Every day, thousands of children go online. While that access opens doors for learning, creativity, and interaction, it also raises serious privacy concerns. To address these risks, the U.S. enacted the Children’s Online Privacy Protection Act (COPPA), a federal law designed to safeguard the personal data of children under 13. Business owners often approach us with questions about how COPPA applies to their situation. In this article, we address the most frequently asked questions to help you understand what COPPA requires.
Q: Who Does COPPA Apply To?
COPPA applies to operators of websites, apps, and online services that are directed to children under 13 and collect information from them. It also extends to general-audience platforms that knowingly collect personal data from children under 13. Essentially, even if your platform is not designed for kids, COPPA still applies if you know that children are using it and providing personal information.
Q: What Counts as “Personal Information” Under COPPA?
Personal information can include identifiers such as the child’s name, home address, phone number, email address, or Social Security number. The child’s platform username can also count. Additionally, less obvious data, such as cookies or device IDs that track users over time, can also fall under COPPA unless they are strictly used for internal operations. Even information about a child’s parent can fall under COPPA if it’s collected from the child and linked to an identifier.
Q: How is Parental Consent Verified?
To verify that a parent has consented to the collection of information from a child, the FTC allows several methods. These include knowledge-based authentication questions that a child cannot answer, facial recognition matching a parent’s photo to a government ID, or sending confirmation texts after consent is given.
Q: What Types of Online Services are Covered?
COPPA applies to services such as mobile apps, online games, social networking platforms, smart speakers, connected toys, location-based services, voice assistants, and any internet-enabled service that collects personal data from children.
Q: Does an Operator Have to Keep Children’s Data Forever?
No. COPPA only requires operators to keep children’s personal information as long as it is reasonably necessary for its original purpose. If the information is no longer needed, it should be securely deleted. This means that if a parent requests access and you deleted the data because you reasonably no longer needed it, you can simply state that the information is no longer retained.
Q: What Happens if You Do Not Comply?
Non-compliance can be costly. As of 2025, civil penalties can reach up to $53,088 per violation, and each non-compliant event can count separately. The FTC has actually imposed multimillion-dollar fines in several cases. One notable example involved Disney’s YouTube channels. Child-directed videos were incorrectly labelled as “not made for kids,” leading to targeted advertising and features not intended for children. The FTC settlement required a $10 million penalty and significant changes to how Disney designates its content.
In addition to financial penalties, violating COPPA rules can result in reputation damage and even increased regulatory oversight. It’s therefore in your best interest to comply and avoid making costly mistakes.
Who COPPA Covers: Operators, Children, and the “Directed to Children” Test
COPPA, codified at 15 U.S.C. §§ 6501–6506, applies to “operators” of websites or online services directed to children under 13, or any operator that has actual knowledge it is collecting personal information from children under 13. The FTC’s COPPA Rule, 16 C.F.R. Part 312, defines “operator” to include any person who operates a website, app, or online service for commercial purposes. B2B sites and internal enterprise software are generally outside COPPA’s scope. Sites directed exclusively to adults—but which incidentally attract some child visitors without knowing it—may also be outside COPPA’s scope, depending on whether the operator has “actual knowledge” of child users.
Whether a site is “directed to children” is determined by the FTC based on multiple factors: the subject matter of the site; visual content, music, animated characters, and other elements that appeal to children; use of child celebrities or child influencers; advertising on child-directed media; evidence that a substantial portion of the site’s audience is under 13; and representations made to advertisers about the site’s audience. Mixed-audience sites—those directed to a general audience that also includes children—have additional compliance obligations. The 2013 COPPA Rule update extended coverage to plugins and behavioral advertising networks that have actual knowledge they are collecting data from a child-directed site, even if the plugin operator’s own site is not child-directed.
What Personal Information COPPA Regulates
COPPA defines “personal information” broadly to include: first and last name; physical address; online contact information such as an email address; screen name or username that functions as online contact information; telephone number; Social Security number; persistent identifiers such as cookies, IP addresses, device serial numbers, or unique device identifiers that can be used to recognize a user over time across different websites or online services; photographs, videos, and audio files containing a child’s image or voice; geolocation information sufficient to identify street name and city; and any other information about the child or parent that is collected in combination with an identifier described above.
