AuditXYZ

Compliance Framework

Children's Online Privacy Protection Act

COPPA regulates the online collection of personal information from children under 13. This guide covers consent mechanisms, privacy policies, FTC enforcement, and compliance for apps, games, and websites.

Issuing Body: United States Federal Trade Commission (FTC)
First Published: 1998-10-21
Latest Version: 2013 (Rule amendments, with proposed 2024 updates)
Typical Cost: $15,000–$100,000
Typical Timeline: 2–6 months
Audit Required: No
Audit Frequency: No mandatory audit. FTC conducts investigations and enforcement actions. COPPA Safe Harbor programs provide self-regulatory oversight.
Geography: United States

COPPA: Children's Online Privacy Protection Guide

The Children's Online Privacy Protection Act (COPPA) regulates the online collection, use, and disclosure of personal information from children under 13 years of age. Enforced by the Federal Trade Commission (FTC), COPPA imposes strict requirements on operators of websites, apps, games, and online services directed at children — or that knowingly collect information from children — including verifiable parental consent, clear privacy notices, and data minimization.

What COPPA Covers

COPPA requires operators to post clear, comprehensive privacy policies describing their data practices for children's information. Before collecting personal information from children under 13, operators must obtain verifiable parental consent through an approved mechanism. Parents must be able to review their child's information, request deletion, and refuse further collection.

The definition of "personal information" under COPPA is broad, including names, addresses, email addresses, phone numbers, photos, videos, audio recordings, geolocation data, and persistent identifiers that can be used to recognize a user over time. The FTC has expanded enforcement to cover modern data collection practices including voice recordings by smart speakers and tracking through advertising identifiers.

Who Needs COPPA Compliance

COPPA applies to operators of commercial websites and online services directed at children under 13, and to operators of general audience services that have actual knowledge they are collecting information from children under 13. This includes children's apps, games, educational platforms, social media features, and websites with child-directed content. Third-party plugins and ad networks operating on child-directed sites must also comply.

Implementation Approach

Determine whether your service is child-directed or may collect information from children. Implement age screening mechanisms if operating a general audience service. Develop a COPPA-compliant privacy policy. Build verifiable parental consent mechanisms — FTC-approved methods include signed consent forms, credit card verification, government ID verification, and video conferencing. Implement data minimization practices and retention limits. Consider joining an FTC-approved COPPA Safe Harbor program for self-regulatory compliance.

Cost Considerations

COPPA compliance typically costs $15,000 to $100,000 including privacy program development, consent mechanism implementation, and legal review. FTC enforcement carries severe penalties — recent settlements have exceeded $170 million (Fortnite/Epic Games) and $275 million (Fortnite). The proposed 2024 rule amendments would strengthen requirements further, potentially increasing compliance costs.
