Sign In Sign Up

COPPA Explained

Your Child's Privacy Rights Online

Every time your child plays a game, watches a video, or uses an app, companies may be collecting their personal information. COPPA—the Children's Online Privacy Protection Act—is the federal law designed to give you control over that data. Here's what every parent needs to know.

What Is COPPA?

COPPA is a United States federal law that protects the privacy of children under 13 online. Enacted in 1998 and enforced by the Federal Trade Commission (FTC), it requires websites, apps, and online services to get verifiable parental consent before collecting personal information from children.

The law recognizes something important: children can't meaningfully consent to data collection. They don't understand what they're agreeing to when they click "I Accept," and they can't anticipate how their information might be used years later. COPPA puts that decision-making power where it belongs—with parents.

The core principle: If a service knows it's collecting data from a child under 13, it must get a parent's permission first—and give that parent ongoing control over the data.

Who Does COPPA Apply To?

Services Covered by COPPA

COPPA applies to:

  • Websites and apps directed at children under 13 — Games, educational platforms, children's entertainment sites, and any service designed with kids as the primary audience
  • General audience services that knowingly collect data from children under 13 — A social media platform or game that allows users of all ages but knows some users are children
  • Third-party services that collect data on child-directed sites — Advertising networks, analytics providers, and plug-ins operating on children's sites

What "Directed to Children" Means

The FTC looks at several factors to determine if a service targets children:

  • Subject matter (characters, activities, games appealing to children)
  • Visual content (bright colors, cartoon characters, child-friendly design)
  • Music and audio features
  • Age of models or actors
  • Presence of child celebrities or influencers
  • Language level
  • Advertising that targets children
  • Reliable data about the actual audience age

Who COPPA Doesn't Cover

COPPA has significant gaps:

  • Children 13 and older — Teens have no special federal privacy protections
  • Services based entirely outside the US — Though any service collecting data from US children should comply
  • Non-commercial websites — Most nonprofit organizations are exempt
  • Services that don't collect personal information — If no data is collected, COPPA doesn't apply

What Information Does COPPA Protect?

Under COPPA, "personal information" includes:

  • Full name
  • Home or physical address — Including street name and city/town
  • Email address
  • Phone number
  • Social Security number
  • Geolocation data — Precise enough to identify a street or building
  • Photos, videos, or audio files — If they contain a child's image or voice
  • Screen names — If they function as online contact information
  • Persistent identifiers — Cookies, IP addresses, device IDs, or other identifiers that can track a child across sites or over time (when used for purposes other than site functionality)

Important: Even information that seems harmless—like a username or device ID—counts as personal information under COPPA if it can be used to contact the child or track their behavior.

What Companies Must Do Under COPPA

1. Post a Clear Privacy Policy

Sites and apps directed at children must post a privacy policy that includes:

  • The name and contact information of all operators collecting data
  • What personal information is collected and how
  • How the information is used
  • Whether information is shared with third parties
  • Parental rights and how to exercise them

2. Provide Direct Notice to Parents

Before collecting data from a child, operators must directly notify parents about:

  • What information will be collected
  • How it will be used
  • That parental consent is required
  • How to provide or refuse consent

3. Obtain Verifiable Parental Consent

Companies must get actual consent from a parent before collecting, using, or disclosing a child's personal information. Acceptable methods include:

  • Signing and returning a consent form by mail, fax, or email
  • Using a credit card or other payment method for verification
  • Having a parent call a toll-free number staffed by trained personnel
  • Video conferencing with trained personnel
  • Checking a parent's government-issued ID against databases
  • Knowledge-based authentication questions (in some cases)
  • Facial recognition comparing a parent's photo ID to a selfie

Simply having a child check a box saying "my parent consents" is not sufficient.

4. Give Parents Ongoing Control

After consent is given, parents must be able to:

  • Review the personal information collected from their child
  • Revoke consent and have data deleted
  • Prevent further collection or use

5. Protect Collected Data

Operators must establish reasonable procedures to protect the confidentiality, security, and integrity of children's personal information.

6. Limit Data Collection

Companies cannot require children to disclose more information than is reasonably necessary to participate in an activity. A game can't demand a home address just to create a profile.

7. Limit Data Retention

Personal information collected from children should only be kept as long as necessary to fulfill the purpose for which it was collected, then securely deleted.

