Children's Online Privacy Protection Act

Protecting children's personal information collected online

Established: 1998 (effective April 2000)
Last Updated: 2024 (proposed rule amendments)
Scope: United States
Protected Age: Under 13

// What is COPPA?

COPPA imposes requirements on operators of websites, online services, and mobile applications that collect, use, or disclose personal information from children under 13. The law gives parents control over what information is collected from their children online.

COPPA applies not only to sites and services directed at children, but also to general audience sites that have actual knowledge they are collecting information from children under 13. This broad scope affects educational technology platforms, gaming companies, social media services, and any website with child users.

The FTC actively enforces COPPA, with enforcement actions resulting in millions of dollars in civil penalties. The agency has pursued cases against major technology companies and smaller operators alike, making COPPA one of the most actively enforced online privacy regulations in the United States.

// Inside the Regulation

COPPA establishes a framework of notice, consent, and data protection requirements for operators collecting personal information from children under 13. The rule defines covered information broadly and imposes strict obligations on data handling.

1. Covered Information

16 CFR § 312.2

COPPA defines personal information broadly to capture various identifiers and data collected from children.

Direct Identifiers

Name, address, email, telephone number, Social Security number.

Online Identifiers

Screen names, usernames, cookies, IP addresses, device identifiers, and other persistent identifiers used to recognize users over time.

Media Content

Photographs, videos, and audio files containing a child's image or voice.

Geolocation Data

Precise geolocation information sufficient to identify a street name and city.

2. Notice and Consent

16 CFR § 312.4-312.5

Operators must provide clear notice and obtain verifiable parental consent before collecting children's personal information.

Privacy Policy

Clear, comprehensive privacy policy describing information practices, posted prominently and linked from every page where information is collected.

Direct Notice to Parents

Direct notice to parents before collecting information, describing what will be collected, how it will be used, and parental rights.

Verifiable Parental Consent

Obtain verifiable consent using reasonable methods: signed consent form, credit card transaction, video call, government ID check, or knowledge-based authentication.

3. Data Protection Requirements

16 CFR § 312.8

Operators must maintain reasonable security procedures protecting the confidentiality, security, and integrity of children's personal information.

Confidentiality

Establish and maintain procedures to protect confidentiality of personal information collected from children.

Security

Implement reasonable security measures to protect against unauthorized access, use, or disclosure.

Integrity

Ensure collected data is accurate and protected from unauthorized alteration.

Data Minimization

Collect only personal information reasonably necessary for the child's participation in the activity.

4. Parental Rights and Data Retention

16 CFR § 312.6-312.10

Parents retain ongoing rights over their children's data, and operators must limit data retention.

Parental Access

Allow parents to review personal information collected from their child.

Deletion Rights

Allow parents to request deletion of their child's personal information and revoke consent for future collection.

Retention Limits

Retain personal information only as long as reasonably necessary to fulfill the purpose for which it was collected. Delete information when no longer needed.

Note: The FTC's proposed 2024 rule amendments would strengthen COPPA by limiting data retention, expanding the definition of covered information, and restricting targeted advertising to children. Educational technology operators should monitor these changes closely as they may impact school-context data collection.

// Who Must Comply

  1. Websites and online services directed to children under 13
  2. General audience sites with actual knowledge of child users under 13
  3. Mobile application developers with child audiences
  4. Educational technology platforms used by K-12 students
  5. Online gaming platforms accessible to children
  6. Social media services used by children
  7. Third-party plug-ins and ad networks operating on child-directed sites

// Key Requirements

Privacy Policy

Clear, comprehensive privacy policy describing children's information practices

Parental Consent

Verifiable parental consent before collecting personal information from children under 13

Data Security

Reasonable security procedures protecting confidentiality and integrity of children's data

Data Minimization

Collect only information reasonably necessary for the child's participation in the activity

Parental Access

Allow parents to review, delete, and revoke consent for their child's personal information

Vendor Oversight

Ensure third-party service providers maintain equivalent protections for children's data

// Enforcement & Penalties

The FTC enforces COPPA through civil penalty actions. Penalties can be substantial, with recent enforcement actions reaching tens of millions of dollars. The FTC has pursued both large technology companies and smaller operators.

Maximum Penalty

Up to $50,120 per violation (adjusted annually for inflation)

Examples:

  • Epic Games: $275 million (2022) for COPPA violations in Fortnite
  • Google/YouTube: $170 million (2019) for tracking children without consent
  • Musical.ly (TikTok): $5.7 million (2019) for collecting children's data
  • Ongoing FTC enforcement sweeps targeting child-directed apps and websites

// Cyber Insurance Impact

Organizations handling children's data face elevated regulatory risk. Cyber insurers closely scrutinize COPPA compliance, and violations can result in coverage disputes. FTC enforcement actions typically include significant penalties that may exceed standard cyber liability coverage limits.

// How Breach Craft Helps

We help organizations achieve COPPA compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of COPPA.

// Industries That Need COPPA

These industries commonly require COPPA compliance as part of their regulatory obligations.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873