Many children are highly active on digital platforms and mobile apps. This can put publishers of websites and apps in a legally sensitive position, given the requirements of the Children’s Online Privacy Protection Act (COPPA), also known as the Children’s Online Privacy Protection Rule.
Concerns about kids’ safety are increasing, and legislators are rushing to address them, leading to new and often complex obligations for digital platforms. COPPA is a U.S. federal privacy law that protects the personal information of children under 13, requiring businesses to take proactive actions in protecting their rights and privacy.
In this guide, we look at the requirements for COPPA compliance, along with a step-by-step guidance for implementation.
At a glance
- Importance of COPPA compliance: Learn how COPPA protects children’s rights and personal data and why businesses need to comply with the regulation.
- Key COPPA requirements: The circumstances under which businesses are required to comply with COPPA, and the meaning of key definitions and their applications to businesses.
- Consent collection terms: Learn about parental consent requirements and privacy policy expectations under COPPA.
- Aligning with COPPA: Get a checklist to build consistent COPPA compliance within your organization.
- Software for COPPA compliance: Check out tools and technologies that can help you achieve and automate processes related to COPPA compliance.
Why COPPA compliance matters
The main purpose of COPPA compliance is to prevent data misuse and safeguard children from harmful content, inappropriate marketing, abuse by adults, and privacy breaches. The regulation imposes data handling restrictions, security and protection standards, and consent requirements on websites, apps, and online services that target children.
Key reasons why organizations may need to become COPPA compliant:
- Keep sensitive data safe online: COPPA compliance is a necessary tool to prevent unauthorized tracking, profiling, and potential privacy violations and exploitation of the personal information of children in the U.S.
- Avoid legal and financial risks: Noncompliance with COPPA can result in significant civil penalties up to USD 53,088 per violation. Major companies like Google, YouTube, Amazon, Disney, and Microsoft have had multimillion-dollar fines levied against them for COPPA violations.
- Strengthen brand trust: COPPA compliance demonstrates a commitment to children’s safety and privacy, which contributes to increased engagement, customer loyalty, and trust.
Who needs to comply with COPPA
- Operators of commercial websites, online services, mobile apps, and internet-connected devices that collect the personal data of children in the U.S. under age 13.
- Foreign websites and online services that knowingly collect personal data from children under 13 in the U.S.
- Third parties — including advertisers and analytics providers — that knowingly collect children’s personal information from users of another website directed at children or a general audience.
- Websites that run supplementary services, like ad networks, to collect personal information from children under 13.
In most cases, “directed at children” is the key criterion for COPPA compliance. In detail, it is defined by:
- Subject matter
- Visual, music or other audio content
- Use of animated characters or child-oriented activities and incentives
- Age of models
- Presence of child celebrities or celebrities who appeal to children
- Language
- Advertising, promoting, or appearing on the website or online service is directed to children
- Direct knowledge of collecting personal information from other websites and online services directed to children
The 2025 update to the Act added “mixed audience” as part of COPPA compliance requirements, meaning that being directed to children is not its only requirement. Even if a website doesn’t demonstrate that children are their primary audience, collecting their information still requires parental consent.
Types of personal information that COPPA covers
COPPA provides a detailed definition of personal information by including various data types that can let someone identify or contact a child, and that relates to their online activities.
Precisely, § 312.2 defines these components of personal information as the ones that fall under COPPA compliance regulations:
- Full name
- Home or other physical address
- Online contact information, e.g., email address or any other substantially similar identifier that permits direct online contact, including:
- instant messaging user IDs
- VOIP identifiers
- video chat user identifiers
- mobile phone numbers used for sending texts to a parent in connection with obtaining consent
- Telephone number
- Government-issued identifier, e.g., Social Security number, passport, or birth certificate
- Persistent identifiers that can track a user over time and across various websites or online services, e.g., cookies, IP addresses, a phone’s device ID, or similar persistent identifiers
- Geolocation information sufficient to identify street name and city or town (e.g., GPS coordinates within defined limits).
- Identifiable media: Photographs, videos, or audio files containing a child’s image or voice.
- Biometric identifiers: fingerprints, retina patterns, genetic data, voiceprints, etc.
- Other information collected through automated means, like cookies, pixel tags, or local storage that can be used to track or identify a child.
This way, the COPPA’s definition for personal information comprehensively covers identifiable data points that can be collected online, providing clarity so that operators handle children’s information with heightened privacy protections and comply with consent requirements.
Ask a parent or guardian to confirm that the child’s personal information can be used
Specify the rules and processes regarding children’s personal data in your privacy policy
Embed user privacy and data protection compliance in the product design and technologies
Key COPPA compliance requirements
Another key COPPA compliance requirement, along with providing a privacy policy and proper data maintenance, is to collect parental or guardian consent before collecting personal information of children under 13.
Parental consent requirements
The key method for how to comply with COPPA for websites, apps, and providers of online services is to obtain prior, explicit consent from a parent or guardian.
The consent requirement applies to a broad range of online providers and websites, including those running supplementary services. Modern, comprehensive state-level U.S. regulations don’t require consent before collecting personal information in most cases.
COPPA, which is a federal regulation, defines children’s data as sensitive, thus requiring consent, a similar opt-in model to what’s required by the European Union’s General Data Protection Regulation (GDPR).
Here are some details on gathering parental consent requirements:
- Consent requests should be “reasonably calculated” to confirm that the individual providing consent is the child’s parent or legal guardian.
