The Children's Online Privacy Protection Act, or COPPA, is a U.S. federal law that protects the personal data of children under 13 years old. If you're building a digital product or service that might be used by children, or collecting data from users under 13, COPPA likely applies to you.

What is the COPPA law?

COPPA is a law passed by the U.S. Congress in 1998 and enforced by the Federal Trade Commission (FTC). It took effect in April 2000. The law gives parents control over what information websites and online services can collect from their children under 13.

In short, COPPA requires companies to:

  • Clearly disclose their data collection practices.
  • Obtain verifiable parental consent before collecting personal information from children.
  • Provide a way for parents to review and delete their child's information.
  • Securely store and manage any data they collect.

What counts as personal information under COPPA?

COPPA defines personal information (sometimes called PII, or Personally Identifiable Information) broadly. It includes:

  • Full name (first and last)
  • Home or physical address
  • Email address or username
  • Telephone number
  • Social Security number
  • A photograph, video, or audio file that contains a child’s image or voice
  • Geolocation data
  • Persistent identifiers (like cookies or IP addresses) that can track a user over time and across websites
  • Any combination of these types of information

COPPA may still apply even when the data isn’t collected directly from the child, for example when an adult submits a child's information.

Who needs to comply with COPPA?

COPPA applies to:

  • Websites and online services directed at children under 13.
  • General audience sites that knowingly collect personal information from children.
  • Third parties, like ad networks or plugins, that collect information through child-directed sites.

Nonprofits are generally exempt, unless they operate for commercial purposes.

If your product could reasonably attract children, you need to assess whether your data collection practices require COPPA compliance, even if children aren’t your primary audience.

What is COPPA compliance?

COPPA compliance means meeting the legal obligations laid out in the rule. Key requirements include:

  1. Posting a clear privacy policy: This must describe what data you collect, how you use it, and who it’s shared with.
  2. Providing direct notice to parents: Before collecting any data, you must inform parents and get their consent. Notices must be clear and easy to understand.
  3. Getting verifiable parental consent: Common methods include:
       • Sending a signed consent form by mail, fax, or email
       • Using a credit card, debit card, or other online payment system
       • Having the parent call a toll-free number or video chat
       • Using a government-issued ID (with safeguards)
  4. Allowing access and deletion: Parents must be able to review, correct, or delete their child’s personal information.
  5. Limiting data collection: Only collect what’s necessary. Avoid sharing data with third parties unless essential and disclosed.
  6. Protecting the data: Take reasonable steps to protect the security and confidentiality of children’s data.

What happens if you don’t comply with COPPA?

The FTC can bring legal action against violators. In some cases, the FTC has required companies to delete all improperly collected data or change their product design.

Some high-profile COPPA cases include:

  • YouTube (2019): Fined $170 million for collecting data from viewers of child-directed content without parental consent.
  • TikTok/ByteDance (2024): Fined $5.7 million for illegally collecting data from users under 13.

These examples show how seriously the FTC takes violations — even for large tech companies.

Quick COPPA FAQs

What is COPPA in simple terms?
It’s a law that helps protect kids' personal data online by requiring companies to ask parents for permission before collecting it.

Does COPPA apply outside the U.S.?
Yes, if your company collects data from U.S.-based users under 13, you must comply—even if your company is based overseas.

Can I collect data without parental consent if it’s anonymous?
Yes, but only if it can’t be used to identify or track a user. COPPA doesn’t apply to truly anonymous data.

What is the best way to get parental consent?
There’s no one-size-fits-all answer. The method should be reasonably designed to ensure the person giving consent is the child’s parent.

Understanding and complying with COPPA is critical for any company working with young users. By putting strong privacy practices in place, you protect children, earn trust, and reduce legal risk.

Updated: July 31, 2025

