Federal Law Explainer · Reviewed April 2026

What Is Children's Online Privacy Protection Act?

COPPA is the federal law governing collection of personal information from children under 13 online. It applies to commercial websites, apps, games, connected toys, and any other online service that is either directed to children or has actual knowledge that it is collecting information from a child under 13. COPPA requires operators to (1) post a clear privacy policy, (2) provide direct notice to parents, (3) obtain verifiable parental consent before collection, (4) give parents continuing control over the child's information, (5) maintain reasonable security, and (6) limit data retention. The FTC issued significant Rule amendments that took effect in 2025, expanding the definition of personal information (biometric identifiers, government ID images), adding a separate parental consent requirement for disclosures to third parties (including for targeted advertising), and strengthening data-retention and deletion obligations.

At a glance

Full name: Children's Online Privacy Protection Act
Short code: COPPA
Enacted: 1998
Last major update: Rule update 2013; FTC final rule amendments January 2025 (COPPA 2.0 legislation pending)
Jurisdiction: United States (federal)
Private right of action: No
Primary enforcer: FTC (primary); state Attorneys General; approved self-regulatory "safe harbor" programs
Statutory citation: 15 U.S.C. §§ 6501-6506; Rule at 16 CFR Part 312

Scope — who COPPA covers

Operators of commercial websites and online services (including mobile apps, connected devices, IoT, smart toys, and plugins) that are either (a) directed to children under 13 or (b) have actual knowledge that they are collecting personal information from a child under 13. 'Operator' covers any entity that operates the site or collects/maintains personal information on behalf of the operator.

Protected data

Personal information from children under 13: first and last name, home address, email address, telephone number, SSN, persistent identifiers (cookies, device IDs, IP addresses when used to recognize a user over time), geolocation, photos/video/audio containing the child's image or voice, and as of the 2025 amendments — biometric identifiers (fingerprints, facial recognition templates, voiceprints, retina/iris scans, genetic data) and government ID images.

Consumer rights & protections

Parents have the right to receive direct notice of the operator's information practices

Parents must give verifiable parental consent before operators collect personal information from their child

Parents have the right to review what information has been collected about their child

Parents have the right to delete their child's information and refuse further collection

Parents have the right to refuse to permit further use or disclosure of collected information

As of 2025 amendments: separate parental consent required for disclosure to third parties, including for targeted advertising

Notable features

COPPA is the only federal privacy law with a well-developed 'verifiable parental consent' framework — the FTC has approved specific methods including signed consent forms, credit card transactions, video chats with trained personnel, and government-ID verification. It is also one of the few federal laws that has generated consistently large penalties: single-case settlements have topped $275M (Epic Games 2022). COPPA 2.0 legislation (passed Senate 2024, pending House) would raise the age to 16, add a right of erasure, and impose data minimization.

Enforcement & penalties

Enforcing agency: FTC (primary); state Attorneys General; approved self-regulatory "safe harbor" programs

Penalties: Civil penalties up to $53,088 per violation (2025 adjusted). Each affected child can constitute a separate violation, leading to multi-hundred-million-dollar settlements. State AGs can also bring parens patriae actions. FTC consent decrees routinely impose 20 years of compliance monitoring.

Private right of action: COPPA has no private right of action at the federal level. Enforcement is through the FTC and state AGs (authorized by 15 USC § 6504). Some state consumer-protection laws have been used to bring derivative claims based on COPPA violations.

Landmark enforcement cases

FTC v. Epic Games (Fortnite)

2022

Epic Games paid $275M — the largest COPPA penalty on record — for collecting personal information from children under 13 without verifiable parental consent, plus $245M in refunds for dark-pattern billing practices.

Official source →

FTC v. YouTube

2019

YouTube and Google paid $170 million for collecting personal information from viewers of child-directed channels without parental consent — the largest COPPA settlement at the time. The case drove YouTube's creation of the 'made for kids' designation.

Official source →

FTC v. TikTok (Musical.ly)

2019

Musical.ly (now TikTok) paid $5.7M — at the time the largest COPPA penalty — for knowingly collecting personal information from children under 13 without parental consent.

Official source →

Relevance to data brokers

Data brokers that aggregate information from sources likely to include under-13 users (gaming platforms, children's apps, education services) are exposed under COPPA — even if they purchase data from third-party sources. The 2025 amendments' explicit third-party disclosure consent requirement creates direct liability for brokers that acquire child data without verifying upstream COPPA compliance. The FTC has signaled that broker liability in the child-data ecosystem is an enforcement priority.

Exercise your rights

Remove your data from 300+ brokers for $5

OfflistMe drafts opt-out emails citing COPPA and other applicable laws. Citations included. You send from your own inbox. No account, no ID upload.

Start for $5 →

FAQ

What age does COPPA cover?+

COPPA covers children under 13. Once a user turns 13, COPPA's specific parental consent requirements no longer apply (though other laws may). The proposed COPPA 2.0 legislation would raise the age to 16.

What counts as "verifiable parental consent"?+

The FTC has approved several methods, including: providing a consent form to sign and return; requiring a credit/debit card transaction; toll-free phone call or video conference with trained personnel; government-ID verification matched against a database; and knowledge-based authentication. The 2025 Rule amendments are likely to narrow some methods and add biometric-based options.

Does COPPA apply to schools?+

Schools can provide consent on behalf of parents when the operator is collecting the information solely for the use and benefit of the school (for educational purposes). This is NOT a blanket exemption — commercial uses of student data still require parental consent, which is a recurring FTC enforcement focus.

What is COPPA 2.0?+

A proposed amendment (S.1409, 118th Congress) passed the Senate in July 2024. It would raise the covered age to 16, create a right to delete personal information, ban targeted advertising to minors, and impose data minimization requirements. As of April 2026 it has not been enacted by the House.

Official sources & citations

Other federal privacy laws

Federal privacy law is sectoral — each statute covers a specific data type or industry. Here are the other federal regimes to know alongside COPPA:

Federal · enacted 1970What is FCRA?Federal · enacted 1999What is GLBA?Federal · enacted 1996What is HIPAA?Federal · enacted 1914What is FTC Act §5?

Related concepts & guides

US Privacy Laws MatrixAll state laws compared What is CCPA?California baseline What is GDPR?EU framework What is a data broker?Full explainer Privacy glossaryTerms defined Enforcement TrackerFines and actions What is GPC?Browser opt-out signal What is Daniel's Law?Profession-based removal Start for $5Generate compliant removal emails