COPPA Compliance for Websites and Apps: What You Must Do Before Collecting Data from Children Under 13

COPPA (the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506) places parents in control of what personal information is collected from their children online. If your website, app, or online service is directed to children under 13 or has actual knowledge that it's collecting personal information from a child under 13, you must comply with COPPA's notice, consent, and data protection requirements before any collection occurs. Violations produce civil penalties of up to $53,088 per violation, and the FTC enforces aggressively. In 2022, Epic Games paid $275 million in COPPA penalties for illegally collecting personal information from children using Fortnite. In August 2024, the DOJ and FTC jointly sued TikTok and ByteDance for COPPA violations related to collecting private information from minors and allowing them to interact with adults and adult content.

COPPA reaches beyond children's websites. A general-audience eCommerce site, a social media app, a gaming platform, or a SaaS product can trigger COPPA if it has actual knowledge that users under 13 are providing personal information, even if the business didn't design the product for children.

What Triggers COPPA

COPPA applies in two situations. First, your website or online service is "directed to children" under 13 based on factors the FTC evaluates: subject matter, visual and audio content, use of animated characters or other child-oriented activities, the age of models in content, the presence of child celebrities or celebrities who appeal to children, advertising on the site directed to children, marketing or promotional materials indicating a child audience, and evidence about the age of actual users on similar services.

Second, your website or online service isn't directed to children but you have "actual knowledge" that you're collecting personal information from a child under 13. Actual knowledge means you know or have reason to know based on the information available to you. If a user enters a birthdate indicating they're 11 years old during account registration, you have actual knowledge.

"Mixed audience" sites (directed to children based on the FTC's factors but not targeting children as the primary audience) can implement an age screen and apply COPPA protections only to users who identify as under 13. Age screening must be done in a neutral manner that doesn't default to a set age or encourage users to falsify their age information.

What Constitutes Personal Information

COPPA defines "personal information" broadly. It includes first and last name, home or physical address, email address, telephone number, Social Security number, a persistent identifier that can recognize a user over time and across different websites (cookies, IP addresses, device serial numbers, when used for purposes other than supporting the site's internal operations), a photograph, video, or audio file containing a child's image or voice, geolocation information sufficient to identify a street name and city or town, and any other information collected from a child that's combined with any of the above identifiers.

Under the 2025 COPPA Rule amendments (effective June 23, 2025, with a compliance deadline of April 22, 2026), the definition was expanded to include biometric identifiers and government-issued identifiers.

Verifiable Parental Consent

Before collecting, using, or disclosing personal information from a child under 13, the operator must obtain verifiable parental consent. "Verifiable" means the operator must make a reasonable effort, considering available technology, to ensure that the person giving consent is the child's parent or guardian.

FTC-approved consent methods include a consent form signed by the parent and returned by mail, fax, or electronic scan, a credit card or other online payment transaction (the theory being that a child is unlikely to have a credit card), a toll-free telephone number staffed by trained personnel, a video conference with the parent, government-issued ID verified against a database (with the ID deleted after verification), knowledge-based challenge questions that would be difficult for a child to answer, and face match to verified photo identification (approved in 2015).

Separate verifiable parental consent is now required under the 2025 amendments before disclosing children's personal information to third parties for purposes related to targeted advertising. Previously, a single consent could cover both collection and disclosure. Under the amended rule, operators must obtain one consent for collection and use and a separate consent for third-party disclosure for advertising purposes.

Privacy Policy Requirements

COPPA-covered operators must post a privacy policy that includes a list of all operators collecting or maintaining children's personal information through the site, a description of what information is collected and how it's collected (directly from the child, passively through cookies or tracking technologies, or from third parties), how the information is used, whether and to whom it's disclosed, and the parent's rights (to review information collected from their child, to have that information deleted, and to refuse further collection or use).

Direct notice to parents must be provided before any collection begins. The notice must contain the same information as the privacy policy and must include a statement that the operator is requesting the parent's consent to collect, use, or disclose the child's personal information, a description of the specific information to be collected, and instructions for how the parent can provide consent.