Your Rights as a Parent

COPPA gives you specific, enforceable rights:

Your Right What It Means
Right to Notice You must be informed before any data collection begins and told exactly what will be collected and why
Right to Consent No personal information can be collected from your child without your verified permission
Right to Review You can request to see all personal information a company has collected from your child
Right to Delete You can demand that a company delete your child's personal information
Right to Revoke Consent You can withdraw permission at any time and stop future data collection
Right to Refuse You can say no without your child being excluded from activities that don't require data collection

How to Exercise Your Rights

  1. Find the privacy contact: Look in the app's or website's privacy policy for contact information for the operator or their designated privacy contact
  2. Submit a written request: Email or write to request a review of your child's data, deletion, or to revoke consent
  3. Verify your identity: Be prepared to verify you're the parent—companies may ask for proof to protect against fraudulent requests
  4. Follow up: Companies should respond reasonably promptly; if they don't, you can file a complaint with the FTC

Common COPPA Violations

Despite the law's clarity, violations are common. Watch for these red flags:

  • Collecting data without any parental verification — Just asking for a birthdate and accepting whatever is entered
  • Using "I am over 13" checkboxes as the only gate — This is easily bypassed and doesn't constitute parental consent
  • Burying consent requests in lengthy terms of service — Consent must be clear and separate
  • Tracking children for advertising purposes — Using persistent identifiers to serve targeted ads without consent
  • Sharing children's data with third parties — Without explicit parental consent for each recipient
  • Not providing a working method to review or delete data — Parents must have practical access to these rights
  • Collecting more data than necessary — Requiring extensive personal information for simple activities

Notable COPPA Enforcement Actions

The FTC has levied significant fines for COPPA violations:

  • YouTube (Google) — $170 million (2019): Collected data from children watching kids' channels without parental consent
  • TikTok (Musical.ly) — $5.7 million (2019): Collected personal information from children under 13 without parental consent
  • Epic Games (Fortnite) — $275 million (2022): Collected data from children under 13 and enabled harmful features by default
  • Microsoft (Xbox) — $20 million (2023): Collected data from children without proper parental consent and retained it longer than necessary

The Age Gate Problem

Most apps and websites use simple age gates—"Enter your birthdate" or "Are you over 13?"—as their only protection. This creates problems:

  • Children lie about their age: Studies show the majority of children under 13 on age-restricted platforms simply entered a false birthdate
  • Parents help them: Many parents knowingly assist children in bypassing age requirements
  • "Age-gating" isn't parental consent: A child claiming to be 13 is not the same as a parent giving verified permission
  • Once bypassed, protections vanish: A 10-year-old with a "verified" age of 14 is treated as a teen or adult with no COPPA protections

The result: millions of children use platforms that collect their data without any meaningful COPPA compliance, because the platforms claim they don't "know" the users are children.

What this means for you: If your child is using a service designed for older users by lying about their age, COPPA may not protect them. The service can claim it reasonably believed the user was 13+.

COPPA vs. Other Privacy Laws

COPPA is just one piece of the children's privacy landscape:

Law Scope Age Protected Key Difference
COPPA (US) Commercial websites/apps Under 13 Requires parental consent for data collection
FERPA (US) Educational records Students of any age Protects school records; parents control until child is 18
GDPR (EU) All data processing Under 16 (or 13-16 by country) Requires parental consent; broader scope than COPPA
UK Age Appropriate Design Code Online services likely accessed by children Under 18 Requires privacy by default for all minors, not just young children
California AADC Online services likely accessed by children Under 18 Requires Data Protection Impact Assessments; privacy by default

Notably, the US lacks comprehensive privacy protections for teenagers (13-17), leaving a significant gap between COPPA's protections and adulthood.

COPPA in Schools

When schools use educational technology, COPPA rules can be complicated:

  • Schools can consent on parents' behalf — For educational technology used in the school context, schools can provide consent instead of requiring individual parental permission
  • This only applies to educational use — If a service is also used for commercial purposes (like advertising), parental consent is still required
  • Schools must evaluate services — Schools accepting this responsibility should review privacy policies and ensure services comply with COPPA
  • Parents can still opt out — Even when schools consent, parents retain the right to review data and object

Ask your child's school: What educational technology do they use? Have they reviewed privacy policies? What data is collected, and is it shared with third parties?

Practical Tips for Parents

Before Your Child Uses an App or Website

  • Check the privacy policy — Look for a clear children's privacy section. If there isn't one on a kids' app, that's a red flag.
  • Look for COPPA compliance statements — Reputable children's services explicitly state they comply with COPPA
  • Research the app — Search "[app name] COPPA" or "[app name] children's privacy" to see if there have been complaints or violations
  • Check if it's age-appropriate — Common Sense Media provides detailed reviews of apps, games, and websites for families
  • Understand what data is collected — Does the app really need location access? Microphone access? Access to photos?

