Table of Contents
COPPA Explained: What Parents Need to Know
COPPA (Children’s Online Privacy Protection Act) is a U.S. law that protects the privacy of kids under 13 online. It requires platforms to get parental consent before collecting or sharing children’s personal data. Violations can lead to steep fines, as seen in cases involving Google and Epic Games.
Key points for parents:
- Covered Platforms: Websites, apps, games, and toys targeting kids under 13.
- Protected Data: Names, addresses, emails, photos, videos, geolocation, and more.
- Your Rights: Review, delete, or revoke consent for your child’s data.
- Penalties: Companies face fines up to $53,088 per violation.
Stay informed by reading privacy policies, monitoring your child’s activity, and using COPPA-compliant platforms like CodaKid for safer online experiences.
COPPA Protected Data Types and Penalties: What Parents Need to Know
Who Must Follow COPPA Rules?
Which Platforms Does COPPA Cover?
COPPA applies to any website or service that targets children under 13 and collects their personal information. This includes mobile apps, internet-connected toys (like smart devices), coding for kids and networked games, location-based services, and even ad networks or plugins operating on child-focused sites.
Even platforms not specifically designed for kids must comply if they are aware they’re gathering data from children under 13. This awareness often comes from collecting birthdates or using age-verification tools. Foreign-based services aren’t exempt either – if they cater to children in the U.S. or knowingly collect data from U.S.-based kids, they must follow COPPA.
The FTC evaluates several factors – like content, design, and advertising – to decide if a platform primarily appeals to children under 13. A platform doesn’t need to label itself as “for kids” to fall under COPPA. If its features and content draw in a young audience, it’s covered by the law.
These rules are strict, and breaking them comes with serious consequences.
What Happens When Companies Break COPPA Rules?
The penalties for violating COPPA are steep. Courts can impose civil fines of up to $53,088 per violation. Since each instance of unauthorized data collection counts as a separate violation, the total penalties can quickly add up to millions.
For example, in September 2019, Google and YouTube paid a record $170 million settlement – $136 million to the FTC and $34 million to New York State – for allegedly collecting data (like cookies) from child-directed channels to serve targeted ads without parental consent. This resulted in YouTube requiring creators to label their content as “made for kids”. More recently, in December 2022, Epic Games settled for $520 million, including a $275 million civil penalty, for enabling default voice and text chat in Fortnite without parental consent.
Beyond financial penalties, companies found in violation must immediately stop collecting, sharing, or using children’s personal data until they meet compliance standards. They may also have to delete illegally obtained data, establish written security protocols, and submit to independent annual reviews.
These measures not only enforce accountability but also uphold the law’s primary goal: protecting children’s online privacy. As FTC Chair Lina M. Khan explained:
“Firms’ financial incentive to harvest kids’ personal data only continues to grow: not only is behavioral advertising now a multi-billion dollar business, but – as FTC’s enforcement experience has shown – expanded deployment of AI models can further incentivize businesses to harvest and retain kids’ personal data.”
What Counts as Personal Information Under COPPA?
Types of Personal Information Covered
COPPA safeguards much more than just a child’s name or home address – it extends to a broad spectrum of data that can identify or track a child online.
Key identifiers include a child’s first and last name, physical address (such as street, city, or town), telephone number, email address, and instant messaging IDs. Government-issued identifiers, like Social Security numbers, state ID numbers, and passport numbers, are also protected under the law.
The law also addresses persistent identifiers – data that tracks users over time and across websites. Examples include IP addresses, cookies, device serial numbers, and unique device identifiers. As the Federal Trade Commission (FTC) clarifies:
“The Rule defines ‘personal information’ to include persistent identifiers… that can be used to recognize a user over time and across different websites or online services.”
COPPA also covers media files containing a child’s image or voice, such as photos, videos, and audio recordings. Similarly, geolocation data that pinpoints specific locations, such as a street name and city, is included because it reveals a child’s physical whereabouts.
Starting in June 2025, COPPA will expand its definition to include biometric identifiers. These include fingerprints, handprints, retina or iris patterns, DNA sequences, voiceprints, gait patterns, and facial templates or faceprints. This update reflects the increasing use of biometric technologies in digital platforms.
Understanding what qualifies as personal information also involves recognizing how this data is gathered online.
How Websites Collect Personal Information
Websites and apps gather children’s data through both direct and passive methods, each carrying its own privacy concerns.