Data Minimization and Retention

COPPA prohibits conditioning a child's participation in an activity on the collection of more personal information than is reasonably necessary for that activity. An educational game that requires a child's name and email address to create an account can't also require a home address, phone number, and photograph unless those additional data points are necessary for the game to function.

With the 2025 amendments, operators must retain children's personal information only for as long as reasonably necessary to fulfill the specific purpose for which it was collected. Indefinite retention is prohibited. Operators must establish and disclose retention periods and must delete or de-identify children's personal information when the purpose for collection has been fulfilled.

Safe Harbor Programs

Several FTC-approved self-regulatory "safe harbor" programs provide operators with a structured framework for COPPA compliance. FTC-approved safe harbor programs include ESRB Privacy Certified, kidSAFE Seal Program, PRIVO, and TrustArc. Operators that participate in an approved safe harbor program and comply with its guidelines are subject to the program's disciplinary procedures rather than direct FTC enforcement for potential violations.

Transparency requirements for safe harbor programs increased under the 2025 amendments, requiring them to publicly disclose their membership lists and report additional information to the FTC. Safe harbor programs must also submit proposed modifications to their guidelines to reflect the 2025 amendments.

Safe harbor participation reduces FTC scrutiny but doesn't eliminate liability. If an operator violates COPPA despite participating in a safe harbor program, the FTC considers the operator's compliance history and remedial actions when deciding whether to bring an enforcement action.

When COPPA Applies to General-Audience Businesses

COPPA's reach extends beyond websites and apps designed for children. A general-audience eCommerce site, a social platform, a gaming service, or a productivity app can trigger COPPA obligations if it acquires actual knowledge that a user is under 13.

If your registration process collects birthdates and a user enters a date indicating they're under 13, you have actual knowledge. If a customer support interaction reveals that a user is a child, you have actual knowledge. If a user's profile or content indicates they're under 13, you may have actual knowledge depending on the specificity of the indication.

Once actual knowledge is established, you must either obtain verifiable parental consent before collecting any personal information from that user or stop collecting personal information from that user entirely. Many general-audience services choose the latter approach, terminating accounts that identify as under 13 rather than implementing the full COPPA consent framework.

Age screening for general-audience and mixed-audience sites must be neutral. A registration form that defaults to an age of 18 or asks "are you over 13?" with a pre-selected "yes" button encourages age falsification and doesn't constitute a good-faith effort to determine the user's age. The FTC's February 2026 policy statement specifically incentivizes the use of age verification technologies by providing that operators of general-audience and mixed-audience sites won't face enforcement for collecting information solely for age verification purposes, provided the information isn't used for any other purpose and is promptly deleted after verification.

Practical Recommendations

Determine whether COPPA applies to your business before you launch. Review the FTC's factors for "directed to children" sites and evaluate whether your content, design, marketing, or user demographics trigger COPPA coverage. If you operate a general-audience site, assess whether your registration process or user interactions could produce actual knowledge that users are under 13.

If COPPA applies, implement verifiable parental consent before any collection of personal information from children. Choose a consent method from the FTC-approved list and implement it before the child can provide any personal information beyond what's needed for the consent process itself.

Post a COPPA-compliant privacy policy and provide direct notice to parents. Both must be in place before collection begins, and both must be updated whenever your data practices change.

Don't collect more information than you need. COPPA prohibits conditioning a child's participation on unnecessary data collection, and the 2025 amendments impose retention limits that require you to delete information when the purpose for collection has been fulfilled.

If you operate a general-audience site and don't want to implement COPPA's consent framework, use a neutral age screen at registration and refuse to create accounts for users who indicate they're under 13. Don't design the age screen to encourage falsification, and don't ignore information that indicates a user is a child.

Review your compliance against the 2025 COPPA Rule amendments. If you were compliant under the pre-2025 rule, confirm that your practices satisfy the new requirements for separate consent for third-party advertising disclosures, the expanded definition of personal information (now including biometric identifiers), and the retention limitation requiring deletion when the purpose for collection is fulfilled. Full compliance with the 2025 amendments is required by April 22, 2026.

Need advice tied to your business issue?

Share the issue. Get direct attorney review. Receive a concrete recommendation.

Submit an Inquiry