Explainer Guide

What is COPPA?

The Children's Online Privacy Protection Act explained

Everything you need to know about the federal law that protects children's privacy online — from requirements and enforcement to the latest 2025 amendments.

Quick Answer

COPPA (the Children's Online Privacy Protection Act) is a United States federal law enacted in 1998 that requires websites, apps, and online services to obtain verifiable parental consent before collecting personal information from children under 13. Enforced by the Federal Trade Commission (FTC), COPPA imposes civil penalties of up to $53,088 per violation and was significantly updated in 2025 with new requirements for data security, retention policies, and third-party data sharing.

COPPA at a Glance

  • Enacted: 1998
  • Enforced by: FTC
  • Age threshold: Under 13
  • Status: In Force
  • Penalty: $53,088/violation
  • Last amended: 2025

Requirements

What Does COPPA Require?

COPPA places specific obligations on operators of websites and online services directed at children under 13, or that knowingly collect personal information from children.

Verifiable Parental Consent

Operators must obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13.

Clear Privacy Policy

Post a comprehensive, clearly written privacy policy describing data practices for children, including what is collected and how it is used.

Data Security Program

Maintain a written information security program to protect the confidentiality, security, and integrity of children's personal data.

Data Retention & Deletion

Implement written data retention policies with defined limits. Delete children's data when no longer necessary for its collected purpose.

Parental Review Rights

Parents can review all personal information collected from their child, request deletion, and refuse further collection at any time.

Data Minimization

Operators cannot condition a child's participation in an activity on providing more personal information than is reasonably necessary.

Full List of Key Provisions

  • Verifiable parental consent required before collecting personal information from children under 13
  • Separate verifiable parental consent required for third-party data sharing (disclosures for ads, AI training, and monetization are never considered 'integral' to the service)
  • Mandatory written information security program to protect children's data
  • Mandatory written data retention and deletion policy with defined retention limits
  • Enhanced direct notice to parents must disclose identities or categories of all third parties receiving children's data
  • Expanded definition of personal information to include biometric identifiers (voiceprints, facial templates, gait patterns) and government-issued IDs
  • New verifiable parental consent methods: knowledge-based authentication, facial recognition matching, and text-plus verification
  • Operators must post clear privacy policies describing data practices for children
  • Parents have the right to review, delete, and refuse further collection of their child's data
  • Safe Harbor program transparency requirements (public reporting and accountability)
  • FTC enforcement with civil penalties of up to $53,088 per violation (inflation-adjusted)

Who Must Comply with COPPA?

Operators of Child-Directed Services

Any commercial website, online service, or mobile app that is directed to children under 13 must comply with COPPA. The FTC considers factors like subject matter, visual content, use of animated characters, child-oriented activities, age of models, music, and whether advertising on the site or service is directed to children.

General Audience Sites with Actual Knowledge

General audience websites and services that do not specifically target children must still comply with COPPA if they have actual knowledge that they are collecting personal information from a child under 13. This includes platforms where users can disclose their age during registration.

Third-Party Plug-ins and Ad Networks

Third-party services such as advertising networks, analytics providers, and social media plug-ins that collect personal information from users of child-directed sites are also subject to COPPA. The 2025 amendments added requirements for written confirmation from service providers regarding security measures.

Proposed Legislation

COPPA 2.0: What's Changing?

COPPA 2.0 would extend COPPA to teens under 17, ban all targeted advertising to minors, and create an Eraser Button for data deletion. It passed the Senate 91-3 as part of KOSMA in July 2024 (118th Congress), but the House never voted and the bill expired Jan 3, 2025. It was reintroduced in the 119th Congress as S.836 (Senate, March 2025, Senators Markey & Cassidy) and H.R.6291 (House, November 2025). It has not yet been signed into law.