Direct collection happens when websites request children to fill out forms, create profiles, or submit details to join contests or games. Some platforms may even pressure children into sharing excessive information by asking for more data than necessary.
Passive tracking, on the other hand, uses tools like cookies, IP addresses, and device IDs to monitor user activity across various sites without requiring explicit input.
Children may also unintentionally share personal information through user-generated content. For instance, when kids post in chat rooms, upload photos or videos, or make their profiles public, they may unknowingly provide data protected under COPPA.
Another concern is the use of manipulative design features, often called “dark patterns.” These are tactics designed to trick children into sharing more data or making unintentional purchases. These strategies are especially common in free-to-play games and social platforms, making it crucial for parents to stay alert.
Parent Rights and How Consent Works
What Rights Do Parents Have Under COPPA?
Under COPPA, parents hold the reins when it comes to their child’s personal information online. The Federal Trade Commission (FTC) makes this clear:
“As a parent, you have control over the personal information companies collect online from your kids under 13.”
This means parents can review and delete any data collected about their child by websites. Even if they’ve initially agreed to data collection, they can later revoke that consent, stopping any further use of their child’s information.
Parents also decide how data is shared. For instance, they can allow a website to use their child’s information internally but block it from being shared with third parties. Plus, companies are prohibited from asking for more information than is necessary for a child to participate in their services.
The consequences for failing to follow these rules are serious. For example, in December 2025, Disney agreed to a $10 million settlement after accusations that children’s data was collected on YouTube without proper parental consent.
Now, let’s dive into how websites ensure they get proper parental consent, especially in specialized fields like AI education.
How Websites Get Parental Consent
Once parents understand their rights, it’s important to know how websites verify who’s giving consent. Websites are required to use methods that ensure the person providing consent is indeed the child’s parent or legal guardian. The FTC has approved several approaches to achieve this, including:
- Financial Transactions: Using a credit card, debit card, or online payment system that alerts the account holder.
- Government ID Verification: Matching a parent’s official ID with a database or using facial recognition to compare a “selfie” to a verified ID photo.
- Direct Communication: Conducting toll-free calls or video chats with trained staff who confirm the parent’s identity.
- Signed Consent Forms: Accepting signed forms sent via mail, fax, or as electronic scans.
- Knowledge-Based Authentication: Asking specific multiple-choice questions that a child would be unlikely to answer correctly.
For websites that don’t share children’s data with third parties, simpler methods like “Email Plus” or “Text Plus” are permitted. These involve sending an initial email or text, followed by a confirmation step, such as a second message or phone call. Additionally, if a website changes how it handles data, it must notify parents and obtain their consent again.
How COPPA Affects Social Media and Sharing
Limits on What Children Can Share
Social media platforms have to follow strict rules about what kids under 13 can post or share online. According to COPPA, if a platform allows a child to make personal information public – whether it’s through posts, photos, videos, or even open chat rooms – it counts as “collecting” that information. To comply, platforms must get parental consent before letting kids share anything that could identify them.
This has led to significant changes. Many platforms now disable features like live chat and public posting by default for users under 13. COPPA also requires platforms to avoid asking children for unnecessary details. For example, if a child wants to join a contest or play a game, such as online coding for kids, the platform can only request information directly related to that activity. Anything beyond that needs separate parental approval.
Age Verification and Parental Controls
Most platforms rely on age gates – simple questions about a user’s birth date – to figure out if someone is under 13. These questions must remain neutral, meaning they can’t nudge kids toward lying about their age. Accurate age verification is crucial for implementing effective parental controls.
However, complying with COPPA isn’t cheap or easy. Many platforms have opted for a simpler approach: banning users under 13 entirely. As GovFacts explains:
“The significant cost and work involved in complying with COPPA has led many websites and social media platforms to simply ban children under 13 from using their services altogether.” – GovFacts
This “compliance shortcut” often feels like the easiest route, as experts point out, but it leaves younger users with fewer options.
For platforms that do cater to children, things are evolving. In February 2026, the FTC introduced new guidance encouraging the use of advanced age verification technologies. These tools come with legal protections, provided they’re used only to confirm a user’s age and don’t store or reuse the data. Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, highlighted their potential:
“some of the most child-protective technologies to emerge in decades”
Platforms that collect data from children must also ensure privacy settings are at their strictest by default. Features like voice chat, text messaging, and public posting are disabled initially, and can only be turned on with parental consent. These steps underline the critical role of parental controls in keeping kids safe on social media.
