COPPA: Children's Online Data Protection Standards

The Children's Online Privacy Protection Act establishes federal requirements governing how operators of websites and online services collect, use, and disclose personal information from children under 13. Enforced by the Federal Trade Commission, COPPA applies to commercial operators targeting children or with actual knowledge that a child is using their service. The regulatory scope reaches across mobile apps, connected toys, educational platforms, and advertising networks — making it one of the broadest-reaching data protection frameworks in the US consumer technology sector.

Definition and scope

COPPA was enacted in 1998 and implemented through the FTC's COPPA Rule (16 CFR Part 312), which was substantially updated in 2013 to address mobile applications, plug-ins, and behavioral advertising. The statute defines "child" as any person under 13 years of age and "personal information" to include a specific enumerated list: full name, home address, email address, telephone number, Social Security number, geolocation data, photographs, audio or video files containing a child's image or voice, persistent identifiers used for behavioral tracking, and any information combined with the foregoing that makes a child individually identifiable.

The rule's jurisdictional reach covers two categories of operators:

  1. Operators of websites or online services directed to children, determined by subject matter, visual content, animated characters, use of child celebrities, and advertising on the platform.
  2. Operators of general-audience services that have actual knowledge that a particular user is a child under 13.

The FTC uses a totality-of-circumstances analysis to classify a service as child-directed, meaning a single demographic factor rarely settles the question. Mixed-audience platforms — services where both adults and children are foreseeable users — face a separate analytical framework under FTC guidance.

Operators subject to COPPA must post a clear and comprehensive privacy notice linked on the homepage and at each point of data collection, obtain verifiable parental consent before collecting personal information from children, and maintain reasonable data security standards for retained records. For a broader landscape of US data protection obligations, the data protection providers section catalogs regulatory frameworks by sector and jurisdiction.

How it works

COPPA compliance operates through a structured pre-collection gatekeeping model rather than a post-collection remediation model. The required steps function in sequence:

  1. Age screening — Operators must establish whether a user is under 13 before collecting personal information. Neutral age screens (asking for birth date rather than simply asking "Are you 13?") are the FTC-recognized baseline method.
  2. Parental notice — A direct notice must be delivered to the parent at the point of collection, separately from the general site privacy policy.
  3. Verifiable parental consent (VPC) — Consent must be obtained through a method reasonably calculated to ensure it is provided by the parent. Acceptable methods include signed consent forms returned by mail or fax, credit card transactions, toll-free telephone calls, video conferencing, and government-issued ID verification. Email combined with a follow-up confirmation message is acceptable only when the information is collected for internal use, not for public disclosure of the child's data.
  4. Ongoing rights management — Parents retain the right to review the information collected from their child, direct its deletion, and refuse further collection — even after initial consent.
  5. Data minimization and retention limits — Operators may retain personal information only as long as necessary to fulfill the purpose for which it was collected, after which it must be deleted.

The 2013 rule update expanded the definition of personal information to capture persistent identifiers and geolocation data, directly addressing tracking-based advertising ecosystems. Operators participating in FTC-approved COPPA Safe Harbor Programs — such as those administered by kidSAFE Seal Program and PRIVO — can satisfy compliance through membership in an approved self-regulatory organization, subject to that organization's auditing standards.

Common scenarios

COPPA enforcement and compliance questions arise across predictable operator categories:

Educational technology platforms — EdTech services deployed in K–12 schools can rely on the school-consent exception, under which a school may authorize data collection on behalf of parents for educational purposes only. This exception does not extend to commercial uses of student data.

Mobile gaming and apps — App stores are not themselves operators under COPPA, but individual app developers are. A free-to-play game with no age gate that markets to children through animated characters is presumptively child-directed regardless of whether the developer sought a children's audience.

Advertising networks and plug-ins — A third-party advertising SDK embedded in a child-directed app becomes a covered operator with actual knowledge of the audience. The FTC's 2014 action against Yelp and 2016 settlement with InMobi established that both the app operator and the ad network can bear independent liability.

Connected devices and voice assistants — Internet-connected toys and voice-enabled devices that collect audio from users in a home environment where children are foreseeable users fall within COPPA scope. The FTC and the Department of Justice reached a $5.8 million settlement with Amazon in 2023 over Alexa's retention of children's voice recordings.

Decision boundaries

The primary analytical distinctions in COPPA compliance involve classifying the operator type and the applicable consent pathway:

Child-directed vs. mixed-audience: A purely child-directed service must apply COPPA protections to all users without age screening. A mixed-audience service may apply age screening and restrict COPPA protections to users who identify as under 13. A general-audience service with no child-directed content triggers COPPA only upon actual knowledge of a child user.

Operator vs. third-party: The primary operator of the website or app holds first-tier responsibility. Third parties — including analytics providers, ad networks, and social plug-ins — hold independent responsibility when they have actual knowledge they are collecting data on a child-directed platform.

Internal use vs. third-party disclosure: The email-plus confirmation method for VPC is available only for internal-use collection. Any intended disclosure to third parties requires a more robust verification method.

School consent vs. parental consent: School consent is a narrow carve-out limited to educational purposes within the school context. It does not substitute for parental consent when operator data use extends beyond the educational service relationship.

Civil penalty exposure under COPPA reaches up to $51,744 per violation per day under the FTC Act's penalty inflation adjustments. The FTC maintains enforcement authority, and the section describes how US data protection authorities are organized relative to each other. Professionals navigating operator classification and consent pathway selection within the COPPA framework are identified in the how-to-use-this-data-protection-resource reference.
