COPPA: Children's Online Privacy Protection Rule

The Children's Online Privacy Protection Rule, enforced by the Federal Trade Commission, sets binding requirements on how operators of websites and online services collect, use, and disclose personal information from children under 13. Violations carry civil penalties reaching $51,744 per violation (FTC Civil Penalty Adjustments, 16 C.F.R. § 1.98). This page covers the rule's scope, operational mechanics, classification boundaries, known enforcement tensions, and common misconceptions, serving as a structured reference for legal, compliance, and policy contexts.


Definition and scope

COPPA is a federal statute enacted in 1998 (Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506) and implemented through the FTC's COPPA Rule, which was substantially amended in 2013 and is currently under a second major revision cycle. The statute applies to two categories of operators: (1) operators of websites or online services directed to children under 13, and (2) operators of general-audience websites or services who have actual knowledge that they are collecting personal information from children under 13.

The geographic scope is national and, practically, international — any operator collecting data from children located in the United States falls within COPPA's reach regardless of where the operator is incorporated. The FTC has taken the position that COPPA applies even to foreign-based platforms when U.S. children are among the users, a stance it exercised in the 2019 action against the video platform Musical.ly (rebranded as TikTok), which resulted in a $5.7 million settlement (FTC v. Musical.ly, Case No. 19-cv-00790 (N.D. Ill. 2019)).

"Personal information" under COPPA encompasses more than name and address. The 2013 amended rule (16 C.F.R. Part 312) extended the definition to include persistent identifiers such as cookies, IP addresses, device serial numbers, and geolocation data, as well as photos, videos, and audio files containing a child's image or voice.


Core mechanics or structure

COPPA's operational framework rests on five interlocking obligations:

1. Notice. Operators must post a clear and comprehensive privacy policy on their website homepage and at every point where personal information is collected. The notice must list the types of information collected, the purposes of collection, and disclosure practices.

2. Verifiable Parental Consent (VPC). Before collecting, using, or disclosing personal information from a child under 13, an operator must obtain VPC. The FTC has approved multiple consent mechanisms through its safe harbor and approval process, including signed consent forms, credit card verification, toll-free call-in lines, and video conferences. Email-plus methods — where a parent sends consent via email followed by a delayed confirmation — are permitted for internal use only (not third-party disclosure) (16 C.F.R. § 312.5).

3. Data minimization and retention limits. Operators may collect only as much information as is reasonably necessary for the activity for which the child is participating. Data must be retained only as long as necessary to fulfill the purpose of collection and then securely deleted.

4. Parental rights. Parents have the right to review personal information collected from their child, direct the operator to delete it, and refuse further collection. Operators must have mechanisms to honor these requests within a reasonable time.

5. Confidentiality and security. Operators must maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children, including limiting access to employees who need the information to perform their duties.

Safe harbor programs, authorized under 15 U.S.C. § 6503, allow industry groups to develop self-regulatory guidelines subject to FTC approval. Approved safe harbor programs include kidSAFE and CARU (Children's Advertising Review Unit). Operators under an approved safe harbor are subject to that program's oversight rather than direct FTC enforcement, though the FTC retains ultimate authority.


Causal relationships or drivers

COPPA's passage was directly driven by documented commercial practices in the late 1990s in which child-directed websites routinely collected children's names, home addresses, and parental income information through sweepstakes and promotional registrations — often without parental knowledge. A 1998 FTC report, Privacy Online: A Report to Congress, found that 89% of child-directed sites collected personal information from children, while fewer than 10% of those sites provided any parental notice (FTC, Privacy Online: A Report to Congress, 1998).

The 2013 rule amendment was driven by the explosion of mobile applications, social media, and behavioral advertising. Plug-ins and third-party advertising networks that embedded tracking code in child-directed apps could collect persistent identifiers even when parents had no awareness that a third party was present. The FTC's 2012 report Mobile Apps for Kids documented that operators were routinely sharing data with third-party advertising networks without disclosing this practice to parents.

A proposed 2023 rulemaking — the most significant revision since 2013 — is driven by evidence that algorithmic content recommendation systems on child-directed platforms can constitute a form of collection and use that the original consent framework did not anticipate. The FTC's proposed rule would restrict default data collection practices, add school authorization pathways, and tighten limits on push notifications directed at children.


Classification boundaries

COPPA's threshold concept — "directed to children" — is determined by the FTC using a totality-of-circumstances test examining subject matter, visual content, use of animated characters or child-oriented activities, music, presence of child celebrities, and evidence from advertising that the site targets a child audience.

Mixed-audience sites present the most contested boundary. An operator running a general-audience platform may implement an "age screen" mechanism — requiring users to self-report their age before registration. If the age screen is a good-faith filtering mechanism (not a "know-your-customer" gate designed to be bypassed), and the operator does not have actual knowledge of child users, COPPA obligations may not attach. However, signals of actual knowledge include: internal analytics showing a disproportionate share of users under 13, advertiser contracts specifically targeting children, or customer service emails from parents.
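The age-screen and actual-knowledge mechanics described above, written out as an added example (not FTC guidance text and not any platform's code). The 13-year threshold is COPPA's; the neutral prompt wording, the 24-hour retry lock, the route names, the parent-phrase list and the sample support tickets are constructed for illustration:

```python
"""Neutral age screen for a mixed-audience service, plus first-pass triage of
support tickets for parent contacts that could amount to actual knowledge.
Added example, not FTC text or any platform's code.  The 13-year threshold is
COPPA's; the retry-lock duration, route names, phrase list and sample tickets
are constructed for illustration."""

import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

COPPA_AGE_THRESHOLD = 13
RETRY_LOCK = timedelta(hours=24)  # assumed policy: no immediate re-entry after a VPC routing


def age_on(birth: date, today: date) -> int:
    """Whole years completed on `today`, so a 13th birthday counts from that day."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


@dataclass
class ScreenResult:
    route: str                              # "general", "vpc_required" or "locked"
    locked_until: Optional[datetime] = None


class AgeScreen:
    """Asks for a date of birth in neutral wording and remembers each session's
    outcome, so a user routed to the VPC flow cannot back-button and resubmit
    an adult birth date during the lock window."""

    PROMPT = "Enter your date of birth (YYYY-MM-DD):"  # no hint about which answer unlocks the service

    def __init__(self) -> None:
        self._decisions: dict = {}  # session id -> ScreenResult

    def submit(self, session_id: str, birth: date, now: datetime) -> ScreenResult:
        prior = self._decisions.get(session_id)
        if prior is not None and prior.route == "vpc_required" and now < prior.locked_until:
            return ScreenResult("locked", prior.locked_until)
        if age_on(birth, now.date()) < COPPA_AGE_THRESHOLD:
            # Under 13: nothing further is collected until verifiable parental
            # consent exists; only the routing decision is kept, not the birth date.
            result = ScreenResult("vpc_required", now + RETRY_LOCK)
        else:
            result = ScreenResult("general")
        self._decisions[session_id] = result
        return result


# Actual-knowledge triage of support tickets (constructed phrase list).
PARENT_PHRASES = ("my son", "my daughter", "my child", "my kid")
AGE_RE = re.compile(r"\b(\d{1,2})\s*-?\s*years?\s*-?\s*old\b|\bis\s+(\d{1,2})\b", re.IGNORECASE)


def triage_ticket(text: str) -> str:
    """Classify one ticket: 'actual_knowledge_candidate' (a parent states an age
    under 13), 'review' (parent contact, no age stated), or 'none'."""
    lowered = text.lower()
    if not any(phrase in lowered for phrase in PARENT_PHRASES):
        return "none"
    ages = [int(g) for m in AGE_RE.finditer(text) for g in m.groups() if g]
    if not ages:
        return "review"
    return "actual_knowledge_candidate" if min(ages) < COPPA_AGE_THRESHOLD else "none"


SAMPLE_TICKETS = [  # constructed
    "My daughter is 9 years old and I want her account deleted.",
    "My son, who is 15, keeps getting logged out.",
    "My child cannot log in after the update.",
    "Please reset my password.",
]

if __name__ == "__main__":
    screen = AgeScreen()
    now = datetime(2024, 6, 1, 12, 0)
    print(screen.submit("s1", date(2015, 6, 2), now).route)                           # vpc_required
    print(screen.submit("s1", date(1990, 1, 1), now + timedelta(hours=1)).route)      # locked
    for ticket in SAMPLE_TICKETS:
        print(triage_ticket(ticket), "<-", ticket)
```

A ticket flagged as a candidate is a trigger for the operator's actual-knowledge process, not a determination by itself; the triage only narrows what a human reviews.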

Third-party operators embedded in child-directed contexts carry their own obligations. Under the 2013 rule, a plug-in operator has COPPA obligations if it has actual knowledge it is operating within a child-directed environment, even if its own standalone service is general-audience.

Schools occupy a distinct classification. COPPA's school exception, codified at 16 C.F.R. § 312.5(b)(1), permits schools to provide consent on behalf of parents for ed-tech services used for educational purposes, but this authorization does not extend to commercial use of children's data for behavioral advertising or data sale.


Tradeoffs and tensions

Consent friction vs. access equity. Robust VPC mechanisms create friction that can effectively block children from accessing educational or social content when parents lack the documentation, time, or digital literacy to complete consent flows. Researchers at the Center for Democracy and Technology have documented that aggressive COPPA compliance can result in platforms choosing to block all users appearing to be under 13 rather than build compliant consent systems, producing access gaps.

Age verification vs. privacy. Meaningful age verification to identify children under 13 requires collecting age-corroborating information, which itself raises privacy concerns for both the child and the parent. Requiring government-ID-level verification introduces data security exposure disproportionate to many operators' threat models.

Third-party tracking ecosystems. COPPA's notice-and-consent model was designed around first-party data collection. In a real-time bidding environment, data flows from a child-directed app to dozens of ad-tech intermediaries within milliseconds of a page load, a structural reality that consent checkboxes at the point of registration cannot realistically govern.

Enforcement asymmetry. Large platforms with dedicated legal and compliance teams absorb COPPA compliance costs as a line item. Smaller developers — particularly indie mobile app developers and school ed-tech startups — face the same per-violation penalty ceiling of $51,744 (FTC, Civil Penalties) with a fraction of the legal resources, creating asymmetric compliance burdens. This tension is visible in enforcement patterns: the FTC's record of notable cases and settlements shows that the largest penalties have fallen on established companies, while smaller operators have received warning letters.


Common misconceptions

Misconception 1: COPPA applies only to websites.
The rule applies to "operators of websites or online services," a phrase the FTC has consistently interpreted to include mobile applications, connected toys, voice assistants, and IoT devices that collect personal information from children. The 2019 action against YouTube (United States v. Google LLC/YouTube, 2019) and the consent order requiring Google to pay $136 million (DOJ Press Release, September 4, 2019) confirm that video-sharing platforms are covered online services.

Misconception 2: COPPA creates a minimum age of 13.
COPPA does not prohibit children under 13 from using online services; it requires that operators obtain verifiable parental consent before collecting their data. A platform may serve users under 13 in full compliance with COPPA if it implements a compliant VPC process and adheres to all data handling requirements.

Misconception 3: General-audience sites have no COPPA obligations.
A general-audience site that gains actual knowledge it has users under 13 — through user-submitted information, parental complaint, or internal analytics — acquires COPPA obligations from that point forward with respect to those known child users. "Actual knowledge" is not limited to explicit self-identification; it includes constructive signals the FTC considers reasonably apparent.

Misconception 4: Parental consent, once obtained, covers all future data uses.
COPPA requires that consent be obtained for the specific collection and use purposes disclosed at the time of consent. A material change in data practices — such as beginning to share data with third-party advertisers where none existed before — requires fresh notice and renewed consent from parents.

Misconception 5: COPPA only governs the operator's direct data collection.
Under the 2013 rule, operators must also take steps to prevent third-party plug-ins and ad networks embedded in their child-directed properties from collecting personal information without compliant consent. The operator bears responsibility for third-party integrations operating within their platform environment.


Checklist or steps

The following sequence reflects the standard COPPA compliance determination workflow as documented in FTC guidance (Complying with COPPA: Frequently Asked Questions):

  1. Determine operator status. Establish whether the service is (a) directed to children, (b) a general-audience service with actual knowledge of child users, or (c) a mixed-audience service with an age-gate mechanism.

  2. Audit data collection points. Inventory all points at which personal information (including persistent identifiers, geolocation, and audio/visual data) is collected, including data collected by embedded third-party code.

  3. Verify privacy policy completeness. Confirm the policy identifies all operators collecting data through the service, all categories of personal information collected, all purposes, all third-party disclosures, and the parental rights process.

  4. Evaluate VPC mechanism. Confirm the consent mechanism meets FTC-approved standards for the intended use (internal use only vs. third-party disclosure).

  5. Implement data minimization controls. Document the basis for each data element collected, mapped to a specific operational purpose.

  6. Establish data retention and deletion schedules. Set maximum retention periods tied to operational necessity and verify secure deletion protocols.

  7. Build parental rights workflow. Create documented processes for parental review requests, deletion requests, and consent revocation, with a defined response timeframe.

  8. Review third-party integrations. Audit all SDK, plug-in, and ad-network integrations present in child-directed environments and obtain written representations from third parties about their COPPA compliance status.

  9. Assess safe harbor membership. Evaluate whether joining an FTC-approved safe harbor program (e.g., CARU, kidSAFE) is appropriate given the operator's scale and resources.

  10. Monitor for actual knowledge triggers. Establish internal processes for flagging customer service communications, analytics anomalies, or advertising targeting parameters that may constitute actual knowledge of child users.
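Steps 5 through 7 of the checklist, together with the point made under Misconception 4 that consent is bound to the purposes disclosed at the time it was given, as one added example (not the FTC's text or any vendor's code). The drawing-app inventory, purposes, retention periods, consent-method names and the parent and child identifiers are all constructed; the example treats email-plus consent as covering internal use only, following the description of 16 C.F.R. § 312.5 above:

```python
"""Consent scoping, data minimization, retention and parental-deletion
enforcement for a hypothetical child-directed drawing app.  Added example,
not the FTC's text or any vendor's code.  Inventory, purposes, retention
periods, method names and identifiers are constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta

# Consent methods as listed in the rule discussion above; email-plus is
# assumed here to cover internal use only (16 C.F.R. § 312.5).
APPROVED_METHODS = {"signed_form", "credit_card", "toll_free_call", "video_conference", "email_plus"}
INTERNAL_ONLY_METHODS = {"email_plus"}
THIRD_PARTY_PURPOSES = {"third_party_ad_sharing"}


@dataclass(frozen=True)
class DataElement:
    name: str
    purpose: str            # the one operational purpose that justifies collecting it
    retention: timedelta    # maximum retention, tied to that purpose


# Step 5: every element maps to a documented purpose; anything else is refused.
INVENTORY: dict[str, DataElement] = {
    "username": DataElement("username", "account_login", timedelta(days=365)),
    "drawing_upload": DataElement("drawing_upload", "save_artwork", timedelta(days=365)),
    "device_id": DataElement("device_id", "crash_diagnostics", timedelta(days=30)),
}


@dataclass
class ConsentRecord:
    parent_id: str
    child_id: str
    granted_at: datetime
    purposes: frozenset[str]   # exactly the purposes disclosed in the notice at consent time
    method: str
    revoked: bool = False


class ChildDataStore:
    def __init__(self) -> None:
        self.consents: dict[str, ConsentRecord] = {}
        self.records: list[tuple[str, str, datetime, str]] = []  # child, element, stored_at, value

    def record_consent(self, consent: ConsentRecord) -> None:
        if consent.method not in APPROVED_METHODS:
            raise ValueError(f"{consent.method} is not an approved VPC method")
        self.consents[consent.child_id] = consent

    def authorize_use(self, child_id: str, purpose: str) -> bool:
        """True only if a live consent disclosed this purpose; a new purpose
        (e.g. starting to share with ad networks) needs fresh notice and consent."""
        consent = self.consents.get(child_id)
        if consent is None or consent.revoked or purpose not in consent.purposes:
            return False
        if purpose in THIRD_PARTY_PURPOSES and consent.method in INTERNAL_ONLY_METHODS:
            return False
        return True

    def collect(self, child_id: str, element: str, value: str, now: datetime) -> None:
        spec = INVENTORY.get(element)
        if spec is None:
            raise ValueError(f"{element} is not in the data inventory; collect only what is necessary")
        if not self.authorize_use(child_id, spec.purpose):
            raise PermissionError(f"no valid parental consent covering purpose {spec.purpose}")
        self.records.append((child_id, element, now, value))

    def purge_expired(self, now: datetime) -> int:
        """Step 6: delete records older than their element's retention period."""
        kept = [r for r in self.records if now - r[2] <= INVENTORY[r[1]].retention]
        dropped = len(self.records) - len(kept)
        self.records = kept
        return dropped

    def parental_delete(self, parent_id: str, child_id: str) -> int:
        """Step 7: honor the consenting parent's deletion request and revoke
        consent so that no further collection occurs."""
        consent = self.consents.get(child_id)
        if consent is None or consent.parent_id != parent_id:
            raise PermissionError("requester is not the consenting parent on file")
        removed = sum(1 for r in self.records if r[0] == child_id)
        self.records = [r for r in self.records if r[0] != child_id]
        consent.revoked = True
        return removed


def run_demo() -> dict:
    """Walk a constructed consent lifecycle and return the observed outcomes."""
    store = ChildDataStore()
    t0 = datetime(2024, 1, 1)
    base = frozenset({"account_login", "save_artwork", "crash_diagnostics"})
    store.record_consent(ConsentRecord("parent-1", "child-1", t0, base, "email_plus"))
    store.collect("child-1", "username", "crayon_fan", t0)
    store.collect("child-1", "device_id", "dev-0001", t0)
    out = {"ad_share_before_notice": store.authorize_use("child-1", "third_party_ad_sharing")}
    # Fresh notice adds the purpose, but email-plus cannot cover third-party disclosure.
    store.record_consent(ConsentRecord("parent-1", "child-1", t0, base | {"third_party_ad_sharing"}, "email_plus"))
    out["ad_share_email_plus"] = store.authorize_use("child-1", "third_party_ad_sharing")
    store.record_consent(ConsentRecord("parent-1", "child-1", t0, base | {"third_party_ad_sharing"}, "signed_form"))
    out["ad_share_signed_form"] = store.authorize_use("child-1", "third_party_ad_sharing")
    try:
        store.collect("child-1", "precise_geolocation", "41.9,-87.6", t0)
        out["geolocation_rejected"] = False
    except ValueError:
        out["geolocation_rejected"] = True
    out["purged_after_31_days"] = store.purge_expired(t0 + timedelta(days=31))  # device_id only
    out["deleted_on_request"] = store.parental_delete("parent-1", "child-1")
    out["use_after_revocation"] = store.authorize_use("child-1", "save_artwork")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of routing every collection through `authorize_use` is that a purpose added after the original notice (here, sharing with ad networks) is refused by construction until a new consent record reflecting the new notice is on file, and that the record also carries the consent method, so an email-plus consent cannot silently be stretched to cover third-party disclosure.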


Reference table or matrix

| Element | Statutory / Regulatory Source | Key Threshold | Enforcement Ceiling |
|---|---|---|---|
| Core statute | 15 U.S.C. §§ 6501–6506 | Children under 13 | Civil penalty per violation |
| Implementing rule | 16 C.F.R. Part 312 | Operators of covered services | $51,744 per violation (16 C.F.R. § 1.98) |
| Verifiable Parental Consent | 16 C.F.R. § 312.5 | Required before collection/use/disclosure | N/A (triggering condition) |
| School exception | 16 C.F.R. § 312.5(b)(1) | Educational use only; no commercial data use | Same civil penalty structure |
| Safe harbor programs | 15 U.S.C. § 6503 | FTC-approved guidelines | Program-administered oversight |
| Personal information definition | 16 C.F.R. § 312.2 | Includes persistent identifiers, geolocation, audio/visual | Same civil penalty structure |
| Record retention / security | 16 C.F.R. § 312.10 | Reasonable security required | Same civil penalty structure |

The FTC administers COPPA alongside its broader privacy enforcement portfolio, including the FTC Safeguards Rule and general FTC data security enforcement authorities. COPPA enforcement actions appear in the FTC's formal case record, accessible through the FTC's primary index of regulatory activity.