The inclusion of persistent identifiers—cookies, device IDs, IP addresses—is significant because many websites collect this information automatically through analytics tools, advertising networks, and session management without ever asking a user to provide it. Under COPPA, even automatic collection of a persistent identifier from a child user on a child-directed site requires verifiable parental consent unless an exception applies. This means that simply embedding Google Analytics, a Meta Pixel, or a retargeting cookie on a child-directed site triggers COPPA compliance obligations, regardless of whether the site operator intended to collect children’s data.
Verifiable Parental Consent: How to Actually Get It
COPPA requires operators to obtain “verifiable parental consent”—not just any consent—before collecting personal information from children under 13. The FTC’s COPPA Rule specifies several approved methods for obtaining verifiable consent, depending on the type of information collected. For internal uses only (information not disclosed to third parties), operators may use a signed consent form returned by mail or fax, credit card verification, a toll-free number staffed by trained personnel, a video conference with a live agent, or any other method approved by the FTC. For public disclosure of children’s information, only the stricter methods—those that verify the consent-giver is an adult—are acceptable.
The FTC has approved several COPPA Safe Harbor programs administered by approved industry groups, including kidSAFE, PRIVO, and ESRB Privacy Certified. Operators that obtain and maintain certification from an approved Safe Harbor program are deemed compliant with the consent and notice requirements of the COPPA Rule, provided they follow the Safe Harbor program’s guidelines. Safe Harbor certification requires a rigorous application process, annual renewal, and ongoing monitoring. For large child-directed platforms, Safe Harbor certification reduces FTC enforcement risk and provides a credible compliance defense.
Required Privacy Policy Disclosures Under COPPA
An operator subject to COPPA must post a clear, comprehensive, and easily accessible privacy policy that includes: the name, address, telephone number, and email address of each operator collecting personal information; a description of the personal information collected and how it is used; whether the information is disclosed to third parties; and a description of parental rights including the right to review, refuse to permit further use of, or require deletion of the child’s personal information. The privacy notice must be linked directly from the homepage of the website or service and from each page where personal information is collected.
In addition to the posted privacy policy, operators must provide direct notice to parents at the time of data collection, before obtaining verifiable parental consent. This notice must be clearly written, complete, and consistent with the posted privacy policy. It must state that the operator wants to collect the child’s information, explain how the information will be used, and inform the parent that their consent is required. Operators may not condition participation in an activity on the disclosure of more information than is reasonably necessary for that activity—a concept the FTC calls data minimization, and one that has taken on new significance in the agency’s broader privacy enforcement agenda.
COPPA Enforcement: FTC Penalties and Recent Cases
COPPA violations can be costly. Civil penalties under COPPA are assessed on a per-violation basis, with maximum penalties adjusted annually for inflation—currently exceeding $51,744 per violation. In significant enforcement cases, the FTC has imposed substantial settlements: TikTok (then Musical.ly) paid $5.7 million in 2019; YouTube paid $170 million in 2019 in a joint FTC and New York AG settlement; Epic Games (Fortnite) paid $275 million in 2022. These cases involved collection of children’s personal information without parental consent, failure to honor parents’ requests to delete data, and use of deceptive user interface practices (dark patterns) that prevented parents from protecting their children’s privacy.
The FTC’s 2023 proposed amendments to the COPPA Rule signal that enforcement will increase, not decrease. Proposed changes include restrictions on targeted advertising to children, limits on use of children’s data to improve AI systems, enhanced data security requirements, and stronger data deletion obligations. State attorneys general also have independent authority to bring COPPA enforcement actions in federal court under 15 U.S.C. § 6504. Businesses operating child-directed platforms or products should treat COPPA compliance as an ongoing program—not a one-time checkbox—and conduct annual privacy audits to identify data collection practices that may have evolved out of compliance as products were updated.
If your business operates a website, app, or online service that may be subject to COPPA—or if you have received an FTC inquiry about your data collection practices involving children—contact the privacy attorneys at Revision Legal through the form on this page or call (855) 473-8474. Our internet law practice advises businesses on COPPA compliance, parental consent mechanisms, and FTC response nationwide.