COPPA compliance — what website operators need to know about children's data

The Children's Online Privacy Protection Act (COPPA) is a US federal law that places strict restrictions on collecting personal information from children under 13. It applies more broadly than many businesses realise.

Who COPPA applies to

COPPA applies to:

  • Websites and online services directed at children under 13
  • General audience websites that have actual knowledge that they are collecting personal information from children under 13

A website is considered "directed to children" based on factors such as subject matter, visual content, use of animated characters, music, celebrities popular with children, and whether the site is advertised through children's channels.

General audience platforms like social networks, gaming platforms, and video platforms that allow minors to register are also subject to COPPA when they have actual knowledge of underage users.

What COPPA requires

Verifiable parental consent: Before collecting any personal information from a child under 13, you must obtain verifiable consent from a parent. "Verifiable" means something more than just a checkbox — acceptable methods include signed consent forms, credit card verification, or video consent. A child typing their parent's email address is not sufficient.

Privacy notice: You must post a clear and comprehensive privacy policy describing your practices for collecting personal information from children. It must be linked from your home page and every place where you collect information from children.

Parental rights: Parents have the right to review the personal information collected from their child, have it deleted, and refuse further collection.

Data minimisation: Only collect as much information as is reasonably necessary for the activity the child is participating in.

Confidentiality and security: Keep children's information confidential and secure.

COPPA and "age gates"

Many websites use a simple age gate — "Are you over 13? Yes/No" — to avoid COPPA obligations. This approach is generally not sufficient. The FTC has taken the position that self-reported age gates do not constitute actual knowledge, but deliberately designing a gate to allow children through is treated as wilful non-compliance. Robust age verification or simply not allowing under-13 users is a safer approach.

Third-party analytics and advertising

One of the more complex COPPA issues for SMBs is third-party tracking on sites directed at children. Advertising networks and analytics tools that set cookies and collect behavioural data may be in violation of COPPA if deployed on sites where children are users. You are responsible for ensuring that third parties you authorise to collect data on your site are COPPA compliant.

Penalties

The FTC enforces COPPA and can issue civil penalties of up to $51,744 per violation per day. The FTC has pursued cases against companies ranging from large tech platforms to small apps and websites. State attorneys general can also bring COPPA enforcement actions.

UK and EU equivalents

In the UK, the ICO's Children's Code (Age Appropriate Design Code) applies to online services "likely to be accessed by children." It requires privacy-by-default settings and data minimisation, and prohibits profiling children for commercial purposes. In the EU, GDPR requires parental consent for processing data of children under 16 (member states can lower this to 13).