When Setting Up Accounts

  • Use your email, not your child's — This ensures you receive any privacy notices
  • Don't help your child lie about their age — This bypasses COPPA protections designed to help them
  • Create the account together — Review privacy settings as part of the setup process
  • Disable unnecessary permissions — Turn off location, microphone, camera, and contacts access unless truly needed
  • Opt out of personalized advertising — Where offered, disable targeted ads

Ongoing Monitoring

  • Review app permissions regularly — Apps sometimes add new data collection through updates
  • Watch for privacy policy changes — Services can change their practices with updated policies
  • Periodically request your child's data — Exercise your right to review what's been collected
  • Delete unused apps and accounts — Less data exposure is always better

How to File a COPPA Complaint

If you believe a company has violated COPPA, you can report it to the Federal Trade Commission:

  1. Document the violation — Take screenshots of the app, website, or any communications. Note dates and what personal information was collected.
  2. File online at ReportFraud.ftc.gov — Select "Something Else" and describe the children's privacy violation
  3. Include specifics:
    • Name of the app, website, or company
    • What personal information was collected
    • How you know your child's data was collected without consent
    • Whether you attempted to contact the company
  4. Contact your state attorney general — Many states also enforce children's privacy laws and may investigate

While the FTC doesn't resolve individual complaints, patterns of complaints trigger investigations and enforcement actions.

The Future of Children's Privacy

COPPA was groundbreaking in 1998, but the online landscape has changed dramatically. Several developments are worth watching:

Potential Changes

  • Raising the protected age: Bills have been proposed to extend COPPA protections to ages 16 or 17
  • Stronger enforcement: Recent large fines signal the FTC is taking violations more seriously
  • State laws: California's Age-Appropriate Design Code and similar state laws may provide stronger protections
  • Age verification technology: New methods of verifying age without invasive data collection are being developed
  • Design requirements: Following the UK's lead, laws may require privacy-protective design, not just consent mechanisms

What Parents Should Watch For

  • Changes to COPPA regulations or new federal children's privacy laws
  • Your state's privacy legislation, which may provide additional protections
  • Platform policy changes that affect how children's data is handled
  • New technologies your children are using and their privacy implications

Frequently Asked Questions

My child lied about their age. Does COPPA still apply?
Unfortunately, if the service reasonably believed your child was 13 or older based on the information provided, COPPA protections may not apply. This is a significant loophole. The best protection is to supervise account creation and not help children bypass age gates.
Can I sue a company for violating my child's privacy under COPPA?
COPPA doesn't provide a private right of action—meaning individuals can't sue directly under the law. Only the FTC and state attorneys general can bring enforcement actions. However, you may have claims under state laws or general privacy torts.
Do free apps have to comply with COPPA?
Yes. COPPA applies to all commercial websites and apps that collect personal information from children, regardless of whether they charge money. Free apps that collect data for advertising purposes are absolutely covered.
What if an app is based outside the United States?
COPPA applies to foreign-based sites and services if they are directed to children in the United States or knowingly collect personal information from US children. Enforcement can be challenging, but legitimate companies operating in the US market generally comply.
Does COPPA apply to my child's school Chromebook or iPad?
Educational technology used in schools can be covered by COPPA, but schools can consent on behalf of parents for educational purposes. Schools should have policies about what data is collected and how it's used. Ask your school about their edtech privacy practices.
Can I opt my child out of data collection but still let them use the app?
Sometimes. COPPA requires that children not be denied access to activities that don't require personal information. But if data collection is essential to the service (like an app that requires an account), the company may not be able to provide access without some data collection.
My child is 13. Are there any protections for teens?
Federal law doesn't provide special privacy protections for teens 13-17. Some state laws (like California's CCPA) provide additional rights for all consumers, including teens. The California Age-Appropriate Design Code, when fully in effect, will extend protections to under-18s.
How do I know if an app is COPPA compliant?
Look for a children's privacy policy section, COPPA compliance statements, and membership in safe harbor programs like kidSAFE or PRIVO. Be wary of children's apps that don't mention COPPA at all or that ask for extensive personal information.

Key Takeaways

  • COPPA protects children under 13 from having their personal information collected without verified parental consent
  • You have rights — to notice, consent, review, deletion, and revocation — and companies must provide mechanisms to exercise them
  • Age gates aren't enough — if your child lies about their age, they may lose COPPA protections
  • Violations are common — even major companies have been fined for COPPA violations
  • You can file complaints with the FTC if you believe a company is violating the law
  • COPPA has limits — teens aren't protected, enforcement is challenging, and the law hasn't kept pace with technology
  • Parental involvement matters — your oversight is the most effective protection for your child's privacy

COPPA provides a foundation, but protecting your child's privacy online ultimately requires ongoing attention. Review the apps they use, understand what data is being collected, and don't hesitate to exercise your rights when something doesn't seem right.

Browse What is a Privacy Policy? →

Track Privacy Policies That Affect Your Family

Monitor the privacy policies of apps and services your children use. Get notified when they change.

Start Tracking Free