COPPA
Children's Online Privacy Protection Act of 1998
Standard Introduction
The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law enacted in October 1998 and enforced by the Federal Trade Commission (FTC) through the COPPA Rule, which first took effect in April 2000. COPPA imposes requirements on operators of commercial websites and online services directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13.
COPPA requires operators to provide clear privacy policies, obtain verifiable parental consent before data collection, give parents access to and control over their children’s data, and maintain reasonable data security. The FTC actively enforces COPPA with significant civil penalties — the record being $275 million against Epic Games in 2022. Major amendments finalized in January 2025 strengthen protections around targeted advertising, data retention, and third-party disclosure, with full compliance required by April 2026.
Under-13 Protection
Imposes requirements on operators of websites and online services directed to children under 13 or that knowingly collect personal information from children under 13.
Verifiable Parental Consent
Requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
FTC Enforcement
The FTC actively enforces COPPA with civil penalties up to $53,088 per violation. The record penalty was $275 million against Epic Games in 2022.
list_alt Core COPPA Requirements
- Post a clear, comprehensive online privacy policy
- Provide direct notice to parents before collecting data
- Obtain verifiable parental consent before collection
- Allow parents to review and delete child data
- Limit data collection to what is reasonably necessary
- Maintain reasonable data security procedures
- Data retention and deletion requirements
- Safe harbor programs for self-regulation
Who Needs to Comply?
Operators of commercial websites and online services (including apps, games, and connected devices) directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13.
Key Requirements
Privacy Policy
Operators must post a clear, comprehensive privacy policy describing information practices for children's personal information, including types of data collected, how it is used, and disclosure practices.
Verifiable Parental Consent
Must obtain verifiable parental consent before collecting, using, or disclosing personal information from children. Methods include signed consent forms, credit card verification, video conferencing, and government ID checks.
Data Minimization
Operators may not condition a child's participation in activities on the collection of more personal information than is reasonably necessary for that activity.
Data Security Program
Establish and maintain a written information security program with reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
Parental Access Rights
Parents must be able to review personal information collected from their child, have it deleted, and refuse further collection or use.
Implementation Roadmap
Prepare scope, ownership and regulatory context
Define the children's online privacy compliance program scope across websites, apps, games, connected services, ad tech, analytics, parental workflows, and child-directed or mixed-audience experiences. Assign accountable owners, identify applicable legal, customer, certification, or market-access drivers, and agree the evidence model before remediation starts.
Gap analysis and risk-based planning
Assess current practices against COPPA expectations and risk context. Review age screening, direct parental notice, verifiable parental consent, data minimization, parental access and deletion rights, third-party sharing limits, security, retention, and safe-harbor alignment, then prioritize gaps by legal exposure, customer impact, safety or privacy risk, and audit or submission readiness.
Implement controls, documentation and evidence
Deploy the required processes, controls, reviews, training, supplier controls, and documented information. Build traceable evidence around privacy notices, consent flows, age-gate logic, parental verification records, data maps, processor contracts, deletion logs, security controls, and retention schedules.
Review, audit and maintain compliance
Complete internal reviews, readiness checks, and corrective actions before the FTC inquiry or privacy review. Keep the program current after product, supplier, legal, customer, incident, or operational changes.
Compliance Checklist
checklist Scope and accountability
checklist Controls and records
checklist Monitoring and improvement
Penalties & Enforcement
Civil penalties up to $53,088 per violation. The FTC secured a record $275 million COPPA penalty against Epic Games (Fortnite) in December 2022. Penalties consider the severity of violations, number of children affected, and company size.
Frequently Asked Questions
Who needs COPPA?
expand_more
COPPA is relevant for organizations whose activities fall within websites, apps, games, connected services, ad tech, analytics, parental workflows, and child-directed or mixed-audience experiences. It is commonly driven by regulation, customers, procurement requirements, market access, or the need to demonstrate disciplined control over high-impact risks.
What is the core purpose of COPPA?
expand_more
The core purpose is to create a repeatable program for age screening, direct parental notice, verifiable parental consent, data minimization, parental access and deletion rights, third-party sharing limits, security, retention, and safe-harbor alignment. The details vary by sector, but the practical goal is to make obligations visible, assign ownership, operate controls, and keep evidence current.
What should be done first?
expand_more
Start by confirming scope and ownership. Many failures come from unclear boundaries, missing accountable owners, or evidence that does not match the actual product, service, system, or data flow.
How long does implementation take?
expand_more
A focused implementation can take several months. Timelines depend on maturity, number of products or sites, supplier involvement, technical complexity, test evidence, and the depth of external review required.
What evidence is most useful?
expand_more
Useful evidence includes privacy notices, consent flows, age-gate logic, parental verification records, data maps, processor contracts, deletion logs, security controls, and retention schedules. Auditors, regulators, customers, or reviewers usually expect evidence that controls are operating, not only that policies exist.
How should suppliers be handled?
expand_more
Supplier responsibilities should be defined contractually and operationally. High-risk suppliers need due diligence, flow-down requirements, evidence requests, performance monitoring, and escalation routes for findings or incidents.
How often should the program be reviewed?
expand_more
Review frequency should follow risk and change. Annual reviews are common, but product releases, incidents, regulatory changes, customer requirements, major suppliers, or audit findings should trigger targeted review sooner.
Can this be integrated with other compliance programs?
expand_more
Yes. COPPA can often share governance, training, supplier management, document control, issue tracking, internal audit, and management review with related standards, while keeping its specific legal or technical evidence separate.
Official Documentation
COPPA Rule (16 CFR Part 312)
External Link • ecfr.gov • Full Regulatory Text
FTC COPPA Portal
External Link • ftc.gov • Official Rule Information
COPPA Compliance FAQ
External Link • ftc.gov • Business Guidance & FAQ