COPPA — Children's Online Privacy Protection Act
COPPA (2000) protects the online privacy of children under 13 in the US, requiring verifiable parental consent before collecting personal information from children.
Summary
COPPA (Children's Online Privacy Protection Act) is a US federal law protecting the privacy of children under 13 online. It applies to websites and online services directed at children or that knowingly collect data from children.
- Parental consent: Verifiable parental consent must be obtained before collecting personal information from children under 13.
- Privacy notice: Clear and understandable privacy policies specifically directed at parents.
- Data deletion: Parents can request deletion of data collected from their child.
- Data security: Reasonable security measures to protect children's data.
History
COPPA was passed in response to growing concerns about the online collection of children's data. It was passed by Congress in October 1998 and took effect on 21 April 2000. The FTC is responsible for enforcement and has issued extensive implementing rules. In 2013, the COPPA Rules were substantially updated to cover new technologies (mobile apps, plug-ins) and expand the definition of "personal information." On January 11, 2024, the FTC published a Notice of Proposed Rulemaking (NPRM) for COPPA Rule amendments in the Federal Register. On January 16, 2025, the FTC finalized the amendments, which include an expanded definition of personal information, separate consent requirements for third-party data sharing, and a mandatory data security program. The amended Rule took effect on June 23, 2025, with a compliance deadline of April 22, 2026.
Scope
COPPA applies to: (1) operators of commercial websites or online services directed at children under 13; (2) operators of general audience websites or online services that knowingly collect personal information from children under 13. Third-party service providers (e.g., ad tech companies) that knowingly collect data from child-directed sites may also fall directly under COPPA.
Key Requirements
- Privacy policy: Comprehensive, clear privacy policy with COPPA-specific information (types of data, sharing, deletion).
- Parental notice: Direct notice to parents before collecting data.
- Verifiable parental consent: Use of FTC-approved methods (e.g., credit card transaction, signed consent form, video verification).
- Separate consent for third parties: Since the 2025 Rule amendments, separate verifiable parental consent is required before disclosing children's data to third parties.
- Parental rights: Right to review, revoke consent, and delete child's data.
- Data deletion on request: Data must be deleted upon parental request.
- Data minimization: Only necessary data may be collected.
- Mandatory data security program: Since 2025, operators must maintain a reasonable data security program to protect children's data.
- Expanded definition of personal information: Since 2025, the definition includes biometric identifiers and additional digital identifiers.
- Fines: Up to USD 53,088 per violation (inflation-adjusted, as of 2025).
Related Frameworks
Corrections & Errata
1 correction:
- Incorrect date for FTC COPPA proposed rule: Jan 1 instead of Jan 11, 2024
3 updates:
- last_amended outdated — 2025 amendments not reflected
- Penalty amount outdated — 2025 inflation-adjusted amount is $53,088
- Missing 2025 COPPA Rule amendments (finalized and in effect)