Privacy & Data Protection

Children's Data Protection: COPPA Compliance and Best Practices

By AntiPhishers Published

Children’s Data Protection: COPPA Compliance and Best Practices

The Children’s Online Privacy Protection Act (COPPA) establishes strict requirements for the collection and use of personal information from children under 13 in the United States. The FTC enforces COPPA aggressively, with fines reaching $170 million (YouTube, 2019) and $520 million (Epic Games/Fortnite, 2022). For parents, understanding COPPA helps you protect your children’s data. For businesses, COPPA compliance is both a legal obligation and an ethical imperative.

How We Selected: We examined options using independent security audits, feature analysis, and threat detection rates. Factors in our assessment included update frequency, independent lab scores, privacy policy, false positive rates. Brands featured did not pay for or influence their inclusion.

What COPPA Requires

Verifiable parental consent. Before collecting personal information from a child under 13, operators must obtain verifiable consent from a parent or guardian. Methods include signed consent forms, credit card verification, video calls, and knowledge-based authentication.

Clear privacy notice. Operators must provide a clear, prominently placed privacy notice describing what information is collected, how it is used, and the parent’s rights.

Parental rights. Parents can review personal information collected from their child, request deletion, and refuse further collection. Operators must comply.

Data minimization. Operators cannot collect more information than reasonably necessary for the child’s participation in the activity.

Data security. Operators must implement reasonable procedures to protect the confidentiality, security, and integrity of children’s personal information.

Retention limits. Personal information must be retained only as long as necessary for the purpose for which it was collected.

Common Violations

Tracking without consent. Many children’s apps and websites use tracking technologies (cookies, advertising IDs) that collect personal information without obtaining parental consent. The FTC has taken action against multiple ed-tech companies for this violation.

Third-party data sharing. Sharing children’s data with advertising networks or analytics companies without parental consent violates COPPA. The YouTube settlement involved tracking children for advertising purposes.

Insufficient age verification. Simply asking “Are you 13 or older?” (age gating) is generally considered insufficient. COPPA requires operators directed at children to assume their audience may include children and act accordingly.

For Parents

Review the privacy policies of apps and services your children use. Use parental control features to restrict data collection. Teach children not to provide personal information (real name, school, address, phone number) online without permission. Regularly audit the apps on your children’s devices and delete unused ones. File complaints about COPPA violations with the FTC at ftc.gov/complaint.

For age-appropriate online safety education, see our kids online safety guide. To understand the broader privacy landscape affecting children, explore our GDPR compliance guide which includes provisions for children’s data.

The Age Verification Challenge

COPPA applies to children under 13, but verifying a user’s age online is inherently difficult. Most platforms use self-reported age, which children easily bypass by entering a false birthdate. More robust age verification methods (document verification, credit card verification) raise their own privacy concerns and are impractical for free services.

The FTC has signaled interest in strengthening age verification requirements, and the UK’s Age Appropriate Design Code provides a model for platform-level protections that apply regardless of the user’s stated age. The trend is toward placing more responsibility on platforms to design services that protect children by default rather than relying on parental controls and age gates.

Parents as Advocates

Beyond protecting your own children, advocate for stronger children’s privacy protections through your school board, elected representatives, and consumer feedback to companies. The current regulatory framework is widely acknowledged as insufficient for the digital landscape children navigate daily. Parental advocacy has driven meaningful policy changes including the California Age-Appropriate Design Code and updates to COPPA enforcement priorities.

The Role of Schools

Schools increasingly use educational technology that collects student data. The Student Privacy Pledge, signed by many ed-tech companies, commits to responsible data practices. However, enforcement is voluntary. Parents should ask their school districts which ed-tech tools are used, what data is collected, and what privacy protections are in place. FERPA (Family Educational Rights and Privacy Act) provides additional protections for student educational records held by schools.

More in Privacy & Data Protection

Encryption Basics for Beginners: Protecting Data at Rest and in Transit Biometric Data Privacy: Fingerprints, Face Recognition, and the Law The Future of Digital Privacy: Trends, Challenges, and Predictions Social Media Privacy Settings: Platform-by-Platform Guide

View all Privacy & Data Protection articles →