COPPA
Children's Online Privacy Protection Act of 1998
Standard Introduction
The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law enacted in October 1998 and enforced by the Federal Trade Commission (FTC) through the COPPA Rule, which first took effect in April 2000. COPPA imposes requirements on operators of commercial websites and online services directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13.
COPPA requires operators to provide clear privacy policies, obtain verifiable parental consent before data collection, give parents access to and control over their children’s data, and maintain reasonable data security. The FTC actively enforces COPPA with significant civil penalties — the record being $275 million against Epic Games in 2022. Major amendments finalized in January 2025 strengthen protections around targeted advertising, data retention, and third-party disclosure, with full compliance required by April 2026.
Under-13 Protection
Imposes requirements on operators of websites and online services directed to children under 13 or that knowingly collect personal information from children under 13.
Verifiable Parental Consent
Requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children.
FTC Enforcement
The FTC actively enforces COPPA with civil penalties up to $53,088 per violation. The record penalty was $275 million against Epic Games in 2022.
Core COPPA Requirements
- Post a clear, comprehensive online privacy policy
- Provide direct notice to parents before collecting data
- Obtain verifiable parental consent before collection
- Allow parents to review and delete child data
- Limit data collection to what is reasonably necessary
- Maintain reasonable data security procedures
- Data retention and deletion requirements
- Safe harbor programs for self-regulation
Who Needs to Comply?
Operators of commercial websites and online services (including apps, games, and connected devices) directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13.
Key Requirements
Privacy Policy
Operators must post a clear, comprehensive privacy policy describing information practices for children's personal information, including types of data collected, how it is used, and disclosure practices.
Verifiable Parental Consent
Operators must obtain verifiable parental consent before collecting, using, or disclosing personal information from children. Methods include signed consent forms, credit card verification, video conferencing, and government ID checks.
Data Minimization
Operators may not condition a child's participation in activities on the collection of more personal information than is reasonably necessary for that activity.
Data Security Program
Operators must establish and maintain a written information security program with reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
Parental Access Rights
Parents must be able to review personal information collected from their child, have it deleted, and refuse further collection or use.
Penalties & Enforcement
Civil penalties are up to $53,088 per violation. The FTC secured a record $275 million COPPA penalty against Epic Games (Fortnite) in December 2022. Penalties consider the severity of violations, number of children affected, and company size.