Overview
The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law designed to protect the privacy of children under 13 years old online. Enforced by the Federal Trade Commission (FTC), COPPA regulates how websites, apps, and online services collect, use, and disclose personal information from children.
The law requires businesses to obtain verifiable parental consent before collecting or sharing a child’s data. Failure to comply can lead to substantial fines and legal action by the FTC.
Who Must Comply?
COPPA applies to:
✔ Websites, apps, and online services targeting children under 13
✔ General websites that knowingly collect data from children
✔ Ad networks and third-party services that process children’s data
✔ EdTech companies collecting data from students under 13
✔ Game developers offering interactive features
Even if a company does not intend to target children, it may still be liable if its platform attracts young users and collects their data.
Key Requirements Under COPPA
Businesses must:
✔ Obtain verifiable parental consent before collecting a child’s personal data
✔ Provide clear privacy notices about data collection practices
✔ Allow parents to review and delete their child’s data
✔ Limit data collection to what is necessary for the service
✔ Secure collected data to prevent unauthorized access
✔ Refrain from conditioning access to services on data collection
Personal information under COPPA includes:
📌 Name, address, phone number, and email
📌 Geolocation data
📌 Photos, videos, and voice recordings
📌 Persistent identifiers (e.g., IP addresses, device IDs)
📌 Any other data that can identify a child
Real-World Enforcement Cases
The FTC has aggressively enforced COPPA, penalizing major companies for non-compliance.
📌 Google & YouTube – $170 Million Fine (2019)
- Google was fined for illegally collecting children’s data without parental consent in order to serve targeted ads.
📌 TikTok (formerly Musical.ly) – $5.7 Million Fine (2019)
- TikTok violated COPPA by allowing children under 13 to sign up without parental consent and failing to delete their personal information.
📌 Epic Games (Fortnite) – $275 Million Fine (2022)
- Epic Games was fined for collecting children’s data without consent and using dark patterns to encourage unwanted purchases.
📌 Amazon Alexa – FTC Action (2023)
- The FTC required Amazon to delete children’s voice recordings after Amazon was found to be retaining data longer than necessary.
Compliance Best Practices
To comply with COPPA, businesses should:
✔ Use Age Gates – Screen users for age before collecting any data.
✔ Implement Verifiable Parental Consent Methods – Options include credit card verification, signed consent forms, or video chats.
✔ Limit Data Collection – Only collect the minimum information required.
✔ Secure Children’s Data – Encrypt and protect stored information.
✔ Post a Clear COPPA-Compliant Privacy Policy – Inform parents about what data is collected, how it’s used, and who it is shared with.
✔ Honor Parental Deletion Requests – Parents must be able to review and delete their child’s data at any time.
Future of COPPA Regulation
New legislation, such as the Kids Online Safety Act (KOSA), is being considered to strengthen COPPA protections, especially against AI-driven data collection and social media targeting. The FTC is also proposing updates to COPPA that could impose stricter penalties on companies that misuse children’s data.