COPPA: Children's Online Privacy Protection
The Children's Online Privacy Protection Act (COPPA) establishes the federal framework governing how operators of websites and online services collect, use, and disclose personal information from children under 13 in the United States. Enforced by the Federal Trade Commission, COPPA creates compliance obligations that span commercial websites, mobile apps, connected devices, and third-party advertising networks. The law carries civil penalty exposure that can reach into the millions of dollars per violation, making it a high-stakes regulatory boundary for any digital service with child audiences.
Definition and scope
COPPA was enacted in 1998 and took effect in April 2000 (15 U.S.C. §§ 6501–6506). The implementing regulation — the COPPA Rule, codified at 16 C.F.R. Part 312 — was substantially revised by the FTC in 2013 and is currently under further rulemaking review.
The statute applies to two categories of operators:
- Operators of websites or online services directed to children under 13 — regardless of whether operators know they are collecting children's data.
- Operators of general-audience websites or online services who have actual knowledge they are collecting personal information from a child under 13.
"Personal information" under COPPA is defined broadly by the FTC's rule to include full name, home address, email address, telephone number, Social Security number, persistent identifiers (such as cookies or device IDs used to track a child across sites), geolocation data precise enough to identify street name and city, photos, videos, and audio files containing a child's image or voice (16 C.F.R. § 312.2).
COPPA does not apply to nonprofits, though the FTC has noted that some nonprofit structures may fall under the rule depending on commercial activity. The statute also does not govern offline data collection.
How it works
Compliance under COPPA operates through five discrete obligations:
- Privacy notice — Operators must post a clear, comprehensive privacy policy on their homepage and at every point where personal information is collected from children.
- Verifiable parental consent — Before collecting personal information from a child, the operator must obtain verifiable parental consent. Acceptable methods include signed consent forms returned by mail or fax, credit or debit card transactions (with notice of the charge), toll-free phone calls, video conferencing, and — under the 2013 rule — electronic identity verification systems.
- Access and deletion rights — Parents have the right to review personal information collected from their child, request deletion, and refuse further collection without consenting to the site's other services.
- Data minimization and retention limits — Operators may collect only as much personal information as is reasonably necessary for the activity for which it was collected, and must retain data no longer than necessary.
- Data security — Operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (16 C.F.R. § 312.8).
The FTC also operates a Safe Harbor program under 16 C.F.R. § 312.11, through which industry-developed self-regulatory guidelines may be approved as COPPA-compliant frameworks. Operators subject to an approved Safe Harbor program are deemed compliant when they follow its guidelines.
Civil penalties under COPPA can reach $51,744 per violation as of the FTC's 2023 adjusted penalty schedule (FTC Civil Penalty Adjustments, 88 Fed. Reg. 3,051 (Jan. 18, 2023)). The FTC has assessed penalties exceeding $170 million in a single action — the 2019 YouTube/Google settlement — making COPPA enforcement among the most consequential in FTC history.
Common scenarios
COPPA compliance issues arise across a predictable set of operator scenarios:
Child-directed apps and games — A mobile gaming app that collects device identifiers or email addresses for account creation from users under 13 must obtain verifiable parental consent before any data flows, including to third-party ad networks embedded in the app.
Mixed-audience platforms — A general-audience social media or video platform that receives signals of underage users (through age gate failures or behavioral evidence) triggers COPPA's "actual knowledge" standard. The 2019 FTC action against Google/YouTube turned substantially on YouTube's actual knowledge of child viewership on channels designated as child-directed by their creators.
Third-party plug-ins — Ad networks, analytics SDKs, and social sharing buttons embedded on child-directed sites are themselves treated as operators under COPPA when they collect personal information. A first-party website operator can face liability for third-party data collection it enables.
Ed-tech platforms — Schools and school districts can authorize operators to collect student data in lieu of parental consent, but only for educational purposes. The FTC's guidance on COPPA and schools restricts commercial use of data collected under school authorization.
Decision boundaries
Distinguishing COPPA applicability from non-applicability requires analysis along three axes:
Age threshold — COPPA applies exclusively to children under 13. Operators serving users 13 and older are not subject to COPPA for those users, though state laws (notably California's Age-Appropriate Design Code, A.B. 2273) extend analogous protections to minors under 18.
Directed-to-children vs. general audience — The FTC applies a multi-factor test to determine whether a site is "directed to children," weighing subject matter, visual and audio content, use of animated characters, celebrities popular with children, and whether child-oriented activities are featured. A site that meets this threshold is subject to COPPA for all users, not only verified minors. A general-audience site with no child-directed features is subject to COPPA only upon actual knowledge.
COPPA vs. FERPA — The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99) governs educational records held by schools receiving federal funding. FERPA and COPPA can apply simultaneously to ed-tech platforms — FERPA governs the school's obligation to protect student records; COPPA governs the operator's obligation regarding online data collection from children. The two regimes do not substitute for each other.
COPPA vs. state minors' privacy laws — COPPA sets a federal floor. California's COPPA counterpart — the California Online Privacy Protection Act — and the Age-Appropriate Design Code impose additional requirements for operators serving California minors.