The Children’s Online Privacy Protection Act (COPPA) is a US federal law enacted in 1998 and enforced by the Federal Trade Commission (FTC). COPPA regulates how websites, mobile apps, and digital services collect, use, and share personal information from children under the age of 13. The law requires parental consent, transparency, and data security, with the goal of protecting children’s online privacy. Are you in compliance?
If your business operates a website, game, app, or digital platform aimed at children under 13 or collects their data, you must put specific measures in place that enforce more stringent privacy practices, obtain parental consent, and limit data collection. You must also ensure third-party services (e.g., ad networks or analytics platforms) comply with COPPA when used on your platform.
To evaluate your compliance with COPPA, consider:
Age controls:
Think about whether your website or app is targeted toward children under 13, or knowingly collects data from children
Parental consent:
Implement a method for obtaining verifiable parental consent before collecting personal information
Disclosure:
Disclose your data practices in a privacy policy written in language understandable to children and parents
Parental controls:
Allow parents to review, delete, or refuse further collection of their child’s data
Third-party connections:
Ensure third-party services or cookies you use are also COPPA-compliant
Failure to meet these requirements may place your business in violation of federal law.
COPPA applies to:
Operators of websites or online services (including apps, games, and social platforms) directed to children under 13.
Operators who knowingly collect data from users under 13, even if the site is not specifically directed at children.
Third-party services, such as plugins or ad networks, that collect data through child-directed platforms.
Under COPPA, parents and legal guardians have the right to:
Be informed of the types of personal data being collected from their children.
Give or deny consent to the collection and use of their child's information.
Access or review their child’s personal information held by a business.
Request deletion of their child’s data.
Withdraw consent and prohibit further collection or use of their child’s personal information.
Cookie consent banners must clearly explain data collection practices and ensure no data is gathered from children without parental approval.
Cookies, especially those used for tracking, behavioral profiling, or targeted advertising, fall under COPPA if they collect information from users under 13. This includes:
IP addresses
Device IDs
Location data
Browsing behavior
If your platform is child-directed or knowingly targets children, you must disable tracking cookies until you have received verifiable parental consent. First-party cookies used for essential functionality may be permitted, but profiling or marketing cookies are restricted.
Violating COPPA can result in:
Civil penalties of up to 50,120 USD per violation.
Enforcement actions by the FTC and state attorneys general.
Reputational damage, public investigation reports, and forced changes to business practices.
Legal settlements or compliance orders requiring periodic audits and monitoring.
At the heart of COPPA compliance is following standard best practices for data privacy, in addition to obtaining verifiable parental consent before collecting or disclosing a child’s personal information.
Update privacy policy:
Provide clear and comprehensive privacy notices about your data practices.
Gain parental consent:
Obtain verifiable parental consent before collecting or disclosing a child's personal information.
Give parents control:
Allow parents to access and delete their child’s information.
Keep data secure:
Implement procedures to maintain data security.
Data minimization:
Limit data collection to what is necessary for the activity.
COPPA applies to websites, mobile apps, and online services that collect personal information from children under 13 in the United States, or that knowingly target this age group.
COPPA defines personal information as any data that can be used to identify a child, including names, email addresses, usernames, IP addresses, geolocation data, and photos or voice recordings.
All personal data from children under 13 is treated as sensitive under COPPA. This includes identifiers, biometric data, and behavioral information collected through tracking.
The Federal Trade Commission (FTC) enforces COPPA, including investigating complaints, issuing fines, and publishing enforcement guidelines.
General-audience websites that neither target children nor knowingly collect their data may be exempt. However, once an operator becomes aware they are collecting data from a child under 13, COPPA applies.
You can visit the FTC’s COPPA page for comprehensive guidance, updates, and compliance resources.
©2018-2025 CookieHub ehf.