COPPA Compliance Guide: Children's Online Privacy Protection (2026)

Children interact with websites, apps, and connected devices at younger ages every year. The Children's Online Privacy Protection Act, known as COPPA, is the primary federal law governing how companies collect and use personal information from children under 13. Enacted in 1998 and enforced by the Federal Trade Commission, COPPA places specific obligations on operators of commercial websites, online services, and mobile applications.
This guide breaks down who COPPA applies to, what it requires, how the FTC enforces it, and what changes are on the horizon. For broader context on family and child-related legal frameworks, see our United States Child Support Laws hub.
What Is COPPA and Why Does It Exist?
Congress passed the Children's Online Privacy Protection Act in 1998 (15 U.S.C. §§ 6501-6506) to give parents control over what personal information companies collect from young children online. The law took effect on April 21, 2000, when the FTC's implementing regulation, the COPPA Rule (16 C.F.R. Part 312), became enforceable.
The statute reflects a straightforward principle: children under 13 lack the maturity to understand privacy risks, so parents should make decisions about their children's data. COPPA does not ban children from using the internet. It places obligations on the companies that operate websites and online services.
The FTC updated the COPPA Rule in 2013 to address smartphones, tablets, social networking, and other technologies that did not exist when the original rule was written. As of 2024, the Commission has proposed further amendments to strengthen the Rule.
Who Must Comply with COPPA?
COPPA applies to two categories of operators:
- Operators of websites or online services directed to children under 13. The FTC considers factors like the site's subject matter, visual content, use of animated characters, music, child-oriented activities, the age of models, the presence of advertising directed to children, and whether the site uses language or terms aimed at children. A website does not need to exclusively target children; if a portion of the audience is children and the site is designed in a way that attracts them, COPPA may apply.
- Operators of general audience websites or online services that have actual knowledge they are collecting personal information from children under 13. "Actual knowledge" means the operator has been informed or has clear evidence that a specific user is under 13. The FTC has taken the position that deliberately avoiding age-related information does not avoid COPPA obligations.
Third-party plug-ins and advertising networks also face COPPA requirements when they collect data through a child-directed site, even if the third party itself does not operate the site. The FTC's COPPA FAQ addresses this in detail.
Entities Exempt from COPPA
COPPA applies specifically to commercial operators. Nonprofit organizations that are not acting in a commercial capacity are generally exempt under the FTC Act's jurisdictional limits. Schools and school districts are not operators under COPPA, although ed-tech vendors that collect student data on behalf of schools may be covered. Government agencies are also outside COPPA's scope.
What Counts as Personal Information?
COPPA defines "personal information" broadly. Under 16 C.F.R. § 312.2, it includes:
- First and last name
- Home or physical address (including street name and city or town)
- Online contact information (email address, instant messaging ID)
- Screen name or username that functions as online contact information
- Telephone number
- Social Security number
- A photograph, video, or audio file containing a child's image or voice
- Geolocation information sufficient to identify a street name and city or town
- Persistent identifiers (cookies, IP addresses, device serial numbers, processor serial numbers) when used to recognize a user over time and across websites, except when used solely for internal operations
The 2013 Rule update expanded this definition significantly. Adding persistent identifiers, photos, audio recordings, and geolocation brought the definition in line with how children actually use modern devices and apps.
Verifiable Parental Consent Requirements
Before collecting, using, or disclosing personal information from a child under 13, an operator must obtain verifiable parental consent (VPC). The FTC requires that the consent method be "reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent."
Approved Consent Methods
The FTC recognizes several methods for obtaining VPC:
- Signed consent form returned by mail, fax, or electronic scan
- Credit card or other online payment system where the operator provides notification to the cardholder and charges a small transaction
- Toll-free telephone number or video conference staffed by trained personnel
- Government-issued ID checked against a database, with the ID deleted promptly after verification
- Knowledge-based challenge questions that would be difficult for a child to answer
- Facial recognition comparing a parent's photo ID to a real-time selfie, then deleting both after verification
For internal use only (where personal information will not be disclosed to third parties), the FTC allows a streamlined "email plus" method: the operator sends a confirmation email to the parent, who must respond, call a number, or connect via another mechanism to confirm consent.
The Privacy Policy Requirement
Operators must post a clear, complete privacy policy on each page where data is collected from children. The policy must describe:
- What information the operator collects and how it is used
- The operator's disclosure practices
- The parent's right to review, delete, and refuse further collection of the child's data
- Contact information for the operator
- The effective date of the policy
Operators must also provide direct notice to parents before collecting information, describing the specific data to be collected and how it will be used.
FTC Safe Harbor Programs
Section 312.11 of the COPPA Rule establishes the safe harbor provision, which allows industry groups to submit self-regulatory guidelines for FTC approval. Companies that participate in an approved safe harbor program and comply with its guidelines are deemed to comply with the COPPA Rule, subject to review.
Currently Approved Safe Harbor Programs
Children's Advertising Review Unit (CARU), operated by BBB National Programs, is the longest-running COPPA safe harbor. CARU monitors and reviews child-directed advertising and privacy practices across digital media.
kidSAFE Seal Program focuses on children's websites, apps, games, and connected products. kidSAFE provides a certification process that includes privacy assessments, compliance monitoring, and a public seal that parents can look for.
iKeepSafe offers COPPA safe harbor certification along with related certifications for FERPA and state student privacy laws. iKeepSafe works primarily with ed-tech companies.
PRIVO provides a technology-based safe harbor program. PRIVO's platform offers age verification and parental consent tools that operators can integrate directly into their products.
Participation in a safe harbor program does not guarantee immunity from FTC enforcement. The FTC retains authority to investigate and take action against any operator, including safe harbor participants, if it finds COPPA violations.
Major COPPA Enforcement Actions
The FTC has brought dozens of COPPA enforcement cases since 2000. The penalties have escalated significantly in recent years, reflecting both rising violation counts and the increased penalty ceiling.
Epic Games ($520 Million, 2022)
In December 2022, the FTC announced a $520 million settlement with Epic Games, the maker of Fortnite. The case involved two components: $275 million for COPPA violations related to collecting personal information from children under 13 without parental consent, and $245 million for dark patterns that tricked players into making unintended purchases. This remains the largest COPPA enforcement action in history.
Epic Games had defaulted all players into open voice and text chat, connecting children with strangers without parental knowledge. The company also collected personal information and persistent identifiers from players it knew were under 13.
Google/YouTube ($170 Million, 2019)
Google and YouTube paid $170 million ($136 million to the FTC and $34 million to the New York Attorney General) for tracking children on YouTube channels directed at kids. YouTube had marketed itself to content creators as a top destination for children while simultaneously telling advertisers it could track and target those same young viewers. The settlement required YouTube to create a system for channel operators to identify child-directed content.
TikTok/Musical.ly ($5.7 Million, 2019)
Musical.ly (now TikTok) paid $5.7 million for collecting names, email addresses, and other personal information from children under 13 without parental consent. The app had actual knowledge that many users were children based on the birthdates users entered, yet continued collecting data. TikTok subsequently launched a restricted mode for users under 13.
Other Notable Cases
The FTC has also pursued cases against Edmodo ($6 million, 2023, ed-tech company using student data for advertising), Flo Health (2021, sharing reproductive health data), and numerous smaller operators. The pattern is clear: the FTC prioritizes cases involving large-scale collection, actual knowledge of child users, and companies that profit from children's data.
Penalties for COPPA Violations
The FTC enforces COPPA under Section 5 of the FTC Act, which authorizes civil penalties for unfair or deceptive practices. The maximum civil penalty per violation is adjusted annually for inflation.
As of 2024, the maximum penalty is $50,120 per violation, per the FTC's adjusted penalty amounts. Each instance of collecting personal information from a child without proper consent counts as a separate violation. For an app or website with millions of child users, penalties accumulate rapidly.
Beyond monetary penalties, FTC orders typically require the company to:
- Delete all personal information collected in violation of COPPA
- Implement a comprehensive privacy program
- Obtain biennial independent privacy assessments for 20 years
- Submit compliance reports to the FTC
- Refrain from misrepresenting privacy practices
State attorneys general can also enforce COPPA under 15 U.S.C. § 6504, bringing actions in federal court on behalf of state residents.
COPPA 2.0, KOSA, and Pending Legislation
Federal lawmakers have introduced several bills to update children's online privacy protections beyond the original COPPA framework.
COPPA 2.0 (S. 1628)
The Children and Teens' Online Privacy Protection Act, commonly called "COPPA 2.0," would raise the age threshold from 13 to 17, ban targeted advertising to minors, create an "Eraser Button" allowing parents and children to delete personal information, and establish a Youth Privacy and Marketing Division within the FTC. The bill passed the Senate Commerce Committee in 2024 but has not received a full floor vote as of early 2026.
Kids Online Safety Act (KOSA)
KOSA (S. 1409) would impose a duty of care on covered platforms to prevent and mitigate harms to minors, including promotion of suicide, eating disorders, substance abuse, bullying, and sexual exploitation. Platforms would need to enable the strongest privacy settings by default for users under 17. KOSA passed the Senate in July 2024 with a 91-3 vote but stalled in the House.
FTC COPPA Rule Updates
Separately from legislation, the FTC has proposed amendments to the COPPA Rule that would require separate opt-in consent for targeted advertising to children, limit data retention, strengthen data security requirements, and update the definition of personal information to include biometric data. These regulatory changes can take effect without new legislation.
For a state-by-state view of children's privacy legislation going beyond COPPA, see our Children's Online Privacy by State guide.
Practical COPPA Compliance Steps
Organizations that operate websites, apps, or connected products used by children can follow these steps to build a COPPA-compliant program.
Step 1: Determine Whether COPPA Applies
Evaluate whether your site or service is "directed to children" using the FTC's totality of circumstances test. Review your content, design, advertising, and actual user demographics. If your audience includes children under 13 or if you have actual knowledge of child users, COPPA applies.
Step 2: Audit Your Data Collection
Map every point where personal information (as defined by 16 C.F.R. § 312.2) is collected. This includes registration forms, in-app purchases, chat features, analytics tracking, third-party SDKs, advertising networks, and social login integrations. Document what data is collected, why, and where it goes.
Step 3: Implement Age Screening
Use a neutral age gate (ask for date of birth without suggesting the "right" answer). The FTC has penalized companies that allowed children to simply enter a fake birthdate after being rejected. Block collection of personal information from users who indicate they are under 13, unless you implement the full VPC process.
Step 4: Obtain Verifiable Parental Consent
Choose a VPC method appropriate for your service. For apps and games, credit card verification or facial recognition matching may be practical. For lower-risk internal use, the email-plus method works. Maintain records of consent for auditing purposes.
Step 5: Draft a Compliant Privacy Policy
Your COPPA privacy policy must be clear, prominent, and complete. List every category of personal information collected, each purpose for collection, all third parties that receive data, and parents' rights regarding their child's data. Avoid legal jargon. Use plain language.
Step 6: Establish Data Retention and Deletion Procedures
Retain children's personal information only as long as necessary for the purpose it was collected. Implement processes for parents to request deletion of their child's data. Respond to deletion requests promptly.
Step 7: Secure Children's Data
Apply reasonable security measures proportionate to the sensitivity of the data. The FTC expects encryption, access controls, employee training, and incident response procedures. Data breaches involving children's information carry heightened enforcement risk.
Step 8: Consider Safe Harbor Certification
Joining an FTC-approved safe harbor program provides a structured compliance framework and demonstrates commitment to children's privacy. Programs like CARU, kidSAFE, iKeepSafe, and PRIVO offer assessments and monitoring that help maintain ongoing compliance.
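The age screen from Step 3 and the consent gate from Step 4 can be enforced in one place on the server. The following is an added sketch, not code from the FTC or from this guide's sources; the function names, the `session` dictionary (standing in for server-side state tied to a browser or device), and the choice to store only an under-13 flag rather than the birthdate are assumptions.

```python
from datetime import date

COPPA_AGE = 13  # threshold from the guide: children under 13


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today (handles Feb 29 birthdays)."""
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1)


def screen(session: dict, dob: date, today: date) -> str:
    """Neutral age screen: takes any birthdate and gives no hint about
    which answer unlocks the service. `session` is hypothetical state."""
    if dob > today:
        raise ValueError("date of birth is in the future")
    # Sticky result: once a session has answered under 13, entering an
    # older birthdate on a second attempt does not lift the restriction.
    if session.get("under_13") or age_on(dob, today) < COPPA_AGE:
        session["under_13"] = True
        session.setdefault("vpc_on_file", False)
        return "needs_parental_consent"
    session["under_13"] = False
    return "general_flow"


def record_parental_consent(session: dict, method: str) -> None:
    """Call only after a VPC method has completed; keep the method name
    with the record for auditing (Step 4)."""
    session["vpc_on_file"] = True
    session["vpc_method"] = method


def may_collect_personal_info(session: dict) -> bool:
    """Collection is allowed only for screened users who are 13 or older,
    or under-13 users with parental consent on file."""
    if "under_13" not in session:
        return False  # not screened yet: collect nothing
    return (not session["under_13"]) or session.get("vpc_on_file", False)
```

Every code path that writes personal information (registration, chat, analytics, third-party SDK initialization) would check `may_collect_personal_info` first, so a rejected session cannot reach collection by re-submitting the form.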
How COPPA Intersects with State Laws
COPPA sets a federal baseline, but states increasingly add their own children's privacy requirements. California's Age-Appropriate Design Code Act imposes data protection impact assessments for services likely to be accessed by children. Utah, Texas, Louisiana, Arkansas, and Florida have enacted social media restrictions for minors that go beyond COPPA's scope.
These state laws do not preempt COPPA; they layer additional obligations on top of the federal framework. Companies operating nationally need to comply with both COPPA and the most restrictive applicable state laws. For a detailed breakdown, see our Children's Online Privacy by State guide and individual state data privacy pages like California and Texas.
Cross-Links to Related Topics
Families navigating children's online privacy issues often face related legal questions around child support, custody, and parental rights. State child support agencies increasingly use digital tools that collect family data, raising privacy questions of their own.
- United States Child Support Laws (hub page)
- California Child Support Laws
- Texas Child Support Laws
- Student Data Privacy and FERPA
This article provides general legal information about COPPA compliance. It does not constitute legal advice. Consult an attorney for advice specific to your situation.
Sources and References
- Children's Online Privacy Protection Act (15 U.S.C. §§ 6501-6506) (uscode.house.gov)
- FTC COPPA Rule (16 C.F.R. Part 312) (ecfr.gov)
- FTC COPPA FAQ: Complying with COPPA (ftc.gov)
- FTC Six-Step COPPA Compliance Plan (ftc.gov)
- Epic Games $520M FTC Settlement (2022) (ftc.gov)
- Google/YouTube $170M COPPA Settlement (2019) (ftc.gov)
- TikTok/Musical.ly $5.7M COPPA Settlement (2019) (ftc.gov)
- FTC 2024 Inflation-Adjusted Civil Penalty Amounts (ftc.gov)
- State AG Enforcement Authority (15 U.S.C. § 6504) (uscode.house.gov)
- COPPA 2.0 (S. 1628, 118th Congress) (congress.gov)
- Kids Online Safety Act (S. 1409, 118th Congress) (congress.gov)
- FTC Proposed COPPA Rule Amendments (ftc.gov)
- California Age-Appropriate Design Code Act (AB 2273) (leginfo.legislature.ca.gov)
- COPPA Personal Information Definition (16 C.F.R. § 312.2) (ecfr.gov)
- Edmodo FTC Enforcement Action (2023) (ftc.gov)