COPPA: What It Means for Online Businesses
If your website, app, or online service could be used by children under 13, or if you know it is, the Children's Online Privacy Protection Act applies to you. And as of 2025, COPPA just got significantly stricter.
A lot of business owners assume COPPA only matters for companies explicitly building kids' products. That assumption is wrong, and acting on it can expose you to some of the most serious penalties in U.S. digital privacy law. This guide explains who COPPA covers, what it requires, and what changed with the FTC's sweeping 2025 amendments.
The Basics: What COPPA Is and Who It Covers
COPPA is a federal law, enforced by the FTC, that restricts how businesses collect, use, and share personal information from children under 13. It was originally enacted in 1998 and first went into effect in 2000. The most significant update in over a decade took effect June 23, 2025, with most compliance deadlines falling on April 22, 2026.
COPPA applies to you if you operate a commercial website, mobile app, or online service that:
- Is directed to children under 13, or
- Has actual knowledge that it's collecting personal information from a child under 13
That "directed to children" determination is based on a multi-factor analysis: the subject matter, visual content, use of animated characters, music, language, website age, and whether the service is marketed to children. You don't have to be a toy company. A general-audience site about craft tutorials, family recipes, or games that happens to attract a young audience can qualify.
The "actual knowledge" standard means that if a child submits their birthday during signup and reveals they're 11, you now have actual knowledge, and COPPA obligations kick in.
What Changed in 2025: The FTC's Updated COPPA Rule
The January 2025 amendments, published in the Federal Register on April 22, 2025 and effective June 23, 2025, represent the most substantial revision to COPPA since its original passage. Here's what changed:
Expanded definition of personal information. The definition now explicitly includes biometric identifiers: fingerprints, iris scans, voiceprints, facial templates, genetic data, and gait patterns. It also now includes government-issued identifiers beyond Social Security numbers: state ID cards, birth certificates, and passport numbers are now covered.
Separate opt-in consent for third-party disclosures. Previously, operators could obtain a single bundled parental consent for data collection, use, and third-party sharing. The 2025 rule changes that completely. Operators must now obtain separate verifiable parental consent before disclosing a child's personal information to third parties, unless that disclosure is "integral" to the service (like payment processing). Crucially, advertising, data broker relationships, and AI training are explicitly not considered integral, meaning they all require separate opt-in consent from parents.
New data retention requirements. The rule now prohibits indefinite retention of children's data. Operators must retain children's personal information only as long as reasonably necessary for the specific purpose it was collected, establish a written data retention policy specifying collection purposes, business needs for retention, and deletion timeframes, and include that policy in the online privacy notice.
Mandatory written information security program. Operators now must establish and maintain a formal, written children's information security program: not just reasonable security practices, but a documented program. At minimum, this requires designating employees to coordinate the security program, conducting annual risk assessments, designing and implementing appropriate safeguards, regularly testing and monitoring those safeguards, and annually evaluating and updating the program.
Enhanced parental notice requirements. Direct notices to parents must now include a description of how personal information will be used, the names and categories of third parties that will receive the child's data, and an explanation that parents can consent to data collection without consenting to third-party disclosure (unless that disclosure is integral).
What "Verifiable Parental Consent" Means
COPPA requires that before you collect, use, or disclose personal information from a child, you must obtain verifiable parental consent, meaning you have to actually confirm a parent is giving the consent, not the child pretending to be a parent.
The updated rule added three new methods for obtaining this consent:
1. Knowledge-based authentication: Multiple-choice questions sufficiently difficult that a child under 12 couldn't reasonably answer them
2. Photo ID verification: Facial recognition matching a submitted government ID to a live photo (the ID and photo must be deleted after the match is confirmed)
3. Text-plus verification: A text message combined with additional confirmation steps, available only for operators who do not disclose children's data to third parties
Previously accepted methods still work too: signed consent forms, credit card verification, toll-free phone calls to trained staff, and video conference verification.
COPPA Compliance for "Mixed Audience" Sites
The 2025 rule added a formal definition for "mixed audience website or online service": a site or service that is considered child-directed under COPPA's analysis but doesn't primarily target children and doesn't collect personal information before verifying users' ages.
If your site falls into this category, you have some additional flexibility. You can use an age gate (asking users to enter their date of birth before proceeding) to screen out users under 13. However, that age gate must be implemented seriously, not as a simple "click here if you're over 13" checkbox that any kid can click through.
The key practical implication: if you use age screening, you need to collect the age information before collecting any other personal data. Don't let someone create an account, enter their name and email, and then ask for their age.
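As an added illustration (not code from the original guide), here is a minimal server-side age screen that asks for a full date of birth rather than a checkbox, decides before any name or email is accepted, and keeps only the pass/fail result rather than the birth date itself. Function names and the sample dates are constructed for the example; a real deployment would pass the current date instead of a fixed string.

```python
from datetime import date

COPPA_MIN_AGE = 13  # COPPA covers children under 13


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today (correct for Feb 29 birthdays)."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1  # birthday has not happened yet this year
    return years


def age_screen(dob_text: str, today_text: str) -> dict:
    """Neutral age gate: takes a full ISO date of birth and returns only a
    pass/fail decision. The date of birth is not stored anywhere; only the
    boolean (and a reason for the caller's error message) leaves this function.
    today_text is an ISO date string so the example is reproducible; production
    code would use date.today()."""
    today = date.fromisoformat(today_text)
    try:
        dob = date.fromisoformat(dob_text)
    except ValueError:
        return {"passed": False, "reason": "invalid date"}
    if dob > today:
        return {"passed": False, "reason": "date in the future"}
    if age_on(dob, today) < COPPA_MIN_AGE:
        return {"passed": False, "reason": "under 13"}
    return {"passed": True, "reason": "ok"}


def register(screen: dict, name: str, email: str) -> dict:
    """Account creation step. Personal data (name, email) is accepted only if
    the age screen already passed, so nothing is collected from a user the
    gate screened out; the submitted fields are simply discarded."""
    if not screen.get("passed"):
        return {"created": False, "stored_fields": []}
    # Hypothetical persistence: record only the fields the policy allows.
    return {"created": True, "stored_fields": ["name", "email"]}
```

The ordering matters: `register` never sees personal data from a request that skipped or failed `age_screen`, which is what the guide means by collecting age information first.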
Building a COPPA-Compliant Privacy Policy
Your privacy policy must include specific information to be COPPA-compliant:
- The names, addresses, and phone numbers of all site operators
- What personal information is collected from children
- How it's collected
- How it's used
- Whether it's disclosed to third parties and how those parties use it
- A description of parents' rights and how to exercise them
- Your data retention policy
- Categories of third parties who receive children's data
The policy must be posted on your homepage and anywhere on your site where children's data is collected.
The Real-World Risk: COPPA Penalties
COPPA violations can result in civil penalties of up to $51,744 per violation. The FTC has pursued enforcement actions against companies of all sizes, from major platforms to small app developers. In one recent case, a children's app company paid $6 million in penalties. In others, small developers paid six-figure settlements.
The standard the FTC applies is whether a reasonable operator in your position would know they were collecting data from children. "We didn't think kids would use our site" is not a reliable defense if your content is clearly appealing to children.
Practical Steps for Solopreneurs
If your business involves any of the following, take a close look at whether COPPA applies to you:
- Apps or games with cartoon characters, bright colors, animated content
- Educational tools, homework helpers, or tutoring platforms
- Creative platforms for writing, drawing, or storytelling
- Any general-audience platform where you have reason to believe children participate
If COPPA applies, your action list includes:
1. Update your privacy policy to meet the 2025 requirements
2. Implement an age gate before collecting any personal information
3. Establish a verifiable parental consent mechanism
4. Draft a written data retention policy for children's data
5. Create a written information security program
6. Audit your third-party integrations: ad networks, analytics tools, and tracking pixels may all trigger the new third-party disclosure requirements
The Bottom Line
COPPA is not a law you can afford to ignore or treat casually. The 2025 amendments significantly raised the compliance bar, and the compliance deadline of April 22, 2026 for most new provisions is approaching. If children's data might touch your business, the time to get ahead of this is now, not after you've received a warning letter.
Your next step: If there's any chance your site or app reaches children under 13, consult with a privacy attorney and conduct a COPPA compliance audit against the 2025 rule requirements.
Where to go from here
COPPA sits alongside general privacy policy duties, GDPR's parallel rules for minors, and, if you market to families, the FTC's advertising disclosure rules.
This guide is general information, not legal or tax advice. Rules change and vary by state; confirm specifics with a qualified professional for your situation.