- They should include verifiable information, such as:
- signed consent forms (via mail, fax, or scan)
- credit card verification
- digital signature with additional verification steps
- telephone or video calls
- facial recognition with a government-issued ID
- “Email plus” consent sent to a parent is acceptable if this information is collected and used internally in the organization.
- Consent that’s obtained must be securely documented, and parents should have the ability to easily withdraw consent at any time.
- Separate consent is required before disclosing information to third parties, if the entity wants to collect more personal data, or if the original purposes for data processing change.
Privacy policy expectations
Having an easily accessible privacy policy is also an important COPPA compliance requirement for organizations. Websites must display a clear and comprehensive privacy policy that explains their data handling practices regarding children’s personal data.
Additionally, the privacy policy:
- Must specify the data collection, usage, sharing, and retention periods
- Include contact details and a link to the parental consent process (if applicable)
- Be easily accessible on the website, app, or online service where children’s data is collected
Other regulations
The COPPA compliance checklist also includes expectations for data collection and storage and provides sharing limitations, strengthened by security and retention rules.
Organizations should:
- Practise data minimization and collect only the personal information necessary to deliver the activity or service
- Don’t make providing more data than needed a condition to enable a child’s participation
- Limit data sharing to only what is permitted by parental consent
- Restrict use for marketing purposes and be clear on what marketing activities are prohibited toward children under COPPA or other relevant laws
- Implement reasonable data security measures to protect children’s personal information from unauthorized access, disclosure, or destruction
- Retain personal information only as long as necessary to fulfill the purpose for which it was collected
- Delete or anonymize the data once it is no longer required, except where retention is necessary for legal or safety reasons
- Maintain records of parental consents and compliance activities ready for inspection
Most of these regulatory requirements fall under the broader privacy by design framework. This framework embeds user privacy and data protection compliance operations directly into the design specifications of technologies, as well as at every step of the user journey. This helps mitigate risk as well as building trust with audiences.
COPPA compliance checklist
Here is a seven-step COPPA compliance checklist to help protect your business from legal risks and foster customer trust when handling children’s personal data in the U.S.
1. Determine if your service is directed at children
Start with the audit of your website information and data collection sources to determine if you are targeting children under 13, your user base includes children, or if your organization knowingly gathers personal data from children.
Also, review your website content in terms of subject matter, child-oriented media, and marketing tactics to see if it meets definitions of being directed at children.
2. Create a data map
Identify all personal data directly or indirectly collected from children — like name, location, or online identifiers, as well as consents obtained for access to that data. Document everything in a map that contains storage locations, access permissions, usage, sharing and handling methods, and other relevant details.
3. Review and update your privacy policy
In case you don’t have a privacy policy, draft a document that will explain to children and their parents what personal data is collected and for what purposes. Describe the exact usage scenarios and parental rights in this regard, as well as storage and security measures. Provide contact details for questions or concerns. Make the policy easily accessible before any data collection.
If you already have a privacy policy, make sure it’s reviewed and updated regularly, as business operations, technologies in use, and legal obligations change, and that it’s easily accessible and includes all the relevant information for COPPA compliance.
4. Implement valid parental consent management
Introduce COPPA-compliant parental consent measures to gain permission before collecting, using, or sharing personal information about or from children under 13 in the U.S. Use methods like consent forms, phone or video calls, credit card verification, or trusted third-party services.
Maintain records of all parental consents to serve as proof of compliance, and ensure that consent can be changed or revoked easily at any time.
5. Make cookies COPPA-compliant
Implement a cookie consent banner or similar tool to clearly communicate and get permission for tracking cookies and similar technologies that collect personal data.
Provide options to accept, reject, or customize cookie settings, and ensure cookies do not collect personal information from children until parental consent is obtained.
6. Add additional security layers
Here are some extra measures to strengthen COPPA compliance:
- Enable parents to review, delete, and decline further collection of their child’s personal data
- Ensure a clear process for parental requests and responses within the required timeframes
- Implement appropriate security measures to protect children’s data from unauthorized access, but also have a comprehensive response plan in the event of a data breach
- Train your personnel on data handling and retention periods, and delete data once it’s no longer necessary
- Assign compliance officers or teams responsible for ongoing compliance management
7. Monitor ongoing compliance
Conduct regular audits and assessments to ensure policies and practices remain compliant as business operations, technologies in use, platform partners, and legal requirements change. Update procedures and privacy policies as regulations or services evolve.
Maintain documentation of all compliance-related activities, consents, and related records or communications. Be prepared to notify regulatory authorities and affected data subjects promptly of any data breaches or noncompliance incidents.
Tools and technologies that help with COPPA compliance
Consent management platforms, parental consent verification tools, and data classification and monitoring systems are the key technologies to enable a website, app, or online service to remain COPPA-compliant:
- Parental consent verification tools: Include e-signatures, credit card verification, phone calls, or uploading government IDs to confirm consent validity
- Data classification and monitoring systems: Assist in tracking data collection points, protecting sensitive information, and managing data access
- CMPs: Manage consent workflows and maintain records of parental permissions in a compliant manner, as well as signaling consent information to third-party systems
How to comply with COPPA with Usercentrics CMP
Usercentrics CMP supports your data privacy compliance with COPPA and other laws as the digital and legal landscapes change. It’s effective for managing consent for audiences including children and adults, and enabling data collection transparency. You can integrate the software with parental consent workflows.
Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.
