COPPA Compliance: Key Requirements for 2026

Summary

Many children are highly active on digital platforms and mobile apps. This can put publishers of websites and apps in a legally sensitive position, given the requirements of the Children’s Online Privacy Protection Act (COPPA), also known as the Children’s Online Privacy Protection Rule. 

Concerns about kids’ safety are increasing, and legislators are moving quickly to address them, leading to new and often complex obligations for digital platforms. COPPA is a U.S. federal privacy law that protects the personal information of children under 13, requiring businesses to take proactive action to protect their rights and privacy.

In this guide, we look at the requirements for COPPA compliance, along with step-by-step guidance for implementation.

  • Importance of COPPA compliance: Learn how COPPA protects children’s rights and personal data and why businesses need to comply with the regulation.
  • Key COPPA requirements: The circumstances under which businesses are required to comply with COPPA, and the meaning of key definitions and their applications to businesses.
  • Consent collection terms: Learn about parental consent requirements and privacy policy expectations under COPPA.
  • Aligning with COPPA: Get a checklist to build consistent COPPA compliance within your organization.
  • Software for COPPA compliance: Check out tools and technologies that can help you achieve and automate processes related to COPPA compliance.     

Why COPPA Compliance Matters

The compliance landscape shifted significantly in 2025. On January 16, 2025, the FTC voted unanimously to finalize the first major amendments to the COPPA Rule since 2013. Published in the Federal Register on April 22, 2025, the updated Rule took effect on June 23, 2025, and the compliance deadline was April 22, 2026.

The 2025 amendments introduced several substantive changes that affect how organizations must approach COPPA compliance:

  • Expanded definition of personal information: Biometric identifiers — including fingerprints, facial templates, retina patterns, and genetic data — and government-issued identifiers such as Social Security numbers are now explicitly covered under the Rule.
  • Separate parental consent for third-party disclosures: Operators must obtain distinct verifiable parental consent before sharing children’s personal information with third parties, including for targeted advertising. A single general consent no longer covers downstream data sharing.
  • Enhanced direct notice requirements: Parental notices must now specify how personal information will be used, identify the categories of third parties receiving it, and describe the purposes of those disclosures.
  • Strengthened data security obligations: Operators must establish, implement, and maintain a written children’s personal information security program with safeguards appropriate to the sensitivity of the data collected.
  • Stricter data retention and deletion: The Rule explicitly prohibits retaining children’s personal information indefinitely. Data must be deleted once it is no longer necessary for the purpose for which it was collected.
  • Mixed-audience website definition: A formal, standalone definition of “mixed audience website or online service” has been codified, clarifying obligations for sites directed at children that do not target them as their primary audience.

With those changes in mind, there are a number of key reasons why organizations may need to become COPPA compliant:

  • Keep sensitive data safe online: COPPA compliance is a necessary tool to prevent unauthorized tracking, profiling, and potential privacy violations and exploitation of the personal information of children in the U.S.
  • Avoid legal and financial risks: Non-compliance with COPPA can result in significant civil penalties up to USD 53,088 per violation (a figure the FTC adjusts annually for inflation). Major companies like Google, YouTube, Amazon, Disney, and Microsoft have had multimillion-dollar fines levied against them for COPPA violations.
  • Strengthen brand trust: COPPA compliance demonstrates a commitment to children’s safety and privacy, which contributes to increased engagement, customer loyalty, and trust.

Who Needs to Comply with COPPA

  • Operators of commercial websites, online services, mobile apps, and internet-connected devices that collect the personal data of children in the U.S. under age 13
  • Foreign websites and online services that knowingly collect personal data from children under 13 in the U.S. 
  • Third parties — including advertisers and analytics providers — that knowingly collect children’s personal information from users of another website directed at children or a general audience
  • Websites that run supplementary services, like ad networks, to collect personal information from children under 13

In most cases, “directed at children” is the key criterion for COPPA compliance. Specifically, it is determined by:

  • Subject matter
  • Visual, music or other audio content
  • Use of animated characters or child-oriented activities and incentives
  • Age of models
  • Presence of child celebrities or celebrities who appeal to children
  • Language
  • Advertising promoting or appearing on the website or online service that is directed to children
  • Direct knowledge of collecting personal information from other websites and online services directed to children

The FTC published its first major update to the COPPA Rule since 2013 on April 22, 2025. The amended Rule, which is distinct from the COPPA statute itself, went into effect on June 23, 2025, and the compliance deadline was April 22, 2026.

