The Children's Online Privacy Protection Act (COPPA) imposes requirements on operators of websites, apps, and online services that are directed to children under 13 or that knowingly collect personal information from children under 13. Enforced by the FTC, COPPA mandates verifiable parental consent before collecting children's data and gives parents the right to review, delete, and control their children's information.
COPPA compliance requires several specific measures. Operators must post a clear, comprehensive privacy policy describing data collection practices for children. Verifiable parental consent must be obtained before collecting, using, or disclosing personal information from children -- acceptable methods include signed consent forms, credit card verification, government ID verification, video conferencing, and knowledge-based authentication. Parents must be able to review their child's information, request deletion, and refuse further collection. Data collection must be limited to what is reasonably necessary for the child's activity. Reasonable security measures must protect collected data. Data retention must be limited to the period necessary for the purpose of collection. The FTC's COPPA Safe Harbor program allows industry groups to submit self-regulatory guidelines for FTC approval, providing members with a presumption of compliance. The proposed COPPA 2.0 updates would extend protections to teens aged 13-16 and restrict targeted advertising to minors.
FTC COPPA enforcement has resulted in record penalties -- Epic Games paid $275 million in 2022, and TikTok paid $5.7 million in 2019 for COPPA violations. The FTC applies COPPA broadly: if a service has actual knowledge that users are under 13, COPPA applies regardless of whether the service is "directed to children." Age-gating alone is insufficient if the operator has reason to know children are using the service. EdTech platforms, gaming services, social media, and any service with youth audiences must carefully evaluate COPPA applicability.
CDA addresses COPPA compliance within the Data Protection and Sovereignty domain for organizations serving youth audiences. Our C-BUILD missions implement age verification mechanisms, parental consent workflows, data minimization controls, and deletion automation to meet COPPA requirements while maintaining positive user experiences.