What Is COPPA?
COPPA (Children's Online Privacy Protection Act) is a US federal law that restricts the online collection of personal information from children under 13. Enforced by the Federal Trade Commission (FTC), COPPA requires operators to: obtain verifiable parental consent before collecting any data from children, maintain a clear privacy policy, give parents access to and control over their child's data, and delete children's data upon request. Violations can result in civil penalties up to $51,744 per violation.
Who Does COPPA Apply To?
COPPA applies to two categories of operators:
1. Sites/Apps Directed to Children
Factors the FTC considers when determining if a site is "directed to children":
- Subject matter primarily about children
- Animated characters, cartoons, child-friendly graphics
- Child-oriented activities (games, puzzles, coloring)
- Music or celebrities popular with children
- Use of child models or actors
- Young adult content appealing to under-13s
2. General Audience Sites With Knowledge
Even general audience sites must comply when they have "actual knowledge" of under-13 users:
- A user tells you they are under 13 during registration
- Age verification shows a user is under 13
- A parent or guardian contacts you about their child's account
- User behavior patterns suggest child users
- Your own employees report child users
Did you know?
Many app developers mistakenly believe that adding "You must be 13 or older to use this app" in their terms of service protects them from COPPA. It does not. If the FTC determines your app is directed to children based on content and design, COPPA applies regardless of your age gate in the terms.
What COPPA Requires
COPPA has five core requirements for operators. Your privacy policy must reflect compliance with all of them.
| COPPA Requirement | What You Must Do |
|---|---|
| Clear privacy notice | Prominent, clearly written privacy policy on your homepage and every page where data is collected |
| Direct notice to parents | Notify parents directly before collecting any personal information from their child |
| Verifiable parental consent | Obtain verifiable consent from parents before collecting, using, or disclosing children's data |
| Parent access and control | Allow parents to review, correct, and delete their child's data at any time |
| Data security and retention | Keep children's data only as long as needed for the purpose collected, then delete securely |
Verifiable Parental Consent Methods
One of COPPA's most challenging requirements is obtaining "verifiable parental consent" - you must take reasonable steps to confirm that the person providing consent is actually the child's parent.
The FTC has approved several methods:
- Credit or debit card transaction: Requiring a small transaction to verify parent's payment method - refundable if desired.
- Parent signs and returns a consent form: Send form by postal mail, email, or fax and require return with signature.
- Video conference with the parent: Real-time interaction with the parent to confirm identity and obtain consent.
- Government-issued photo ID check: Verify parent's identity using a government ID, then delete the ID immediately after verification.
- Knowledge-based authentication: Questions from a consumer report database that only a parent would likely know.
Did you know?
A simple email confirmation is NOT sufficient verifiable parental consent under COPPA unless combined with additional verification steps. The FTC's view is that email alone cannot verify that the person consenting is actually an adult parent or guardian.
COPPA Privacy Policy Requirements
Under COPPA, your privacy policy must contain specific disclosures. The FTC Rule specifies the required content in detail.
- Name, address, telephone number, and email address of all operators collecting or maintaining data
- Description of what personal information is collected from children and how it is used
- Description of all third parties who receive children's personal information
- That verifiable parental consent is required before collecting personal information
- How parents can review their child's personal information
- That parents may refuse to permit further collection of their child's information
- Procedures for deleting children's personal information
- That you do not condition participation on providing more information than is reasonably necessary
COPPA Privacy Policy: Template Section Examples
Children's Privacy
Our [website/app] is directed to children under the age of 13. We are committed to protecting the privacy of children and complying with the Children's Online Privacy Protection Act (COPPA). We do not collect any personal information from children under 13 without verifiable parental consent.
Parental Consent
Before we collect any personal information from your child, we will send a direct notice to the email address you provide. This notice will describe what information we collect, how it will be used, and how you can review, correct, or delete your child's information. We will not collect, use, or disclose your child's personal information until we have received your verifiable consent.
Parent's Rights
As a parent or guardian, you have the right to: review personal information we have collected from your child, have that information deleted, refuse to permit further collection of your child's information, and consent to our collection of your child's information without consenting to disclosure to third parties. To exercise these rights, contact us at [privacy@yoursite.com] or [1-800-XXX-XXXX].
Third-Party Services and COPPA Compliance
One of the most challenging aspects of COPPA is managing third-party services. Many common analytics, advertising, and social features collect data from users - and if those users are children, your third-party service must also be COPPA-compliant.
| Service Type | COPPA Consideration | Action Required |
|---|---|---|
| Google Analytics | Collects user behavior data | Must disable advertising features; use restricted data processing |
| Facebook Pixel | Behavioral tracking and advertising | Generally not COPPA compliant - avoid or configure carefully |
| YouTube embeds | May collect viewing data | Use YouTube Privacy-Enhanced Mode (youtube-nocookie.com) |
| Comment systems | Collect personal information from commenters | Disable or require parental consent before posting |
| Email newsletter tools | Collect email addresses | Must verify email belongs to a parent, not the child |
5 Common COPPA Privacy Policy Mistakes
1. Relying on an age gate without COPPA compliance
Asking users to click 'I am 13 or older' does not satisfy COPPA if your site is directed to children. The FTC can determine your site is directed to children regardless of your age gate if the content attracts under-13s.
2. Using advertising networks that are not COPPA compliant
Standard advertising networks like Google AdSense are not COPPA compliant for child-directed content. You must use child-safe advertising programs or disable advertising entirely for child users.
3. Not notifying parents before collecting any data
COPPA requires a direct notice to parents BEFORE you collect information. Burying the notice in your privacy policy or requiring parents to find it themselves does not meet the 'direct notice' requirement.
4. Retaining children's data longer than necessary
COPPA requires you to retain children's personal information only as long as necessary for the purpose it was collected. You must have a deletion schedule and process documented in your policy.
5. Not listing all operators and third parties collecting data
COPPA requires your privacy policy to list the name, address, telephone number, and email of all operators who collect data from children. Each must be specifically identified, not covered by a vague 'third-party service providers' reference.
Frequently Asked Questions
What is COPPA?
COPPA (Children's Online Privacy Protection Act) is a US federal law restricting online collection of personal data from children under 13. It requires verifiable parental consent, clear privacy disclosures, and grants parents control over their child's data. Violations can result in fines up to $51,744 per violation.
Who does COPPA apply to?
COPPA applies to operators of websites and online services directed to children under 13, and general audience sites that have actual knowledge they are collecting data from children under 13. It applies regardless of business location, as long as data is collected from US-based children.
What must a COPPA privacy policy include?
A COPPA policy must include: what data is collected from children, how it's used, third-party recipients, that parental consent is required, how parents can review and delete data, that parents can refuse further collection, and operator contact information.
Does COPPA apply to my app or website?
COPPA applies if your app or site is directed to children under 13 (based on content, design, and subject matter) OR if you have actual knowledge that children under 13 are using it. Adding an age gate to your terms of service alone is not sufficient.
What is verifiable parental consent under COPPA?
Verifiable parental consent means confirming that an actual adult parent or guardian has consented. Acceptable methods include credit card verification, signed consent forms, video conference, government ID check, or knowledge-based authentication. A simple email confirmation or checkbox is not sufficient.