Among the changes most relevant to scope, the updated Rule formally defines “mixed audience website or online service” as a site directed to children that does not target them as its primary audience. This codifies longstanding FTC guidance into the Rule text.

The new definition does not alter the existing two-step test: operators must first determine whether a site is child-directed, then assess whether children are the primary audience. If not, it qualifies as mixed audience. Operators of mixed-audience sites must age-screen visitors before collecting personal information, applying COPPA obligations to any visitor identified as under 13.

The 2025 Rule amendments also introduced several other substantive changes, including expanded definitions of personal information, stricter requirements for parental notice and consent, a new requirement for separate parental consent before disclosing children’s data to third parties, and enhanced data security and retention obligations.

Types of Personal Information That COPPA Covers

COPPA provides a detailed definition of personal information that includes various data types that can let someone identify or contact a child, or that relate to their online activities.

Specifically, § 312.2 lists the following components of personal information as falling under COPPA:

  • Full name
  • Home or other physical address
  • Online contact information, e.g., email address or any other substantially similar identifier that permits direct online contact, including:
    • instant messaging user IDs
    • VOIP identifiers
    • video chat user identifiers
    • mobile phone numbers used for sending texts to a parent in connection with obtaining consent
  • Telephone number
  • Government-issued identifier, e.g., Social Security number, passport, or birth certificate
  • Persistent identifiers that can track a user over time and across various websites or online services, e.g., cookies, IP addresses, a phone’s device ID, or similar persistent identifiers
  • Geolocation information sufficient to identify street name and city or town (e.g., GPS coordinates within defined limits).
  • Identifiable media: Photographs, videos, or audio files containing a child’s image or voice.
  • Biometric identifiers: fingerprints, retina patterns, genetic data, voiceprints, etc. 
  • Other information collected through automated means, like cookies, pixel tags, or local storage that can be used to track or identify a child.

In this way, COPPA’s definition of personal information comprehensively covers identifiable data points that can be collected online, providing clarity so that operators handle children’s information with heightened privacy protections and comply with consent requirements.

Key COPPA Compliance Requirements

Another key COPPA compliance requirement, along with providing a privacy policy and proper data maintenance, is to collect parental or guardian consent before collecting personal information of children under 13.

The key way for websites, apps, and providers of online services to comply with COPPA is to obtain prior, explicit consent from a parent or guardian.

The consent requirement applies to a broad range of online providers and websites, including those running supplementary services. Modern, comprehensive state-level U.S. regulations don’t require consent before collecting personal information in most cases. 

COPPA, a federal regulation, defines children’s data as sensitive and therefore requires consent, an opt-in model similar to that required by the European Union’s General Data Protection Regulation (GDPR).

Here are some details on the requirements for gathering parental consent:

  • Consent requests should be “reasonably calculated” to confirm that the individual providing consent is the child’s parent or legal guardian.
  • They should include verifiable information, such as:
    • signed consent forms (via mail, fax, or scan)
    • credit card verification
    • digital signature with additional verification steps
    • telephone or video calls
    • facial recognition with a government-issued ID
  • “Email plus” consent sent to a parent is acceptable if this information is collected and used internally in the organization.
  • Consent that’s obtained must be securely documented, and parents should have the ability to easily withdraw consent at any time.
  • Separate consent is required before disclosing information to third parties, if the entity wants to collect more personal data, or if the original purposes for data processing change.

Privacy Policy Expectations

Having an easily accessible privacy policy is also an important COPPA compliance requirement for organizations. Websites must display a clear and comprehensive privacy policy that explains their data handling practices regarding children’s personal data.

