Children's Privacy Law

    What is COPPA?

    Complete guide to the Children's Online Privacy Protection Act - the US federal law protecting children under 13 online.

    Updated: January 17, 2025 (8 min read)

    The Children's Online Privacy Protection Act (COPPA) is a United States federal law enacted in 1998 and enforced by the Federal Trade Commission (FTC). COPPA protects the privacy of children under 13 years old by requiring website operators and online services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children.

    COPPA applies to operators of commercial websites and online services (including mobile apps and IoT devices) that are directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13.

    Key Fact

    COPPA applies regardless of where your business is located - if you operate a website or service accessible to US children, you must comply.

    Who Does COPPA Apply To?

    COPPA applies to operators of commercial websites and online services in two main scenarios:

    Websites & Online Services

    Directed to children under 13 or with actual knowledge of collecting children's personal information

    Mobile Apps for Children

    Apps designed for and marketed to children under 13 years old

    General Audience Sites

    Websites with sections or services directed to children, even if the main site is for adults

    What "Directed to Children" Means

    The FTC considers several factors: subject matter, visual content, use of animated characters, child-oriented activities, music or language, age of models, presence of child celebrities, advertising targeting children, and competent evidence about the site's audience.

    Key COPPA Requirements

    If COPPA applies to your website or online service, you must comply with these six requirements:

    Privacy Policy

    Post a clear and comprehensive privacy policy describing data practices

    Parental Notice

    Provide direct notice to parents about data collection practices

    Verifiable Parental Consent

    Obtain verifiable consent from parents before collecting children's information

    Data Security

    Maintain reasonable procedures to protect collected children's information

    Parental Access

    Allow parents to review, delete, or refuse further collection of their child's information

    Data Retention Limits

    Retain children's personal information only as long as necessary for the purpose collected

    What is "Personal Information" Under COPPA?

    COPPA defines personal information broadly to include information that can be used to identify, contact, or locate a child:

    • First and last name
    • Home or physical address including street name and city
    • Email address or other online contact information
    • Screen name or username that functions as online contact information
    • Telephone number
    • Social Security number
    • Persistent identifier (IP address, device ID, cookies)
    • Photograph, video, or audio file containing a child's image or voice
    • Geolocation information
    • Information about the child or parent combined with an identifier

    Verifiable Parental Consent Methods

    COPPA requires operators to use reasonable efforts to obtain verifiable parental consent. Acceptable methods include:

    1. Credit Card Verification

    Obtaining a credit card number or other payment method to verify the parent's identity (small transaction or charge).

    2. Government-Issued ID

    Having the parent provide a copy of a driver's license or other government-issued ID that can be checked against a database.

    3. Video Conference

    Conducting a video conference with the parent to verify their identity using a form of photo ID.

    4. Email Plus Method

    For certain limited uses (internal operations only), an email to the parent with follow-up confirmation may be sufficient.

    Privacy Policy Requirements

    Your COPPA-compliant privacy policy must include:

    • Contact information for all operators collecting or maintaining children's personal information
    • Types of personal information collected from children
    • How the information is collected (directly or passively)
    • How the information will be used
    • Whether information is disclosed to third parties, and if so, which types of businesses
    • Parental rights including the right to review, delete, and refuse further collection
    • Statement that parental consent is required before collecting children's information

    Exceptions to Parental Consent Requirement

    COPPA allows collection of a child's email address without parental consent in limited situations:

    One-Time Communication

    To respond to a one-time request from a child, as long as the email is not retained after response.

    Safety or Security

    To protect the safety of a child participating on the site, but only used for safety purposes.

    Notify Parent

    To obtain parental consent or notify the parent about the child's participation.

    Legal Compliance

    To respond to law enforcement requests or comply with legal requirements.

    Penalties for Non-Compliance

    The FTC can impose substantial civil penalties for COPPA violations:

    Civil Penalties

    Up to $51,744 per violation

    Each instance of collecting information from a child without parental consent can be considered a separate violation.

    Notable Settlements

    Recent major COPPA settlements include:

    • YouTube: $170 million (2019)
    • TikTok: $5.7 million (2019)
    • Epic Games: $275 million (2022)

    Age Gating and Neutral Age Screening

    Many operators use age gating to comply with COPPA. Important considerations:

    Neutral Age Screening

    Age screens must be neutral and not encourage children to falsify their age. For example, don't show different content based on age before the user submits.

    ✓ Good Practice

    Simple date of birth entry without showing what happens after submission.

    ✗ Bad Practice

    Showing a preview of "cool features" that unlock when users claim to be older.

    How to Comply with COPPA

    1. Determine if COPPA Applies

    Assess whether your website or service is directed to children or collects information from children under 13.

    2. Post a Privacy Policy

    Create and prominently post a comprehensive privacy policy that meets all COPPA requirements.

    3. Implement Age Gating

    Use neutral age screening to determine if users are under 13 before collecting any personal information.

    4. Establish Parental Consent Process

    Implement a method for obtaining and verifying parental consent before collecting children's information.

    5. Provide Parental Access

    Create procedures allowing parents to review, delete, or opt out of further collection of their child's information.

    6. Maintain Security & Data Retention Policies

    Implement reasonable security measures and retain children's information only as long as necessary.
