What is COPPA?
The Children’s Online Privacy Protection Act (COPPA) is a United States federal law enacted in 1998 and updated in 2013. It requires operators of websites, apps, and online services to obtain verifiable parental consent before collecting personal information from children under 13. COPPA is enforced by the Federal Trade Commission (FTC) and applies to operators of services directed to children and to operators that have actual knowledge that they are collecting children’s personal information.
COPPA’s scope extends beyond obvious children’s products. Any service that collects data from users under 13 — even if the service is not explicitly directed to children — must comply when the operator has actual knowledge of the child’s age.
Key Requirement Areas
COPPA imposes specific obligations across several areas of children’s data handling and privacy governance.
| Requirement Area | Description | Key Provisions |
|---|---|---|
| Verifiable Parental Consent | Obtain consent before collecting children’s personal information | FTC-approved consent methods, consent verification, consent records |
| Privacy Notice Requirements | Clear, comprehensive notice to parents | Online notice, direct notice, notice content requirements |
| Age Gating / Age Verification | Determine whether users are under 13 | Age screens, neutral age prompts, age verification mechanisms |
| Data Minimization | Collect only what is reasonably necessary | Purpose limitation, no conditioning participation on excess data |
| Vendor / Third-Party Liability | Operators responsible for third-party data collection | SDK audit, advertising network controls, third-party contracts |
| Data Retention and Deletion | Retain only as long as necessary, then delete | Retention policies, secure deletion, parental deletion requests |
| Safe Harbor Programs | FTC-approved self-regulatory programs | Industry guidelines, compliance monitoring, streamlined oversight |
Readiness Assessment Checklist
Before engaging in a full compliance program, evaluate where your organization stands against these six readiness questions:
- Have you conducted a “directed to children” analysis to determine whether COPPA applies to your service?
- Do you have FTC-approved verifiable parental consent mechanisms in place for all data collection from users under 13?
- Is your privacy notice compliant with COPPA’s content and format requirements, including both online and direct notice?
- Are you collecting only the personal information reasonably necessary for the activity, without conditioning participation on excess data?
- Have you audited all third-party SDKs, plugins, and advertising networks for COPPA compliance and data collection practices?
- Do you have data retention and deletion policies that ensure children’s data is retained only as long as necessary?
If you can’t confidently answer “yes” to most of these, a readiness sprint will get you there.