Additionally, the privacy policy must:

  • Specify the data collection, usage, sharing, and retention periods
  • Include contact details and a link to the parental consent process (if applicable)
  • Be easily accessible on the website, app, or online service where children’s data is collected

Data Handling and Security Obligations

The COPPA compliance checklist also includes expectations for data collection and storage and provides sharing limitations, strengthened by security and retention rules.

Organizations should:

  • Practice data minimization and collect only the personal information necessary to deliver the activity or service
  • Avoid making the provision of more data than needed a condition of a child’s participation
  • Limit data sharing to only what is permitted by parental consent 
  • Restrict use for marketing purposes and be clear on what marketing activities are prohibited toward children under COPPA or other relevant laws
  • Implement reasonable data security measures to protect children’s personal information from unauthorized access, disclosure, or destruction
  • Retain personal information only as long as necessary to fulfill the purpose for which it was collected
  • Delete or anonymize the data once it is no longer required, except where retention is necessary for legal or safety reasons
  • Maintain records of parental consents and compliance activities ready for inspection

Most of these regulatory requirements fall under the broader privacy by design framework. This framework embeds user privacy and data protection compliance operations directly into the design specifications of technologies, as well as at every step of the user journey. This helps mitigate risk and build trust with audiences.

What Is COPPA 2.0?

The Children and Teens’ Online Privacy and Protection Act (COPPA 2.0) is a proposed federal update to the original 1998 law. The U.S. Senate passed COPPA 2.0 by unanimous consent on March 5, 2026 — the most significant proposed update to U.S. children’s online privacy law in more than 25 years. The bill now moves to the House of Representatives, where previous attempts have stalled, and has not yet been signed into law. Key proposed changes include:

  • Extending protections to teens under 17, not only children under 13
  • Introducing a right to deletion for children and teens
  • Replacing the “actual knowledge” standard with a strengthened “knowledge fairly implied on the basis of objective circumstances” standard
  • Establishing COPPA 2.0 as a floor, not a ceiling, for state-level protections

Businesses handling data from younger audiences should monitor this legislation closely, as it would materially expand compliance obligations.

COPPA and State Children’s Privacy Laws: A Patchwork Landscape

Federal COPPA compliance does not operate in isolation. A growing number of U.S. states have enacted their own children’s privacy laws that apply alongside and in several cases go significantly further than COPPA’s requirements. Organizations that focus exclusively on federal obligations risk missing material compliance duties under state law.

Two developments in particular are worth noting.

In California, the Ninth Circuit issued its mandate on April 3, 2026, meaning that many previously enjoined provisions of the California Age-Appropriate Design Code Act (CAADC) are now in effect. The CAADC imposes strict requirements on businesses that provide an online service, product, or feature “likely to be accessed by children,” and defines a “child” as any individual under the age of 18, which is a significantly broader scope than COPPA’s under-13 threshold.

Active provisions include requirements related to age estimation, high-privacy default settings, age-appropriate notices, and restrictions on the use of children’s personal information in ways that may be detrimental to their wellbeing. Some provisions, including certain data use restrictions and the Data Protection Impact Assessment requirement, remain subject to ongoing litigation and should be monitored closely.

In Texas, the Securing Children Online Through Parental Empowerment (SCOPE) Act took partial effect on September 1, 2024, covering digital service providers that host platforms for social interaction. Key provisions have faced multiple federal court injunctions on constitutional grounds, and the law’s enforcement landscape continues to evolve.

The provisions that remain active include requirements to restrict the collection and sale of minors’ geolocation data and personal information, and to prohibit minors from making purchases without parental consent. Organizations operating social platforms in Texas should take legal advice on current obligations given the ongoing litigation.

Beyond these two laws, Maryland, Vermont, and other states have enacted or are advancing similar age-appropriate design code legislation, and several comprehensive state privacy laws, including those in Colorado, Virginia, and Connecticut, treat children’s data as a sensitive category requiring heightened protection.

