Children's Online Privacy Protection Act
COPPA is a US law, enforced by the FTC, requiring online services to obtain verifiable parental consent before collecting personal information from children under 13 and to handle that data responsibly. Violations can bring very large civil penalties and ongoing compliance obligations.
What COPPA Is and Why It Exists
The Children's Online Privacy Protection Act (COPPA) is a US federal law, effective in 2000 and implemented through the Federal Trade Commission's COPPA Rule, that governs how online services collect and use personal information from children under the age of 13. It requires operators to obtain verifiable parental consent before collecting such information and to handle it responsibly. The FTC enforces the rule and periodically updates it to reflect new technologies.
COPPA exists because children are uniquely vulnerable online and cannot meaningfully consent to data collection. The law shifts that responsibility to parents and imposes duties on the services children use.
Who It Applies To
COPPA applies to operators of websites and online services directed to children under 13, and to operators of general-audience services that have actual knowledge they are collecting personal information from such children. This includes apps, connected toys, ad networks, and plug-ins. The law applies regardless of where the operator is based if the service targets US children.
Key Requirements
- Privacy notice: operators must post a clear notice describing what they collect, how they use it, and their disclosure practices.
- Verifiable parental consent: operators must obtain consent from a parent before collecting personal information, using methods reasonably designed to confirm the consenting person is a parent.
- Data minimization: collect only what is reasonably necessary for the activity.
- Parental rights: parents can review their child's information, revoke consent, and request deletion.
- Security and retention: maintain reasonable security and retain data only as long as needed.
Penalties for Non-Compliance
The FTC can pursue civil penalties for COPPA violations, with maximum per-violation amounts that are adjusted for inflation and can total very large sums across many affected children. The agency has secured multimillion-dollar and even larger settlements against major platforms. State attorneys general can also bring actions. Beyond fines, settlements often impose ongoing compliance obligations and deletion of unlawfully collected data.
How to Comply
- Determine whether your service is child-directed or has actual knowledge of child users.
- Post a compliant privacy notice and minimize the data you collect from children.
- Implement a verifiable parental-consent mechanism appropriate to your data uses.
- Provide parents with access, revocation, and deletion options.
- Limit retention, secure children's data, and vet any third parties that receive it.
Building child-privacy protections in from the start is far easier than retrofitting them, and aligns with privacy-by-design principles.
Updated Rules and the Wider Children's-Privacy Landscape
The FTC has continued to strengthen the COPPA Rule, with updates tightening consent, data-retention limits, and security expectations, and clarifying obligations around third parties and persistent identifiers used for behavioral advertising. COPPA now sits within a broader children's-privacy movement that includes state laws and international regimes such as the UK's Age Appropriate Design Code, several of which reach teenagers as well as younger children. For product teams, the durable strategy is to design with children's privacy as a default: minimize collection, avoid unnecessary tracking, provide robust parental controls, and build verifiable consent flows that can adapt as overlapping legal requirements continue to expand.