Understanding COPPA and Children's Online Privacy

Every time your child plays an online game, watches YouTube, or uses an educational app, personal data may be collected about them — often without your knowledge. The Children's Online Privacy Protection Act (COPPA) is the federal law designed to prevent this, but understanding what it actually protects (and what it doesn't) is crucial for every parent.

What Is COPPA?

COPPA is a federal law enacted in 1998 and enforced by the Federal Trade Commission (FTC). It regulates how websites, mobile apps, online games, streaming platforms, and other digital services collect, use, and share personal information from children under the age of 13.

The law was significantly updated in April 2025 — the first major revision in over a decade — with new compliance requirements taking effect in April 2026.

What COPPA Requires

Any website or app that knowingly collects data from children under 13 must:

• Post a clear privacy notice: The privacy policy must be easy to find and written in plain language, explaining exactly what data is collected and how it's used.
• Get verifiable parental consent: Before collecting any personal information from a child, the operator must obtain consent from a parent or guardian.
• Allow parental review and deletion: Parents have the right to review all personal information collected about their child and request that it be deleted.
• Limit data collection: Operators may only collect data that is reasonably necessary for the child's participation in the activity.
• Maintain data security: Reasonable security measures must protect all collected children's data.
• Delete data when no longer needed: Data must be securely deleted once it no longer serves its stated purpose.

The 2025 COPPA Amendments: What Changed

The April 2025 amendments introduced several important updates that parents should know about:

Expanded Definition of Personal Information

Biometric data (such as facial recognition patterns and voiceprints) is now explicitly included as protected personal information.

Stricter Consent Requirements

New requirements make it harder for companies to bury consent mechanisms in lengthy terms of service. Consent must be specific, informed, and verifiable.

Stronger Data Security and Retention Rules

Companies face stricter obligations around how long they can retain children's data and how securely they must store it.

Third-Party Disclosure Limits

Tighter restrictions on sharing children's data with advertisers and third-party tracking services.

What COPPA Doesn't Protect

Despite its importance, COPPA has significant limitations:

• Only applies to children under 13: Teenagers (13-17) currently have no federal online privacy protections — a gap COPPA 2.0 aims to address.
• "Actual knowledge" standard: Currently, COPPA only applies when a site has actual knowledge that a user is under 13. Many sites simply don't ask for age, sidestepping the requirement.
• No individual right of action: Parents cannot sue companies for COPPA violations directly — only the FTC and state attorneys general can enforce it.
• General audience sites: Sites not specifically directed at children may not be subject to COPPA even if children use them.
• Data brokers: If a data broker collects a child's information from public sources rather than directly from the child, COPPA may not apply.

How Parents Can Exercise Their COPPA Rights

1. Request a copy of your child's data: Contact any website or app that your child uses and request a copy of all personal information they've collected.
2. Request deletion: You have the right to demand that a company delete all personal information collected about your child.
3. Revoke consent: You can withdraw consent at any time, which requires the company to stop collecting data and delete what they have.
4. File a complaint: If a company refuses to comply, file a complaint with the FTC at ftc.gov/complaint.

Penalties for COPPA Violations

The FTC takes COPPA violations seriously. Civil penalties can reach $50,120 per violation — and since each instance of unauthorized data collection counts as a separate violation, fines can escalate quickly. Recent enforcement actions have resulted in multi-million-dollar settlements against major companies, including gaming platforms and social media apps.

Practical Steps to Protect Your Child's Privacy

Beyond relying on COPPA, take these proactive steps:

• Review app permissions before your child installs anything: Check what data each app requests access to — camera, microphone, location, contacts.
• Use parental controls: Enable built-in parental controls on phones, tablets, and gaming consoles.
• Teach data awareness: Help your child understand that they should never share their name, address, school, phone number, or photos with strangers online.
• Create a family email for signups: Use a dedicated family email address for your child's accounts so you can monitor activity.
• Check for data broker listings: Data brokers may list your child's information if it's attached to household records. PrivacyOn monitors 100+ data broker sites and can help remove your family's information — including data linked to your children.
• Opt out of edtech data collection: Review privacy settings on all educational technology platforms your child uses at school.

The Bottom Line

COPPA provides a vital foundation for children's online privacy, and the 2025 amendments significantly strengthened those protections. But the law alone isn't enough — proactive parenting and personal privacy tools are essential to keeping your child's data safe in an increasingly data-hungry digital world.