“COPPA” is an acronym that stands for the “Children’s Online Privacy Protection Act,” which is a federal statute. Generally speaking, COPPA was enacted to protect the privacy of minors under the age of 13 from websites and online services that target children and that collect personal data about said children. COPPA applies to any business actually collecting personal data on children and to any website or online platform that has reason to know that the data being collected involves minors.

COPPA is similar to other online privacy statutes in that COPPA does NOT ban the collection, processing, and sharing/selling of personal information about children. Rather, COPPA requires that clear and conspicuous notifications be given by a website or online platform to parents and that “verifiable consent” be obtained before collection, use, or sharing/selling of the child’s personal data. “Personal data” includes various information like a child’s name, address, phone number, social security number, photos, video geolocation information, etc.

COPPA also has other requirements, which are discussed in this FTC information sheet. Some of the other requirements can be summarized as follows:

• Provide parents with access to the data collected about their child or children
• Obtain parental consents for the internal use of a child’s data
• Disallow websites or online platforms from disclosing/sharing a child’s data with third parties unless disclosure/sharing is necessary for the service, “… in which case, this must be made clear to parents”
• Maintain the confidentiality of data collected about children
• Maintain robust cybersecurity
• Delete children’s data when the data is no longer needed to fulfill the purpose for which it was collected
• Delete the data in a manner that reasonably protects against unauthorized access or use
• Do not demand more information than is reasonably necessary as a condition of a child being allowed to access features of the website/online platform.
• And more

The main federal agency tasked with enforcing COPPA is the Federal Trade Commission (“FTC”). The FTC has promulgated various rules with respect to COPPA. The FTC also investigates alleged violations of COPPA and brings administrative enforcement actions. For example, the FTC recently brought an enforcement case in federal court against Cognosphere LLC, which markets and provides an online game called Genshin Impact. Genshin Impact is marketed to and is very popular with children. The FTC alleged that Cognosphere failed to obtain parental consent before collecting personal data about the kids playing the game and engaged in deceptive practices with respect to in-game “loot boxes” and conversion of real currency into “game currency” (currency that can be used to buy in-game items).

Unfortunately, COPPA does not contain a private right of legal action allowing parents to sue companies directly for COPPA violations. COPPA would be a stronger and more effective statute if such a private right of action existed. For now, if you suspect a website or online platform is violating COPPA, complaints can be lodged with the FTC and with State Attorneys General (who also have enforcement authority).

If your company is investigated for COPPA violations, you will need experienced and top-rated FTC defense attorneys

COPPA’s Jurisdictional Reach: Who Must Comply

COPPA’s reach is broader than many businesses realize. Under 15 U.S.C. § 6502 and 16 C.F.R. Part 312, COPPA applies to:

• Operators of websites or online services directed to children under 13
• Operators of general audience websites or online services who have actual knowledge that they are collecting personal information from children under 13
• Operators of websites or online services that are used by children as part of a broader platform, where the operator has actual knowledge of the child’s age

Determining whether a website is “directed to children” involves a multi-factor test that looks at the subject matter, visual content, use of animated characters or child-oriented activities, music, celebrities who appeal to children, advertising directed to children, and empirical evidence regarding the composition of the audience. App developers, game operators, and social media platforms have all faced COPPA enforcement actions based on this test.

The “Verifiable Parental Consent” Requirement

The heart of COPPA is the requirement to obtain “verifiable parental consent” before collecting, using, or disclosing personal information from children. 16 C.F.R. § 312.5. The FTC has approved several methods for obtaining verifiable consent, including:

• Providing a consent form to be signed and returned by mail or fax
• Requiring a parent to use a credit card in connection with a monetary transaction
• Using a toll-free number or video conference staffed by trained personnel
• Email accompanied by additional steps providing assurances that the person providing consent is the parent (such as a PIN or password)
• Knowledge-based challenge questions that a minor would be unlikely to answer correctly
• Verifying a parent’s government-issued ID against a database

The “email plus” method — sending a confirmation email to the parent and allowing a waiting period before collection begins — may be used only where the information is used for internal purposes and is not disclosed to third parties. For any external use or disclosure, a higher tier of verification is required.

The 2013 and 2024 COPPA Updates

Congress passed COPPA in 1998, and the FTC’s implementing regulations have been updated twice since then. The 2013 amendments significantly expanded the definition of personal information to include geolocation data, photos, videos, audio recordings, screen names that function as persistent identifiers, and persistent identifiers used for behavioral advertising purposes. The 2024 amendments — which were in the proposal and comment phase as of 2026 — propose further expanding COPPA coverage to include teens up to age 16 in certain contexts and to impose stricter limits on behavioral advertising directed to children and teens. Businesses operating in the children’s digital space should be tracking these proposed rules closely.

COPPA Enforcement: Recent Cases and Penalty Levels

The FTC is the primary COPPA enforcer, but state Attorneys General also have authority to bring COPPA enforcement actions under 15 U.S.C. § 6504. Recent significant enforcement actions include:

• Epic Games (Fortnite): In 2023, Epic agreed to pay $275 million to the FTC to resolve allegations that it violated COPPA and used dark patterns to manipulate children into making unauthorized purchases — the largest COPPA settlement in history at that time.
• YouTube/Google: In 2019, Google agreed to pay $170 million to resolve FTC and New York AG allegations that YouTube collected personal information from children without parental consent.
• Cognosphere (Genshin Impact): The FTC pursued an enforcement action against Cognosphere for COPPA violations related to its popular online game, as described above.

These penalty levels — hundreds of millions of dollars in some cases — reflect the FTC’s seriousness about COPPA enforcement. Small and mid-sized businesses are not immune; the FTC has brought enforcement actions against companies of all sizes.

Building a COPPA Compliance Program

• Conduct an audit of your data collection practices to identify any collection from children
• Post a clear, comprehensive, and COPPA-compliant privacy policy
• Implement age-screening mechanisms appropriate to your platform
• Build the parental notice and consent workflow into your user registration flow
• Train your development and marketing teams on COPPA requirements
• Review your relationships with third-party advertising networks — sharing children’s data with third-party ad networks is a common COPPA violation
• Document your compliance efforts in writing

Contact Revision Legal

If you have questions about internet law and FTC compliance, the experienced attorneys at Revision Legal can help. We represent businesses, entrepreneurs, and individuals across the country. Contact us through the form on this page, visit our internet law and FTC compliance practice page, or call us at (855) 473-8474.