The Ultimate Guide to COPPA: The Children's Online Privacy Protection Act

LEGAL DISCLAIMER: This article provides general, informational content for educational purposes only. It is not a substitute for professional legal advice from a qualified attorney. Always consult with a lawyer for guidance on your specific legal situation.

Imagine you’re building a playground. You know that kids will be playing there, so you instinctively take extra precautions. You use soft mulch instead of concrete, ensure the swings have safe chains, and put up a fence to keep the children from wandering into traffic. You have a special duty of care because your creation is for them. The internet is today's playground, and the Children's Online Privacy Protection Act, or COPPA, is the set of federal safety rules for anyone who builds a digital space for children under 13. COPPA isn't about censoring content or telling you what kids can see. Instead, it’s laser-focused on one thing: protecting children's personal information. It places the responsibility squarely on the shoulders of website operators and app developers—the playground builders—to be the responsible guardians of a child's private data. In short, COPPA says: “If you run an online service for kids under 13, you must put parents in control of their children's data. You need to tell them what you're collecting, get their permission first, and protect that information.”

  • What it is: COPPA is a critical federal_law in the United States, enforced by the federal_trade_commission_(ftc), that dictates how websites, apps, and other online services must handle the personal information of children under the age of 13.
  • Who it affects: COPPA applies to you if you operate a commercial website or online service (including mobile apps) that is either directed to children under 13, or if you have actual knowledge that you are collecting personal information from them.
  • What it requires: The core mandate of COPPA is to obtain verifiable parental consent *before* collecting, using, or disclosing a child's personal data, and to post a clear, comprehensive, and easy-to-understand privacy policy.

The Story of COPPA: A Historical Journey

In the 1990s, the internet was a digital “Wild West.” Commercial websites were booming, and companies quickly realized that children were a lucrative new market. They used cartoon characters, games, and contests to entice kids to share personal information (names, addresses, and even details about their families) often without any parental involvement. Privacy advocates and parents grew alarmed: children were being targeted by marketers, and their data was being collected and used in ways that were invisible and unregulated.

Congress recognized the unique vulnerability of children online. They couldn't be expected to understand the long-term consequences of sharing their personal details. In response to widespread public concern, Congress passed the Children's Online Privacy Protection Act of 1998 (`childrens_online_privacy_protection_act_of_1998`). The law went into effect in April 2000, creating the first federal framework for children's online privacy in the U.S. The Act gave the federal_trade_commission_(ftc) the authority to issue and enforce a set of rules, known as the `coppa_rule`, which translates the Act's principles into specific requirements for online operators.

By 2010, however, the internet had changed dramatically. The rise of smartphones, social media, and mobile apps created new ways to collect data that the original rule never envisioned. To address this new reality, the FTC amended the COPPA Rule, with the changes taking effect in July 2013. This crucial amendment expanded the definition of “personal information” to include modern data points like:

  • Photos, videos, and audio files containing a child's image or voice.
  • Geolocation data.
  • Persistent identifiers, like cookies or device serial numbers, that could be used to track a child's activity across different websites and apps over time.

This update ensured that COPPA's protections evolved alongside technology, remaining a relevant and powerful tool for safeguarding children in the digital age. The FTC amended the Rule again in January 2025 (effective June 23, 2025); among other changes, operators must now obtain separate verifiable parental consent before disclosing a child's personal information to third parties for purposes such as targeted advertising, and must maintain a written data retention policy.

The legal authority for COPPA flows from a primary federal statute and its implementing regulation. Understanding both is key to understanding your obligations.

  • The Children's Online Privacy Protection Act of 1998 (15 U.S.C. §§ 6501–6506): This is the foundational law passed by Congress. It establishes the core principle that operators of online services must obtain parental consent before collecting personal information from children under 13. Section 6502(b) lays out the essential requirements for the regulation the FTC was to create, stating an operator must provide:

> “…notice on the Web site of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information.”

In plain language, the law itself created the mandate for a clear privacy policy and parental control.
  • The COPPA Rule (16 C.F.R. Part 312): This is the detailed regulation created and enforced by the FTC. It's where the “rubber meets the road.” The COPPA Rule provides the specific definitions and operational instructions that businesses must follow. For example, it defines what constitutes “verifiable parental consent” and lists the acceptable methods for obtaining it. It details exactly what must be included in a privacy policy and where it must be located on a website or app. Most of the practical, day-to-day compliance questions are answered by the `coppa_rule`, not the original, broader statute.

While COPPA is a U.S. federal law, the challenge of protecting children's online privacy is global. Many countries and economic blocs have their own regulations. For a business with an international audience, understanding these differences is vital.

| Feature | COPPA (United States) | GDPR-K (European Union) | CCPA/CPRA (California) | AADC (California) |
| --- | --- | --- | --- | --- |
| Protected Age Group | Under 13 | Under 16 (member states may lower the threshold, but not below 13) | Under 16 for the sale/sharing rules | Under 18 |
| Core Requirement | Opt-in: verifiable parental consent *before* data collection. | Opt-in: parental consent *before* processing a child's personal data for online services. | Opt-in for sale/sharing of minors' data: 13- to 15-year-olds may authorize it themselves; a parent or guardian must opt in for children under 13. For everyone else CCPA is an opt-out regime. | Privacy by design: services likely to be accessed by children must be designed with the child's best interests in mind. |
| “Personal Information” Scope | Broad, including persistent identifiers, photos, and geolocation. | Very broad “personal data”: any information relating to an identified or identifiable person. | Very broad, similar to GDPR, including inferences drawn from other information. | Applies to any online service “likely to be accessed by a child.” |
| Enforcement Body | Federal Trade Commission (FTC) and state Attorneys General. | National Data Protection Authorities (DPAs) in each EU member state. | California Privacy Protection Agency (CPPA) and the California Attorney General. | California Attorney General. |
| Primary Focus | Preventing collection/use of children's data without parental consent. | Granting individuals (including children) broad rights over their personal data. | Giving consumers (including minors) control over the sale and sharing of their information. | Requiring online services to prioritize the well-being and safety of children in their design. |

What this means for you: If your app or website is available worldwide, you can't just comply with COPPA. You may need to implement different age verification and consent mechanisms for users in Europe versus the United States. Furthermore, states like California are now leading the way with even more comprehensive protections like the `california_age-appropriate_design_code_act` (AADC), showing a trend towards more stringent regional regulation.

To comply with COPPA, you must understand its core definitions and tests. Getting any of these wrong can lead to significant penalties.

Who is Covered? The "Operator" and "Website/Online Service" Definitions

You are covered by COPPA if you are an “operator” of a commercial “website or online service” that collects personal information from children under 13.

  • Operator: This isn't just the owner of the website. It includes anyone who operates or maintains the site or service, or on whose behalf personal information is collected or maintained. For example, if you hire a third-party developer to build and run your child-directed app, you are both operators and both responsible for COPPA compliance. The same goes for an ad network, analytics SDK, or plug-in that collects persistent identifiers through your child-directed app: it is an operator in its own right, and you are responsible for the third parties you allow to collect data through your service.
  • Website or Online Service: This is a very broad category. It includes standard websites, mobile apps, gaming platforms, advertising networks, plug-ins or toolbars, voice-over-internet protocol (VoIP) services, and even internet-connected toys or devices (the “Internet of Things”).

Example: A small toy company creates a Bluetooth-enabled teddy bear that connects to a mobile app. The app allows the child to talk to the bear, and it records their voice. The toy company is an operator, and the app/bear combination is an online service. They must comply with COPPA.

Is Your Service "Directed to Children"? The Multi-Factor Test

This is the most critical question you must ask. The FTC doesn't just look at what you say your audience is; it looks at the totality of the circumstances. This is called the multi-factor test. The FTC will examine:

  • Subject Matter: Does your content focus on topics that are highly interesting to kids, like cartoons, dolls, or simple games?
  • Visual Content: Do you use cartoon characters, bright colors, and kid-friendly animations?
  • Audio Content: Does your service feature children's music, simple sound effects, or young-sounding voices?
  • Age of Models: Do you use child models or actors in your advertisements or content?
  • Advertising: Is your service promoted on child-focused TV channels, websites, or by child influencers?
  • Empirical Evidence: Do your own audience demographic studies or user data show that a significant portion of your users are under 13?

You do not need to meet all these criteria. If your service has several of these characteristics, the FTC will likely consider it “directed to children,” even if some adults also use it. One caveat: if your service is child-directed but children are not its *primary* audience (a “mixed audience” service), the Rule lets you use a neutral age screen and apply COPPA's consent requirements only to users who identify as under 13. A service whose primary audience is children cannot age-screen its way out of COPPA; it must treat all users as children.

"Actual Knowledge": The Other Way COPPA Applies

Even if your website is for a general audience (e.g., a photo-sharing site), COPPA can still apply to you. If you have “actual knowledge” that you are collecting personal information from a specific user who is under 13, you must immediately either delete their data or obtain verifiable parental consent. Example: A social media platform designed for adults has a user sign up and enter their age as “11.” Or, a parent emails the platform's support line saying, “My 12-year-old daughter is using your service.” In both cases, the platform now has actual knowledge. It must act to comply with COPPA for that specific user. This is why many general audience sites, like Facebook and Instagram, simply state in their terms of service that users must be 13 or older, and they terminate accounts of users they discover are underage.

What is "Personal Information"? An Expanding Definition

Under COPPA, “personal information” is much more than just a name and address. The definition is broad and designed to evolve with technology. It includes:

  • First and last name.
  • A home or other physical address, including street name and city/town.
  • Online contact information, like an email address or a screen name that functions as one.
  • A telephone number.
  • A photograph, video, or audio file containing a child's image or voice.
  • Geolocation information sufficient to identify a street name and city/town.
  • A persistent identifier that can be used to recognize a user over time and across different sites or services. This includes a customer number held in a `cookie`, an IP address, a device serial number, or a unique device identifier.

Before you can collect, use, or disclose any of the personal information listed above from a child under 13, you must first obtain Verifiable Parental Consent (VPC). This means you must make reasonable efforts to ensure that the person giving consent is actually the child's parent. The FTC has approved several methods:

  • Having the parent sign and return a consent form (by mail, fax, or electronic scan).
  • Requiring the parent to use a credit card, debit card, or other online payment system that provides notification of each transaction to the account holder.
  • Having the parent call a toll-free telephone number staffed by trained personnel.
  • Connecting with the parent via a video conference.
  • Verifying a parent's identity by checking a form of government-issued identification.

Simply accepting an email from someone claiming to be a parent is not enough to meet the VPC requirement. The one exception is the Rule's “email plus” method: if you use a child's information only for internal purposes and never disclose it, you may obtain consent by email, provided you follow up with a confirmation step (a delayed confirming email, a letter, or a phone call) that gives the parent a chance to object.

The Privacy Policy Mandate: Clear and Conspicuous Notice

COPPA requires you to post a clear, prominent, and easy-to-read privacy policy on your website or service. It must be easily accessible from your homepage and any page where you collect personal information from children. This policy must specifically detail:

  • The name and contact information of all operators collecting the information.
  • What specific types of personal information you are collecting.
  • How you use the information.
  • Whether you disclose the information to third parties, and if so, what kind of businesses they are and how they use the data.
  • A description of a parent's rights, including the right to review their child's information and have it deleted.

Key Players in COPPA Compliance

  • federal_trade_commission_(ftc): The primary enforcer of COPPA. The FTC investigates complaints, conducts its own inquiries, and can seek civil penalties (currently more than $50,000 per violation, adjusted annually for inflation) and impose consent orders that require ongoing compliance monitoring.
  • State Attorneys General: State AGs also have the authority to enforce COPPA.
  • Website/App Operators: The businesses and individuals who create and run online services. They are the ones who bear the primary responsibility for compliance.
  • Parents and Guardians: COPPA empowers parents by giving them the ultimate say over their children's data. They are the gatekeepers.
  • Children: The protected class under the law. COPPA exists to protect their privacy and safety online.
  • COPPA Safe Harbor Programs: These are self-regulatory programs approved by the FTC. Companies can join these programs (e.g., ESRB Privacy Certified, PRIVO) which audit their practices and certify them as COPPA-compliant. Membership can provide a degree of protection in an FTC investigation, though it does not grant total immunity.

If you are launching a new app or website, or reviewing an existing one, this is your compliance checklist.

Step 1: Determine if COPPA Applies to You

  1. Analyze your content: Go through the “directed to children” multi-factor test honestly. Look at your subject matter, visuals, music, and marketing. If your service is appealing to kids under 13, you must comply with COPPA.
  2. Analyze your user data: Do you ask for age information at registration? Do you have analytics that show a large under-13 audience? If you have actual knowledge of collecting data from kids, you must comply.
  3. When in doubt, comply: The penalties for non-compliance are severe. If you are in a gray area, it is far safer to assume COPPA applies and build in its protections from the start.

Step 2: Craft a COPPA-Compliant Privacy Policy

  1. Be transparent: Create a dedicated section of your privacy policy, or a separate policy page, specifically addressing children's privacy.
  2. Use simple language: Write the policy in a way that a parent can easily understand. Avoid legal jargon.
  3. Include all required elements: Use the FTC's checklist to ensure your policy lists the operators, the information collected, its use, its disclosure practices, and parental rights.
  4. Make it conspicuous: Place a clear link to the policy on your homepage, and on every page where you collect data.

Step 3: Obtain Verifiable Parental Consent

  1. Provide Direct Notice: Before collecting data, you must send a direct notice to the parent. This notice must explain that you wish to collect their child's data, what data you want, how you will use it, and must link to your privacy policy. It must also inform them that you need their consent. The only information you may collect from the child before consent is the parent's online contact information (and the child's own, if needed to reach the parent), and you must delete it if consent is not obtained within a reasonable time.
  2. Choose a VPC Method: Select one of the FTC-approved VPC methods. For many small businesses, a signed consent form returned by scan or mail, or a small credit card transaction that can be voided after verification, are common choices.
  3. Honor Parental Rights: You must provide parents with a way to review the personal information you have collected from their child, request its deletion, and refuse to allow any further collection or use of the data.

Step 4: Ensure Data Security and Limited Retention

  1. Protect the data: You must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information you collect, including protecting it against unauthorized access or use. You may release the data only to service providers and third parties that are capable of maintaining its confidentiality, security, and integrity, and you must obtain assurances that they will. This is your data_security obligation.
  2. Don't keep it forever: You may only retain a child's personal information for as long as is reasonably necessary to fulfill the purpose for which it was collected. You must delete it securely once that purpose is met.
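To make the steps above concrete, here is an added Python example, written for this page rather than taken from the FTC, any safe-harbor program, or any real product, of a consent gate a child-directed service might place in front of its data store. It computes “under 13” from a date of birth (the 13th birthday is the hard boundary, with the February 29 edge case handled), refuses to store personal information until verifiable parental consent is recorded, treats an actual-knowledge signal about an existing user as a trigger to purge and restart the consent flow, exposes the parent's review, delete, and refuse-further-collection rights, and purges data once a retention window passes. Everything in it is hypothetical: the class and method names, the set of VPC method labels (which mirrors the list earlier on this page), and the fixed 90-day retention window, which a real service would derive from its own written retention policy rather than a constant.

```python
"""Added example: a minimal COPPA consent gate (hypothetical code, not FTC code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional

COPPA_AGE = 13
# Labels for the VPC methods listed on this page. Anything else (such as a
# bare "parent emailed us") is rejected, so it can never count as VPC.
APPROVED_VPC_METHODS = {"signed_form", "payment_transaction", "toll_free_call",
                        "video_conference", "government_id"}


def is_under_13(dob: date, today: date) -> bool:
    """True until the day of the 13th birthday (that day itself is not under 13).
    A Feb 29 birthday is treated as Mar 1 in a non-leap year."""
    try:
        thirteenth = dob.replace(year=dob.year + COPPA_AGE)
    except ValueError:  # born on Feb 29
        thirteenth = date(dob.year + COPPA_AGE, 3, 1)
    return today < thirteenth


class Consent(Enum):
    NOT_REQUIRED = "not_required"  # 13 or older, no actual-knowledge signal
    PENDING = "pending"            # under 13, direct notice sent, awaiting VPC
    GRANTED = "granted"            # VPC on file: collection and use allowed
    REFUSED = "refused"            # parent refused/revoked: nothing may be kept


class ConsentRequired(Exception):
    """Raised when code tries to store a child's data without VPC on file."""


@dataclass
class Account:
    user_id: str
    dob: date
    consent: Consent
    parent_email: Optional[str] = None   # the only datum held before VPC
    pii: Dict[str, str] = field(default_factory=dict)
    collected_on: Optional[date] = None
    audit: List[str] = field(default_factory=list)


class ConsentGate:
    def __init__(self, retention_days: int = 90):   # assumed retention window
        self.accounts: Dict[str, Account] = {}
        self.retention = timedelta(days=retention_days)

    def register(self, user_id: str, dob: date, today: date,
                 parent_email: Optional[str] = None) -> Account:
        """Age-gate at sign-up: an under-13 user is parked in PENDING and the
        caller is expected to send the direct notice to parent_email."""
        if is_under_13(dob, today):
            if not parent_email:
                raise ConsentRequired("need a parent contact to send the direct notice")
            acct = Account(user_id, dob, Consent.PENDING, parent_email)
            acct.audit.append(f"{today}: direct notice queued to parent")
        else:
            acct = Account(user_id, dob, Consent.NOT_REQUIRED)
        self.accounts[user_id] = acct
        return acct

    def record_vpc(self, user_id: str, method: str, today: date) -> None:
        if method not in APPROVED_VPC_METHODS:
            raise ValueError(f"{method!r} is not an approved VPC method")
        acct = self.accounts[user_id]
        if acct.consent is Consent.PENDING:
            acct.consent = Consent.GRANTED
            acct.audit.append(f"{today}: VPC obtained via {method}")

    def collect(self, user_id: str, key: str, value: str, today: date) -> None:
        """Store personal information only when the consent state permits it."""
        acct = self.accounts[user_id]
        if acct.consent not in (Consent.GRANTED, Consent.NOT_REQUIRED):
            raise ConsentRequired(f"{user_id}: no verifiable parental consent on file")
        acct.pii[key] = value
        acct.collected_on = acct.collected_on or today

    def actual_knowledge(self, user_id: str, dob: date, today: date) -> None:
        """A parent report or self-declared age shows an existing user is under 13:
        purge what was collected and restart the consent flow (or delete the account)."""
        acct = self.accounts[user_id]
        if is_under_13(dob, today) and acct.consent is Consent.NOT_REQUIRED:
            acct.dob, acct.pii, acct.collected_on = dob, {}, None
            acct.consent = Consent.PENDING
            acct.audit.append(f"{today}: actual knowledge of age; data purged; consent pending")

    def parent_review(self, user_id: str) -> Dict[str, str]:
        """Right to review: return a copy of everything held about the child."""
        return dict(self.accounts[user_id].pii)

    def parent_refuse(self, user_id: str, today: date) -> None:
        """Right to delete and refuse further collection (also covers revocation)."""
        acct = self.accounts[user_id]
        acct.pii, acct.collected_on = {}, None
        acct.consent = Consent.REFUSED
        acct.audit.append(f"{today}: parent refused further collection; data deleted")

    def purge_expired(self, today: date) -> List[str]:
        """Retention: drop child data once the retention window has elapsed."""
        purged = []
        for acct in self.accounts.values():
            if (acct.collected_on and acct.consent is Consent.GRANTED
                    and today - acct.collected_on > self.retention):
                acct.pii, acct.collected_on = {}, None
                purged.append(acct.user_id)
        return purged
```

The design choice worth copying is that consent is enforced at the storage boundary, not at the sign-up form: `collect()` is the only way data enters the store, so a new feature cannot accidentally bypass the gate, and every transition leaves an audit entry a parent or regulator can be shown. Note that `is_under_13()` compares dates, not year differences, so a user is treated as 13 on their birthday and not a day earlier.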

Essential Paperwork: Key Documents

  • The COPPA Privacy Policy: This is your most important public-facing document. It must be detailed, accurate, and easy to find. It is not a generic legal document; it is a specific disclosure mandated by federal law.
  • The Direct Notice to Parents: This is the communication (often an email) you send to a parent to initiate the consent process. It must clearly explain what you are doing and seek their permission.
  • The Verifiable Parental Consent Form: If you use the consent form method, this document is what the parent signs and returns to you. It should clearly state that they are the parent, they have read your privacy policy, and they consent to the collection and use of their child's information as described.

The FTC's enforcement actions provide the clearest picture of what not to do. These cases have resulted in massive fines and have shaped how companies approach compliance today.

Case Study: United States v. Google LLC and YouTube, LLC (2019)

  • Backstory: For years, YouTube maintained that it was a general audience platform and that COPPA did not apply. However, it hosted numerous channels with content clearly aimed at children (e.g., nursery rhymes, toy unboxings), and YouTube's own marketing materials promoted the platform to toy companies as a top destination for reaching kids.
  • Legal Question: Could a massive platform like YouTube, which hosts third-party content, be an “operator” subject to COPPA for the child-directed channels on its service?
  • Holding and Impact: The FTC and the New York Attorney General said yes. Google and YouTube agreed to pay a record $170 million ($136 million to the FTC and $34 million to New York) to settle the allegations. The theory of the case, now reflected in FTC guidance, is that a general-audience platform becomes an operator with respect to the child-directed content it hosts once it has actual knowledge that specific channels are child-directed and profits from them (for example, by serving behaviorally targeted ads on those channels). This is why YouTube now requires every creator to designate whether content is “made for kids,” which disables personalized ads, comments, and other features on that content.
Case Study: United States v. Musical.ly (2019)

  • Backstory: Musical.ly, a popular short-form video app that later became TikTok, required users to provide an email address, phone number, name, and bio to create an account. The app was widely used by children under 13, and until October 2016 accounts were public by default, meaning a child's profile could be viewed by anyone.
  • Legal Question: Is an operator liable under COPPA for failing to get parental consent when its platform is overwhelmingly popular with children?
  • Holding and Impact: Musical.ly agreed to pay $5.7 million, the largest COPPA civil penalty at the time. The case highlighted the risk for social media platforms popular with a young audience. It underscored that an operator cannot ignore strong evidence about its own user base, and that claiming ignorance is not a defense. It also emphasized the danger of making children's profiles public by default.
Case Study: United States v. Epic Games, Inc. (2022)

  • Backstory: Epic Games, the creator of the massively popular game Fortnite, was accused of multiple violations. The FTC alleged that Epic collected personal information from players under 13 without parental consent and, critically, enabled live voice and text chat by default for all users, including children. This exposed children to bullying, threats, and harassment from strangers.
  • Legal Question: Do default settings that facilitate communication and data sharing violate COPPA if they are not restricted for users under 13?
  • Holding and Impact: In December 2022 Epic Games agreed to a landmark $520 million settlement: a $275 million civil penalty for the COPPA violations and $245 million in refunds for dark patterns that tricked players into unwanted purchases. The order also requires Epic to keep voice and text communications off by default for children and teens. This was a clear signal from the FTC that privacy-invasive default settings, especially features like open chat, are a major enforcement focus, and that “privacy by design” is treated as a legal expectation rather than a best practice. Companies must build privacy and safety protections into their services from the ground up, not as an afterthought.
Today's Debates and Future Trends

  • The “Teen Privacy” Gap: COPPA's protections end sharply on a child's 13th birthday. Yet a 13- or 14-year-old is arguably just as vulnerable to online manipulation and data exploitation. This has led to a push for new laws, like the proposed federal Kids Online Safety Act (KOSA), which would impose a duty_of_care on platforms to protect minors under 17.
  • The Metaverse and VR: How does COPPA apply in immersive virtual worlds? These technologies can collect unprecedented amounts of personal information, including biometric data like eye movements, gait, and voice patterns. Regulators are grappling with how to apply a law written for websites to these complex new environments.
  • Educational Technology (“EdTech”): The widespread use of apps and online services in schools raises unique COPPA questions. While COPPA allows schools to consent on behalf of parents for educational purposes, there is ongoing debate about how this data can be used by EdTech companies, especially for commercial purposes like advertising.
  • The Rise of State “COPPA 2.0” Laws: Frustrated with federal inaction on teen privacy, states are taking the lead. The most significant is the `california_age-appropriate_design_code_act` (AADC), which was scheduled to take effect in July 2024 but has been blocked by a federal preliminary injunction on First Amendment grounds since 2023 and remains in litigation. It would require online services “likely to be accessed by a child” (under 18) to proactively design their services with the child's best interests in mind. This is a major shift from COPPA's consent-based model to a design-based one, and other states have followed with similar bills.
  • Artificial Intelligence and Machine Learning: How will COPPA regulate AI systems that create detailed profiles of children to personalize content or ads? The ability of AI to make inferences about a child's behavior and interests presents a new frontier for privacy regulation that the current COPPA rule does not explicitly address.
  • Global Harmonization: As more countries enact their own child privacy laws, there will be increasing pressure on businesses and lawmakers to harmonize these standards to reduce compliance complexity and provide consistent protections for children everywhere.

Glossary of Related Terms

  • actual_knowledge: The legal standard meaning you are consciously aware that you are collecting data from a child under 13.
  • child-directed: A term for a website or service that is targeted at children under 13, based on a multi-factor test.
  • coppa_rule: The specific regulation (16 C.F.R. Part 312) issued by the FTC to implement the COPPA statute.
  • data_security: The obligation to take reasonable steps to protect collected personal information from unauthorized access.
  • federal_trade_commission_(ftc): The U.S. federal agency responsible for consumer protection and enforcing COPPA.
  • operator: The individual or business that operates a website or online service and is responsible for its compliance.
  • parental_rights: The rights granted to parents under COPPA, including the right to review and delete their child's data.
  • personal_information: The broad category of data covered by COPPA, including names, addresses, photos, and persistent identifiers.
  • persistent_identifier: A piece of data, like a cookie or device ID, used to recognize a user over time and across different services.
  • privacy_policy: A public-facing legal document that explains how an operator handles personal information.
  • safe_harbor_program: An FTC-approved self-regulatory program that audits and certifies COPPA compliance.
  • verifiable_parental_consent: The requirement to make reasonable efforts to ensure the person giving consent is a child's parent.