COPPA: Children's Online Privacy Protection
The Children's Online Privacy Protection Act establishes a federal framework governing the collection, use, and disclosure of personal information from children under 13 by operators of websites and online services directed to children, or operators with actual knowledge they are collecting such data. Administered by the Federal Trade Commission, COPPA carries significant civil penalty exposure and applies across commercial operators regardless of where the company is headquartered, provided the service reaches U.S.-based children. This reference covers the statute's scope, operational mechanics, common compliance scenarios, and the classification boundaries that determine when COPPA obligations attach.
Definition and Scope
COPPA is codified at 15 U.S.C. §§ 6501–6506 and implemented through the FTC's COPPA Rule, 16 C.F.R. Part 312. The statute was enacted in 1998 and substantially amended by the FTC in 2013. A further proposed rulemaking published by the FTC in January 2024 sought to expand protections around push notifications, targeted advertising to children, and data retention limits (FTC COPPA Rule Review, 2024).
Covered operators include any person or entity operating a commercial website or online service directed to children under 13, or any general-audience operator with actual knowledge that a child under 13 is providing personal information. Non-profit organizations are expressly excluded from COPPA's definition of "operator."
Covered personal information includes, but is not limited to:
- Full name
- Home or physical address
- Online contact information (email address, instant messaging ID)
- Screen name or username linked to other personal information
- Telephone number
- Social Security number
- Persistent identifiers (cookies, device IDs, IP addresses used to recognize a user over time)
- Photographs, video, or audio files containing a child's image or voice
- Geolocation data sufficient to identify street name and city
- Any other information collected from a child combined with the above identifiers
The "directed to children" determination is fact-specific and evaluated by the FTC using factors that include subject matter, visual or audio content, use of animated characters, and the site's actual audience composition. General-audience platforms where child-directed content exists in a defined section can sometimes apply a mixed-audience operator classification, which carries modified obligations. The broader landscape of US privacy laws and regulations situates COPPA alongside FERPA, HIPAA, and state-level frameworks.
How It Works
COPPA compliance is structured around six core operational obligations for covered operators:
- Privacy notice: A clear, comprehensive privacy policy posted on the homepage and at every point where personal information is collected from children. The policy must identify all operators collecting data through the site, describe what information is collected, how it is used, and the disclosure practices.
- Verifiable parental consent: Before collecting, using, or disclosing personal information from a child, the operator must obtain verifiable parental consent. Acceptable consent mechanisms, defined at 16 C.F.R. § 312.5, include signed consent forms returned by mail or fax, use of a credit card in connection with a transaction, toll-free telephone call confirmation, video conference, and government-issued ID verification. Email-plus-confirmation satisfies consent only in limited low-risk contexts.
- Direct notice to parents: Operators must provide parents with direct notice of data collection practices before seeking consent. This notice must be written in plain language and cannot contain marketing language or unrelated content.
- Parental rights: Parents retain the right to review personal information collected from their child, direct the operator to delete it, and refuse further collection. Operators must establish procedures for honoring these requests.
- Data minimization and retention limits: Under the 2013 amendments and proposed 2024 updates, operators may retain children's data only as long as reasonably necessary to fulfill the purpose for which it was collected. The principle of data minimization is embedded directly in COPPA's regulatory structure.
- Confidentiality and security: Operators must implement reasonable security procedures protecting the confidentiality, security, and integrity of children's personal information.
Civil penalties for COPPA violations are assessed per violation, per day. The FTC has obtained penalties exceeding $91 million in a single enforcement action (FTC v. YouTube/Google, 2019, FTC enforcement record), making COPPA one of the highest-exposure statutes in the federal privacy framework.
Common Scenarios
Ed-tech platforms: Schools and school districts that authorize an operator to collect student data on behalf of an educational institution can provide consent in place of parents under the school-official exception established in 16 C.F.R. § 312.5(b)(1). This applies only when the data use is restricted to the educational context and no commercial purpose is served. The intersection of COPPA and FERPA (the federal education privacy statute) is a common compliance challenge for ed-tech operators.
Mixed-audience platforms: A general social media or gaming platform that does not direct its service to children but encounters users under 13 can segment child-directed areas and apply COPPA only to those sections, provided the platform does not knowingly collect data from child users outside the segment. Self-reported age at account creation, without additional verification, does not insulate operators from "actual knowledge" liability if behavioral or registration signals indicate a child user.
Third-party plug-ins and SDKs: Ad networks, analytics providers, and social sharing widgets embedded on child-directed sites are independently covered as "operators" if they collect personal information from the child audience. The primary site operator also bears responsibility for disclosing third-party data collection in its privacy policy. Third-party data sharing rules and vendor privacy management frameworks directly implicate COPPA obligations in these configurations.
Mobile applications: Apps marketed through app stores to children, or apps with child-oriented content regardless of age-gate disclaimers, qualify as child-directed services. The FTC has consistently rejected the position that app store age verification substitutes for operator-level parental consent.
Decision Boundaries
The critical compliance question under COPPA is whether COPPA obligations attach at all — a determination driven by two independent triggers:
Trigger 1 — Service directed to children: The FTC applies a totality-of-circumstances test. A service is "directed to children" based on subject matter, visual content, use of child celebrities or child-oriented activities, music, animated characters, age of models used, and advertising on the service. A site with a broad general audience can still qualify as child-directed for specific sections. Contrast this with a general-audience platform that makes no child-specific content decisions — that platform avoids child-directed classification unless Trigger 2 applies.
Trigger 2 — Actual knowledge: An operator of a general-audience service acquires actual knowledge when a child's age is self-reported during registration, when a parent contacts the operator about a child's account, or when internal evidence (behavioral analytics, account flags) makes the user's age apparent. Constructive knowledge — what the operator "should have known" — does not meet the statutory threshold for general-audience operators, but the FTC has pursued enforcement where operators systematically avoided age verification to maintain plausible deniability.
Age gate sufficiency: A numeric age gate asking users to self-report age, without any secondary verification, is not sufficient to prevent actual knowledge liability if the operator subsequently observes indicators of child users. Age-neutral design choices that attract child audiences can shift the directed-to-children classification even when the operator claims general-audience intent.
State law overlay: COPPA does not preempt state laws offering greater protection. California, for instance, enacted the Age-Appropriate Design Code Act (AB 2273), which imposes data protection impact assessment requirements for services likely accessed by users under 18 — a broader population than COPPA's under-13 threshold. A comparison of state privacy laws captures these divergences across jurisdictions.
The consent management frameworks that operators implement for adult users require substantive modification to satisfy COPPA's verifiable parental consent standard — standard opt-in consent flows built for adult compliance do not transfer.
References
- Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506
- FTC COPPA Rule, 16 C.F.R. Part 312 — eCFR
- Federal Trade Commission — COPPA Rule Overview and Enforcement
- FTC Press Release — Google/YouTube $170 Million COPPA Settlement (2019)
- FTC Business Guidance — Complying with COPPA: Frequently Asked Questions