FTC-enforced requirements for protecting children's online privacy, mandating verifiable parental consent and data minimization for services collecting data from users under 13.
The Children's Online Privacy Protection Act (COPPA) imposes requirements on operators of websites, apps, and online services directed to children under 13, or that knowingly collect personal information from children under 13. Enforced by the FTC, COPPA mandates verifiable parental consent before collecting children's data and provides parents with rights to review, delete, and control their children's information.
COPPA compliance requires several specific measures. Operators must post a clear, comprehensive privacy policy describing data collection practices for children. Verifiable parental consent must be obtained before collecting, using, or disclosing personal information from children -- acceptable methods include signed consent forms, credit card verification, government ID verification, video conferencing, and knowledge-based authentication. Parents must be able to review their child's information, request deletion, and refuse further collection. Data collection must be limited to what is reasonably necessary for the child's activity. Reasonable security measures must protect collected data. Data retention must be limited to the period necessary for the purpose of collection. The FTC's COPPA Safe Harbor program allows industry groups to submit self-regulatory guidelines for FTC approval, providing members with a presumption of compliance. The proposed COPPA 2.0 updates would extend protections to teens aged 13-16 and restrict targeted advertising to minors.
FTC COPPA enforcement has resulted in record penalties -- Epic Games paid $275 million in 2022, and TikTok paid $5.7 million in 2019 for COPPA violations. The FTC applies COPPA broadly: if a service has actual knowledge that users are under 13, COPPA applies regardless of whether the service is "directed to children." Age-gating alone is insufficient if the operator has reason to know children are using the service. EdTech platforms, gaming services, social media, and any service with youth audiences must carefully evaluate COPPA applicability.
CDA addresses COPPA compliance within the Data Protection and Sovereignty domain for organizations serving youth audiences. Our C-BUILD missions implement age verification mechanisms, parental consent workflows, data minimization controls, and deletion automation to meet COPPA requirements while maintaining positive user experiences.
Written by CDA Editorial