Status: Reintroduced in 119th Congress (S.836, 2025)

Key Changes in COPPA 2.0

  • Extends COPPA from children under 13 to all minors under 17
  • Complete ban on targeted advertising directed at minors
  • Creates Eraser Button — minors and parents can request deletion of all personal data
  • Prohibits conditioning service access on a minor providing more data than necessary
  • Establishes Youth Privacy and Marketing Division within the FTC
  • Increased penalties: up to $50,000 per violation (up from $46,517)

  • Current COPPA age threshold: Under 13
  • COPPA 2.0 proposed age threshold: Under 17

Enforcement

Penalties for Non-Compliance

The FTC actively enforces COPPA, with penalties reaching hundreds of millions of dollars in recent years.

  • Epic Games (2022), $520M: Fortnite privacy practices and dark patterns
  • YouTube / Google (2019), $170M: Tracking children without parental consent
  • TikTok (2019), $5.7M: Collecting data from children under 13

Under the amended COPPA Rule, the FTC can impose fines of up to $53,088 per violation, per child, per instance.

COPPA Safe Harbor Programs

The FTC allows industry groups to establish self-regulatory programs that provide a "safe harbor" for participating operators.

How Safe Harbors Work

Industry self-regulatory organizations can submit their guidelines to the FTC for approval. If approved, operators who comply with the safe harbor program's guidelines are deemed to be in compliance with COPPA. The FTC currently recognizes several approved safe harbor programs, including CARU (Children's Advertising Review Unit), ESRB Privacy Certified, kidSAFE Seal, Privo, and TrustArc.

2025 Safe Harbor Updates

The 2025 COPPA Rule amendments introduce new transparency requirements for safe harbor programs. Approved programs must now publicly report on their compliance monitoring activities, enforcement actions, and member adherence. This is intended to increase accountability and ensure that safe harbor designation reflects genuine compliance efforts.

Phosra Platform

How Phosra Helps with COPPA Compliance

Phosra provides a single API to enforce COPPA requirements across all connected platforms, from parental consent management to data deletion and ad blocking.

  • Parental consent gate enforcement
  • Targeted advertising block across platforms
  • Data deletion request automation
  • Parental event notifications
  • Screen time reporting for parents
  • Commercial data sharing ban

FAQ

Frequently Asked Questions

What age does COPPA protect?

COPPA protects children under 13 years of age. Any website, app, or online service that collects personal information from children under 13 must comply with COPPA's requirements, including obtaining verifiable parental consent before collection.

Does COPPA apply to my app?

COPPA applies if your app or website is directed at children under 13, or if you have actual knowledge that you are collecting personal information from children under 13. This includes apps, games, social media platforms, and any online service. Even general-audience sites must comply if they knowingly collect data from children.

What is verifiable parental consent?

Verifiable parental consent (VPC) is the mechanism by which operators confirm that a parent or guardian has authorized the collection of their child's personal information. Acceptable methods include signed consent forms, credit card verification, government ID checks, knowledge-based authentication, facial recognition matching, and text-plus verification (added in the 2025 amendments).

What are the penalties for COPPA violations?

The FTC can impose civil penalties of up to $53,088 per violation under the amended COPPA Rule. Penalties are assessed per violation, per child, per instance. Major enforcement actions have resulted in settlements of $520 million (Epic Games), $170 million (YouTube/Google), and $5.7 million (TikTok).

What is a COPPA safe harbor?

A COPPA safe harbor is an FTC-approved industry self-regulatory program. Organizations that participate in an approved safe harbor program and comply with its guidelines are deemed to be in compliance with COPPA. The 2025 amendments added new transparency requirements for safe harbor programs, including public reporting and accountability measures.

What changed in the 2025 COPPA Rule amendments?

The FTC finalized major amendments in January 2025 that add mandatory information security programs, written data retention and deletion policies, enhanced direct notice requirements, expanded personal information definitions (biometrics, government IDs), new consent methods, and separate consent requirements for third-party data sharing. Full compliance is required by April 22, 2026.