What COPPA Requires and Who It Applies To

The Children's Online Privacy Protection Act (COPPA) is a US federal law enacted in 1998, with its implementing rule enforced by the Federal Trade Commission (FTC). It applies to operators of websites, apps, and online services that either target children under 13 or have actual knowledge that they are collecting personal information from children under 13.

COPPA does not only apply to websites designed for children. If your site collects data from users and you know (or should know) that some of those users are under 13, the law applies to you. This includes general-audience websites that offer features likely to attract younger users, such as games, quizzes, or interactive content.

The law covers a broad range of personal information: full names, email addresses, physical addresses, phone numbers, photographs, audio or video files, geolocation data, and persistent identifiers like _ga or _fbp cookies when used to track a child across sites.

The 2025 COPPA Rule Amendments

On 16 January 2025, the FTC unanimously approved significant amendments to the COPPA Rule. Published in the Federal Register on 22 April 2025, these changes took effect on 23 June 2025, with full compliance required by 22 April 2026.

The amendments expand the definition of "personal information" to include biometric identifiers and government-issued identification numbers. They also introduce stricter requirements around third-party data sharing: operators must now obtain separate verifiable parental consent before disclosing a child's personal information to third parties for targeted advertising.

Data retention limits are another major change. Operators can no longer hold children's personal information indefinitely. The amended rule requires that data be retained only for as long as reasonably necessary to fulfil the specific purpose for which it was collected.

Safe harbour programmes approved by the FTC must now publicly disclose their membership lists and provide additional reporting to the Commission. This increases transparency for parents trying to evaluate whether a service genuinely protects their children's data.

Verifiable Parental Consent: Methods and Standards

The centrepiece of COPPA compliance is verifiable parental consent (VPC). Before collecting, using, or disclosing personal information from a child under 13, you must notify the parent and obtain their verifiable authorisation.

The FTC does not prescribe a single method. Instead, it requires a method "reasonably designed, in light of available technology, to ensure that the person providing consent is the child's parent." Acceptable methods include:

  • Signing and returning a consent form by post, fax, or email
  • Credit card transactions where a charge is made and disclosed as a verification mechanism
  • Knowledge-based authentication using questions a child under 13 could not reasonably answer
  • Government-issued photo identification verified against a database
  • Face verification compared against government-issued identification
  • Video conferencing with trained personnel
  • Text message verification combined with additional identity confirmation steps

There are limited exceptions. You do not need VPC to collect a child's email address solely to respond to a one-off request, or to collect information strictly for internal operations such as maintaining the website or analytics that do not involve sharing data with third parties.

What Counts as a "Child-Directed" Website

The FTC uses a multi-factor test to determine whether a site or service is directed at children. Factors include subject matter, visual content, use of animated characters or child-oriented activities, the age of models, the presence of child celebrities, music or other audio content, and whether advertising on the site is directed at children.

"Mixed audience" sites present a particular challenge. Under the 2025 amendments, operators of mixed-audience services face enhanced obligations. If your site attracts both adults and children, you must implement an age-screening mechanism and apply COPPA protections to any user identified as under 13.

This matters for education websites, gaming platforms, and any service with user-generated content where children might participate alongside adults.

Persistent Identifiers and Cookies Under COPPA

COPPA treats persistent identifiers - including cookies, device IDs, and IP addresses - as personal information when they are used to recognise a user over time and across different websites or services. Setting a tracking cookie like _fbp or _ga on a child's browser without parental consent violates the rule.

This has direct implications for marketing cookies and third-party tracking scripts. If your site could attract children, you need a mechanism to block non-essential cookies for users who may be under 13 - even before a cookie banner interaction occurs.

FTC Enforcement: Recent Actions and Penalties

The FTC has signalled that children's privacy remains a top enforcement priority. Recent cases demonstrate the scale of penalties:

| Company | Year | Fine | Violation |
| --- | --- | --- | --- |
| Disney | 2025 | $10 million | Failed to designate child-directed YouTube content, enabling data collection for targeted advertising |
| Cognosphere (Genshin Impact) | 2025 | $20 million | Selling lootboxes to minors without parental consent |
| Apitor Technology | 2025 | $500,000 | Allowing third-party software in children's robotic toys to collect personal information |
| NGL Labs | 2024 | Enforcement action | Marketing anonymous messaging app to children and teens |
| Epic Games (Fortnite) | 2022 | $275 million | Collecting children's data without parental notice or consent |

The FTC pursues both large technology companies and smaller operators. Penalties regularly reach tens of millions of dollars, and the Commission acts against international companies like Apitor (based in China) and Cognosphere (based in Singapore).

COPPA Compared to Other Privacy Frameworks

COPPA operates differently from GDPR, CCPA, and other privacy laws. Understanding the differences helps if your site serves a global audience.

| Aspect | COPPA (US) | GDPR Article 8 (EU) | UK Age Appropriate Design Code |
| --- | --- | --- | --- |
| Age threshold | Under 13 | Under 16 (member states may lower to 13) | Under 18 |
| Consent model | Verifiable parental consent required | Parental consent for information society services | Best interests of the child, privacy by default |
| Scope | Websites and apps directed at children or with knowledge of child users | Information society services offered directly to a child | Any online service likely to be accessed by children |
| Enforcer | FTC | National DPAs | ICO |
| Penalty range | Up to $50,120 per violation | Up to 4% of global annual turnover | Up to 4% of global annual turnover (under UK GDPR) |

If your website targets both US children and EU/UK young users, you will need to comply with all applicable frameworks simultaneously. COPPA's parental consent requirement is more prescriptive in its verification methods than GDPR Article 8, but GDPR's age thresholds can be higher.

Practical Steps for COPPA Compliance

Start by assessing whether COPPA applies to your site. If your content could attract children - even unintentionally - assume it does and plan accordingly.

Audit Your Data Collection

Run a cookie scan to identify every cookie and tracker on your site. Document which ones collect persistent identifiers. Any third-party script that sets tracking cookies could create COPPA liability if a child visits your site.

Implement Age Screening

For mixed-audience sites, add a neutral age gate before collecting personal information. Do not design the gate to encourage children to enter a false age. The FTC considers "Please enter your birthday" with a free-form field more acceptable than "Are you over 13? [Yes/No]" where the correct answer is obvious.

Build a Parental Consent Flow

Choose a VPC method appropriate for your audience and technical capabilities. For most websites, email-based consent with a follow-up verification step (such as a confirmation link) represents a reasonable starting point.

Ensure your privacy notice is written in plain language and clearly describes what data you collect, how you use it, and which third parties receive it. The FTC requires this notice to be "clearly and understandably written" with no unrelated or confusing material.

Block Third-Party Scripts for Under-13 Users

Configure your site to conditionally load third-party scripts only after verifying a user is not under 13 or after obtaining valid parental consent. This applies to advertising pixels, analytics tools, and social media widgets that set persistent identifiers.
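
The age-screening and script-blocking steps above can be combined into one default-deny loader. This is an added example, not code from the original article or from any vendor; the script names, URLs, the shape of the consent record and the choice to treat an unanswered gate as possibly under 13 are assumptions made for illustration.

```javascript
// Added example. Script names, URLs and the consent record shape are hypothetical.
const THIRD_PARTY = [
  { name: "captcha",   src: "https://captcha.example/api.js",   persistentId: false, ads: false },
  { name: "analytics", src: "https://analytics.example/tag.js", persistentId: true,  ads: false },
  { name: "ad-pixel",  src: "https://ads.example/pixel.js",     persistentId: true,  ads: true  },
];

// Whole years of age on `today` from a free-form YYYY-MM-DD entry.
// Returns null for malformed, impossible or future dates so callers fail closed.
function ageFromBirthDate(input, today) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(input).trim());
  if (!m) return null;
  const [y, mo, d] = m.slice(1).map(Number);
  const birth = new Date(Date.UTC(y, mo - 1, d));
  // Date.UTC silently rolls 2015-02-31 over to March; reject such input.
  if (birth.getUTCFullYear() !== y || birth.getUTCMonth() !== mo - 1 ||
      birth.getUTCDate() !== d || birth > today) return null;
  const hadBirthday = today.getUTCMonth() > mo - 1 ||
    (today.getUTCMonth() === mo - 1 && today.getUTCDate() >= d);
  return today.getUTCFullYear() - y - (hadBirthday ? 0 : 1);
}

// "unknown" until the gate has a usable answer, then "under13" or "13plus".
function screenVisitor(birthInput, today) {
  const age = ageFromBirthDate(birthInput, today);
  if (age === null) return "unknown";
  return age < 13 ? "under13" : "13plus";
}

// Default deny: a script that sets a persistent identifier loads only for a
// 13+ visitor, or for an under-13 visitor with parental consent on record.
// Advertising scripts need the separate ad-disclosure consent as well.
function scriptsToLoad(status, consent = {}, scripts = THIRD_PARTY) {
  return scripts.filter((s) => {
    if (!s.persistentId) return true;
    if (status === "13plus") return true;
    if (status !== "under13" || !consent.collection) return false;
    return s.ads ? consent.adDisclosure === true : true;
  });
}

// Browser only: inject the permitted scripts; does nothing where there is no DOM.
function loadScripts(list) {
  if (typeof document === "undefined") return;
  for (const s of list) {
    const el = document.createElement("script");
    el.src = s.src;
    el.async = true;
    document.head.appendChild(el);
  }
}
```

In a page, `loadScripts(scriptsToLoad(screenVisitor(input, new Date()), consentRecord))` would run once the gate is answered; before that, calling it with the "unknown" status loads only scripts that set no persistent identifier.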

Common COPPA Misconceptions

"My site isn't for children, so COPPA doesn't apply." This is only true if you genuinely have no actual knowledge that children use your service. If you receive emails from parents, see usernames suggesting young users, or have content that clearly appeals to children, the FTC may determine you had constructive knowledge.

"COPPA only applies to US-based companies." The FTC has taken enforcement action against companies based in China and Singapore. If your site or app is accessible to US children and you collect their data, COPPA applies regardless of where your business is located.

"We just need a checkbox saying 'I am over 13'." A simple checkbox does not constitute verifiable parental consent. The FTC has been clear that age gates must be neutral and that parental consent must involve a genuine verification step.

Frequently Asked Questions

Does COPPA apply to websites outside the United States?

Yes. COPPA applies to any operator of a website, app, or online service that collects personal information from children under 13 in the United States, regardless of where the operator is based. The FTC has enforced COPPA against companies headquartered in China and Singapore.

What happens if my website accidentally collects data from a child under 13?

If you discover that you have collected data from a child without parental consent, you should delete that data promptly. The FTC considers prompt remedial action when evaluating enforcement responses. Implementing an age gate and reviewing your data collection practices can help prevent future violations.

Do analytics cookies like Google Analytics violate COPPA?

Persistent identifiers such as the _ga cookie are considered personal information under COPPA when used to track a child across websites or services. If your site is child-directed, you must obtain verifiable parental consent before setting these cookies or use a cookieless analytics alternative.

What is the maximum fine for a COPPA violation?

The statutory maximum is $50,120 per violation. Because each instance of data collection from a child can count as a separate violation, total penalties can reach tens or hundreds of millions of dollars, as seen in the $275 million Epic Games settlement in 2022.

Can schools consent on behalf of parents under COPPA?

Schools can consent on behalf of parents in limited circumstances, specifically when an operator collects children's data solely for a school-authorised educational purpose. The school must act as the parent's agent, and the operator cannot use the data for commercial purposes.

How do the 2025 COPPA amendments change targeted advertising to children?

The 2025 amendments require operators to obtain separate verifiable parental consent specifically for disclosing children's personal information to third parties for targeted advertising. This effectively bans the monetisation of children's data for ad targeting without explicit parental opt-in.

Take Control of Your Cookie Compliance

If your website could attract visitors under 13, understanding which cookies and trackers are active on your site is the first step toward COPPA compliance. Kukie.io detects, categorises, and helps you manage every cookie - so you can identify potential risks before the FTC does.
