Consumer Protection / Federal Law

COPPA

Children's Online Privacy Protection Act of 1998 (15 USC 6501-6505, 16 CFR Part 312)

Legally Required Featured Framework

Federal law protecting online privacy of children under 13 by requiring website and online service operators to obtain verifiable parental consent before collecting personal information from children

Executive Summary

The Children's Online Privacy Protection Act (COPPA) protects the privacy of children under 13 online. COPPA applies to operators of commercial websites/online services directed to children under 13 OR operators with actual knowledge they collect from children under 13. Core requirements include: posting a privacy policy, providing direct notice to parents, obtaining verifiable parental consent before collecting information, honoring parental rights (access/deletion/opt-out), implementing data security, and retaining data only as long as reasonably necessary. The 2013 amendments expanded "personal information" to include persistent identifiers (cookies, IP addresses), geolocation, photos/videos/audio, and extended coverage to third-party plug-ins. The 2025 amendments require separate consent for targeted advertising disclosures, expand personal information to include biometric identifiers, and increase Safe Harbor transparency. The FTC enforces COPPA, with civil penalties of up to $53,088 per violation (2025). Notable cases: Epic Games/Fortnite ($275M), Google/YouTube ($170M), Amazon Alexa ($25M), Microsoft Xbox ($20M).

Comprehensive Documentation

Children's Online Privacy Protection Act (COPPA)

Overview

The Children's Online Privacy Protection Act (COPPA) is the primary federal law protecting the online privacy of children under 13. COPPA imposes requirements on operators of commercial websites and online services directed to children under 13, and on operators of general audience websites/services with actual knowledge they collect personal information from children under 13.

Key Purposes:

  • Protect privacy and personal information of children under 13 online

  • Give parents control over what information websites can collect from their children

  • Establish verifiable parental consent requirements

  • Limit collection and use of children's personal information


Legislative Authority

  • Statute: 15 USC 6501-6505 (Chapter 91 - Children's Online Privacy Protection Act)

  • Regulations: 16 CFR Part 312 (Children's Online Privacy Protection Rule - COPPA Rule)

  • Enacted: October 21, 1998

  • Original Effective Date: April 21, 2000

  • 2013 Amendments Effective: July 1, 2013

  • 2025 Amendments Effective: April 22, 2025


Applicability

Covered Operators

Two categories of operators subject to COPPA:

  1. Operators of websites/online services directed to children under 13

  2. Operators with actual knowledge they are collecting personal information from children under 13


"Operator" Definition: Any person who operates a commercial website or online service directed to children, or any person who operates a commercial website or online service that has actual knowledge that it is collecting personal information from a child.

Exclusions: Nonprofit entities exempt under Section 5 of the FTC Act

"Directed to Children" Test

A website/service is "directed to children" based on totality of circumstances considering:

  • Subject matter

  • Visual content (animated characters, child-oriented activities)

  • Music or audio content

  • Age of models

  • Presence of child celebrities or celebrities appealing to children

  • Language and characteristics

  • Advertising directed to children

  • Competent and reliable empirical evidence regarding audience composition

  • Other evidence of intended audience


Important: No single factor is determinative. Content isn't automatically "directed to children" just because some children may see it - the key is intended audience.

Actual Knowledge Standard

An operator has actual knowledge of a user's age if:

  • Site asks for age information and user provides information indicating under 13

  • Employee recognizes child-directed nature of content

  • Parent or third party informs operator it's collecting from children

  • Operator notified through formal industry standards/conventions


Note: COPPA does not require general audience sites to investigate users' ages. However, asking for age information triggers COPPA if information reveals user is under 13.

Core COPPA Requirements

1. Privacy Policy (16 CFR Sec. 312.4)

Where policy must be posted:

  • Homepage

  • Anywhere personal information collected from children

  • Links must be clear and prominent (larger font or different color on contrasting background)


What policy must include:
  • Types of personal information collected (including public posting capabilities)

  • How operator uses information

  • Disclosure practices (identities/categories of third parties, purposes)

  • Data retention and deletion policy

  • Parental rights

  • Procedures to exercise rights

  • Practices of ALL parties collecting information (including plug-ins, ad networks)


Standard: Clearly and understandably written, complete, with no unrelated or confusing materials.

2. Direct Notice to Parents (16 CFR Sec. 312.4)

Before collecting information, operators must provide direct notice to parents including:

  • Notice operator collected parent's contact info for consent purposes

  • Operator wants to collect personal information from child

  • Parental consent required

  • Specific personal information to be collected

  • Specific third-party identities receiving data (2025 amendment)

  • Disclosure practices

  • Parent's contact info deleted if no consent within reasonable time


Updated notice required if material changes made to practices.

3. Verifiable Parental Consent (16 CFR Sec. 312.5)

Standard: Use methods "reasonably designed in light of available technology" to ensure person giving consent is child's parent.

FTC-Approved Consent Methods (for all uses including external disclosure):

  • Signed consent form (mailed, faxed, electronic scan)

  • Credit/debit card transaction

  • Toll-free call to trained personnel

  • Video conference with trained personnel

  • Government-issued ID verification

  • Knowledge-based authentication (KBA) with dynamic multiple-choice questions

  • Privacy-protective facial age estimation (under FTC review)


"Email Plus" - Internal use only:

  • Email from parent PLUS one of:

    - Delayed email confirmation, OR
    - Phone call to parent, OR
    - Letter to parent

2025 Amendment: Separate consent required for:

  • Targeted advertising disclosures

  • Other third-party disclosures


4. Parental Rights (16 CFR Sec. 312.6)

Parents must be able to:

  • Review personal information collected from their child

  • Stop further collection or use

  • Delete information collected

  • Access information free of charge

  • Make requests without undue burden


Revocation: Parents can revoke consent at any time - operator must stop collecting, using, or disclosing child's information.

No third-party disclosure option: Parents can agree to collection/use while refusing third-party disclosure (unless disclosure integral to service).

Important Limitation: Right to amend does NOT include challenging grades or opinions (applies to education records under FERPA, not COPPA).
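
The consent rules in sections 3 and 4 above can be expressed as a single policy decision an operator's code makes before every use of a child's data. The following is an added example written for this page, not code from the FTC or any Safe Harbor program; the record fields, method names, and the `is_permitted` function are assumptions. It encodes the points above: no use without a verified method, "email plus" sufficient for internal use only, separate opt-ins for third-party and targeted-advertising disclosures (2025), and revocation stopping everything.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional, Tuple


class ConsentMethod(Enum):
    """Consent methods named on this page. EMAIL_PLUS is acceptable for internal use only."""
    NONE = "none"
    EMAIL_PLUS = "email_plus"
    SIGNED_FORM = "signed_consent_form"
    CARD_TRANSACTION = "credit_or_debit_card_transaction"
    TOLL_FREE_CALL = "toll_free_call"
    VIDEO_CONFERENCE = "video_conference"
    GOVERNMENT_ID = "government_issued_id"
    KBA = "knowledge_based_authentication"


# Methods the page lists as valid for all uses, including external disclosure.
FULL_STRENGTH_METHODS = frozenset({
    ConsentMethod.SIGNED_FORM,
    ConsentMethod.CARD_TRANSACTION,
    ConsentMethod.TOLL_FREE_CALL,
    ConsentMethod.VIDEO_CONFERENCE,
    ConsentMethod.GOVERNMENT_ID,
    ConsentMethod.KBA,
})


class Use(Enum):
    INTERNAL = "internal use"
    THIRD_PARTY_DISCLOSURE = "third-party disclosure"
    TARGETED_ADVERTISING = "targeted advertising disclosure"


@dataclass
class ChildConsentRecord:
    """Hypothetical per-child consent state an operator would keep (constructed for this example)."""
    method: ConsentMethod = ConsentMethod.NONE
    verified_at: Optional[datetime] = None
    revoked: bool = False
    third_party_consented: bool = False      # separate opt-in (2025 amendment)
    targeted_ads_consented: bool = False     # separate opt-in (2025 amendment)


def record_consent(method: ConsentMethod, now: Optional[datetime] = None) -> ChildConsentRecord:
    """Create a record after a verification step with the given method succeeded."""
    return ChildConsentRecord(method=method, verified_at=now or datetime.now(timezone.utc))


def revoke(record: ChildConsentRecord) -> None:
    """Parent revokes consent: every downstream use must stop, including the separate opt-ins."""
    record.revoked = True
    record.third_party_consented = False
    record.targeted_ads_consented = False


def is_permitted(record: ChildConsentRecord, use: Use) -> Tuple[bool, str]:
    """Decide whether a given use of a child's personal information is permitted.

    Returns (allowed, reason). Checks run from the most restrictive condition
    down: revocation, then presence of any verified consent, then the strength
    of the method, then the use-specific separate opt-ins.
    """
    if record.revoked:
        return False, "parent revoked consent: stop collecting, using and disclosing"
    if record.method is ConsentMethod.NONE or record.verified_at is None:
        return False, "no verifiable parental consent on file"
    if use is Use.INTERNAL:
        return True, f"internal use permitted under {record.method.value}"
    # Anything beyond internal use needs one of the full-strength methods.
    if record.method not in FULL_STRENGTH_METHODS:
        return False, "email plus is valid for internal use only"
    if use is Use.THIRD_PARTY_DISCLOSURE and not record.third_party_consented:
        return False, "separate consent for third-party disclosure not given"
    if use is Use.TARGETED_ADVERTISING and not record.targeted_ads_consented:
        return False, "separate consent for targeted advertising not given"
    return True, f"{use.value} permitted under {record.method.value}"


if __name__ == "__main__":
    rec = record_consent(ConsentMethod.EMAIL_PLUS)
    for use in Use:
        print(use.value, "->", is_permitted(rec, use))
```

The decision function is deliberately the only place where these rules live, so that every code path that collects, uses or shares a child's data calls it rather than re-deriving the rules; the reason string is meant to be logged, which gives an audit trail for the parental-rights and enforcement questions this page raises.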

5. Data Security (16 CFR Sec. 312.8)

Operator obligations:

  • Establish and maintain reasonable procedures to protect confidentiality, security, and integrity

  • Written information security program with safeguards appropriate to:

    - Sensitivity of information
    - Size and complexity of operations

  • Take reasonable steps to release information only to service providers/third parties capable of maintaining confidentiality, security, integrity

  • Ensure service providers maintain appropriate security safeguards


6. Data Retention and Deletion (16 CFR Sec. 312.10)

Retention standard: Retain children's personal information "for only as long as is reasonably necessary to fulfill purpose for which information was collected"

Deletion requirement: After retention period ends, delete information using reasonable measures to ensure secure destruction

Purpose-driven approach:

  • No specific time period mandated

  • Depends on purpose of collection

  • Consider whether purpose ends with account deletion, subscription cancellation, account inactivity


Enforcement examples:
  • Microsoft Xbox: Delete within two weeks if parent doesn't consent

  • WW/Kurbo: Delete data after one year of app inactivity
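
The purpose-driven retention standard above, and the checklist item later on this page calling for automated deletion of abandoned or inactive accounts, come down to a scheduled job that decides which records are due for destruction. The following is an added example written for this page, not code from the FTC, Microsoft or WW; the account fields and the two retention windows are assumptions, with the windows taken from the enforcement examples above (they are settlement terms for those companies, not deadlines the Rule itself sets).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Retention windows modelled on the enforcement examples on this page. An
# operator sets its own windows from the purpose for which data was collected.
CONSENT_WINDOW = timedelta(days=14)     # Microsoft Xbox: delete if parent does not consent within two weeks
INACTIVITY_LIMIT = timedelta(days=365)  # WW/Kurbo: delete after one year of app inactivity


@dataclass
class ChildAccount:
    """Minimal account record for the sweep (hypothetical fields, constructed for this example)."""
    account_id: str
    created_at: datetime
    last_active_at: datetime
    consent_verified: bool
    deletion_requested: bool = False   # parent exercised the deletion right
    account_closed: bool = False       # purpose of collection ended with the account


def deletion_reason(acct: ChildAccount, now: datetime) -> Optional[str]:
    """Return why the account's personal information must be deleted now, or None to keep it.

    Checks run from most to least definitive: an explicit parental request or a
    closed account always wins; then the consent window for accounts still
    awaiting verifiable parental consent; then the inactivity limit.
    """
    if acct.deletion_requested:
        return "parent requested deletion"
    if acct.account_closed:
        return "purpose ended with account closure"
    if not acct.consent_verified and now - acct.created_at > CONSENT_WINDOW:
        return "no verifiable parental consent within consent window"
    if now - acct.last_active_at > INACTIVITY_LIMIT:
        return "inactive beyond retention period"
    return None


def sweep(accounts: List[ChildAccount], now: datetime) -> List[Tuple[str, str]]:
    """List (account_id, reason) for every account whose data is due for secure destruction."""
    due = []
    for acct in accounts:
        reason = deletion_reason(acct, now)
        if reason is not None:
            due.append((acct.account_id, reason))
    return due


# Constructed sample data with a fixed "now" so the sweep is reproducible.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    # 7 days old, consent still pending: inside the window, keep for now
    ChildAccount("kid-001", SAMPLE_NOW - timedelta(days=7), SAMPLE_NOW - timedelta(days=7), False),
    # 31 days old, consent never arrived: delete
    ChildAccount("kid-002", SAMPLE_NOW - timedelta(days=31), SAMPLE_NOW - timedelta(days=31), False),
    # consented, but last seen 457 days ago: delete for inactivity
    ChildAccount("kid-003", SAMPLE_NOW - timedelta(days=500), SAMPLE_NOW - timedelta(days=457), True),
    # consented and active two days ago: keep
    ChildAccount("kid-004", SAMPLE_NOW - timedelta(days=500), SAMPLE_NOW - timedelta(days=2), True),
    # consented and active, but parent asked for deletion: delete
    ChildAccount("kid-005", SAMPLE_NOW - timedelta(days=90), SAMPLE_NOW - timedelta(days=1), True,
                 deletion_requested=True),
]


if __name__ == "__main__":
    for account_id, reason in sweep(SAMPLE_ACCOUNTS, SAMPLE_NOW):
        print(f"{account_id}: {reason}")
```

The sweep only decides; the actual destruction step should be the operator's existing secure-deletion routine (including backups and copies held by service providers), and the returned reason should be written to an audit log so the operator can show a regulator when and why each record was removed.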


7. Prohibition on Conditional Participation (16 CFR Sec. 312.7)

Core prohibition: Operators cannot condition children's participation in activities on collection of more personal information than is reasonably necessary to participate.

Requirements:

  • Collect only information reasonably necessary for activity

  • Disclose limitation in privacy policy

  • Cannot condition access on disclosure to third parties


Expanded Definition of "Personal Information" (2013/2025)

Personal information includes:

  • First and last name

  • Home or physical address

  • Online contact information (email, username)

  • Screen name or username functioning as online contact information

  • Telephone number

  • Social Security number

  • Persistent identifiers (cookies, IP addresses, device IDs, customer numbers) when used to recognize user over time/across websites

  • Photograph, video, or audio file containing child's image or voice

  • Geolocation information sufficient to identify street name and city/town

  • Information about child or parent that operator collects and combines with identifier above

  • Biometric identifiers (2025 amendment)

  • Government-issued identifiers (2025 amendment)


Exceptions to Verifiable Parental Consent

Support for Internal Operations Exception

Operators can collect persistent identifiers without parental consent when used solely for:

  • Contextual advertising

  • Frequency capping

  • Legal compliance

  • Site analysis

  • Network communications


Restrictions: Information may NEVER be used to contact specific individual, amass profile, or any other purpose.

Other Exceptions

Parental consent not required for:

  • One-time response to specific request (information not used to re-contact child)

  • Obtaining consent (collecting parent's contact info to obtain parental consent)

  • Safety (protecting child's safety, information not used for other purposes)

  • Legal compliance (complying with law enforcement requests)


Safe Harbor Programs (16 CFR Sec. 312.11)

Self-regulatory programs approved by FTC that implement COPPA protections. Operators complying with approved Safe Harbor guidelines deemed in compliance with COPPA.

FTC-Approved Safe Harbor Programs:

  • PRIVO (Privacy Vaults Online, Inc.)

  • iKeepSafe (Internet Keep Safe Coalition)

  • kidSAFE Seal Program

  • ESRB Privacy Certified (Entertainment Software Rating Board)

  • TRUSTe (with modifications)


2025 Safe Harbor Transparency Requirements:
  • Must publicly disclose membership lists

  • Must report additional information to FTC


2025 COPPA Rule Amendments

Effective April 22, 2025:

Key Changes:

  1. Separate Opt-In Consent Required:

    - Operators must obtain separate verifiable parental consent for:
      - Disclosing children's information for targeted advertising
      - Other third-party disclosures

  2. Expanded Personal Information Definition:

    - Biometric identifiers added
    - Government-issued identifiers added

  3. Safe Harbor Transparency:

    - Programs must publicly disclose membership lists
    - Must report additional information to FTC

  4. Third-Party Disclosure Transparency:

    - Must disclose specific third-party identities (not just categories) when obtaining consent

Changes NOT Adopted:

  • Push notification restrictions

  • Educational technology-specific requirements in school environments


FERPA and COPPA Coordination (Schools)

School Official Exception

Under COPPA: Schools can consent on behalf of parents, BUT only if:

  • Information used for school-authorized educational purpose

  • NOT used for any other commercial purpose


FTC Policy: "COPPA is not a barrier to schools providing robust remote learning opportunities through ed tech services"

Ed Tech Provider Prohibitions:

  • Cannot use information for purposes other than educational

  • Cannot use for marketing or advertising to children

  • Cannot retain information longer than necessary for educational purpose


Key Principle: "Bottom-line responsibility for COPPA compliance in school setting is the ed tech company" (Edmodo case, 2023)

Coordination with FERPA:

  • Schools may rely on FERPA's "school official exception" when working with ed tech providers

  • Question: How schools maintain "direct control" over providers under this exception


Enforcement

FTC Enforcement Authority

  • FTC enforces COPPA under Federal Trade Commission Act (15 USC Sec. 6505)

  • COPPA violations constitute unfair or deceptive acts/practices under FTC Act

  • Banking agencies enforce for their respective institutions


State Enforcement Authority (15 USC Sec. 6504)

State attorneys general may:

  • Bring civil actions on behalf of state residents

  • Seek injunctions

  • Enforce compliance

  • Obtain damages or restitution


Civil Penalties

2025: Up to $53,088 per violation (inflation-adjusted annually)
2024: Up to $51,744 per violation

Factors in penalty assessment:

  • Egregiousness of violations

  • Prior violations

  • Number of children involved

  • Amount/type of personal information collected

  • How information was used

  • Whether information shared with third parties

  • Size of company


Notable Enforcement Actions

Epic Games (Fortnite) - 2022/2023:

  • Penalty: $275 million (largest COPPA penalty ever)

  • Violations: Collected personal information from children under 13 without parental notice/consent

  • Additional: $245 million for dark patterns and billing practices


Google/YouTube - 2019:
  • Penalty: $170 million ($136M FTC, $34M New York)

  • Violations: Collected persistent identifiers from children watching child-directed channels without consent; used for behavioral advertising

  • Requirements: Develop system for channel owners to identify child-directed content


TikTok - 2024:
  • Action: FTC filed lawsuit August 2024

  • Allegations: Failed to obtain parental consent; built "back doors" allowing children to bypass age gates using third-party credentials


Amazon (Alexa) - 2023:
  • Penalty: $25 million

  • Violations: Indefinitely retained children's voice recordings; failed to honor parent deletion requests

  • Requirements: Delete inactive child accounts, voice recordings, geolocation data; prohibited from using data to train algorithms


Microsoft (Xbox) - 2023:
  • Penalty: $20 million

  • Violations: Collected personal information from children signing up for Xbox without parental notice/consent

  • Requirements: Delete children's data within two weeks if no parental consent


Edmodo - 2023:
  • Violations: Education technology provider collected data from children without parental consent; used for advertising; outsourced compliance to schools

  • Key Finding: "Bottom-line responsibility for COPPA compliance in school setting is the ed tech company"


Compliance Checklist

Privacy Policy


  • [ ] Post privacy policy on homepage with clear and prominent link

  • [ ] Post privacy policy wherever personal information collected

  • [ ] Include all required elements (types of info, uses, disclosures, retention, parental rights, procedures)

  • [ ] Describe practices of ALL parties collecting info (including third parties)


Direct Notice to Parents


  • [ ] Provide direct notice to parents before collecting information

  • [ ] Include specific personal information to be collected

  • [ ] Include specific third-party identities receiving data (2025)

  • [ ] Explain disclosure practices


Verifiable Parental Consent


  • [ ] Obtain verifiable parental consent using FTC-approved method

  • [ ] Obtain separate consent for targeted advertising (2025)

  • [ ] Obtain separate consent for third-party disclosures (2025)

  • [ ] Use "email plus" only for internal use (not external disclosure)


Parental Rights


  • [ ] Allow parents to review child's information

  • [ ] Allow parents to stop further collection/use

  • [ ] Allow parents to delete child's information

  • [ ] Provide access free of charge

  • [ ] Process requests without undue burden


Data Security


  • [ ] Implement written information security program

  • [ ] Establish reasonable procedures to protect confidentiality, security, integrity

  • [ ] Ensure service providers can maintain appropriate safeguards


Data Retention and Deletion


  • [ ] Retain data only as long as reasonably necessary

  • [ ] Delete data using reasonable measures for secure destruction

  • [ ] Implement automated deletion processes for abandoned/inactive accounts


Conditional Participation


  • [ ] Collect only information reasonably necessary for activity

  • [ ] Do NOT condition participation on excessive information collection

  • [ ] Disclose limitation in privacy policy


School Context (If Applicable)


  • [ ] Obtain school authorization for educational use

  • [ ] Use information ONLY for school-authorized educational purposes

  • [ ] Do NOT use for marketing, advertising, or non-educational purposes

  • [ ] Do NOT retain longer than necessary for educational purpose

  • [ ] Understand school authorization does NOT relieve COPPA obligations


Related Frameworks

  • FERPA: Student education records privacy (overlaps with COPPA for schools using ed tech)

  • PPRA: Protection of Pupil Rights Amendment (surveys/evaluations involving students)

  • IDEA: Individuals with Disabilities Education Act (additional privacy protections)

  • State Privacy Laws: Some states have additional children's privacy laws

  • GDPR: EU privacy law with special protections for children under 16


Resources

Official Sources


  • FTC Children's Privacy: https://www.ftc.gov/business-guidance/privacy-security/childrens-privacy

  • 15 USC Chapter 91: https://uscode.house.gov/view.xhtml?path=/prelim@title15/chapter91&edition=prelim

  • 16 CFR Part 312: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312

  • COPPA Rule: https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa

  • COPPA FAQ: https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions

  • Six-Step Compliance Plan: https://www.ftc.gov/business-guidance/resources/childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business

  • Safe Harbor Programs: https://www.ftc.gov/enforcement/coppa-safe-harbor-program

  • Verifiable Parental Consent: https://www.ftc.gov/business-guidance/privacy-security/verifiable-parental-consent-childrens-online-privacy-rule

  • 2025 Amendments: https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-finalizes-changes-childrens-privacy-rule-limiting-companies-ability-monetize-kids-data

  • 2025 Penalties: https://www.ftc.gov/news-events/news/press-releases/2025/02/ftc-publishes-inflation-adjusted-civil-penalty-amounts-2025

Applicable Industries

  • Educational Technology (EdTech)

  • Gaming and Mobile Apps

  • Social Media and Video Platforms

  • IoT and Smart Device Manufacturers

  • Website and Online Service Operators

  • Advertising Networks and Third-Party Plug-ins

  • Children's Entertainment

  • Toy Manufacturers with Connected Products

  • Streaming Services

  • Any Commercial Website/Service Directed to Children Under 13

Company Size

All operators of commercial websites/online services directed to children under 13 OR with actual knowledge collecting from children under 13, regardless of company size

Effective Date

4/21/2000

Penalties for Non-Compliance

FTC Civil Penalties: Up to $53,088 per violation (2025 inflation-adjusted); State AG enforcement: Injunctions, damages, restitution; Notable penalties: Epic Games ($275M), Google/YouTube ($170M), Amazon Alexa ($25M), Microsoft Xbox ($20M)

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.

Applicable Massachusetts Industries

Educational Technology (EdTech)
Gaming and Mobile Apps
Social Media and Video Platforms
IoT and Smart Device Manufacturers
Website and Online Service Operators
Advertising Networks and Third-Party Plug-ins
Children's Entertainment
Toy Manufacturers with Connected Products
Streaming Services
Any Commercial Website/Service Directed to Children Under 13