COPPA: Children's Online Privacy Protection Act Guide

Review COPPA compliance requirements for commercial websites. Understand parental consent, privacy policies, and how to avoid costly FTC penalties.

The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law that regulates how commercial websites and online services collect information from children under 13. It requires operators to post clear privacy policies and obtain verifiable consent from parents before collecting, using, or disclosing a child's data. For marketers and SEO practitioners, compliance is critical to avoid heavy fines and ensure that tracking pixels or third-party tools do not inadvertently scrape data from minors.

What is COPPA?

COPPA was enacted in 1998 and became effective on April 21, 2000. It applies specifically to the collection of personal information from children under the age of 13. The Federal Trade Commission (FTC) enforces this law to ensure parents remain in control of what information is gathered from their children online.

The law covers any website or service directed at children, as well as general audience sites that have "actual knowledge" they are collecting data from a minor. Even if a company is based outside the United States, COPPA applies if it targets U.S. users or collects data from children located in the U.S.

Why COPPA matters

Failure to comply with COPPA carries severe financial and reputational risks. Modern marketing often relies on data collection that may conflict with these regulations.

  • Financial Penalties: The costs of non-compliance are high. [Courts may fine violators up to $50,120 in civil penalties for each violation] (Federal Trade Commission).
  • Ad-Tech Complexity: Many automated tools used by marketers track users by default. [96% of apps used in K to 12 schools shared personal information with third parties and advertisers] (Internet Safety Labs).
  • Brand Reputation: High-profile settlements damage consumer trust. [Google and the FTC reached a $170 million settlement over YouTube violations] (CNN Business).
  • Platform Restrictions: Major platforms may ban services that fail to meet criteria. Apple and Google pulled dating apps after the FTC found they allowed users under 13 to register.

How COPPA works

The FTC uses a sliding scale for compliance based on how the data is used. If you collect "personal information," which includes names, geolocations, or photos, you must follow these steps:

  1. Transparency: Post a clear privacy policy describing exactly what data you collect and how you use it.
  2. Direct Notice: Notify parents directly about your data practices before any collection occurs.
  3. Verifiable Consent: Obtain consent through methods like a signed form, a credit card transaction, or a "face match" compared to a government ID.
  4. Parental Access: Provide a way for parents to review, delete, or refuse further collection of their child's information.
  5. Data Minimization: Only collect the data reasonably necessary for the child to participate in the activity.
  6. Security and Retention: Protect the integrity of the data and delete it once the original purpose is fulfilled.

Safe Harbor Programs

The FTC allows industry groups to create self-regulatory programs known as "Safe Harbors." Website operators who participate in these programs are subject to the program's disciplinary procedures instead of direct FTC enforcement for most issues.

As of 2016, several organizations provided these programs, including TrustArc, ESRB, CARU, iKeepSafe, and the Internet Keep Safe Coalition. However, these programs are under constant review. [Aristotle, Inc. withdrew from the safe harbor program in 2021 after the FTC expressed concerns about its enforcement] (FTC Press Releases).

Best practices

Audit your tracking tools. Check if your SEO tools, pixels, or heatmaps collect "persistent identifiers" like IP addresses. These are considered personal information under the 2013 COPPA updates.

Use age gates correctly. Do not encourage "age fraud." If you ask for a birth date, do not suggest that the user must be older to enter, as this encourages children to lie.

Vet your SDKs. Software Development Kits (SDKs) often transmit data to third parties without the developer's knowledge. Conduct due diligence to ensure these kits do not create undisclosed data collection pathways.

Minimize data collection. Stick to tools designed for education if your audience includes children. Avoid using tools that commercialize student learning or focus heavily on advertising.

Common mistakes

Mistake: Assuming COPPA only applies if you have a "kids' site." Fix: Any service with "actual knowledge" of a user's age is liable. If you ask for an age and the user says 10, COPPA applies immediately.

Mistake: Failing to disclose third-party trackers. Fix: Your privacy policy must list every third party that collects data through your site, including ad networks or analytics plugins.

Mistake: Keeping data indefinitely. Fix: Establish a deletion schedule. New rules require [stricter limits on data retention] (Federal Trade Commission).

Mistake: Using "Actual Knowledge" as a loophole. Fix: The FTC also considers whether your content (visuals, characters, celebrities) is "directed to children," regardless of whether you officially know the user's age.

Examples

YouTube Content Creators: Following a settlement, YouTube now requires creators to mark videos as "child-oriented" or "not for kids." This affects how targeted ads are served.

TikTok (ByteDance): The company [agreed to pay $5.7 million to settle claims that it failed to obtain parental consent] (Federal Trade Commission) and was required to add a kids-only mode.

Epic Games: The Fortnite creator agreed to a [record $520 million settlement involving both COPPA violations and unintended purchases] (The New York Times).

COPPA vs GDPR

| Feature | COPPA | GDPR |
|---|---|---|
| Jurisdiction | United States | European Union |
| Protected Age | Under 13 | Under 16 (member states can lower to 13) |
| Key Metric | Parental consent for all data | Specific data processing rights |
| Maximum Fine | $50,120 per violation | Up to 4% of annual global revenue |
| Risk | Civil penalties | Global revenue fines |

FAQ

Does COPPA apply to non-profit organizations? Generally, most recognized non-profits are exempt. However, the Supreme Court ruled that non-profits operating for the commercial benefit of their members are subject to FTC regulation and COPPA requirements.

What is considered personal information under COPPA? It includes first and last names, physical addresses, online contact information (like email), screen names, telephone numbers, and Social Security numbers. It also covers persistent identifiers (cookies, IP addresses), geolocation data, and photos/videos containing a child's image or voice.

How do I verify a parent's identity? The FTC approves several "sliding scale" methods. These include providing a form to be signed and returned, using a credit card in connection with a transaction, or using "face match to verified photo identification" (FMVPI) where an ID is compared to a live photo.

Can schools provide consent instead of parents? Yes, schools may grant consent on behalf of parents if the data is used strictly for educational purposes and not for commercial or advertising use.

What is COPPA 2.0? Introduced as proposed legislation, COPPA 2.0 aims to expand protections to minors under 17 and ban targeted advertising to all children. [Both KOSA and COPPA 2.0 passed the Senate in mid-2024] (Morrison Foerster), though they have not yet become law.
