for the specific activity
- Must provide direct notice to parents about collection practices
- Must obtain verifiable parental consent before collection
- Cannot require a child to provide more information than reasonable
- Must delete children's data when no longer needed
Third-Party Disclosure
If you share children's data with third parties, you must:
- Identify all third parties in your privacy notice
- Ensure third parties are also COPPA-compliant
- Include provisions in contracts requiring compliance
- Only share data for the purposes stated in the notice
Verifiable Parental Consent
The heart of COPPA is verifiable parental consent. You cannot collect, use, or disclose personal information from a child under 13 without first obtaining consent from the child's parent.
Methods of Obtaining Consent
The FTC allows several methods for obtaining verifiable parental consent:
High-Assent Methods
- Signed consent form: Printed form sent by mail or fax
- Electronic consent: With identity verification
- Video conference: With parental ID verification
- Government ID: Copy of government ID with verification
Lower-Assent Methods
- Email plus: Email consent + follow-up verification
- Knowledge-based: Answering detailed questions
- Credit card: For age verification (in limited cases)
- Device verification: For certain contextual data
Consent for Different Collection Types
| Type of Collection | Consent Required |
|---|---|
| Contact information for newsletter | Prior consent required |
| Name for account creation | Prior consent required |
| Online contact with another person | Prior consent required |
| Physical contact info for contest | Prior consent required |
| Audio/video with child | Prior consent required |
| Passive tracking (cookies) | Prior consent required |
| Data for security/traffic | Can be collected without prior consent |
Direct Data Collection from Children
When collecting personal information directly from children, you must follow specific procedures:
Required Disclosures
Before collecting any information, you must post a clear and prominent link to your privacy policy that includes:
- Name and contact information of all operators
- Types of information collected from children
- How the information will be used
- Whether information is disclosed to third parties
- Parent's rights to review and delete
- Procedures for obtaining parental consent
Direct Notice to Parents
You must also provide direct notice to parents (not just in the privacy policy) that includes:
- Name of website/service
- Types of information collected
- How information will be used
- Parent's options for consent/refusal
- Link to privacy policy
Best Practice
Always provide a separate, plain-language notice specifically for parents when collecting any data from their children. Don't hide this information in your general privacy policy.
Parent's Rights
COPPA grants parents specific rights:
- Review: Parents can review what information has been collected
- Delete: Parents can request deletion of their child's information
- Refuse: Parents can refuse further collection or use
- Revoke: Parents can revoke previously given consent
Third-Party Services and COPPA
Many websites use third-party services that may collect data from children. You remain responsible for ensuring compliance.
Common Third-Party Risks
- Analytics tools: Google Analytics, Mixpanel, etc.
- Advertising networks: AdSense, programmatic ads
- Social media plugins: Facebook Like, Twitter buttons
- Embedded content: YouTube videos, social posts
- SDKs and APIs: Mobile app integrations
Your Responsibilities
You must ensure that third parties processing children's data:
- Are listed in your privacy policy
- Comply with COPPA requirements
- Only collect data for disclosed purposes
- Do not use data for non-disclosed purposes
- Have appropriate security measures
Warning
If you use ad networks or analytics on a site that may attract children, you could be liable for their data collection practices. Always vet third-party services and ensure they are COPPA-compliant.
COPPA Penalties and Enforcement
The FTC takes COPPA enforcement seriously, with significant penalties for violations.
Civil Penalties
- Current maximum: $50,120 per violation (2026, adjusted annually for inflation)
- Calculation: Each instance of unauthorized collection counts as a separate violation
- Enforcement: FTC can also seek consumer redress and injunctive relief
Notable Enforcement Cases
| Company | Year | Penalty |
|---|---|---|
| Epic Games (Fortnite) | 2022 | $520 million (includes COPPA violations) |
| YouTube | 2019 | $170 million |
| Musical.ly (TikTok) | 2019 | $5.7 million |
| Google/AdSense | 2019 | $170 million |
| Little Twins Star | 2023 | $200,000 |
State Attorney General Enforcement
In addition to FTC enforcement, state attorneys general can also enforce COPPA and seek penalties. Many states have used this authority to pursue cases against companies violating children's privacy.
COPPA Compliance Checklist
Use this checklist to ensure your site or service is COPPA-compliant:
Step 1: Determine If COPPA Applies
- Is your site directed to children under 13?
- Does your service have actual knowledge of collecting from children under 13?
- Do you have child users regardless of intended audience?
Step 2: Update Privacy Policy
- Create a stand-alone children's privacy notice
- List all data collected from children
- Explain how data will be used
- Disclose all third parties receiving children's data
- Include parent consent procedures
- Explain parent's rights to review/delete
Step 3: Implement Consent Mechanism
- Select appropriate consent method for your data collection
- Test the consent process works correctly
- Document all consent obtained
- Create process for parents to revoke consent
Step 4: Data Handling Procedures
- Limit data collection to what's necessary
- Create secure storage for children's data
- Establish data retention and deletion procedures
- Implement process for parent access/deletion requests
Step 5: Third-Party Management
- Audit all third parties that may collect children's data
- Ensure third parties are COPPA-compliant
- Update contracts to include required provisions
- Monitor for new third-party integrations
Step 6: Ongoing Compliance
- Regularly review and update privacy notices
- Train staff on COPPA requirements
- Document compliance efforts
- Monitor regulatory updates
Analyze Your Privacy Policy
Use PolicyLens to check if your privacy policy properly addresses COPPA requirements and children's privacy protections.
Analyze Your Policy Free