How Parents Can Protect Their Children Online
Read Privacy Policies
Privacy policies are a critical starting point for protecting your child online. Look for websites that include a “Children’s Privacy” or “COPPA” section, which explains what data is collected and how it’s used. If the policy is difficult to find or written in overly complex legal jargon, it could indicate the platform is not fully COPPA-compliant.
It’s also important to check how the site handles verifiable parental consent. Reliable platforms use secure methods like signed forms or payment verification to ensure parents are informed. Additionally, review whether the policy mentions third-party operators, such as ad networks or analytics services, that might have access to your child’s data.
Track Your Child’s Online Activity
Beyond privacy policies, keeping tabs on your child’s online activities is essential. Be aware of the apps and websites they use, ensuring they are appropriate for their age and comply with COPPA regulations.
Encourage your child to use usernames that don’t reveal personal information, such as their real name, age, location, or contact details. This also includes avoiding sensitive data like Social Security numbers or financial information.
Use Safe Educational Platforms Like CodaKid
In addition to monitoring, choose platforms that prioritize online safety for children. For online learning, selecting a COPPA-compliant platform is a smart move to protect your child’s digital experience.
CodaKid stands out as a platform that protects children’s privacy and security. It offers courses in AI, Python, JavaScript, Minecraft modding, and Roblox game development, all while adhering to strict data protection rules.
COPPA-compliant platforms like CodaKid avoid using personal data for targeted ads or building unnecessary profiles. Instead, they focus solely on educational purposes authorized by parents. They also implement strong security measures to safeguard data and ensure it’s deleted when no longer needed. Parents retain full control – allowing them to review, revoke consent, or request permanent deletion of their child’s information at any time.
The dangers of using non-compliant platforms are real. For instance, in 2016, the website i-Dressup suffered a data breach that exposed the personal information and passwords of over 245,000 children under 13. By opting for COPPA-compliant platforms, you’re ensuring your child can learn valuable skills in a secure and private environment.
Conclusion
Why Understanding COPPA Matters
COPPA (Children’s Online Privacy Protection Act) safeguards children by requiring verifiable parental consent before anyone collects data from kids under 13. This measure is especially important because children are more susceptible to risks like identity theft and aggressive marketing tactics compared to adults.
High-profile cases involving companies like Epic Games and YouTube highlight the serious repercussions of non-compliance. Recent updates to COPPA have further reinforced these protections. As FTC Chair Lina M. Khan explained:
“The updated COPPA rule strengthens key protections for kids’ privacy online. By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission”.
Given these risks, parents must stay vigilant to protect their children’s privacy.
What Parents Should Do Next
Start by taking a thorough look at your child’s online presence. Search their name online and review any accounts they may have on gaming or social media platforms. Educate your children about the importance of keeping sensitive information – like Social Security numbers, addresses, or financial details – private.
When evaluating online platforms for your child, check for a “Children’s Privacy” or “COPPA” section in their privacy policies. Consider using COPPA-compliant platforms, such as CodaKid, which prioritize teaching skills without exploiting children’s data. If you suspect a site is collecting your child’s data without consent, report it at ReportFraud.ftc.gov.
Protecting Children’s Privacy Under COPPA | Federal Trade Commission
FAQs
How do I know If a site falls under COPPA?
If a site targets children under 13 or knowingly gathers their personal information, COPPA (Children’s Online Privacy Protection Act) covers it. To determine this, the Federal Trade Commission (FTC) examines factors such as the site’s content, visual design, and target audience. Child-friendly themes, playful imagery, and interactive features geared toward young users signal that the site targets kids.
What should I do if I think an app collected my child’s data without consent?
If you think an app has gathered your child’s data without your permission, you should report it to the Federal Trade Commission (FTC). Additionally, you can reach out to the app’s operator and request the deletion of the collected data. According to COPPA (Children’s Online Privacy Protection Act), apps must have parental consent before collecting personal information from children under the age of 13.
Does COPPA apply to kids’ data collected through ads, cookies, or plugins?
COPPA also applies to kids’ data collected via ads, cookies, or plugins. The law mandates obtaining parental consent before gathering this type of information to align with privacy rules.