The contested preemption provisions in the proposed COPPA 2.0 legislation reflect precisely this complexity: with state laws multiplying and diverging, businesses operating nationally face a patchwork of obligations that COPPA alone does not address. Until federal legislation establishes a clear floor — and potentially a ceiling — organizations should assess their exposure under applicable state laws in addition to their COPPA compliance program.

COPPA Compliance Checklist

Here is a seven-step COPPA compliance checklist to help protect your business from legal risks and foster customer trust when handling children’s personal data in the U.S.

1. Determine If Your Service Is Directed At Children

Start with an audit of your website information and data collection sources to determine whether you are targeting children under 13, whether your user base includes children, or whether your organization knowingly gathers personal data from children.

Also, review your website content in terms of subject matter, child-oriented media, and marketing tactics to see if it meets definitions of being directed at children.

2. Create a Data Map

Identify all personal data directly or indirectly collected from children, including name, location, or online identifiers, as well as consents obtained for access to that data. Document everything in a map that contains storage locations, access permissions, usage, sharing and handling methods, and other relevant details.

3. Review and Update Your Privacy Policy

If you don’t have a privacy policy, draft a document that explains to children and their parents what personal data is collected and for what purposes. Describe the exact usage scenarios and parental rights in this regard, as well as storage and security measures. Provide contact details for questions or concerns. Make the policy easily accessible before any data collection.

If you already have a privacy policy, make sure you review and update it regularly, as business operations, technologies in use, and legal obligations change. Also make sure that it’s easily accessible on your site and includes all the relevant information for COPPA compliance.

4. Obtain Verifiable Parental Consent

Introduce COPPA-compliant parental consent measures to obtain permission before collecting, using, or sharing personal information about or from children under 13 in the United States. Use methods like consent forms, phone or video calls, credit card verification, or trusted third-party services.

Maintain records of all parental consents to serve as proof of compliance, and ensure that consent can be changed or revoked easily at any time.

5. Make Cookies COPPA-Compliant

Implement a cookie consent banner or similar tool to clearly communicate and get permission for tracking cookies and similar technologies that collect personal data.

Provide options to accept, reject, or customize cookie settings, and ensure that cookies in use do not collect personal information from children until parental consent is obtained.

6. Add Additional Security Layers 

Here are some extra measures to strengthen COPPA compliance:

  • Enable parents to review, delete, and decline further collection of their child’s personal data
  • Ensure a clear process for parental requests and responses within the required timeframes
  • Implement appropriate security measures to protect children’s data from unauthorized access, and have a comprehensive response plan in the event of a data breach
  • Train your personnel on data handling and retention periods, and delete data once it’s no longer necessary
  • Assign compliance officers or teams responsible for ongoing compliance management

7. Monitor Ongoing Compliance

Conduct regular audits and assessments to ensure policies and practices remain compliant as business operations, technologies in use, platform partners, and legal requirements change. Update procedures and privacy policies as regulations or services evolve.

Maintain documentation of all compliance-related activities, consents, and related records or communications. Be prepared to notify regulatory authorities and affected data subjects promptly of any data breaches or noncompliance incidents.

Tools and Technologies That Help with COPPA Compliance

Consent management platforms, parental consent verification tools, and data classification and monitoring systems are the key technologies to enable a website, app, or online service to remain COPPA-compliant:

  • Parental consent verification tools: Include e-signatures, credit card verification, phone calls, or uploading government IDs to confirm consent validity
  • Data classification and monitoring systems: Assist in tracking data collection points, protecting sensitive information, and managing data access
  • CMPs: Manage consent workflows and maintain records of parental permissions in a compliant manner, as well as signaling consent information to third-party systems

How to Comply with COPPA with Usercentrics CMP

Usercentrics CMP supports your data privacy compliance with COPPA and other laws as the digital and legal landscapes change. It’s effective for managing consent for audiences including children and adults, and enabling data collection transparency. You can integrate the software with parental consent workflows.

Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH