COPPA & Children's Online Privacy

10 min read·Updated May 14, 2026

The Children's Online Privacy Protection Act (COPPA, 1998) — codified at 15 U.S.C. §§ 6501–6506 and implemented through the FTC's 16 C.F.R. Part 312 — requires websites and online services directed to children under 13, or with actual knowledge they're collecting information from children under 13, to obtain verifiable parental consent before collecting personal information. COPPA is why children must enter a birthdate to create an account — and why virtually every major social media platform officially prohibits users under 13, even as studies show tens of millions of underage users on platforms like Instagram, TikTok, and YouTube. The under-13 threshold has created a systemic outcome: platforms avoid actual knowledge of underage users by not asking, and children routinely lie about their age. The FTC has levied significant COPPA enforcement actions: $170 million against Google/YouTube (Sept. 2019; $136M to FTC, $34M to New York AG) for collecting children's viewing data without parental consent; $5.7 million against TikTok (2019, prior to its current scale); and $275 million against Epic Games/Fortnite (Dec. 2022). The 2013 COPPA Rule update expanded "personal information" to include geolocation, photos, videos, and persistent identifiers (device IDs, behavioral advertising IDs). Congress has repeatedly debated COPPA updates and companion legislation: the Children and Teens' Online Privacy Protection Act (COPPA 2.0) would extend protections to ages 13–16; the Kids Online Safety Act (KOSA) would add a "duty of care" for platforms as to minors. Both passed the Senate in 2024 but did not become law. The regulatory and legislative pressure on children's online privacy is accelerating, with multiple states (California, Texas, Utah, Florida) enacting their own children's privacy laws that go beyond COPPA.

Current Law (2026)

| Parameter | Value |
|---|---|
| Core statute | Children's Online Privacy Protection Act (1998), 15 U.S.C. §§ 6501-6506 |
| Implementing regulation | COPPA Rule, 16 C.F.R. Part 312 |
| Enforcement | Federal Trade Commission (FTC) |
| Protected age group | Children under 13 |
| Key requirement | Verifiable parental consent before collecting personal information from children under 13 |
| Personal information | Name, address, email, phone, SSN, screen name, geolocation, photos/videos, persistent identifiers used for targeted advertising |
| Penalties | Civil penalties up to ~$53,088 per violation per day (2025 figure; 2026 inflation adjustment slightly higher) |
| Safe harbor | FTC-approved self-regulatory programs may serve as compliance frameworks |

  • 15 U.S.C. § 6502(b) — Regulation of unfair and deceptive acts (FTC shall issue regulations requiring operators of websites or online services directed to children, or that have actual knowledge of collecting information from children under 13, to: provide notice of information practices; obtain verifiable parental consent; allow parents to review and delete collected information; maintain confidentiality and security; not condition a child's participation on providing more information than necessary)
  • 15 U.S.C. § 6502(a) — Prohibition (it is unlawful for an operator of a website or online service directed to children, or that has actual knowledge of collecting information from children under 13, to collect personal information in a manner that violates FTC regulations)
  • 15 U.S.C. § 6504 — State enforcement (state attorneys general may bring civil actions on behalf of state residents; must notify the FTC before filing)

How It Works

COPPA is the primary federal law protecting children's privacy online — requiring websites and apps that collect information from children under 13 to obtain parental consent and follow strict data handling practices. In the era of YouTube Kids, Roblox, and TikTok, COPPA has become one of the most consequential and frequently enforced consumer protection statutes, intersecting with electronic communications privacy protections and the broader tech regulation landscape.

COPPA applies to two categories of operators under 15 U.S.C. § 6502(a): websites or online services directed to children under 13 (determined by subject matter, visual content, animated characters, age of models, music, language, and whether advertising targets children), and general-audience services with actual knowledge they are collecting personal information from a specific child under 13. The "actual knowledge" standard matters — a general-audience site is not liable merely because children use it, only when it knows specific users are under 13, which is why platforms use age gates and why the FTC scrutinizes whether those gates constitute willful avoidance. Before collecting, using, or disclosing personal information from children under 13, operators must obtain verifiable parental consent (15 U.S.C. § 6502(b)) through methods including signed consent forms, credit card verification, toll-free telephone calls, government ID verification, or knowledge-based authentication. "Personal information" under COPPA is broader than most operators realize: it covers name, address, email, phone, screen names used as contact information, geolocation data, photos and videos containing a child's image or voice, and persistent identifiers (cookies, IP addresses, device IDs) when used for targeted advertising or behavioral tracking — this last category, added in the 2013 COPPA Rule update, significantly expanded COPPA's reach beyond traditional contact information.

FTC enforcement has produced some of the largest privacy penalties in U.S. history: $170 million against Google/YouTube (2019) for collecting children's viewing data without consent, $275 million against Epic Games/Fortnite (2022), and $5.7 million against TikTok (2019). Civil penalties run up to ~$53,088 per violation per day (2025 inflation-adjusted), and the FTC has increasingly targeted gaming platforms, social media, education technology, and streaming services. Companies that join an FTC-approved safe harbor program — operated by CARU (Children's Advertising Review Unit), kidSAFE, ESRB Privacy Certified, and others — are deemed compliant with the COPPA Rule (15 U.S.C. § 6503), providing a structured alternative compliance pathway and reduced enforcement risk. The 2024 COPPA Rule update added new requirements: operators must delete personal information when no longer necessary for its original collection purpose, cannot condition a child's access on providing more data than necessary, and must maintain specific, public data retention policies.

How It Affects You

If you're a parent with children under 13: COPPA gives you real, enforceable rights — but you have to invoke them. You can contact any website or app directed to children and request to: (1) review the personal information collected about your child, (2) have inaccurate information corrected, and (3) have all information deleted. The operator must respond to your request. You can also revoke consent at any time, and the operator must stop collecting new information and delete what was already collected (within a reasonable timeframe). What counts as your child's "personal information" is broader than you might expect: it includes not just name and email but also persistent identifiers like device IDs and advertising IDs when used for behavioral tracking, geolocation data, and photos or videos containing your child's image. The biggest gap: if your child lies about their age to join a platform that has an age gate (like Instagram or TikTok), that platform doesn't have "actual knowledge" that your child is under 13 — and COPPA doesn't apply. If you suspect a platform is collecting data from your child without consent, you can file a complaint directly with the FTC at ftc.gov/complaint; state attorneys general can also bring COPPA enforcement actions.

If you operate a website, app, or online service used by children: COPPA compliance depends on which category applies to you. If your service is directed to children (judged by subject matter, animated characters, age of models, child-targeted music, or advertising targeting children), COPPA applies regardless of whether you know the ages of specific users — and you must obtain verifiable parental consent before collecting any personal information. If you're a general-audience service that has actual knowledge that a specific user is under 13 (from a birthdate, parental inquiry, or other clear signal), COPPA applies to that user. The FTC's 2024 COPPA Rule update added significant new restrictions: you must delete personal information when it's no longer necessary for the purpose it was collected, you can't condition access on children providing more data than necessary, and your data retention policy must be written, public, and specific. FTC enforcement is real and expensive: $275 million against Epic Games/Fortnite (2022), $170 million against Google/YouTube (2019), and $5.7 million against TikTok (2019). Per-violation penalties run up to ~$53,088 per day (2025 inflation-adjusted figure). Joining an FTC-approved safe harbor program (CARU, kidSAFE, ESRB) gives you a compliance framework and reduces enforcement risk.

If you're an education technology provider serving K-12 schools: Schools can authorize COPPA consent on behalf of parents — but with a critical limitation. The school consent exception only covers data collection that is for the educational purpose the school contracted for. If you use student data collected under the school consent exception for advertising, behavioral targeting, product improvement, or any commercial purpose beyond the educational service, you need separate parental consent. In practice: your data use agreements with schools should spell out exactly what you collect and how you use it. Many school district contracts include student privacy provisions modeled on the Student Privacy Pledge, which go beyond COPPA's requirements. The FTC has brought enforcement actions against EdTech companies that used school-collected data for commercial purposes outside the scope of school authorization. California's Student Online Personal Information Protection Act (SOPIPA) and similar state laws add another layer — more restrictive than COPPA — in states where most EdTech business is concentrated.

If you're building compliance for an app, advertising network, or tech product targeting families: The practical challenge is that the "directed to children" test is fact-specific — no app developer self-certifies as "directed to children," but the FTC looks at content, design, and advertising choices. If your app features animated characters, bright colors, and simple language, expect COPPA scrutiny even if your terms say "13+." Advertising networks serving children's apps must themselves comply with COPPA for the data they collect in that context — the FTC has pursued enforcement against ad SDKs embedded in children's apps. State laws are accelerating beyond COPPA: California's Age-Appropriate Design Code (enjoined pending appeal, but influential), Texas, Utah, and Florida have enacted children's online safety laws that require risk assessments, restrict data collection from minors, and add "duty of care" concepts that have no parallel in federal COPPA. Compliance strategies that satisfy COPPA may need updating to meet state requirements — especially if you serve users in California, Texas, or Utah.

State Variations

  • COPPA is a federal floor — states can enact more protective children's privacy laws
  • California (CCPA/CPRA and Age-Appropriate Design Code, part of the broader data privacy landscape) provides additional protections extending to teens under 16
  • Several states have enacted their own children's online privacy laws, some covering ages up to 16 or 18
  • State attorneys general can enforce COPPA independently and have been increasingly active
  • State education privacy laws (often modeled on student privacy pledges) supplement COPPA for EdTech

Implementing Regulations

  • 16 CFR Part 312 — Children's Online Privacy Protection Rule (COPPA Rule): the FTC's implementation of COPPA specifying technical and operational requirements for each statutory obligation. The 2024 amendments were the most significant update since 2013:

    • § 312.4 — Notice requirements: before collecting personal information from a child, the operator must provide a clear and prominent notice at the point of collection stating what information is collected, how it's used, and whether it's disclosed to third parties; operators must post a comprehensive, current privacy policy — a generic policy failing to describe actual practices is itself a COPPA violation
    • § 312.5 — Verifiable parental consent (VPC): operators must obtain VPC before collecting, using, or disclosing personal information from a child under 13; acceptable methods include signed consent forms, credit card transactions with cardholder notice, toll-free calls with trained personnel, government-issued ID checks, knowledge-based authentication, and FTC-recognized facial age estimation technology; for internal operations only (no third-party disclosure, no targeted advertising), email plus additional confirmation (call, text, or follow-up email) suffices — but the 2024 Rule established that persistent identifiers used for targeted advertising require full VPC even for ostensibly internal operations
    • § 312.7 — Data security, retention, and deletion: operators must maintain the confidentiality and security of children's data; must establish a written data retention policy specifying retention periods; and must delete children's personal information when it is no longer necessary for the purpose of collection — the 2024 Rule made violations of the operator's own retention policy independently enforceable; operators may not hold children's data indefinitely or repurpose it for new uses
    • § 312.8 — Prohibition on conditioning access: operators may not condition a child's participation in any game, offering, or activity on disclosing more personal information than is reasonably necessary for participation; the 2024 Rule strengthened this to specifically prohibit monetizing children's data beyond what is necessary for the core service; conditioning access to educational content on consent to targeted advertising is explicitly prohibited
    • § 312.10 — Safe harbor programs: operators following guidelines from FTC-approved programs (CARU, kidSAFE, ESRB Privacy Certified) are deemed compliant; the program must conduct annual member assessments and take responsive action against violators; the safe harbor pathway is popular for gaming and education platforms
    • § 312.13 — Civil penalties: ~$53,088 per violation per day (2025 inflation-adjusted figure under the FTC's annual Federal Civil Penalties Inflation Adjustment update; 2026 figure modestly higher); FTC may target executives in egregious cases; state AGs may also enforce COPPA

    The 2024 Rule update (89 FR 2034) added explicit prohibitions on targeted advertising to children without separate VPC, strengthened data minimization, expanded school-directed service requirements to prevent commercial student profiling, and increased operator accountability for integrated third-party services. Major enforcement cases: Google/YouTube ($170M, 2019); Epic/Fortnite ($275M, 2022); Microsoft/Activision ($20M, 2023).

Pending Legislation

  • HR 6291 — Expand COPPA to teens, stronger consent/deletion rights, ban targeted ads to minors. Status: In committee.
  • S 836 (Sen. Markey, D-MA) — Update COPPA for teens 13-16, expand data rules, tighten consent/ad limits. Status: Passed Senate.

Recent Developments

  • The FTC finalized major updates to the COPPA Rule in 2024, strengthening requirements around targeted advertising, data retention, and consent mechanisms
  • Proposals to raise the COPPA age from 13 to 16 have been debated but not enacted
  • Age verification technology has advanced but remains imperfect — balancing child protection with privacy and access concerns
  • The Kids Online Safety Act (KOSA) and other legislation targeting social media's impact on children complement COPPA's data protection focus
  • FTC enforcement has intensified, with record penalties against gaming platforms, social media, and streaming services
  • In March 2026, the House Energy and Commerce Committee held a full committee markup of nine bills including H.R. 7757, the Kids Internet and Digital Experience Safety Act, advancing children's online safety legislation.
