verified_user
Standardful
Homechevron_rightStandardschevron_rightCOPPA
ActiveInternational Standardupdate Standard Updated: Jan 2025fact_check Fact checked: Jun 28, 2026

COPPA

Children's Online Privacy Protection Act of 1998

apartmentPublishing Organization:Federal Trade Commission (FTC)

Standard Introduction

The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law enacted in October 1998 and enforced by the Federal Trade Commission (FTC) through the COPPA Rule, which first took effect in April 2000. COPPA imposes requirements on operators of commercial websites and online services directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13.

COPPA requires operators to provide clear privacy policies, obtain verifiable parental consent before data collection, give parents access to and control over their children’s data, and maintain reasonable data security. The FTC actively enforces COPPA with significant civil penalties — the record being $275 million against Epic Games in 2022. Major amendments finalized in January 2025 strengthen protections around targeted advertising, data retention, and third-party disclosure, with full compliance required by April 2026.

child_care

Under-13 Protection

Imposes requirements on operators of websites and online services directed to children under 13 or that knowingly collect personal information from children under 13.

supervisor_account

Verifiable Parental Consent

Requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children.

gavel

FTC Enforcement

The FTC actively enforces COPPA with civil penalties up to $53,088 per violation. The record penalty was $275 million against Epic Games in 2022.

list_alt Core COPPA Requirements

  • Post a clear, comprehensive online privacy policy
  • Provide direct notice to parents before collecting data
  • Obtain verifiable parental consent before collection
  • Allow parents to review and delete child data
  • Limit data collection to what is reasonably necessary
  • Maintain reasonable data security procedures
  • Data retention and deletion requirements
  • Safe harbor programs for self-regulation

Who Needs to Comply?

groups

Operators of commercial websites and online services (including apps, games, and connected devices) directed to children under 13, or that have actual knowledge they are collecting personal information from children under 13.

Key Requirements

1

Privacy Policy

Operators must post a clear, comprehensive privacy policy describing information practices for children's personal information, including types of data collected, how it is used, and disclosure practices.

2

Verifiable Parental Consent

Must obtain verifiable parental consent before collecting, using, or disclosing personal information from children. Methods include signed consent forms, credit card verification, video conferencing, and government ID checks.

3

Data Minimization

Operators may not condition a child's participation in activities on the collection of more personal information than is reasonably necessary for that activity.

4

Data Security Program

Establish and maintain a written information security program with reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

5

Parental Access Rights

Parents must be able to review personal information collected from their child, have it deleted, and refuse further collection or use.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare scope, ownership and regulatory context

Define the children's online privacy compliance program scope across websites, apps, games, connected services, ad tech, analytics, parental workflows, and child-directed or mixed-audience experiences. Assign accountable owners, identify applicable legal, customer, certification, or market-access drivers, and agree the evidence model before remediation starts.

2
Phase 2schedule Duration: 4-8 weeks

Gap analysis and risk-based planning

Assess current practices against COPPA expectations and risk context. Review age screening, direct parental notice, verifiable parental consent, data minimization, parental access and deletion rights, third-party sharing limits, security, retention, and safe-harbor alignment, then prioritize gaps by legal exposure, customer impact, safety or privacy risk, and audit or submission readiness.

3
Phase 3schedule Duration: 8-20 weeks

Implement controls, documentation and evidence

Deploy the required processes, controls, reviews, training, supplier controls, and documented information. Build traceable evidence around privacy notices, consent flows, age-gate logic, parental verification records, data maps, processor contracts, deletion logs, security controls, and retention schedules.

4
Phase 4schedule Duration: Ongoing

Review, audit and maintain compliance

Complete internal reviews, readiness checks, and corrective actions before the FTC inquiry or privacy review. Keep the program current after product, supplier, legal, customer, incident, or operational changes.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and records

checklist Monitoring and improvement

Penalties & Enforcement

warning

Civil penalties up to $53,088 per violation. The FTC secured a record $275 million COPPA penalty against Epic Games (Fortnite) in December 2022. Penalties consider the severity of violations, number of children affected, and company size.

Frequently Asked Questions

Who needs COPPA?

expand_more

COPPA is relevant for organizations whose activities fall within websites, apps, games, connected services, ad tech, analytics, parental workflows, and child-directed or mixed-audience experiences. It is commonly driven by regulation, customers, procurement requirements, market access, or the need to demonstrate disciplined control over high-impact risks.

What is the core purpose of COPPA?

expand_more

The core purpose is to create a repeatable program for age screening, direct parental notice, verifiable parental consent, data minimization, parental access and deletion rights, third-party sharing limits, security, retention, and safe-harbor alignment. The details vary by sector, but the practical goal is to make obligations visible, assign ownership, operate controls, and keep evidence current.

What should be done first?

expand_more

Start by confirming scope and ownership. Many failures come from unclear boundaries, missing accountable owners, or evidence that does not match the actual product, service, system, or data flow.

How long does implementation take?

expand_more

A focused implementation can take several months. Timelines depend on maturity, number of products or sites, supplier involvement, technical complexity, test evidence, and the depth of external review required.

What evidence is most useful?

expand_more

Useful evidence includes privacy notices, consent flows, age-gate logic, parental verification records, data maps, processor contracts, deletion logs, security controls, and retention schedules. Auditors, regulators, customers, or reviewers usually expect evidence that controls are operating, not only that policies exist.

How should suppliers be handled?

expand_more

Supplier responsibilities should be defined contractually and operationally. High-risk suppliers need due diligence, flow-down requirements, evidence requests, performance monitoring, and escalation routes for findings or incidents.

How often should the program be reviewed?

expand_more

Review frequency should follow risk and change. Annual reviews are common, but product releases, incidents, regulatory changes, customer requirements, major suppliers, or audit findings should trigger targeted review sooner.

Can this be integrated with other compliance programs?

expand_more

Yes. COPPA can often share governance, training, supplier management, document control, issue tracking, internal audit, and management review with related standards, while keeping its specific legal or technical evidence separate.

Official Documentation

View All

Implementation Timeline

gavel
Oct 1998
COPPA signed into law by President Clinton
check_circle
Apr 2000
FTC COPPA Rule takes effect
edit_note
Jul 2013
Amended Rule effective — expanded definitions and consent methods
warning
Dec 2022
Record $275M penalty against Epic Games (Fortnite)
update
Jan 2025
FTC finalizes major COPPA Rule amendments
event
Apr 2026
Full compliance deadline for 2025 COPPA Rule amendments

Related Categories