COPPA: Children's Online Data Protection Standards
The Children's Online Privacy Protection Act establishes a federal baseline for how operators of websites and online services must handle personal data collected from children under age 13. Administered by the Federal Trade Commission, COPPA creates specific obligations around parental consent, data disclosure, and retention limits that apply across commercial online services operating in the United States. This page describes COPPA's statutory scope, operational mechanics, common compliance scenarios, and the classification boundaries that determine whether an operator falls under the rule's authority.
Definition and Scope
COPPA was enacted in 1998 and is codified at 15 U.S.C. §§ 6501–6506. The implementing regulation, the COPPA Rule (16 C.F.R. Part 312), was significantly revised by the FTC in 2013 and governs the practical obligations that operators must satisfy. The rule applies to two distinct categories of covered entities:
- Operators directed to children under 13 — websites or online services whose primary audience is children, as determined by subject matter, visual or audio content, animated characters, music, or advertising targeting.
- General audience operators with actual knowledge — platforms not primarily directed to children that nonetheless have actual knowledge they are collecting personal information from a child under 13.
"Personal information" under the COPPA Rule extends beyond names and addresses. It includes persistent identifiers (cookies, IP addresses, device IDs), geolocation data precise enough to identify a street-level address, photographs, videos, audio files, and — following the 2013 update — screen names or user names that function as online contact information. The FTC's COPPA FAQs specify that the definition of personal information is intentionally broad to anticipate evolving data collection technologies.
COPPA does not extend to data collected from teenagers between 13 and 17. That gap is addressed by other frameworks covered under state-data-privacy-laws-comparison and emerging-federal-privacy-legislation.
How It Works
Compliance under COPPA is structured around five operational requirements:
- Privacy Notice — Operators must post a clear, comprehensive privacy policy on their homepage and at each point where personal information is collected from children. The notice must identify what data is collected, the purpose, and the disclosure practices.
- Verifiable Parental Consent (VPC) — Before collecting, using, or disclosing personal information from a child under 13, operators must obtain consent from a parent or legal guardian. The FTC accepts approved consent mechanisms including signed forms, credit card transactions, toll-free phone calls, and video conferencing.
- Parental Rights — Parents must be able to review personal information collected from their child, request deletion, and revoke consent for future collection at any time.
- Data Minimization — Operators may collect only the personal information strictly necessary to provide the service. This principle intersects with the broader framework described in data-minimization-principles.
- Data Retention and Deletion — Personal information collected from children must be retained only as long as reasonably necessary to fulfill the purpose of collection and then securely deleted. Standards for deletion timelines align with practices described in data-retention-disposal-standards.
The FTC maintains a Safe Harbor program under which industry groups can develop self-regulatory guidelines. Organizations operating under FTC-approved safe harbors — such as the kidSAFE Seal Program or CARU's COPPA Safe Harbor — must submit to independent monitoring and audit, but receive streamlined regulatory treatment in exchange.
Common Scenarios
Mixed-audience platforms — A general-audience social media or gaming platform that does not screen user age but receives actual knowledge (for example, through a child disclosing age in profile data or a support ticket) must immediately stop collecting data from that user and obtain parental consent before resuming service.
Third-party advertising networks — Ad networks that serve ads on child-directed sites are independently covered by COPPA, not just the site operator. The FTC's 2012 enforcement action against operators including Tic Toc Toe established that plug-in operators bear direct responsibility. Third-party vendor obligations are detailed in third-party-vendor-data-security.
Education technology — School-based operators fall under a limited exception: schools may provide consent on behalf of parents when an educational technology service is used solely for educational purposes and the operator collects only the minimum data necessary. This exception does not extend to commercial purposes. The intersection with ferpa-educational-records-protection creates overlapping obligations for records held by educational institutions.
Mobile applications — App stores and app developers who offer child-directed apps are both potentially covered. The FTC has brought enforcement actions specifically targeting app developers who failed to disclose data sharing with third-party analytics and advertising SDKs embedded in children's apps.
Decision Boundaries
The threshold question in COPPA analysis is whether a service is "directed to children." The FTC applies a multi-factor test examining subject matter, visual and musical content, age of models, presence of child celebrities, and advertising directed to children. A service need not exclusively target children to qualify — a significant child-directed component is sufficient.
Directed to children vs. general audience with knowledge — These two categories carry different consent obligations. Directed-to-children operators must obtain consent prior to any collection. General-audience operators with actual knowledge may use a neutral age-screen mechanism, but once actual knowledge is established, collection must halt until consent is verified.
Passive vs. active collection — Persistent identifiers collected automatically (IP addresses, cookies) trigger COPPA obligations if the operator is covered, even absent any affirmative data submission by the user. This is a meaningful distinction from frameworks like ccpa-cpra-compliance-reference, where opt-out mechanisms may suffice for adults.
Civil penalty exposure — The FTC can seek civil penalties up to $51,744 per violation per day under COPPA (FTC Civil Penalty Adjustments, 16 C.F.R. § 1.98). The 2022 settlement with WW International (formerly Weight Watchers) required a $1.5 million civil penalty payment related to collection of children's data through its Kurbo app, as announced in the FTC press release.
Enforcement patterns, penalty structures, and the FTC's broader data security authority are examined in ftc-data-security-enforcement and data-protection-penalties-enforcement.
References
- Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506
- COPPA Rule, 16 C.F.R. Part 312 — Electronic Code of Federal Regulations
- FTC: Complying with COPPA — Frequently Asked Questions
- FTC Civil Penalty Adjustments, 16 C.F.R. § 1.98
- FTC Press Release: WW International (Kurbo) $1.5 Million COPPA Settlement, 2022
- FTC Press Release: 2012 Child-Directed App Enforcement Actions
- Federal Trade Commission — COPPA Overview